Malloc Privacy Weekly
Malloc (YC S21)
Malloc is an AI-driven cybersecurity startup focused on mobile and app security.
In this edition of Malloc Privacy Weekly, we discuss the latest events from the past week in the world of cybersecurity that have a strong bearing on the day-to-day lives of smartphone users around the world.
An Android malware app disguised as a financial tool, SpyLend, was downloaded over 100,000 times from Google Play. This app, along with variants like KreditApple, PokketMe, and StashFur, tricks users into granting access to personal data like contacts, call logs, and even location. This data is then used for predatory lending practices, including harassment and extortion, particularly in India.
Google's new ad tracking policy, which replaces cookies with digital fingerprinting, has sparked concerns from privacy experts and regulators. This new technology allows advertisers to track users' online activity across multiple devices and browsers, making it harder for people to remain anonymous online, even when using privacy tools like VPNs. Digital fingerprinting collects various data points, including IP addresses, device specifications, and browsing behavior, to create a unique "persistent identity" for each user. Critics argue that this practice is a major privacy violation.
To learn more about these developments and other news, read the article below.
Spyware Apps Cocospy and Spyic Exposed Data of Users and Victims
A significant data breach involving the spyware applications Cocospy and Spyic has compromised the personal information of millions, exposing sensitive data such as messages, photos, and call logs. Discovered on February 14, 2025, the breach revealed 2.65 million unique email addresses; the data was provided by a security researcher who shared the findings with Have I Been Pwned. The breach originated from an unpatched vulnerability that allowed unauthorized access to stored data, raising concerns about the privacy and security of victims. Both applications, which stealthily disguise themselves as benign services, are connected to a common spyware infrastructure and have previously been linked to troubling security flaws. Despite the alarming nature of the breach, the developers have failed to respond or address the flaws, leaving the exposed data open to exploitation that could lead to blackmail or stalking. Recommended actions include checking device settings and enhancing account security to combat such threats.
Source: Cyber Insider
Pegasus spyware infections found on several private sector phones
Recent findings from researchers reveal a concerning increase in the use of Pegasus spyware, with infections detected on multiple devices, particularly among business executives in various industries. In December, Pegasus was identified on 11 of the 18,000 devices tested, highlighting a broader scope of impact beyond its usual targets of journalists and activists. The zero-click spyware, developed by NSO Group, can infect devices without user interaction, raising critical questions about privacy and security. Researchers emphasized the prevalence of sophisticated malware and have suggested that many victims remain unaware of their compromised status, as only half had received notifications from Apple. This underscores a severe lack of preparedness to combat these cyber threats.
Source: The Record
Apple currently only able to detect Pegasus spyware in half of infected iPhones
Apple is currently facing a significant challenge in detecting Pegasus spyware, which poses a serious threat to iPhone users' privacy. While the company has developed methods to identify such infections, it is reported that only 50% of compromised devices are being detected. Pegasus exploits zero-day vulnerabilities, allowing it to access personal data, including cameras and microphones, without user intervention. Apple has proactively notified users in 98 countries about potential spyware attacks, yet many affected individuals remain unaware of their compromised status, as researchers have found that infected users often did not receive alerts from Apple. The issue highlights a broader pattern of mobile compromise affecting various sectors, not just high-profile targets, and raises concerns about comprehensive security measures for all users.
Source: 9to5Mac
SpyLend Android malware downloaded 100,000 times from Google Play
An Android malware app named SpyLend has crossed 100,000 downloads on Google Play, disguised as a financial tool while primarily serving as a predatory loan application targeting users in India. It is part of a malicious category known as SpyLoan, which falsely promises easy loans but requests excessive permissions to steal sensitive data such as contacts, SMS messages, and location information. This stolen data is used to harass and extort users, particularly those who struggle to meet repayment terms. Despite its removal from the Play Store, the app may continue to operate in the background, highlighting the ongoing risk of financial fraud and cybercrime associated with such applications. Users are advised to promptly remove any such apps and secure their devices to mitigate potential harm.
Source: Bleeping Computer
New Google ad tracking policy a ‘Pandora’s box’ for privacy, experts warn
Google's new ad tracking policy is raising significant privacy concerns, as it shifts from cookies to digital fingerprinting, a method that enables advertisers to collect comprehensive consumer data across multiple devices and sessions. This change complicates efforts for users to maintain anonymity online, especially given the limitations of existing privacy tools like ad blockers and incognito mode. Experts have criticized this move as irresponsible, highlighting how digital fingerprinting can create a persistent identity that combines various personal data points. The policy shift is expected to transform the advertising ecosystem, leading to widespread adoption of fingerprinting techniques, which experts warn are significantly more invasive than traditional tracking methods. Ultimately, critics believe Google's motivation may be more about profit than user privacy, suggesting that the new policy opens a "Pandora's box" for data collection.
Source: The Record Media
Google Ad-Tech Users Can Target National Security ‘Decision Makers’ and People With Chronic Diseases
A recent investigation reveals that Google's advertising platform allows marketers to target sensitive groups, including national security officials and individuals with chronic illnesses or financial hardship, despite these practices violating Google’s own policies. The investigation uncovered thousands of audience segments that can identify specific individuals based on sensitive data such as health conditions and medical needs. Experts express concern that this exploitation of personal data poses serious national security risks, as it enables foreign adversaries to potentially collect information on government personnel and sensitive workers. Google has denied wrongdoing while facing scrutiny about its ability to regulate its advertising ecosystem effectively and the implications of exposing sensitive information to foreign entities, leading to ongoing calls for governmental intervention and regulation.
Source: Wired
Mobile Phishing Attacks Surge with 16% of Incidents in US
Mobile phishing attacks, known as "mishing," have surged, with 16% of all incidents occurring in the US. These attacks exploit mobile-specific features like small screens and SMS to trick users into divulging sensitive information. Threat actors deploy tactics like shortened URLs, QR code phishing, and device-specific redirections, making detection and analysis more challenging. The rise in mobile-first communication channels has enabled attackers to bypass traditional email security controls, and geolocation-targeted campaigns further complicate defenses. The report identifies four primary mobile phishing attack types: smishing, quishing, vishing, and mobile-targeted email phishing. Protecting mobile communication channels and adopting mobile-specific security strategies, including phishing-resistant multi-factor authentication and user training, are crucial to mitigate this growing threat.
Source: Infosecurity Magazine
How Phished Data Turns into Apple & Google Wallets
The rise of sophisticated phishing schemes has led Chinese cybercriminals to innovate within the carding industry by turning stolen payment card data into mobile wallets for Apple and Google. These groups use advanced phishing kits that let them send messages directly via iMessage and RCS, bypassing traditional SMS defenses. Victims are tricked into providing one-time passcodes that link their card details to wallets controlled by scammers. This reinvention of the carding process enables criminals to package numerous digital wallets on a single device for sale or quick fraudulent transactions. "Ghost tap" technology allows fraudulent NFC transactions to be performed remotely, further escalating the threat. This wave of attacks is significantly more aggressive than before, and financial institutions are struggling to keep pace, indicating a major challenge in the fight against digital fraud.
Source: Krebs on Security
In a test, 2000 people were shown deepfake content, and only two of them managed to get a perfect score
A recent study revealed an alarming lack of AI literacy among the general public, with only 2 out of 2000 participants able to accurately differentiate between deepfake content and real images or videos. This highlighted the particular vulnerability of older adults, as many had never encountered deepfakes, while younger participants displayed a false confidence despite inadequate detection skills. Deepfake videos proved to be significantly harder to identify than images, raising concerns about fraud and misinformation, especially on social media platforms like Meta and TikTok.
Source: TechRadar
Google Chrome may soon be able to scan your sideloaded APKs
Google is developing a built-in malware scanner for APK downloads within Chrome on Android, enhancing security beyond the current Play Protect system. This feature, currently in Chrome Canary, aims to scan APK files for malware before installation, potentially reducing dependence on Play Protect for these initial checks. While still non-functional and lacking a release date, the inclusion in Canary indicates active development. Once operational, the Malicious APK download check will alert users if malware is detected in downloaded files, enhancing user safety and privacy, especially for those sideloading apps.
Source: Android Police
X is reportedly blocking links to secure Signal contact pages
X, formerly known as Twitter, is reportedly blocking links to Signal, the encrypted messaging platform popular among government workers for secure communication. Users have experienced error messages such as "Message not sent" when trying to share links to Signal.me, which connects to Signal users. Despite this, links to Signal handles and the homepage remain accessible. The platform has a history of restricting links to other services, having previously banned links to platforms like Instagram and Substack. This recent action has raised concerns about censorship and the implications for users relying on Signal for confidential discussions.
Source: Ars Technica
Apple pulls iCloud end-to-end encryption feature for UK users after government demanded backdoor
Apple has announced it will discontinue its end-to-end encryption feature, Advanced Data Protection (ADP), for iCloud users in the United Kingdom following a demand from the government to create a backdoor for authorities to access user data. The company expressed disappointment, highlighting that this decision compromises the privacy and security of U.K. users amidst rising threats like data breaches. Although some types of data will remain encrypted, U.K. users will lose the ability to opt into end-to-end encryption for photos, notes, and backups, leading to increased vulnerability to potential cyber threats. Apple emphasized its commitment to never building a backdoor for its services and indicated it will provide guidance for users already utilizing the ADP feature.
Source: TechCrunch
South Korea Suspends Downloads of AI Chatbot DeepSeek
South Korea has suspended new downloads of the AI chatbot DeepSeek due to concerns about its non-compliance with the country’s data protection laws. The Personal Information Protection Commission (PIPC) identified significant deficiencies in the app's communication features and data processing practices, noting issues such as the collection of data through unsecured channels and the sharing of user information with third parties without proper safeguards. Although existing users can still access the app via the web, the PIPC has warned against sharing personal information until the issues are resolved. This suspension reflects broader global concerns regarding AI chatbots, with similar restrictions already imposed in countries like Australia, Taiwan, and Italy due to privacy risks associated with DeepSeek's operation and data storage practices.
Source: Infosecurity Magazine