San Mateo, CA, March 3, 2025 — Stories, events, and developments that impacted the cybersecurity landscape last week, including emerging threats, policy changes, and industry responses.
1000s of Android and iPhone devices infected with Spyzie
A phone surveillance operation known as Spyzie has infected over half a million Android devices and thousands of iPhones and iPads, according to an unnamed security researcher who spoke with TechCrunch. Most affected people are unaware that the software is on their devices. Spyzie is vulnerable to a bug that, if exploited, “allows anyone to access the phone data, including messages, photos, and location data.” Spyware variants like Spyzie operate in the background of a device, all the while uploading data from the victim’s phone to servers accessible to the person who planted the software. When compromised, however, spyware apps provide hackers with troves of data they can use to commit fraud, create phishing scams, or otherwise abuse. TechCrunch offers tips on how to determine if your device has been infected. Read more.
Vo1d malware botnet reaches 1.6 million Android TVs
1,590,299 Android TV devices across 226 countries have been infected with a new variant of the Vo1d malware botnet, according to research from Xlab. The campaign, which sees the devices recruited as part of anonymous proxy server networks, has been tracked since last November. The new botnet has features not present in previous variants, such as “advanced encryption (RSA + custom XXTEA), resilient DGA-powered infrastructure, and enhanced stealth capabilities.” The botnet is one of the largest observed and has experienced infection surges that have seen bot numbers in India increase from 3,900 to 217,000 in three days. The fluctuations lead researchers to believe that the operators are “renting” infected devices as proxy servers that third parties use for botting or illegal activity. How the TVs are infected is currently unknown. Read more.
$140 million bounty for information about stolen crypto
Bybit is reeling from the theft of around $1.4 billion in Ethereum cryptocurrency at the hands of North Korea’s Lazarus Group and has offered a staggering $140 million in bounties for individuals who can help trace and freeze the stolen funds. According to Bybit, every time someone traces and freezes stolen funds, 5% of the amount goes to the individual who found them, and another 5% goes to the “entity” that freezes them. So far, $4.23 million has been paid to 5 bounty hunters. “We will not stop until Lazarus or bad actors in the industry is eliminated. In the future, we will open it up to other victims of Lazarus as well,” said Bybit’s CEO and co-founder, Ben Zhou. The theft, the largest crypto heist ever committed, is believed to have been made possible after a threat actor breached a developer’s device at SafeWallet. Read more.
Linux “Auto-color” backdoor sets sights on U.S. institutions
The education and public sectors of the U.S. and Asia are under attack from a stealthy Linux backdoor that can avoid detection and deletion. Discovered by researchers from Palo Alto Networks Unit 42 and dubbed “Auto-color,” the malware has been characterized as “uniquely evasive and persistent, using a different file name each time it deploys on a specific system and featuring a mechanism that prevents uninstallation by protecting the file against modification or removal.” According to Alex Armstrong, Palo Alto senior staff security engineer, “once installed, Auto-color allows threat actors full remote access to compromised machines, making it very difficult to remove without specialized software.” Researchers aren’t sure how the malware reaches its targets and have called out its similarities to Symbiote, which may be its predecessor. Read more.
Australia bans Kaspersky products for “unacceptable security risks”
Australia has banned government officials from using products made by Russian cybersecurity firm Kaspersky over national security concerns. “After considering threat and risk analysis, I have determined that the use of Kaspersky Lab products and web services… poses an unacceptable security risk to the government networks and data, arising from threats of foreign interference, espionage, and sabotage,” Australia’s secretary of the Department of Home Affairs, Stephanie Foster, said in the directive. The country now joins the U.S., Canada, and the United Kingdom in blocking the use of Kaspersky’s software. Kaspersky spokesperson Stefan Rojacher said the company was “disappointed with the decision” and that the ban was reached with no engagement with Kaspersky to address the government’s concerns. Government agencies have until April 1 to remove all of the company’s software from systems and devices. Read more.
Apple ending iCloud encryption for UK customers
Due to the UK government’s demands for a “backdoor” into encrypted data, Apple has removed end-to-end encryption in iCloud for customers in the region. The removal of Advanced Data Protection (ADP), an opt-in feature that enhances user security by encrypting iCloud storage, has prompted strong reactions from privacy and consumer rights advocates who call the feature’s removal an “erosion of personal liberties and privacy” and a “brazen, imperialist manoeuvre.” In a statement, Apple said, “We are gravely disappointed that the protections provided by ADP will not be available to our customers in the UK given the continuing rise of data breaches and other threats to customer privacy.” Experts feel that the UK’s demands will hurt residents in the region, risk data agreements between countries, and, at least according to Malwarebytes senior privacy advocate David Ruiz, “embolden other countries, particularly those in the Five Eyes, to make a similar demand of Apple.” Read more.
GitVenom malware campaign steals Bitcoin
Kaspersky has called out a campaign called GitVenom that has targeted gamers and cryptocurrency investors by posing as open-source projects hosted on GitHub. “The infected projects include an automation instrument for interacting with Instagram accounts, a Telegram bot that enables the remote management of Bitcoin wallets, and a crack tool to play the Valorant game,” the Russian cybersecurity vendor said. “All of this alleged project functionality was fake, and cybercriminals behind the campaign stole personal and banking data and hijacked cryptowallet addresses from the clipboard.” Five Bitcoins have been stolen so far, totaling $456,600. It is believed that the campaign has been active for at least two years. Read more.
3.2+ million infected by malicious Chrome extensions
GitLab Threat Intelligence has uncovered a campaign using 16 malicious Chrome extensions. According to their findings, over 3.2 million users have become infected with the extensions, “leveraging browser security vulnerabilities to execute advertising fraud and search engine optimization manipulation.” While the extensions, which cover a range of functions from screen capture tools to ad blockers, are no longer in the Chrome Web Store, those who downloaded them and have yet to remove them are still at risk. Reviews from users impacted by the extensions describe “unexpected redirects and performance degradation,” which are hallmarks of the malicious script being used. Read more.
Black Basta ransomware exposed in communications leak
Leaked chat logs that contain more than 200,000 messages sent between September 2023 and September 2024 have unveiled the internal operations of the ransomware group Black Basta. The leaker’s identity is unknown, although they have claimed that leaking the information was done in retaliation for the group attacking Russian banks. The exposed texts reveal tensions in the group between subordinates and their leader, believed to be Oleg Nefedov. “It turns out that the personal financial interests of Oleg, the group’s boss, dictate the operations, disregarding the team’s interests,” a researcher at security firm Prodaft wrote. “Under his administration, there was also a brute force attack on the infrastructure of some Russian banks. It seems that no measures have been taken by law enforcement, which could present a serious problem and provoke reactions from these authorities.” It is unknown whether the leaker was an insider within the group or an outside adversary. Read more.
Lazarus Group linked to $1.5 billion crypto theft
North Korea’s Lazarus hacking group has been linked to a $1.5 billion theft from cryptocurrency exchange Bybit, making the financially motivated gang responsible for the biggest crypto hack in history. In a statement, Bybit said they “detected unauthorized activity within one of our Ethereum (ETH) Cold Wallets during a routine transfer process… Unfortunately, the transaction was manipulated by a sophisticated attack that altered the smart contract logic and masked the signing interface, enabling the attacker to gain control of the ETH Cold Wallet. As a result, over 400,000 ETH and stETH worth more than $1.5 billion were transferred to an unidentified address.” The attack was linked to Lazarus when investigators discovered the funds were being laundered through an Ethereum address used in previous hacks. Read more.
- All articles sponsored by NetworkTigers
