Malware Bytes

This week on the Lock and Code podcast…

There’s a problem in class today, and the second largest school district in the United States is trying to solve it.

After looking at the growing body of research that has associated increased smartphone and social media usage with increased levels of anxiety, depression, suicidal thoughts, and isolation—especially amongst adolescents and teenagers—Los Angeles Unified School District (LAUSD) implemented a cellphone ban across its 1,000 schools for its more than 500,000 students.

Under the ban, students who are kindergartners all the way through high school seniors cannot use cellphones, smartphones, smart watches, earbuds, smart glasses, and any other electronic devices that can send messages, receive calls, or browse the internet. Phones are not allowed at lunch or during passing periods between classes, and, under the ban, individual schools decide how students’ phones are stored, be that in lockers, in magnetically sealed pouches, or just placed into sleeves at the front door of every classroom, away from students’ reach.

The ban was approved by the Los Angeles Unified School District through what is called a “resolution”—which the board voted on last year. LAUSD Board Member Nick Melvoin, who sponsored the resolution, said the overall ban was the right decision to help students.  

“The research is clear: widespread use of smartphones and social media by kids and adolescents is harmful to their mental health, distracts from learning, and stifles meaningful in-person interaction.”

Today, on the Lock and Code podcast with host David Ruiz, we speak with LAUSD Board Member Nick Melvoin about the smartphone ban, how exceptions were determined, where opposition arose, and whether it is “working.” Melvoin also speaks about the biggest changes he has seen in the first few months of the cellphone ban, especially the simple reintroduction of noise in hallways.

“[During a school visit last year,] every single kid was on their phone, every single kid. They were standing there looking, texting again, sometimes texting someone who was within a few feet of them, and it was quiet.”

Tune in today to listen to the full episode.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

Google released an emergency update for the Chrome browser to patch an actively exploited vulnerability that could have serious ramifications.

The update brings the Stable channel to versions 136.0.7103.113/.114 for Windows and Mac and 136.0.7103.113 for Linux.

The easiest way to update Chrome is to allow it to update automatically, but you can end up lagging behind if you never close your browser or if something goes wrong—such as an extension stopping you from updating the browser.

To manually get the update, click Settings > About Chrome. If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is restart the browser in order for the update to complete, and for you to be safe from those vulnerabilities.

This update is crucial since it addresses an actively exploited vulnerability which could allow an attacker to steal information you share with other websites. Google says it’s aware that knowledge of CVE-2025-4664 exists in the wild. But while Google didn’t acknowledge that the vulnerability is actually being actively exploited, the Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities catalog—a strong indication the vulnerability is being used out there.

Technical details

The vulnerability tracked as CVE-2025–4664, lies in the Chrome Loader component, which handles resource requests. When you visit a website, your browser often needs to load additional pieces of that site, such as images, scripts, or stylesheets, which may come from various sources. The Loader manages these requests to fetch and display those resources properly.

While it does that, it should enforce security policies that prevent one website from accessing data belonging to another website, a principle known as the “same-origin policy.”

The vulnerability lies in the fact that those security policies were not applied properly to Link headers. This allowed an attacker to set a referrer-policy in the Link header which tells Chrome to include full URLs, including sensitive query parameters.

This is undesirable since query parameters in full URLs often contain sensitive information such as OAuth tokens (used for authentication), session identifiers, and other private data.

Imagine you visit a website related to sensitive or financial information, and the URL includes a secret code in the address bar that proves it’s really you. Normally, when your browser loads images or other content from different websites, it keeps that secret code private. But because of this Chrome Loader flaw, a successful attacker can trick your browser into sending that secret code to a malicious website just by embedding an image or other resource there.

The attacker could, for example, embed a hidden image hosted at their own server, and harvest the full URLs. This means they can steal your private information without you realizing it, potentially letting them take over your account or other online services.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Last week on Malwarebytes Labs:

• Data broker protection rule quietly withdrawn by CFPB
• Meta sent cease and desist letter over AI training
• Google to pay $1.38 billion over privacy violations
• Android users bombarded with unskippable ads

Last week on ThreatDown:

• ThreatDown introduces Firewall Management
• Introducing Browser Phishing Protection: enhanced web security for your organization

Stay safe!

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

The Consumer Financial Protection Bureau (CFPB) has decided to withdraw a 2024 rule to limit the sale of Americans’ personal information by data brokers.

In a Federal Register notice published yesterday, the CFPB said it “has determined that legislative rulemaking is not necessary or appropriate at this time to address the subject matter”.

The data brokerage industry generates an estimated $300 billion in annual revenue. Data brokers actively collect and sell your Personally Identifiable Information (PII), including financial details, personal behavior, and interests, for profit. They often do this without seeking your consent or without making it clear that you have given consent.

The CFPB proposed the rule in December 2024 to curb data brokers from selling Americans’ sensitive personal and financial information. By restricting the sale of personal identifiers such as Social Security Numbers (SSNs) and phone numbers, the rule aimed to ensure that companies share financial data, like income, only for legitimate purposes, such as facilitating a mortgage approval, rather than selling it on to scammers who target people in financial distress.

The proposal sought to make data brokers comply with federal law and address serious threats posed by current industry practices. It targeted not only national security, surveillance, and criminal exploitation risks, but also aimed to limit doxxing and protect the personal safety of law enforcement personnel and domestic violence survivors.

The CFPB intended to treat data brokers like credit bureaus and background check companies, requiring them to comply with the Fair Credit Reporting Act (FCRA) regardless of how they use financial information. The proposal would also have required data brokers to obtain much more explicit and separately authorized consumer consent.

By setting it up this way it wouldn’t have interfered with the existing pathways created for and by the FCRA while offering more consumer protection.

However, acting CFPB Director Russell Vought said the agency had determined the rule was not for now, pointing to “updates to Bureau policies.”

Watchdog groups have a different view on the matter though. Matt Schwartz, a policy analyst at Consumer Reports, stated it would leave consumers vulnerable:

“Data brokers collect a treasure trove of sensitive information about virtually every American and sell that information widely, including to scammers looking to rip off consumers.”

If data brokers would be required to comply with the FCRA:

• They would have to ensure the accuracy and privacy of the data they collect and share.
• Consumers must be provided with mechanisms to dispute and correct inaccurate information.
• Consumers should be notified when their data is used for decisions about credit, insurance, or employment.
• They could face enforcement actions and penalties for non-compliance, as the Federal Trade Commission (FTC) and CFPB have done in the past.

We don’t just report on data privacy—we help you remove your personal information

Cybersecurity risks should never spread beyond a headline. With Malwarebytes Personal Data Remover, you can scan to find out which sites are exposing your personal information, and then delete that sensitive data from the internet.

EU privacy advocacy group NOYB has clapped back at Meta over its plans to start training its AI model on European users’ data. In a cease and desist letter to the social networking giant’s Irish operation signed by founder Max Schrems, the non-profit demanded that it justify its actions or risk legal action.

In April, Meta told users that it was going to start training its generative AI models on their data.

Schrems uses several arguments against Meta in the NOYB complaint:

1. Meta’s ‘legitimate interests’ are illegitimate

NOYB continues to question Meta’s use of opt-out mechanisms rather than excluding all EU users from the process and requiring them to opt in to the scheme. “Meta may face massive legal risks – just because it relies on an “opt-out” instead of an “opt-in” system for AI training,” NOYB said on its site.

Companies who want to process personal data without explicit consent must demonstrate a legitimate interest to do so under GDPR. Meta hasn’t published information about how it justifies those interests, says Schrems. He has trouble seeing how training a general-purpose AI model could be deemed a legitimate interest because it violates a key GDPR principle; limiting data process to specific goals.

NOYB doesn’t believe that Meta can enforce GDPR rights for personal data like the right to be forgotten once an AI system is trained on it, especially if that system is an open-source one like Meta’s Llama AI model.

“How should it have a ‘legitimate interest’ to suck up all data for AI training?” Schrems said. “While the ‘legitimate interest’ assessment is always a multi-factor test, all factors seem to point in the wrong direction for Meta. Meta simply says that its interest in making money is more important than the rights of its users.”

2. What you don’t know can hurt you

Schrems warns that people who don’t have a Facebook account but just happen to be mentioned or caught in a picture on a user’s account will be at risk under Meta’s AI training plans. They might not even be aware that their information has been used to train AI, and therefore couldn’t object, he argues.

3. Differentiation is difficult

NOYB also worries that the social media giant couldn’t realistically separate people whose data is linked on the system. For example, what happens if two users are in the same picture, but one has opted out of AI training and one hasn’t? Or they’re in different geographies and one is protected under GDPR and one isn’t?

Trying to separate data gets even stickier when trying to separate ‘special category’ data, which GDPR treats as especially sensitive. This includes things like religious beliefs or sexual orientation.

“Based on previous legal submissions by Meta, we therefore have serious doubts that Meta can indeed technically implement a clean and proper differentiation between users that performed an opt-out and users that did not,” Schrems says.

Other arguments

People who have been entering their data into Facebook for the last two decades could not have been expected to know that Facebook would use their data to train AI now, the letter said. That data is private because it tries hard to protect it from web scrapers, and limits who can see it.

In any case, other EU laws would make it the proposed AI training illegal, NOYB warns. It points to the Digital Markets Act, which stops companies cross-referencing personal data between services without consent.

Meta, which says that it won’t train its AI on private user messages, had originally delayed the process altogether after pushback from the Irish Data Privacy commissioner. Last month the company said that had “engaged constructively” with the regulator. There has been no further news from the Irish DPC on the issue aside from a statement thanking the European Data Protection Board for an opinion on the matter handed down in December. That opinion left the specifics of AI training policy up to national regulators.

“We also understand that the actions planned by Meta were neither approved by the Irish DPC nor other Concerned Supervisory Authorities (CSAs) in the EU/EEA. We therefore have to assume that Meta is openly disregarding previous guidance by the relevant Supervisory Authorities (SAs),” Schrems’ letter said.

NOYB has asked Meta to justify itself or sign a cease and desist order by May 21. Otherwise, it threatens legal action by May 27, which is the date that Meta is due to start its training. If it brings an action under the EU’s new Collective Redress Scheme, it could obtain an injunction from different jurisdictions outside Ireland to shut down the training process and delete the data. A class action suit might also be possible, Schrems added.

In a statement to Reuters, Meta called NOYB “wrong on the facts and the law”, saying that gives adequate opt-out options for users.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

The state of Texas reached a mammoth financial agreement with Google last week, securing $1.375 billion in payments to settle two three year-old lawsuits.

The Office of Texas Attorney General Ken Paxton originally filed the first lawsuit against Google in January 2022, complaining that the tech giant collected users’ geolocation data. It alleged that Google has continued to track users’ locations even after they thought they had disabled the feature, and then used the data to serve them advertisements.

Then in May 2022, the state updated that lawsuit to include another allegation—that the company wasn’t being fully up front about the data it collected from users in private browsing mode, also known as Incognito Mode.

Google warned users in its Incognito Mode splash page that that their ISPs, employers or schools, and websites they visited in this mode might still collect data about their activity. The suit called this “insufficient to alert Texans to the amount, kind, and richness of data-collection that persists during Incognito mode.” By promising private browsing, Google created an expectation of privacy that it didn’t fulfil, it alleged.

In October that year, Texas launched another suit that accused Google of collecting biometric information including voice prints and records of facial geometry, using services like Google Photos and the Google Assistant product along with its Nest Hub Max product.

A collection of 40 states had pursued Google over the location tracking issue and had secured a $391.5m payout in 2022, but others had gone it alone. Arizona settled for $85m. Paxton played his own game of Texas Hold’em and won. In a press release on Friday he proudly compared his settlement to the multi-state suit, pointing out that it was “almost a billion dollars less than Texas’s recovery”.

This isn’t the first time that Paxton has trounced Google in a legal fight. In 2023 Texas was part of an all-state $700m settlement with the company over anti-competitive practices in its Play store. It also settled for $8m that year over a deceptive advertising claim. Google paid DJs to promote a new Pixel phone model even though it hadn’t been released yet and they had never used it, the state said.

Last August, it also won a four-year legal battle with Google over monopolistic search practices.

In financial terms, this is Paxton’s second-largest victory by a whisker against Big Tech companies. Texas settled for a $1.4bn payout from Facebook and Instagram owner Meta last July, after suing it for capturing biometric data on Texans. The suit specifically targeted the company’s use of facial recognition to power its Tag Suggestions feature, which enabled users to easily identify and tag people in photos.

The allegations of biometric data misuse against both Meta and Google were bought under the Texas Capture or Use of Biometric Data Act, which it introduced in 2009. The geolocation and private browsing accusations were bought under another Texas law, the Deceptive Trade Practices Act. At a federal level, there is still no cohesive consumer data privacy law, despite several efforts to introduce them on the Hill.

Emboldened by earlier victories, Paxton set up a legal swat team to pursue Big Tech last June. The team, which works within his office’s consumer division, will go after companies that play fast and loose with consumer data, Paxton said. He warned:

“As many companies seek more and more ways to exploit data they collect about consumers, I am doubling down to protect privacy rights.”

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Researchers have discovered a very versatile ad fraud network—known as Kaleidoscope—that bombards users with unskippable ads.

Normally, ad fraud is not a concern for users of infected devices. They might experience some sluggish behavior on their device, but often that’s the extent of it. Ad fraud is a type of scam aimed at companies, causing them to pay for advertisements that nobody actually sees or clicks on. Instead of real people viewing or clicking on ads, fraudsters use automated programs (bots) or other tricks to generate fake views, clicks, or interactions.

As a result, the advertising company pays for ads without receiving any real value in return. Users of infected devices usually don’t notice anything, since the malicious activity takes place in the background. This also helps the malware avoid detection.

However, the newly discovered ad fraud operation, dubbed Kaleidoscope, is different. Kaleidoscope targets Android users through seemingly legitimate apps in the Google Play Store, as well as malicious lookalikes distributed through third-party app stores.

Both versions of the app share the same app ID. Researchers found over 130 apps associated with Kaleidoscope, resulting in approximately 2.5 million fraudulent installs per month.

Advertisers believe they are paying for ads shown in the “legitimate” app, while users who download versions from third-party app stores are bombarded with the same ads—but they can’t skip them. Because both apps use the same app ID, advertisers never know the difference.

Kaleidoscope is very similar to, and appears to be built on, the CaramelAds ad fraud network, which also used duplicate apps and shares similarities in code and underlying infrastructure.

The researchers explain:

“The malicious app delivers intrusive out-of-context ads under the guise of the benign app ID in the form of full-screen interstitial images and videos, triggered even without user interaction.”

How to protect your device

Google Play Protect automatically protects users against apps that engage in malicious behavior. As a result, the researchers didn’t find any malicious Kaleidoscope versions on the Google Play Store.

To keep your devices free from ad fraud related malware:

• Get your apps from the Google Play store whenever you can.
• Be careful about the permissions you allow a new app. Does it really need those permissions for what it’s supposed to do? In this case the “Display over other apps” should raise a red flag.
• Dubious ad sites often request permission to display notifications. Allowing this will increase the number of ads as they push them to the device’s notification bar.
• Use up-to-date and active security software on your Android.

Malwarebytes detects malware from the Kaleidoscope family as Adware.AdLoader.EXTNXN.

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

Last week on Malwarebytes Labs:

• The AI chatbot cop squad is here (Lock and Code S06E09)
• Android fixes 47 vulnerabilities, including one zero-day. Update as soon as you can!
• “Your privacy is a promise we don’t break”: Dating app Raw exposes sensitive user data
• FBI issues warning as scammers target victims of crime
• WhatsApp hack: Meta wins payout over NSO Group spyware
• Passwords in the age of AI: We need to find alternatives
• Tired of Google sponsored ads? So are we! That’s why we’re introducing the option to block them on iOS
• Cyber criminals impersonate payroll, HR and benefits platforms to steal information and funds
• Google Chrome will use AI to block tech support scam websites

Last week on ThreatDown:

• Ransomware in April 2025—RansomHub is gone

Stay safe!

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Google has expressed plans to use Artificial Intelligence (AI) to stop tech support scams in Chrome.

With the launch of Chrome version 137, Google plans to use the on-device Gemini Nano large language model (LLM) to recognize and block tech support scams.

Users already have the ability to chose Enhanced Protection under Settings > Privacy and security > Security > Safe Browsing.

Safe Browsing settings

Google’s reasoning, and we agree, is that LLMs are fairly good at understanding and classifying the varied, complex nature of websites. Meaning that, since many malicious sites have a very short lifespan, it is more effective to learn and recognize their behavior rather than keep adding a host of domain names to a block-list (something which Google has frustrated with the introduction of Manifest V3, by the way).

Tech support scams typically follow a certain pattern that should be simple to learn:

• They make your browser tab full screen
• Display the number they want you to call all over the place
• Show the visitor fake ongoing scans and alerts

These are just a few of the characteristics I’d teach the LLM. I’m not speaking for Google here. They just mention they’ll be looking at usage of the Keyboard Lock API.

On that, the Keyboard Lock API is a web technology that allows websites to “capture” keyboard input, meaning they can prevent certain key combinations (or all keys) from working as they normally do in your browser or operating system. Originally, this tool was designed for legitimate purposes, like making web games or remote desktop apps more immersive by stopping accidental key presses from interrupting the experience. But tech support scammers exploit the Keyboard Lock API to make it harder for victims to escape their scam pages. This means that when a visitor tries to close the scam page or switch to another program, nothing happens, making them feel trapped on the site. Which also makes them think their system is actually infected.

Google explains why it went for the on-device method, saying it allows them to see the threats at the same moment the users see them and in the same way the users see them.

“We’ve found that the average malicious site exists for less than 10 minutes, so on-device protection allows us to detect and block attacks that haven’t been crawled before.”

How it works

When the user lands on a suspicious page, which is decided by the on-device LLM, based on specific triggers like the Keyboard Lock API, Chrome provides the LLM with the contents of the page that the user is on and queries it to extract security signals, such as the intent of the page. This information is then sent to a Safe Browsing server for a final verdict.

If Safe Browsing decides the website is malicious, Chrome will block the content and show the user a big warning screen, called an “interstitial.”

Image courtesy of Google

By making the target think their system is infected, tech support scammers try to gain remote access or obtain payment information. Google says:

“Tech Support scams are an increasingly prevalent form of cybercrime, characterized by deceptive tactics aimed at extorting money or gaining unauthorized access to sensitive data.”

Malwarebytes’ Browser Guard data over the last month shows that 30% of the fraudulent websites we blocked through the browser extensions are tech support scams.

30% of the three fraud categories are TSS

So, it’s nice of Google to let Chrome help us take care of some of those, but Chrome is not the only browser. We’re even hearing stories from users that ran into a website telling them their Windows machine was infected while they were using the Safari browser on their iPad.

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

The relentless battle against online fraud is a constant evolution, a digital chase where security teams and malicious actors continually adapt. The increasing sophistication of attacks is blurring the lines between legitimate user behavior and impersonation attempts.

The campaign we are exposing today is a reminder that even the most advanced security technologies do not dissuade threat actors. We discovered a new phishing kit targeting payroll and payment platforms that aims to not only steal victims’ credentials but also to commit wire fraud.

Our investigation began with a fraudulent search ad for Deel, a payroll and human resources company. Clicking on the ad sent employees and employers to a phishing website impersonating Deel.

Beside stealing usernames, passwords and circumventing two factor authentication, we identified malicious code capable of performing additional nefarious actions unbeknownst to the victim. Using a fully authenticated web worker, this phishing kit is using a legitimate hosted web service called Pusher with the intent of manipulating sensitive profile data fields related to banking and payment information.

While we were working this case, the FBI issued a public service announcement (PSA250424) warning people that cyber criminals are using search engine advertisements to impersonate legitimate websites and expanded to target payroll, unemployment programs, and health savings accounts with the goal of stealing money through fraudulent wire transactions or redirecting payments.

The Google ad was taken down quickly, and we have informed Deel and MessageBird (Pusher’s parent company) about the misuse of their respective platforms.

Search results ad targets Deel

Deel is a US-based payroll and human resources company founded in 2019 Deel whose platform is designed to streamline the complexities of managing a global workforce, offering solutions for payroll, HR, compliance, and more.

We first identified a malicious Google Search ad for Deel in mid April for the keywords ‘deel login‘. The top link is a sponsored search result, appearing just above the organic search result for Deel’s official website.

The URL in the ad (deel[.]za[.]com) uses the .ZA.COM subdomain of .COM targeting South Africa, essentially an alternative to the .CO.ZA extension. That URL is used as a redirect only, allowing the threat actors to use cloaking in order to redirect clicks to decoy websites (white page) or phishing domains they can rotate.

Phishing portal and 2FA

The first phishing domain we saw was login-deel[.]app but at the time we checked it did not resolve. Shortly thereafter, the same Google ad URL pointed to a new domain, accuont-app-deel[.]cc.

The phishing page is a replica of Deel’s login page with one minor difference: the Log in using Google and Continue with QR code options are disabled, only leaving the user name and password fields for authentication.

After entering their credentials, victims are social engineered by the crooks to type a security code that was sent to their email address. While two-factor authentication is a great added security feature, we can see that it can be rendered useless when victims authenticate into the wrong website.

On the surface, this looks just like another phishing site, until you look deeper and discover more intriguing code.

Traffic analysis

To better understand how this phishing kit works, we recorded a network capture showing the web requests sent and received. This allowed us to identify several interesting components that make this phishing campaign unique.

Of particular interest are several JavaScript libraries, namely pusher.min.js, Worker.js and kel.js.

The phishing kit uses anti-debugging techniques to prevent us from stepping through its code. This is a common practice to hide malicious intent and makes analysis more time consuming.

Scripts analysis

Looking at the files that the anti-debugger is trying to conceal, we see that only one is human readable, while the other two are heavily obfuscated using obfuscator.io. The pusher.min.js JavaScript file is a legitimate library from Pusher, a hosted web service that uses APIs, developer tools and libraries to manage connections between servers and clients using technologies like WebSockets.

There seems to be two different types of sessions, based on the functions named createBankSession and createCardSession. When attempting to login into the phishing site, we see a session_type value of “bank” which belongs to the former function.

The kel.js and Worker.js files are both used for authenticating the victim into the real Deel website while a web worker communicates with the threat actor’s infrastructure for processing the credentials and to receive the OTP code to get past two-factor authentication.

WebSockets are a persistent communication protocol that allows for full-duplex communication between a user’s browser and a server. This means data can be pushed from the server to the client in real-time without the client having to constantly request it.

Here’s an example of a WebSocket communication where the user provided the wrong login credentials:

The conversation begins with a pusher:connection_established message, confirming a successful connection to the Pusher real-time service and providing a unique socket_id and an activity_timeout of 120 seconds.

Next, a pusher:subscribe message shows the client requesting to listen for events on a specific channel identified by a unique session ID, indicating a desire to receive real-time updates for that session.

The server then acknowledges this request with a pusher_internal:subscription_succeeded message for the same channel, confirming that the client is now successfully subscribed and will receive broadcasts.

Finally, an events message is received on that session channel, carrying data indicating a “wrongLogin” event has occurred and instructing the client-side application to “Show” something, likely an error message to the user in real-time.

Additional targets

This phishing kit is unique and can be tracked with the following characteristics:

• Obfuscator.io
• Pusher WebSockets
• Worker.js library
• kel.js/otp.js/auth.js/jquery.js library

We identified several other targets, related to payroll, HR, billing, payment solutions and even commerce platform Shopify. The earliest use we could find goes back to July 2024, but it appears to have flown under the radar.

Justworks: Payroll, benefits, HR, and compliance — all in one place.

Marqeta: End to end credit and payment solutions integration into business processes

Shopify: Commerce platform

OmniFlex (Worldpay): online point of sale solution

Conclusion

The FBI’s PSA highlights several key measures businesses can adopt to protect users related to the following:

• Domain spoofing: Brand impersonation is a real problem that companies need to proactively lookout for.
• Notifications: Victims need to be alerted in several different ways in a timely manner.
• Education: Phishing is getting more sophisticated and users need to be aware of how to best protect themselves.

In that same report, the FBI advises consumers to check the URL to make sure the site is authentic before clicking on an advertisement. This is usually a sound practice, but as we have documented it on this blog many times, URLs within ads can be spoofed also.

Ultimately, the discovery of this phishing kit, with its advanced capability to interact with financial data, reinforces a critical message: online security is a shared responsibility. Users must exercise caution and critical thinking in their online interactions while enhancing their security with available tools; platforms must remain committed to detecting and preventing abuse.

Browser extensions such as Malwarebytes Browser Guard will block ads but also the scams or malware sites associated with these schemes.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Indicators of Compromise

Redirect

deel[.]za[.]com

Phishing domains

login-deel[.]app
accuont-app-deel[.]cc
justvvokrs-login[.]cc
vye-starr[.]net
maqreta[.]com
ctelllo[.]com
angelistt[.]com
account[.]datedeath[.]com
account[.]turnkeycashsite[.]com
admin-shopffy[.]cc
biilll[.]com
app-parker[.]com
shluhify[.]com
login-biil[.]net
founderga[.]com
admin-shoopiffy[.]com
access-shupfify[.]com
virluaterminal[.]net

Worker.js (SHA256)

56755aaba6da17a9f398c3659237d365c52d7d8f0af9ea9ccde82c11d5cf063f

kel.js/otp.js/auth.js/jquery.js (SHA256)

72864bd09c09fe95360eda8951c5ea190fbb3d3ff4424837edf55452db9b36fb
6fb006ecc8b74e9e90d954fa139606b44098fc3305b68dcdf18c5b71a7b5e80f
908a128f47b7f34417053952020d8bbdacf3aed1a1fcf4981359e6217b7317c9
5dadc559f2fb3cff1588b262deb551f96ff4f4fc05cd3b32f065f535570629c3
0ef66087d8f23caf2c32cc43db010ffe66a1cd5977000077eda3a3ffce5fa65f
95d008f7f6f6f5e3a8e0961480f0f7a213fa7884b824950fe9fb9e40d918a164
3e4e78a3e1c6a336b17d8aed01489ab09425b60a761ff86f46ab08bfcf421eac
a37463862628876cecfc4f55c712f79a150cdc6ae3cf2491a39cc66dadcf81eb
15606c5cd0e536512a574c508bd8a4707aace9e980ab4016ce84acabed0ad3be
81bcf866bd94d723e50ce791cea61b291e1f120f3fc084dc28cbe087b6602573
1665387c632391e26e1606269fb3c4ddbdf30300fa3e84977b5974597c116871
c56e277fd98fc2c28f85566d658e28a19759963c72a0f94f82630d6365e62c4f

Sponsored ads on Google search don’t just irritate users—they also provide a dangerous opportunity for cybercriminals to spread malware and scams to their unsuspecting victims. What looks like a harmless search result can be a carefully disguised trap.  

At Malwarebytes, our researchers have uncovered a variety of threats hiding in plain sight within these sponsored ads, including Mac stealers distributed through Google Ads, scams targeting popular utility software, and tech support traps.  

In some cases, scammers use advanced AI tools like DeepSeek AI to create convincing ads and web pages, increasing the risk to unsuspecting users.  

That’s why we’re excited to roll out a brand new feature in Malwarebytes for iOS: the ability to block Google sponsored ads directly on Safari.  

If you’ve used our iOS app before, you already know it blocks ads on webpages and ad trackers. But with our newest feature, we’re extending protection to cover those annoying and potentially dangerous sponsored ads listed on search results.  

Now, with just a simple toggle, you can make those annoying sponsored ads disappear from your Safari browsing experience.  

Try it for yourself: Download Malwarebytes for iOS and enjoy this feature—alongside scam text filtering, a privacy VPN, and call protection—with a free seven-day trial.  

Existing users should already have this feature option in their app—check it out now!

Don’t have an iOS device? Download our free Browser Guard extension for ad blocking and scam protection while browsing on your desktop.

For decades, passwords have been our default method for keeping online accounts safe. But in the age of artificial intelligence, this traditional security method is facing challenges it was never built to withstand.

A team at Cybernews conducted a study of over 19 billion newly exposed passwords which showed we’re looking at a “a widespread epidemic of weak password reuse.” It shows that despite years of trying to educate users about the dangers of using weak, lazy passwords, and re-using them across different sites and services, we have hardly made any progress.

But our opponents have. They can use new tools, faster computers, and because of both these developments, they ended up needing less effort for a greater yield. Because our digital presence in life has grown enormously and with that the number of passwords and the importance of the information they can unlock.

Enter AI

Artificial Intelligence (AI)-powered tools are now capable of cracking passwords faster and more efficiently than ever before. What once took days or weeks using brute force can now be accomplished in minutes. Tools like PassGAN (Password Generative Adversarial Network) use deep learning to predict and generate likely passwords based on leaked data sets. Unlike traditional dictionary attacks, AI doesn’t rely solely on existing word lists. AI is able to learn patterns from billions of compromised passwords and create new ones that closely mimic real human behavior.

This represents a huge advantage to the attackers. While a human hacker might guess that someone used their pet’s name followed by the year they were born, an AI can deduce that “Fluffy2023!” is statistically probable based on thousands of other similar combinations. And it can do this millions of times per second.

AI’s password-cracking capabilities are further supercharged by powerful hardware. Graphics processing units (GPUs), which are commonly used in gaming and scientific computing, can now be harnessed to run password-cracking algorithms at scale. Combined with AI, these machines make short work of weak or even moderately complex passwords.

The result is a world where even passwords once considered strong, like for example “Tr33House!” may no longer provide meaningful protection.

Does that make the password obsolete?

Tech companies are already betting on a passwordless future. Passkeys, biometrics, and multi-factor authentication (MFA) are gaining traction. Passkeys, in particular, offer a cryptographic alternative that eliminates the need for users to remember or even create passwords at all. But adoption of passkeys is still in the early stages, and many systems still rely on traditional passwords.

Beyond the technical risks, there are serious personal consequences when passwords are stolen. Due to our widespread online presence, once an attacker obtains your login credentials, they can access sensitive documents, reset other account passwords, or impersonate you online. From there, the path to identity theft is short. Criminals can use stolen data to open credit lines, file fraudulent tax returns, or drain your savings. In many cases, victims don’t even know their identity has been stolen until serious financial or legal damage has already occurred.

In the age of AI, the stakes are higher, and the window of vulnerability is shorter. A single reused or weak password might be all it takes to lose control over your digital identity.

The lesson is clear: we can’t rely on passwords alone anymore. AI has changed the game even further, and now it’s up to us to change how we play it. And as far as passwords go, there are some ways to use them as securely as possible where you have no alternative:

• Make passwords as strong as possible and never reuse passwords.
• Use a password manager to help remember all the passwords.
• Where possible, use MFA as an extra layer.
• Pressure important services into adapting passkeys and use them as soon as the occasion arises.

You can use Malwarebytes’ free Digital Footprint scan to see how many passwords of yours have been included in leaks and data breaches.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Meta has won almost $170m in damages from Israel-based NSO Group, maker of the Pegasus spyware. The ruling comes after a six-year legal case against the company after Meta accused it of misusing its servers to spy on users.

According to the original complaint against NSO Group, filed in October 2019, the spyware vendor used WhatsApp servers to send malware to around 1400 mobile phones. The purpose was to gain access to the messages on those devices, which were typically used by attorneys, journalists, human rights activists, political dissidents, diplomats, and other senior foreign government officials.

NSO Group reverse engineered WhatsApp’s software and developed its own software and servers to send messages to victims via the WhatsApp service that contained malware. That malware installed itself on the victims’ smartphones using a zero-click attack, meaning that the victim didn’t have to take any action such as opening an link or even answering a call for the compromise to happen; it was enough simply for the message to arrive.

A judge ruled in December that NSO Group had repeatedly dodged requests to provide its code for review, and granted Meta partial summary judgment over the vendor. That set up conditions for a trial to determine damages that started in late April.

NSO Group reportedly argued that Facebook lost nothing as part of the attack, arguing that it should pay the minimum amount in damages. However, the jury awarded Meta $444,719 in compensatory damages and $167,254,000 in punitive damages.

NSO Group is no stranger to controversy. The US federal government blacklisted it in 2021 for enabling foreign governments to spy on a range of people in acts of “transnational repression”. The same year, investigative website The Pegasus Project alleged that the company targeted over 180 journalists around the world. The European Data Protection Supervisor recommended an EU ban on the technology in 2022, although this has not yet happened.

The ruling drew praise from Amnesty International, which had filed a court brief as part of the case outlining the human rights implications of the attacks on Meta. The organization commented:

“This decision should serve as a wake-up call to governments to take proactive, concrete steps to regulate the surveillance industry, to enforce safeguards on their surveillance practices, and to comprehensively ban tools that are inherently incompatible with human rights obligations and standards, such as Pegasus,”

One takeaway stands out for our readers: end-to-end encryption is important for privacy, but it is not enough on its own.

As Meta pointed out in its complaint, NSO couldn’t decrypt WhatsApp messages in transit to users because they are encrypted when they’re sent from one device and stay unreadable until they’re decrypted by the receiving device. However, that doesn’t stop someone from reading the messages after they’re decrypted by the receiving device—someone who compromises your smartphone or PC has control over all of the data on it, including those decrypted messages.

For consumers, this means applying more layer of protection in the form of regular updates, security software, and cybersecurity awareness. Never open links, files, or videos from someone you don’t know. Be skeptical even if they’re from someone you do know—we recommend checking with them over a different channel first to ensure it was really them that sent it.

In this case, even that would not have enough, because NSO Group was able to infect phones without the victim even answering the call. Attacks this sophisticated often target people with sensitive roles such as journalists, activists, and government workers. Google has an advanced protection program for people like this, while Apple launched lockdown mode for high-risk users. Facebook has its own initiative.

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

The FBI has issued a warning about an ongoing fraud scheme where criminal scammers are impersonating FBI Internet Crime Complaint Center (IC3) employees in order to scam people.

Between December 2023 and February 2025, the FBI received over 100 reports of scams involving people posing as IC3 employees. These scammers contact their victims using various methods, including email, phone calls, social media, and online forums.

One popular lure involves the scammers claiming to have recovered money that the victim has lost, or offering assistance to recovering lost money.

Some scammers create fake profiles of IC3 officials, such as a supposed “Chief Director” named “Jaime Quin,” to lend credibility to their claims. This persona is also active on social media, as some victims pointed out.

This “Quin” engages with victims via Telegram, telling them their funds have been recovered and can be returned, but only after gaining access to more personal and financial data. Of course, that data will then be used for further fraud.

Other recovery scammers will ask you to pay for their services up front or ask you to buy a “tool” they need for their work.

“As soon as you are ready to pay for the extractor software I will send you the Bitcoin wallet address you are to make payment so that we cab purchase the extractor software immediately and help you recover your funds back to you.”

Besides other direct payments, called recovery fees, processing fees, tax clearance, or compliance charges, the scammers will typically try to get hold of:

• Financial information like credit card details, bank account numbers, cryptocurrency wallet addresses, and private keys.
• Personal information like social security numbers, driver’s licenses or passports, login credentials, and answers to security questions.

How to recognize these scams

Scammers rely on the fact that victims of fraud are desperate. Here are some signs to look out for:

• Spoofed email addresses: Emails may appear to come from legitimate IC3 domains, such as support@ic3-gov.org, which closely resemble official addresses. Always check the sender’s email address for inconsistencies or misspellings.
• Urgent language: The messages will often create a sense of urgency, pressuring recipients to act quickly to recover lost funds or avoid penalties.  
• Requests for personal information: Scammers may ask for sensitive data, including Social Security numbers, bank account details, or login credentials. Don’t provide them. Legitimate organizations will not ask for sensitive information via email.
• Unsolicited attachments or links: Emails might contain attachments or links that, when clicked, can install malware or lead to phishing websites. Always check with the source in another way of communication whether they sent you an attachment, and hover over links to see their true destination before clicking.
• Report fraudulent and dubious emails: If you receive a dubious email claiming to be from the IC3, report it directly through the official IC3 website.

What an IC3 scam mail might look like

Based on the data we gathered from several sources, we asked an AI to create a mock scam email example.

This is not an actual email, but it does contain all the elements we were able to uncover about the IC3 impersonating scams.

“From: Jamie Quin j.quin@ic3-recovery.org

Subject: Recovery of Funds – Immediate Action Required

Date: April 22, 2025

To: [victim’s email address]

“Dear [Full Name],

This is to notify you that after a recent audit by the Federal Bureau of Investigation’s Internet Crime Complaint Center (IC3), we have identified your case as eligible for full recovery of lost funds stemming from your previous online fraud complaint (Case ID: #IC3-R2471982-Q2).

We are currently holding $48,762.14 USD in a secured escrow account, which was seized from an international cybercriminal operation. This amount corresponds with the losses you reported and is available for immediate disbursement upon verification.

To proceed with the recovery process, we require the following for identity confirmation and to ensure legal compliance:

• Full Legal Name
• Date of Birth
• Mailing Address
• Government-Issued ID (passport or driver’s license scan)
• Bank Account Details for Refund (IBAN or Routing Number)

Please send this information within 48 hours to prevent forfeiture under Section 45-C of the Electronic Fraud Recovery Act (2023).

This case is being handled with the utmost confidentiality by Jamie Quin, Chief Director, IC3 Bureau of Financial Recovery. You are advised not to discuss this matter with third parties to avoid compromising the investigation.

If you have any questions, contact my secure line at +1 (202) 555-8231 or reply directly to this email.

Sincerely,

Jamie Quin

Chief Director – Internet Crime Complaint Center

Federal Bureau of Investigation

Email: j.quin@ic3-recovery.org

Phone: +1 (202) 555-8231

CONFIDENTIAL – FOR RECIPIENT ONLY”

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Any app that hands over user data is a concern, but leaky dating apps are especially worrying given the sensitivity of the data involved. A relatively new app called Raw that aims to rewrite the rules of dating is the latest to trip over its coattails by exposing user data to…well, anyone who asked for it.

Launched in 2023, Raw is a dating app that aims to solve some of the traditional problems in online dating, including fake or egregiously touched-up photos, and ghosting (where one person goes silent on each other). The company’s app shares user locations and asks them to post daily photos of themselves to create a more authentic matching experience.

The service collects customer data including what you’d expect for a dating app, such as name, birth date, gender identity, and photos, along with your geolocation and IP address. It stores at least some of its data on servers in the US.

Its privacy policy tells people that it uses end-to-end encryption, or, according to its GenZ-speak on its consumer FAQ:

“Your information is cloaked in encryption and guarded like a princess in a castle by our devs. We don’t sell or share your info in any way – your privacy is a promise we don’t break.”

That text is in all caps on the site so the company’s intentions must be deadly serious, but unfortunately it didn’t follow through according to TechCrunch, which did some impressive sleuthing. The news site ran a copy of the app on a virtualized Android device, which is a copy of the Android operating system running in software. It created a new user account on the app, and watched what happened when another copy of the app requested that user’s profile data. The publication saw the server return the profile data without requiring any authentication.

Like most online services, Raw answers requests for data via an application programming interface (API). This is a service designed for software (in this case, its smartphone app) to request user profile data from its servers. The app does that by sending an 11-digit user ID to an online address.

TechCrunch worked out that anyone could grab information from a profile by accessing the API in a browser, and all they need is the 11-digit user ID. They could also vacuum lots of peoples’ data en masse by just changing the user ID numbers.

Raw hadn’t mentioned the issue on its site at the time of writing. CEO Marina Anderson told TechCrunch that the issue had been resolved and that regulators had been notified. The news site also reported that she hadn’t arranged for a third-party audit for the app.

The company has ambitions beyond better matches. It is planning to release a wearable device called the Raw Ring, with sensors that read wearers’ vital signs and an audio tracker that listens to them. Raw is marketing the Black Mirror-esque device as an anti-infidelity tool that “analyzes voice and emotional cues for changes that tell the real story”. The sign-up button to register your interest in the device urges you to “Join the Flirt-Free Zone”.

This idea gives us the chills even without the data leak, as there’s a long, dark history of surveillance tech online that those in controlling relationships can use to monitor their partners. Not only that, there are also many cases of such apps exposing peoples’ sensitive data.

The Raw Ring, which stores its data in the cloud, promises end-to-end data encryption, although the TechCrunch story gives us pause. We wonder how many people will wear this willingly after the company’s technological faux-pas?

We mailed Anderson and Raw with these and other questions. If they reply we’ll update this story.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Google has patched 47 vulnerabilities in Android, including one actively exploited zero-day vulnerability in its May 2025 Android Security Bulletin.

Zero-days are vulnerabilities that are exploited before vendors have a chance to patch them—often before they even know about them.

The May updates are available for Android 13, 14, and 15. Android vendors are notified of all issues at least a month before publication, however, this doesn’t always mean that the patches are available for all devices immediately.

You can find your device’s Android version number, security update level, and Google Play system level in your Settings app. You’ll get notifications when updates are available for you, but you can also check for them yourself.

For most phones it works like this: Under About phone or About device you can tap on Software updates to check if there are new updates available for your device, although there may be slight differences based on the brand, type, and Android version of your device.

If your Android phone shows patch level 2025-05-05 or later then you can consider the issues as fixed. The difference with patch level 2025-05-01 is that the higher level provides all the fixes from the first batch and security patches for closed-source third-party and kernel subcomponents, which may not necessarily apply to all Android devices.

Keeping your device as up to date as possible protects you from known vulnerabilities and helps you to stay safe.

The zero-day

The actively exploited zero-day patched with this update was flagged by Facebook in March and found in the FreeType library. FreeType is an open-source software library that Android devices use to display text by rendering fonts. In essence, it turns font files into the letters and characters that you see on your screen. It is designed to be small, fast, and flexible, supporting many font formats and used widely across billions of devices and applications.

The vulnerability, tracked as CVE-2025-27363, allows attackers to execute remote code (RCE) by exploiting how FreeType processes certain TrueType GX and variable font files. Because FreeType mishandles values in the device’s memory, it creates an out-of-bounds write vulnerability. When a program accesses memory outside its allocated area—either by reading or writing beyond the bounds—it can cause crashes, run arbitrary code, or expose sensitive information. This happens when the data size exceeds the allocated memory, when data writes target incorrect memory locations, or when the program miscalculates data size or position.

FreeType versions newer than 2.13.0 fix this vulnerability. Since FreeType operates as a native library embedded within system components that render fonts, typical Android users cannot easily check which version their device uses. Therefore, the best defense is to install the latest system updates and run active anti-malware protection.

Facebook warned that attackers “may have exploited the vulnerability in the wild,” and Google confirmed the vulnerability “may be under limited, targeted exploitation,” though neither disclosed further details.

It’s reasonable to assume that simply opening a document or app containing a malicious font could compromise your device—without requiring any additional user action or permissions.

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

This week on the Lock and Code podcast…

“Heidi” is a 36-year-old, San Francisco-born, divorced activist who is lonely, outspoken, and active on social media. “Jason” is a shy, bilingual teenager whose parents immigrated from Ecuador who likes anime, gaming, comic books, and hiking.

Neither of them is real. Both are supposed to fight crime.

Heidi and Jason are examples of “AI personas” that are being pitched by the company Massive Blue for its lead product, Overwatch. Already in use at police departments across the United States, Overwatch can allegedly help with the identification, investigation, and arrest of criminal suspects.

Understanding exactly how the technology works, however, is difficult—both Massive Blue and the police departments that have paid Massive Blue have remained rather secretive about Overwatch’s inner workings. But, according to an investigation last month by 404 Media, Overwatch is a mix of a few currently available technologies packaged into one software suite. Overwatch can scan social media sites for alleged criminal activity, and it can deploy “AI personas”—which have their own social media accounts and AI-generated profile pictures—to gather intelligence by chatting online with suspected criminals.

According to an Overwatch marketing deck obtained by 404 Media, the software’s AI personas are “highly customizable and immediately deployable across all digital channels” and can take on the personalities of escorts, money launderers, sextortionists, and college protesters (who, in real life, engage in activity protected by the First Amendment).

Despite the variety of applications, 404 Media revealed that Overwatch has sparked interest from police departments investigating immigration and human trafficking. But the success rate, so far, is non-existent: Overwatch has reportedly not been used in the arrest of a single criminal suspect.

Today, on the Lock and Code podcast with host David Ruiz, we speak with 404 Media journalists and co-founders Emanuel Maiberg and Jason Koebler about Overwatch’s capabilities, why police departments are attracted to the technology, and why the murkiness around human trafficking may actually invite unproven solutions like AI chatbots.

 ”Nobody is going to buy that—that if you throw an AI chatbot into the mix, that’s somehow going to reduce gun crime in Americ,” Maiberg said. “But if you apply it to human trafficking, maybe somebody is willing to entertain that because, well, what is the actual problem with human trafficking? Where is it actually happening? Who is getting hurt by it? Who is actually committing it?”

He continued:

“Maybe there you’re willing to entertain a high tech science fiction solution.”

Tune in today to listen to the full conversation.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

Last week on Malwarebytes Labs:

• On world password day, Microsoft says fewer passwords, more passkeys
• Apple AirPlay SDK devices at risk of takeover—make sure you update
• The 3 biggest cybersecurity threats to small businesses
• Zero-day attacks on browsers and smartphones drop, says Google
• Fake Social Security Statement emails trick users into installing remote tool
• Digital rampage saw ex-Disney employee remove nut allergy info from menus, dox co-workers, and more
• What privacy? Perplexity wants your data, builds browser to track you and serve ads
• Employee monitoring app exposes users, leaks 21+ million screenshots

Last week on ThreatDown:

• Where malware likes to hide the most
• Ransomware in March 2025

Stay safe!

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

And we agree. If there is a cybersecurity themed day that we would like to get rid as soon as possible it’s world password day. Sorry, old friend, but you’re outdated, and it looks like your days are numbered. Let’s switch to passkeys.

To quote Microsoft:

“As the world shifts from passwords to passkeys, we’re excited to join the FIDO Alliance in leaving World Password Day behind to celebrate the very first World Passkey Day.”

In 2013, Intel introduced World Password Day to remind people of the importance of strong passwords. But over time, the number of passwords we use, and the necessary strengths have grown so much that the system has become practically unusable without a password manager. So, only a few years later, Microsoft introduced Windows Hello, a new way for users to securely sign in to their accounts with their face, fingerprint, or PIN.

For several good reasons we want to say goodbye to passwords, especially for the important sites and services. Passwords are:

• Hard to create
• Easy to forget
• Often reused across sites
• Vulnerable to hacking techniques like brute-force attacks and phishing.

The alternative: passkeys

Passkeys are an alternative, more modern authentication method designed to replace passwords with a safer, simpler alternative. Despite their clear advantages, many people hesitate to switch to passkeys due to unfamiliarity and misconceptions. This blog post will try to explain what passkeys are, how to use them, and why they are better than passwords, helping you embrace this next step in online security.

A passkey is a digital credential that replaces traditional passwords by using cryptographic keys stored locally, and securely, on your device, such as your phone or computer.

At your demand, a program on your device will create a passkey automatically when you set up an account or enable a passkey login. Basically, it’s a unique key that identifies you without ever leaving your device.

When you log in with a passkey, your device proves you are the legitimate user by using the passkey to solve a challenge without actually providing the passkey itself. As with passwords, it’s a way to prove you know the answer and with that who you are. But the difference is that, unlike passwords, passkeys can’t be stolen by fake or malicious websites.

OK. I heard some sighs in the back from the I-know-this-already crowd. There are plenty of technical explanations to be found. Feel free to try explaining cryptographic public and private keys to the people you do tech support for.

Because passkeys are tied to your device and cannot be shared or stolen like passwords, they offer a safer login experience.

It’s not hard to use passkeys. Really!

Using passkeys is straightforward and really not that hard:

• Create a passkey: When you sign up or log into a website or app that supports passkeys, the system prompts you to create one. Your device automatically generates the cryptographic keys. This means there is truly no need to struggle with inventing a complicated 12-character password that meets confusing requirements for a site you might never use again. Your device does all the work.
• Log in: Instead of typing a password, unlock your device using biometrics or a PIN. Your device then securely verifies your identity and tells the site or service it can trust you, without ever sending sensitive secrets over the internet.
• Sync across devices: You can securely sync passkeys across your devices using encrypted cloud services or password managers. This lets you log in effortlessly from multiple devices and prevents the hassle of losing access if your device goes missing.

Having to create and memorize hundreds of complex, unique passwords is difficult and stressful. Passkeys remove this burden entirely. You don’t need to create anything or remember a lot. The authentication process is as simple as unlocking your device.

And it’s faster. Microsoft has seen that on average passkey sign-ins to their services take only 8 seconds, compared with 69 seconds to sign in using a traditional password and second factor. 

Common misconceptions

Many people shy away from using passkeys for the wrong reasons.

• Your biometrics, like fingerprints or facial scans are not stored externally, the site you’re visiting never gets to see them. They are just meant for your device to verify it’s really you.
• Using passkeys is not complicated as we explained above. Sure, the theory behind it is, but the user-experience may actually be simpler than password creation and management.
• You are not losing the extra layer of 2FA security you set up for important sites and services. Passkeys inherently support two-factor authentication (2FA) without extra steps, since possession of your device plus biometric or PIN verification is required.

There are downsides

I have to be honest here. Some things are not ideal yet. But as we move forward and more people start using passkeys, these will improve soon enough.

As I hinted earlier, losing your device can pose a problem, since your key got lost along with it, unless you synchronize it. This is a problem that’s actively being worked on.

Many websites and services also don’t support passkeys yet. Developers and service providers are actively working to make passkey adoption smoother and more widespread, so you will see more websites and apps supporting passkeys soon.

Not every passkey system is equal. Due to the history of their development which is still ongoing, there are currently multiple flavors of passkey. These range from device-bound and physical token passkeys (that never leave the device) to synchronized passkeys that offer the option to use a device’s Credential Manager to back up and synchronize passkeys across the user’s other devices. This can confuse or frustrate users who just want the authentication to work, without having to worry about the nuances of the underlying technology. Industry groups (including the FIDO Alliance and W3C) are working on standards, guides, and tools to improve this situation for developers and users.

Give it a try

It doesn’t take a lot of effort to convince yourself of the benefits of passkeys.

Passkeys are created on, saved to, and synchronized across devices through a password manager. For example, passkeys created on a website on Chrome on Android are stored to the Google Password Manager by default, and then synchronized to different environments where Google Password Manager is available, such as Chrome on macOS, Windows, Linux, and ChromeOS. It’s up to the user which password manager to store a passkey to or to authenticate a passkey from depending on the environment.

To save a passkey to Google Password Manager, ensure you’re signed into your Google Account on an eligible device (Android, Chrome, or other supported platforms). When prompted by a website supporting passkeys, agree to create a passkey and follow the on-screen instructions.

MacOS allows you to save passkeys either in Google Password Manager or iCloud Keychain if you’re using macOS 13.5 or higher.

• Try passkeys today: Look for websites and apps that offer passkey login options and give them a try. You’ll likely find the experience faster and easier than passwords.
• Educate yourself and others: Share what you learn about passkeys with friends and family, especially those who find passwords confusing or frustrating.
• Advocate for passkey support: Encourage your favorite sites and services to support passkeys to help make the internet safer for everyone.
• Use secure device authentication: Enable biometrics or PINs on your devices to fully benefit from passkey security.

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

Researchers found a set of vulnerabilities in Apple’s AirPlay SDK that put billions of users at risk of their devices being taking over.

AirPlay is Apple’s proprietary wireless technology that allows you to stream audio, video, photos, and even mirror your device’s screen from an iPhone, iPad, or Mac to other compatible devices like Apple TV, HomePod, smart TVs, or speakers. It works over Wi-Fi, so you don’t need cables.

Apple added the necessary updates on April 28 to the March 31 update. The update—iOS 18.4 and iPadOS 18.4—was initially issued on March 31, but the additional security fixes were delivered through Rapid Security Responses, or minor patches that Apple incorporated after the initial release. Rapid Security Response (RSR) is a type of software patch delivering security fixes between Apple’s regular, scheduled software updates.

The good news is if you installed the March 31 update, you should be fine. Otherwise, check manually if any updates are available.

To check if you’re using the latest software version, go to Settings > General > Software Update. You want to be on iOS 18.4.1 or iPadOS 18.4.1, so update now if you’re not. It’s also worth turning on Automatic Updates if you haven’t already. You can do that on the same screen.

• The latest version of macOS is 15.4.1. Learn how to update the software on your Mac and how to allow important background updates.
• The latest version of tvOS is 18.4.1. Learn how to update the software on your Apple TV.
• The latest version of watchOS is 11.4. Learn how to update the software on your Apple Watch.
• The latest version of visionOS is 2.4.1. Learn how to update the software on your Apple Vision Pro.

The AirPlay SDK (Software Development Kit) is a set of programming tools Apple provides to app developers to integrate AirPlay functionality into their apps. Using the AirPlay SDK, developers can add features that allow their apps to stream audio or video content wirelessly to AirPlay-compatible devices. This makes apps “AirPlay-ready” by handling the streaming and control behind the scenes.

Combining vulnerabilities allows an attacker on the local network to potentially take control of devices that support AirPlay—both Apple devices and third-party devices that leverage the AirPlay SDK.

Apple released updates to fix the vulnerabilities on April 29 for members of the Apple MFi Program, who are developers of Apple-compatible accessories or software.

The researchers who found and reported these flaws warn they can be exploited without any user interaction—or with just a single click—to execute remote code. Attackers could also use them for man-in-the-middle interceptions, denial-of-service disruptions, and to bypass access controls and user prompts. On top of that, these vulnerabilities may allow unauthorized access to sensitive data and local files, making them a serious risk that demands immediate attention.

Technical details

In total, the researchers responsibly disclosed 23 vulnerabilities to Apple, leading to 17 CVEs being issued. A complete list and description of these CVEs, as well as specific attack scenarios they enable, can be found on their blog.

The most important vulnerabilities are:

CVE-2025-24252: Successful exploitation of the use-after-free vulnerability could allow a remote attacker to execute arbitrary code. When exploited together with CVE-2025-24206, the attacker is able to perform zero-click remote code execution on other vulnerable AirPlay-enabled devices in the same network, without any user interaction. The vulnerability has a Common Vulnerability Scoring System (CVSSv3.1) score of 9.8 out of 10.

CVE-2025-24206: Successful exploitation of the vulnerability could allow an attacker to bypass authentication and conduct malicious activities without user interaction when exploited with other vulnerabilities.

CVE-2025-24132: Successful exploitation of the stack-based buffer overflow vulnerability could allow an attacker to perform zero-click remote code execution on vulnerable AirPlay SDK devices and potentially leak sensitive information by eavesdropping.

That the attacker does need to be on the same network, but exploitation require minimal to no interaction of the target.

Possible protective actions

These depend very much on the types of devices you are using, so I will try to give some general guidance and the reasons behind them.

• As we said above, make sure your devices are fully updated
• Use up-to-date and active malware protection
• Disable AirPlay if you’re not using it, or set it to Ask as a minimum

• Disable AirPlay Receiver if it is not in use.
• Be extra careful on public networks. This vulnerability could theoretically spread in airports, offices, hotels, or conferences where many Apple devices are in close proximity. In such cases, avoid using unsecured Wi-Fi.
• Restrict AirPlay settings: Change the Allow AirPlay for to Current User. While this does not prevent all of the issues, it does reduce the protocol’s attack surface.

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.