Malware Bytes Security
Your 23andMe genetic data could be bought by China, senator warns
Senator Cassidy, the chair of the US Senate Health, Education, Labor, and Pensions Committee has expressed concerns about foreign adversaries, including the Chinese Communist Party, acquiring the sensitive genetic data of millions of Americans through 23andMe.
The risk is considered real because of the impending takeover of the genetic database that belongs to 23andMe. Since the DNA testing company 23andMe filed for bankruptcy it has been looking for a new owner, and views its genetic data as an asset in the possible sale.
An asset that Senator Cassidy fears could do a lot of harm in the wrong hands, as he wrote in a letter to Treasury Secretary Scott Bessent:
“The recent bankruptcy filing by 23andMe raises questions about potential buyers of its genetic database that contains the information of approximately 15 million customers. Chinese companies have already taken steps to collect genetic data across the world that could be used for adverse purposes.”
The Department of the Treasury, through the Committee on Foreign Investment in the United States (CFIUS), has broad authority to review transactions that may impact the national security of the United States.
23andMe tried to reassure customers that:
“Any buyer of 23andMe will be required to agree to comply with our privacy policy and with all applicable law with respect to the treatment of customer data.”
However, the senator fears that the company and its assets will be sold to the highest bidder which will put the information of its approximately 15 million customers at risk of falling into the wrong hands. For this reason he has asked 23andMe to answer a number of questions about the sales process, the supervision of the transfer, the ability of customers to delete their data, and the effect of the bankruptcy on 23andMe’s cybersecurity infrastructure.
For those that missed our tips the last time, I’ll repeat them here.
How to delete your 23andMe data
For 23andMe customers who want to delete their data from 23andMe:
- Log into your account and navigate to Settings.
- Under Settings, scroll to the section titled 23andMe data. Select View.
- You will be asked to enter your date of birth for extra security.
- In the next section, you’ll be asked which, if there is any, personal data you’d like to download from the company (onto a personal, not public, computer). Once you’re finished, scroll to the bottom and select Permanently delete data.
- You should then receive an email from 23andMe detailing its account deletion policy and requesting that you confirm your request. Once you confirm you’d like your data to be deleted, the deletion will begin automatically, and you’ll immediately lose access to your account.
In 2023, 23andMe suffered a data breach that impacted up to seven million people. Found being sold on the dark web, the data reportedly included “profile and account ID numbers, names, gender, birth year, maternal and paternal genetic markers, ancestral heritage results, and data on whether or not each user has opted into 23AndMe’s health data.”
With the data, cybercriminals could learn about a person’s genealogy and potentially use some of the information to aid them in committing identity fraud.
There is no meaningful way to remove this data from the dark web. Instead, we recommend that you run a scan using our free Digital Footprint Portal to see if your data was exposed in the 2023 breach, and then to take additional steps to protect yourself.
We don’t just report on threats – we help safeguard your entire digital identity
Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.
WhatsApp for Windows vulnerable to attacks. Update now!
In a security advisory, Meta has disclosed a vulnerability that allowed an attacker to run arbitrary code on a user’s system that existed in all WhatsApp versions before 2.2450.6.
WhatsApp offers a desktop application for Windows and macOS, which users can synchronize with their mobile devices. Desktop versions of WhatsApp are generally used as extensions of the mobile apps rather than as primary platforms, so while these apps are widely used, their adoption rate is likely significantly lower than that of the mobile platforms.
WhatsApp has over 3.14 billion monthly active users as of January 2025, with 73% using Android and 22% using iOS. Using WhatsApp on your desktop offers some advantages that users might appreciate. My excuse is that I can type faster on my laptop and I can make better screenshots of my conversations.
If you use WhatsApp for Windows, you should update as soon as you can.
How to update WhatsApp for Windows
You can find the current version of your WhatsApp for Windows by clicking on the Settings (gear symbol) > Help.
If your version number is lower than 2.2450.6, install a new version by following these steps:
- Click the Start menu and search for Microsoft Store to open it.
- In the Microsoft Store, click on Library located at the bottom left corner.
- Scroll through the list or use the search bar to find WhatsApp Desktop.
- Click on Get Updates or look for an Update button next to WhatsApp Desktop. If an update is available, it will appear here.
- Click the Update button to download and install the latest version of WhatsApp Desktop.
- Once the update is complete, restart the application to ensure all changes are applied.
My WhatsApp was already up to date because I have automatic updates turned on. This is how to have Microsoft Store on Windows install app updates automatically:
- Select Start, then search for and select Microsoft Store.
- In the Microsoft Store app, select Profile (your account picture) > Settings.
- Make sure App updates is turned On.
The vulnerability tracked as CVE-2025-30401 is described by Meta as:
“A spoofing issue in WhatsApp for Windows prior to version 2.2450.6 displayed attachments according to their MIME type but selected the file opening handler based on the attachment’s filename extension. A maliciously crafted mismatch could have caused the recipient to inadvertently execute arbitrary code rather than view the attachment when manually opening the attachment inside WhatsApp.”
In other words, it was possible for a sender to disguise the true nature of their attachment by changing the file extension to something harmless, like a jpeg, when in reality it was a malicious file that would be opened with the program the receiver had set as default for such a file.
In the past we’ve seen this used against users who have Python installed on their systems. People were sent a Python or PHP script as an attachment, which would be executed without any warning if the receiver opened it.
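The mismatch Meta describes can be caught on the receiving side before an attachment is handed to any handler. The Python below is an added example written for this post, not WhatsApp’s code: it compares the sender’s declared MIME type, the type implied by the filename extension, and the type suggested by the file’s leading bytes, and refuses to open the attachment when they disagree. The magic-number table, the executable-extension list and the sample attachments are assumptions constructed for the example.

```python
import mimetypes
from dataclasses import dataclass

# Leading bytes (magic numbers) of a few common attachment formats, used to
# sniff what the content actually is, independent of its name or declared type.
MAGIC = {
    "image/jpeg": b"\xff\xd8\xff",
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/gif": b"GIF8",
    "application/pdf": b"%PDF-",
}

# Extensions whose default Windows handler runs the file instead of showing it
# (illustrative list, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".bat", ".cmd", ".ps1", ".py", ".php", ".js", ".vbs", ".scr"}


@dataclass
class Attachment:
    filename: str        # name chosen by the sender (drives the handler choice)
    declared_mime: str   # MIME type chosen by the sender (drives the preview)
    data: bytes          # file content


def extension_of(filename: str) -> str:
    """Last extension, lower-cased, as a handler lookup would see it."""
    dot = filename.rfind(".")
    return filename[dot:].lower() if dot != -1 else ""


def sniff_mime(data: bytes):
    """Guess the real type from the first bytes; None if unrecognised."""
    for mime, signature in MAGIC.items():
        if data.startswith(signature):
            return mime
    return None


def check_attachment(att: Attachment) -> list:
    """Return reasons to block or warn; an empty list means name, declared type and content agree."""
    problems = []
    ext = extension_of(att.filename)
    ext_mime, _ = mimetypes.guess_type(att.filename)  # type implied by the extension
    sniffed = sniff_mime(att.data)

    if ext in EXECUTABLE_EXTS:
        problems.append(f"extension {ext} is handed to an interpreter or executor")
    if ext_mime is None:
        problems.append(f"unknown or missing extension {ext!r}")
    elif ext_mime != att.declared_mime:
        problems.append(f"declared type {att.declared_mime} does not match extension type {ext_mime}")
    if sniffed is not None and sniffed != att.declared_mime:
        problems.append(f"content starts like {sniffed}, not {att.declared_mime}")
    return problems


def may_open(att: Attachment) -> bool:
    """Policy: open only when every check agrees."""
    return not check_attachment(att)


if __name__ == "__main__":
    # Constructed samples: a genuine JPEG, and a file previewed as an image
    # (declared image/jpeg) whose name sends it to the .exe handler.
    genuine = Attachment("holiday.jpg", "image/jpeg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)
    disguised = Attachment("holiday.jpg.exe", "image/jpeg", b"MZ" + b"\x00" * 16)
    for att in (genuine, disguised):
        print(att.filename, "->", check_attachment(att) or "consistent")
```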
We don’t just report on threats—we remove them
Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.
Man accused of using keylogger to spy on colleagues, log in to their personal accounts and watch them at home
When you next type something sensitive on your computer keyboard, be sure that no one else is watching. A recent case of alleged cyber-voyeurism shows how important it is to secure your computer against unwanted eavesdroppers using malware.
In a class action lawsuit, six women have accused pharmacist Matthew Bathula of invading their privacy by spying on them at work and at home.
According to the lawsuit, Bathula is alleged to have planted spyware on at least 400 computers in clinics, treatment rooms, and labs at the University of Maryland Medical Center where he worked. Bathula is said to have installed a keylogger. This software monitors what a user types on a keyboard without their knowledge, relaying it back to the keylogger’s owner.
The lawsuit claims that this gave Bathula login credentials for the victims’ personal accounts and systems, including bank accounts, emails, home surveillance systems, Dropbox accounts, Google Drives, dating applications, Google Nests, and iCloud accounts.
This access enabled Bathula to download the victims’ personal information, including their private photographs and videos, the class action asserts, adding that he also used his access to systems both at home and at work to spy on the victims in real time.
He used webcams installed on work computers for telehealth sessions to spy on new mothers pumping milk at work, and did the same through their home webcams.
Bathula allegedly spied on victims with their children at home, and also watched them undressing and being intimate with partners. He is said to have disabled the cameras’ operating lights so that victims could not see they were being viewed.
How to protect yourself
Bathula has not thus far been charged with a crime. The anonymous women, who first became aware of the issue when the FBI contacted them, are suing their employer, University of Maryland Medical Systems, for “failure to take reasonable, readily available measures to protect its employees.”
But spyware is a threat for people outside the workplace too. What should you do to protect yourself from someone logging your keystrokes? Here are some tips.
Keep your software up to date. Some spies manually install keyloggers on target computers, but others use malware to install it remotely. Malware droppers frequently take advantage of known vulnerabilities in older versions of operating system and application software. They exploit these security holes to install their malware. You can minimize these loopholes by constantly keeping your software up to date.
Install anti-malware protection. Anti-malware protection works at the lowest level of the operating system to check on the software applications that it’s running and watch for suspicious or known malicious activity.
Watch where you download from. Software downloaded from unofficial sites – especially pirated software – often comes with unwelcome additions including keyloggers and other spyware.
Don’t reuse passwords. People often use the same password across multiple accounts for convenience. This is not a good idea. If a keylogger reads one password, its owner can try the same credentials on your other accounts. According to the lawsuit, Bathula harvested passwords from the workplace keylogger and used them to hijack personal accounts that victims hadn’t accessed at work.
Use a password manager. Another way to prevent a keylogger from reading your passwords is not to type them in. Instead, you can use a trusted password manager that will auto-fill password fields on login pages for you.
Use multi-factor authentication. Where online accounts support it, use two authentication methods to log in. Your password is one such method, but many use an authenticator app on their phone that provides an extra code to type in. Because that code changes all the time, an attacker won’t be able to use it to enter your account in future. For even more security against keyloggers, some accounts now support the use of hardware-based passkeys that don’t require you to type in a code at all.
Protect your webcam. Another layer of defense is to protect your webcam and microphone. Some come with security shutters, while for others, a Post-It will do. If Mark Zuckerberg covers up his camera, it’s probably a good sign that we should too, while using a microphone with a physical off switch – or at least covering your laptop one tightly with tape – can protect your audio. If someone does gain access to your webcam, at least it won’t reveal your secrets.
As with all layers of protection, these defensive measures are best used in conjunction with each other. The more difficult you make it for an attacker to spy on you, the less likely they are to succeed.
72% of people are worried their data is being misused by the government, and that’s not all…
Bad vibes are big news in privacy right now, with the public feeling isolated in securing their sensitive information from companies, governments, AI models, and scammers.
That’s the latest from Malwarebytes research conducted this month, which revealed that the vast majority of people are concerned about wrongful data access from nearly every corner of their lives. For example, 89% of people “agreed” or “strongly agreed” that they are “concerned about my personal data being used inappropriately by corporations,” and another 72% agreed or strongly agreed that they are “concerned about my personal data being accessed and used inappropriately by the government.”
The anxieties are easy to trace.
In just the first three months of 2025, the UK government asked Apple for access to encrypted cloud storage for users across the globe, the US government exposed active Social Security Numbers in releasing files related to the assassination of former President John F. Kennedy, and the announced bankruptcy of genetic testing company 23andMe prompted many customers to delete their data.
Against this backdrop, many users are taking privacy into their own hands. More than 40% of people have stopped using either TikTok, Instagram, or X (formerly Twitter), and 26% stopped using a fertility or period tracking app. A robust 75% said they “opt out of data collection, as possible,” and 23% have gone a step further, using a data removal service to help clean up any personal information that is easily found online.
These findings come from a pulse survey that Malwarebytes conducted of its newsletter readers in March via the Alchemer Survey Platform.
Broadly, Malwarebytes found that:
- 89% of people are “concerned about my data being used by AI tools without my consent.”
- 70% of people “feel resigned that my personal data is already out there, and I can’t get it back.”
- 77% of people said that “many online transactions today, from purchases to downloads to creating new accounts, feel like ploys to take my data.”
- While 87% of people “support national laws regulating how companies can collect, store, share, or use our personal data,” 60% feel that “we will never have simple, meaningful ways to protect our data.”
- To protect their personal information and that of their family, at least 40% of people have stopped using Instagram, TikTok, and X (formerly Twitter).
- 26% of people stopped using a fertility app or period tracking app.
The public believe that the biggest threats to their privacy right now are AI models, companies, governments, and, well, pretty much every single interaction they have with the internet at large.
Aside from the 89% of people concerned about their data being “accessed and used inappropriately by the government,” another 50% said they were concerned about wrongful government access of their “private conversations.”
Elsewhere, an astounding 89% of people said that they are “concerned about my data being used by AI tools without my consent.” It is unclear exactly where these fears lie. People may be concerned that AI tools are scraping public websites for their information—like the facial recognition company ClearView AI does by scouring articles, mugshot websites, and publicly listed social media profiles—or they may fear that tools like ChatGPT and Google’s Gemini are recording “conversations” or questions for future use.
Exacerbating these concerns is, likely, the current murkiness around AI technology and what it requires to function. The New York Times is currently suing OpenAI for allegations that its large language model wrongfully ingested the outlet’s copyrighted articles as training data, human contractors that helped train the AI recognition systems for Roomba vacuums mistakenly leaked sensitive photos on Facebook, and a national mental health support chatline siphoned off some of its users’ conversations to train an AI-powered customer support chatbot in an effort to boost funding.
But it isn’t just AI that the public distrust, it’s also the many ways they’re forced to engage with the internet, overall, as 77% agreed or strongly agreed that “many online transactions today, from purchases to downloads to creating new accounts, feel like ploys to take my data.”
They may have a point. Downloading a mobile game can reveal your location data to countless ad companies, searching for airline tickets on a Mac device can force you into paying higher prices, and buying a car can subject your sex life—seriously—to data collection. And these are the largely legal consequences of everyday life! Real-deal cybercriminal campaigns like “malvertising,” that abuse Google search results to direct victims to malicious websites, only make matters worse.
Amidst this landscape, the public broadly agreed that they wanted privacy protections that, unfortunately, they feel no one is going to grant them.
A full 87% of people “support national laws regulating how companies can collect, store, share, or use our personal data,” while 70% also believe “we will never have simple, meaningful ways to protect our data.”
So, in the absence of legal or corporate protections, the public are taking matters into their own hands.
Individual action
The dire privacy concerns shared by many respondents have, for the most part, not resulted in privacy nihilism. In fact, a heartening 60% of respondents did not agree that they have “become less vigilant about my data privacy and security because there is little I can do these days.”
Instead, as Malwarebytes found, many people have started disengaging from major online platforms and adding privacy-conscious tools and habits to their daily regimen.
For instance, to protect their and their family’s personal information, 47% of people said they “stopped using TikTok,” 45% said they “stopped using X” (formerly Twitter), 44% said they “stopped using Instagram,” and 37% said they “stopped using Facebook.” Another 26% said they “stopped using a fertility/period tracking app.”
Elsewhere, 69% of people said they “use an ad blocker for online browsing,” and 75% of people “opt out of data collection, as possible.” Another 42% said they use a VPN, which can provide an extra level of comfort by encrypting all web traffic when connecting to public or unknown Wi-Fi networks.
Malwarebytes also found that 69% of respondents said they use “multifactor authentication,” or MFA. MFA is one of the strongest security protections against account takeovers and hacking, requiring that login attempts aren’t approved with just a username and password, but with a separate piece of information, like a one-time passcode that is texted to a user’s device. Though understood as a cybersecurity best practice, MFA also strengthens a user’s privacy. After all, thieves don’t hack into accounts just for fun—they hack into accounts to sometimes steal any sensitive information stored within.
Finally, a smaller percentage of people said they use identity theft protection solutions (43%) and personal data removal services (23%). These are critical tools for catching and stopping identity theft, and for making it harder for scammers to find and target victims.
Malwarebytes understand that privacy isn’t “easy” right now—it never necessarily has been—but that doesn’t mean it’s time to give up. Thankfully, many people responded that, despite their serious concerns, they aren’t about to take corporate and government privacy invasions willingly. That’s the type of attitude that the public needs more than ever, and we’re grateful to see it.
Tax deadline threat: QuickBooks phishing scam exploits Google Ads
The pressure of the looming tax filing deadline (April 15th in the US) can make anyone rush online tasks. Cybercriminals are acutely aware of this increased activity and are exploiting trusted platforms like Google to target Intuit QuickBooks users.
By purchasing prominent Google Ads, they are creating highly convincing fake login pages designed to pilfer sensitive information, including usernames, passwords, and even one-time passcodes (OTPs) – the keys to someone’s financial data needed for tax compliance.
Understanding this deceptive tactic is the first step in protecting yourself from falling victim.
Brand impersonation: from Google ad to phishing page
Accounting and tax preparation software has traditionally been a common lure for scammers, particularly those related to online support operating out of large call centres in India and surrounding areas.
Late last year, we documented a fraudulent QuickBooks installer that was laced with malware and generated a fake pop-up to trick users into calling for assistance.
This time, the attack is even more dangerous as it goes after victims’ login credentials for QuickBooks. It starts from a Google search, showing an ad that impersonates Intuit’s branding for “QuickBooks Online”.
This leads to a fraudulent website that is essentially a lookalike.
Domain Name: QUICCKBOORKS-ACCCOUNTING .COM
Registrar URL: https://www.hostinger.com
Creation Date: 2025-04-07T01:44:46Z
Unbeknownst to victims, the sign-in page is actually a phishing portal that will steal account credentials in real-time and leak them to the criminals behind this scheme.
One-time passcode workaround
Passwords alone offer a limited level of security because they can be easily guessed, stolen through phishing, or compromised in data breaches. It is highly recommended to enhance account protection by enabling a second form of authentication like one-time passcodes sent to your device or utilizing a 2FA app for an extra layer of verification.
Phishing kits have evolved to become increasingly sophisticated, with some now capable of circumventing one-time passcodes and 2FA. These kits often employ “man-in-the-middle” or “adversary-in-the-middle” (AiTM) techniques.
When a victim enters their credentials and the one-time passcode on a fake login page created by the phishing kit, this information is intercepted in real-time and relayed to the attacker. The attacker can then use these stolen credentials and the valid one-time passcode to log in to the victim’s account before the passcode expires.
Conclusion
Cybercriminals often intensify their efforts to target accounting software like QuickBooks during or around tax season, hoping to capitalize on the increased volume of financial transactions and the time-sensitive nature of tax preparations.
Deceptive Google ads can be designed to closely resemble legitimate QuickBooks search results, leading unsuspecting users to fake login pages that harvest their credentials, financial data, or even install malware.
OTP and 2FA still significantly increase security against a vast majority of attacks, especially automated attempts and less sophisticated phishing, making them essential layers of protection when used on authentic platforms.
However, even with the added security of one-time passcodes and 2FA, these measures are rendered ineffective if the initial login occurs through a malicious website reached via a deceptive ad.
Therefore, it is critical to access your QuickBooks account and conduct all sensitive activities directly through the official Intuit QuickBooks website or application, carefully verifying the URL.
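Part of “carefully verifying the URL” can be automated before a sign-in page is ever loaded. The Python below is an added example, not Malwarebytes’ or Intuit’s code: it flags lookalike hosts of the two kinds this campaign relies on, typo-squats that sit within a couple of edits of the brand name, and hosts that put a legitimate name in front of an unrelated registrable domain. The allowlist of official hosts and the sample URLs are assumptions constructed for the example; the registrable-domain helper is deliberately naive.

```python
from urllib.parse import urlsplit

# Assumed allowlist of hosts a QuickBooks user should sign in on (example values;
# maintain such a list from vendor documentation, never from search results or ads).
OFFICIAL_HOSTS = {"quickbooks.intuit.com", "accounts.intuit.com", "intuit.com"}
BRAND_TOKENS = ("quickbooks", "intuit")
MAX_EDITS = 2   # how far a label may stray from the brand and still count as a lookalike


def levenshtein(a: str, b: str) -> int:
    """Edit distance: minimum insertions, deletions and substitutions turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def hostname(url: str) -> str:
    """Host part of a URL, lower-cased; bare hosts without a scheme are accepted too."""
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """Naive owner-level domain: the last two labels. Production code should use the Public Suffix List."""
    return ".".join(host.split(".")[-2:])


def classify(url: str) -> str:
    """'official', 'unrelated', or a 'lookalike: ...' explanation."""
    host = hostname(url)
    if host in OFFICIAL_HOSTS:
        return "official"
    reg = registrable_domain(host)

    # Decoy pattern: the brand (or even the whole official host) appears in a
    # subdomain while the registrable domain belongs to someone else.
    for token in BRAND_TOKENS:
        if token in host and token not in reg:
            return f"lookalike: {token} used as decoy in front of {reg}"

    # Typo-squat pattern: a hyphen-separated chunk of the registrable label is
    # the brand itself or within MAX_EDITS of it (extra or swapped letters).
    for chunk in reg.split(".")[0].split("-"):
        for token in BRAND_TOKENS:
            d = levenshtein(chunk, token)
            if d == 0:
                return f"lookalike: brand name on unofficial domain {reg}"
            if d <= MAX_EDITS:
                return f"lookalike: {chunk!r} is {d} edit(s) from {token!r}"
    return "unrelated"


if __name__ == "__main__":
    # Constructed URLs modelled on the patterns described above.
    for url in ("https://quickbooks.intuit.com/app/login",
                "https://quicckboorks-acccounting.example/signin",
                "http://quickbooks.intuit.com.tax-login.example/",
                "https://example.org/"):
        print(f"{url:50} {classify(url)}")
```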
Malicious QuickBooks domains
Google AI taken for a ride by April Fools’ Day joke
Cwmbran in Wales, a town with a population of just under 50,000, holds the Guinness World Record for the most roundabouts—at least according to Google AI Overviews.
Except that’s not actually true…
Ben Black has been publishing lighthearted fake stories on April Fools’ Day for his community news site Cwmbran Life since 2018. The April Fools include the erection of a Hollywood-style sign on a mountain, and the creation of a nudist cold-water swimming club at a lake.
In 2020, Black published a fake story saying Cwmbran had been recognized by Guinness World Records for having the highest number of roundabouts per square kilometer.
He fabricated a random number of roundabouts, added a quote from a fictitious resident, and clearly stated that the “news” was an April Fool’s Day joke several hours later.
So it came as quite a surprise when Black discovered that Google AI Overviews picked up this story as real news recently.
The thing about April Fools’ Day is that it is treated very differently to every other day online. Normal news outlets publish deliberately fake news stories and we, as people with knowledge of April Fools’ Day, can use that to assess whether something is true. Google AI obviously didn’t get that memo.
As Black said:
“It’s not a dangerous story, but it shows how fake news can easily spread even if it’s from a trusted news source.”
Google AI Overviews has been under scrutiny since testing last year after generating false information, including advising people on the minimum required pebbles to eat in a day or using gasoline to cook spaghetti faster.
Black decided not to publish an April Fools’ prank this year due to his busy schedule and his recent experience with Google, which has made him hesitant about future pranks.
We feel similar about online pranks coming from us, a cybersecurity company that you can trust, so we opted out of April Fools’ Day this year too.
Google fixes two actively exploited zero-day vulnerabilities in Android
Google has patched 62 vulnerabilities in Android, including two actively exploited zero-days in its April 2025 Android Security Bulletin.
When we say “zero-day” we mean an exploitable software vulnerability for which there was no patch at the time of the vulnerability being exploited or published. The term reflects the amount of time that a vulnerable organization has to protect against the threat by patching—zero days.
The April updates are available for Android 13, 14, and 15. Android vendors are notified of all issues at least a month before publication; however, this doesn’t always mean that patches are available for all devices immediately.
You can find your device’s Android version number, security update level, and Google Play system level in your Settings app. You’ll get notifications when updates are available for you, but you can also check for them yourself.
For most phones it works like this: Under About phone or About device you can tap on Software updates to check if there are new updates available for your device, although there may be slight differences based on the brand, type, and Android version of your device.
If your Android phone shows patch level 2025-04-05 or later then you can consider the issues as fixed. The difference with patch level 2025-04-01 is that the higher level provides all the fixes from the first batch and security patches for closed-source third-party and kernel subcomponents, which may not necessarily apply to all Android devices.
Keeping your device as up to date as possible protects you from known vulnerabilities and helps you to stay safe.
Technical details
The zero-days are both located in the kernel:
CVE-2024-53150: an out-of-bounds flaw in the USB sub-component of the Linux Kernel that could result in information disclosure. Local attackers can exploit this flaw to access sensitive information on vulnerable devices without user interaction.
The out-of-bounds vulnerability was caused by USB-audio driver code that failed to check the length of each descriptor before passing it on. There are currently no details on how CVE-2024-53150 has been exploited in real-world attacks, by whom, or who may have been targeted in those attacks.
CVE-2024-53197: a privilege escalation flaw in the USB audio sub-component of the Linux Kernel. Again, no user interaction is required.
This vulnerability is the missing link to CVE-2024-50302 and CVE-2024-53104 which put together were reportedly exploited in Serbia by law enforcement using Cellebrite forensic tools to unlock a student activist’s device and attempt spyware installation.
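The missing descriptor-length check is easiest to see on a small model of the USB descriptor walk. The Python below is an added example, not the Linux driver’s code: it walks a class-specific interface descriptor chain looking up a clock source by ID, once the way the flaw describes (reading a fixed-size layout whatever bLength says, so a short descriptor hands back the next descriptor’s bytes or runs off the buffer) and once with bLength validated against the minimum size before any field is read. The constants, the minimum-length table (taken from the UAC2 descriptor layouts, stated here as an assumption) and the descriptor chain are constructed for the example.

```python
import struct

USB_DT_INTERFACE = 0x04
USB_DT_CS_INTERFACE = 0x24          # class-specific interface descriptor
UAC2_CLOCK_SOURCE = 0x0A            # bDescriptorSubtype values for UAC2 clock entities
UAC2_CLOCK_SELECTOR = 0x0B
UAC2_CLOCK_MULTIPLIER = 0x0C

# Minimum bLength a descriptor must have before its fields may be read
# (assumed from the UAC2 layouts; a selector grows with its pin count).
MIN_LEN = {UAC2_CLOCK_SOURCE: 8, UAC2_CLOCK_SELECTOR: 7, UAC2_CLOCK_MULTIPLIER: 7}
CLOCK_SOURCE_SIZE = 8               # bytes the fixed-layout read below always consumes


def iter_descriptors(buf: bytes):
    """Yield (offset, bDescriptorType, descriptor bytes); reject bLength values that overrun buf."""
    off = 0
    while off < len(buf):
        if len(buf) - off < 2:
            raise ValueError(f"truncated descriptor header at offset {off}")
        blen, dtype = buf[off], buf[off + 1]
        if blen < 2 or off + blen > len(buf):
            raise ValueError(f"bad bLength {blen} at offset {off}")
        yield off, dtype, buf[off:off + blen]
        off += blen


def find_clock_source(buf: bytes, clock_id: int, checked: bool = True):
    """Return the parsed clock source descriptor with bClockID == clock_id, or None."""
    for off, dtype, desc in iter_descriptors(buf):
        # Need at least 4 bytes before touching bDescriptorSubtype and bClockID.
        if dtype != USB_DT_CS_INTERFACE or len(desc) < 4:
            continue
        if desc[2] != UAC2_CLOCK_SOURCE or desc[3] != clock_id:
            continue
        if checked:
            if len(desc) < MIN_LEN[UAC2_CLOCK_SOURCE]:
                continue  # bogus short descriptor: skip it instead of reading past it
            view = desc
        else:
            # Pre-fix behaviour: read the full fixed-size layout whatever bLength says,
            # which pulls in the following descriptor's bytes or runs off the buffer.
            view = buf[off:off + CLOCK_SOURCE_SIZE]
            if len(view) < CLOCK_SOURCE_SIZE:
                raise ValueError(f"out-of-bounds read at offset {off}")
        _, _, _, cid, attrs, controls, assoc, istr = struct.unpack_from("<8B", view)
        return {"bClockID": cid, "bmAttributes": attrs, "bmControls": controls,
                "bAssocTerminal": assoc, "iClockSource": istr}
    return None


# Constructed descriptor chain for the example (not captured from a real device).
CHAIN = bytes([
    0x09, USB_DT_INTERFACE, 0x01, 0x00, 0x01, 0x01, 0x02, 0x00, 0x00,          # interface descriptor
    0x08, USB_DT_CS_INTERFACE, UAC2_CLOCK_SOURCE, 0x05, 0x03, 0x07, 0x00, 0x00,  # valid clock source, ID 5
    0x04, USB_DT_CS_INTERFACE, UAC2_CLOCK_SOURCE, 0x09,                          # bogus clock source, ID 9, bLength 4
    0x07, USB_DT_CS_INTERFACE, UAC2_CLOCK_MULTIPLIER, 0x10, 0x05, 0x03, 0x00,    # clock multiplier
])


if __name__ == "__main__":
    print("checked, ID 5  :", find_clock_source(CHAIN, 5))
    print("checked, ID 9  :", find_clock_source(CHAIN, 9))
    # The unchecked lookup "succeeds" with fields taken from the multiplier descriptor.
    print("unchecked, ID 9:", find_clock_source(CHAIN, 9, checked=False))
```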
We don’t just report on phone security—we provide it
Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.
Is your phone listening to you? (Lock and Code S06E07)
This week on the Lock and Code podcast…
It has probably happened to you before.
You and a friend are talking—not texting, not DMing, not FaceTiming—but talking, physically face-to-face, about, say, an upcoming vacation, a new music festival, or a job offer you just got.
And then, that same week, you start noticing some eerily specific ads. There’s the Instagram ad about carry-on luggage, the TikTok ad about earplugs, and the countless ads you encounter simply scrolling through the internet about laptop bags.
And so you think, “Is my phone listening to me?”
This question has been around for years and, today, it’s far from a conspiracy theory. Modern smartphones can and do listen to users for voice searches, smart assistant integration, and, obviously, phone calls. It’s not too outlandish to believe, then, that the microphones on smartphones could be used to listen to other conversations without users knowing about it.
Recent news stories don’t help, either.
In January, Apple agreed to pay $95 million to settle a lawsuit alleging that the company had eavesdropped on users’ conversations through its smart assistant Siri, and that it shared the recorded conversations with marketers for ad targeting. The lead plaintiff in the case specifically claimed that she and her daughter were recorded without their consent, which resulted in them receiving multiple ads for Air Jordans.
In agreeing to pay the settlement, though, Apple denied any wrongdoing, with a spokesperson telling the BBC:
“Siri data has never been used to build marketing profiles and it has never been sold to anyone for any purpose.”
But statements like this have done little to ease public anxiety. Tech companies have been caught in multiple lies in the past, privacy invasions happen thousands of times a day, and ad targeting feels extreme entirely because it is.
Where, then, does the truth lie?
Today, on the Lock and Code podcast with David Ruiz, we speak with Electronic Frontier Foundation Staff Technologist Lena Cohen about the most mind-boggling forms of corporate surveillance—including an experimental ad-tracking technology that emitted ultrasonic sound waves—specific audience segments that marketing companies make when targeting people with ads, and, of course, whether our phones are really listening to us.
“Companies are collecting so much information about us and in such covert ways that it really feels like they’re listening to us.”
Tune in today to listen to the full conversation.
Show notes and credits:
Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)
Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.
Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.
Toll fee scams are back and heading your way
Back in August 2024, we warned about a relatively new type of SMS phishing (or smishing) scam that was doing the rounds.
Now a new wave of toll fee scams is working its way round the US. These attempts come as an unexpected text message linking to a website pretending to belong to one of the US toll authorities, like E-ZPass, The Toll Roads, SunPass, or TxTag.
The texts usually create a sense of urgency, a common tactic of scammers, by telling you there is only a limited time left to act or there will be dire consequences.
The phishing sites are typically out to steal personal information and/or payment details. Reportedly, some users get up to 7 such messages in a day.
Many state departments are issuing warnings. For example, the Wisconsin Department of Transportation (WisDOT) Division of Motor Vehicles (DMV) recently warned consumers of reported phishing attempts via text, and the Arizona Department of Transportation even published a reminder that the state highway system doesn’t have toll roads, because of these scams.
A typical text message might look like this:
“Your toll payment for E-ZPass Lane must be settled by {a date in the very near future}. To avoid fines and the suspension of your driving privileges, kindly pay by the due date.
Pay here: {malicious link}
(Please reply with “Y”, then exit the text message. Open it again, click the link, or copy it into your browser and open it.)”
The malicious links are often fabricated to look legitimate by putting an existing brand domain in front of the actual domain name. For example, e-zpass.com-roadioe[.]cc reads like an E-ZPass address, but the domain that actually owns the site is com-roadioe[.]cc; "e-zpass" is just a subdomain the scammer chose.
How to avoid falling for toll fee scams
- Check the phone number that the text message comes from. Some of the scams we saw were easy to dismiss because they came from telephone numbers outside the US. A plausible-looking number proves nothing on its own, though, since sender IDs can be spoofed.
- Look for the actual site that handles the alleged toll fees and compare the domain name. Sometimes there is only a small difference, so inspect it carefully.
- If you decided to pay, make sure you receive confirmation of payment. Official toll agencies will send confirmation after collecting payments. If you don’t receive that, call the toll service to check.
- Never interact with the scammer in any way. Every reaction provides them with information, even if it’s only that the phone number is in use.
- If you think the toll fee is feasible because you have indeed travelled in that area, check on the official toll service’s website or call their customer service number.
- The FBI asks that if you receive a suspicious message, contact the FBI Internet Crime Complaint Center at ic3.gov. Be sure to include the phone number from where the text originated, and the website listed within the text.
Domains involved in toll fee scams:
com-roadioe[.]cc
uoshxkdhkz[.]top
com-zgoupbb[.]top
forfeitzm[.]top
sunpass-verification[.]top
com-tollbilljhy[.]top
com-etc-bbzj[.]vip
com-tollbilltid[.]vip
com-tollbilltwd[.]vip
paytollrbzx[.]vip
com-ticketvb[.]xin
com-emzwepr[.]xin
com-ustolls[.]xin
com-tollbilaz[.]xin
etc-tollad[.]xin
roadetctre[.]xin
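The domain trick described above can be checked mechanically. The following is an added example, not code from the Malwarebytes article: it strips a link from a toll text down to the domain that actually owns it, compares that against the indicators listed above, flags the "com-" first-label trick that most of them share, and notes when a toll brand appears in a URL whose owning domain is not the agency's. The brand list and the `official_domains` allowlist are assumptions; the article's advice is to look the agency's real domain up yourself and supply it.

```python
"""Added example, not code from the Malwarebytes article: decide which domain
really owns a toll-payment link before trusting it.

The lure domains put a real brand in a subdomain ("e-zpass.com-roadioe.cc")
so the left-hand end of the URL reads like e-zpass.com. Browsers and phones
only care about the registrable domain at the right-hand end.
"""
import re
from urllib.parse import urlparse

# The defanged domains listed in the article, with the brackets removed.
KNOWN_BAD = frozenset({
    "com-roadioe.cc", "uoshxkdhkz.top", "com-zgoupbb.top", "forfeitzm.top",
    "sunpass-verification.top", "com-tollbilljhy.top", "com-etc-bbzj.vip",
    "com-tollbilltid.vip", "com-tollbilltwd.vip", "paytollrbzx.vip",
    "com-ticketvb.xin", "com-emzwepr.xin", "com-ustolls.xin",
    "com-tollbilaz.xin", "etc-tollad.xin", "roadetctre.xin",
})

# Brand strings the lures borrow (assumption: list is illustrative).
BRANDS = ("e-zpass", "ezpass", "sunpass", "txtag", "thetollroads")

# A first label such as "com-" makes "brand.com-xyz.cc" read like "brand.com".
TLD_PREFIX = re.compile(r"^(com|net|org|gov|edu)-")


def refang(url: str) -> str:
    """Turn a defanged indicator ("hxxps://x[.]cc") back into a real URL."""
    return url.replace("[.]", ".").replace("hxxp", "http")


def registrable_domain(host: str) -> str:
    """Last two labels of the host name.

    Good enough for the .cc/.top/.vip/.xin domains above; production code
    should consult the Public Suffix List so that "co.uk" style suffixes
    are handled correctly.
    """
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def classify(url: str, official_domains: frozenset = frozenset()) -> dict:
    """Score one URL from a toll text.

    official_domains: registrable domain(s) you copied from the agency's real
    website yourself, as the article advises (assumption: supplied by caller).
    """
    raw = refang(url.strip())
    if "://" not in raw:
        raw = "http://" + raw
    parsed = urlparse(raw)
    host = (parsed.hostname or "").lower()
    owner = registrable_domain(host)
    reasons = []
    if owner in KNOWN_BAD:
        reasons.append("owning domain is on the published block list")
    if TLD_PREFIX.match(owner):
        reasons.append("first label mimics a TLD, so the URL reads like brand.com")
    brand_in_url = any(b in host or b in parsed.path.lower() for b in BRANDS)
    if brand_in_url and owner not in official_domains:
        reasons.append("toll brand appears in the URL but the owning domain is not the agency's")
    return {"host": host, "owner": owner, "reasons": reasons,
            "verdict": "malicious" if reasons else "ok"}


if __name__ == "__main__":
    for u in ("e-zpass.com-roadioe[.]cc", "https://sunpass-verification.top/login"):
        r = classify(u)
        print(f"{u}: owner={r['owner']} verdict={r['verdict']}")
        for why in r["reasons"]:
            print("  -", why)
```

The point of `registrable_domain` is the one the article makes in words: everything left of the owning domain is decoration the scammer controls, so comparing only that owning domain against the agency's real site is the check that cannot be fooled by a long, official-looking prefix.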
Did you know that Malwarebytes for mobile scans your texts for scams and blocks known malicious sites?
We don’t just report on phone security—we provide it
Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.
A week in security (March 31 – April 6)
Last week on Malwarebytes Labs:
- Why we’re no longer doing April Fools’ Day
- Intimate images from kink and LGBTQ+ dating apps left exposed online
- “Urgent reminder” tax scam wants to phish your Microsoft credentials
- “Nudify” deepfakes stored unprotected online
- Location, name, and photos of random kids shown to parents in child tracker mix up
- QR codes sent in attachments are the new favorite for phishers
- Popular VPNs are routing traffic via Chinese companies, including one with link to military
- Flaw in Verizon call record requests put millions of Americans at risk
Last week on ThreatDown:
Stay safe!
Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.
Flaw in Verizon call record requests put millions of Americans at risk
Security researcher Evan Connelly discovered an enormous flaw affecting one of the largest telecommunications companies in the world that could allow any single person to view the recent incoming call log for potentially any Verizon phone number.
“In short, anyone could lookup data for anyone,” Connelly said.
A vulnerability in the Verizon Call Filter iOS app allowed anyone to request the call logs of millions of US Verizon customers. The Verizon Call Filter app for iOS allows customers to view a log of their recent calls. This log will show them the phone numbers and an associated timestamp.
To request such a log the app sends a request to a server to fetch the data belonging to the phone number in question. The network request to the server contains various details such as your phone number and the requested time period for call records. The server then responds with a list of calls and timestamps.
But, as it turns out, there were no checks to make sure that the number the information was requested about and the number that sent the request matched.
So, the researcher was able to craft requests for any given phone number and get the call logs for that number, without the ownership of that number. The consequence: anyone could look up data for any Verizon Wireless customer.
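The missing check is a classic broken object-level authorization bug: the server confirmed that some customer was logged in, but never confirmed that the logged-in customer owned the number being queried. The following is an added example, not Verizon's code, showing that mistake as a minimal server-side handler next to its fixed form. Session tokens, subscriber numbers and call records are all constructed, and the notion that the caller's identity is derived from a session token is an assumption about how such an API would be built.

```python
"""Added example, not Verizon's code: the missing ownership check behind the
Call Filter flaw, shown as a minimal server-side handler in its broken and
fixed forms.

The client presents a session token and the phone number it wants incoming
call records for. The broken handler trusts the number in the request; the
fixed handler derives the caller's own number from the session and refuses
anything else. Tokens, numbers and call records below are constructed.
"""
from datetime import datetime

# Constructed: which subscriber number each session token was issued to.
SESSIONS = {
    "tok-alice": "+12125550101",
    "tok-mallory": "+13105550199",
}

# Constructed: recent incoming calls per subscriber as (caller, timestamp).
CALL_LOGS = {
    "+12125550101": [
        ("+18005550123", datetime(2025, 2, 21, 9, 30)),
        ("+12125550177", datetime(2025, 2, 22, 18, 5)),
    ],
    "+13105550199": [
        ("+13105550150", datetime(2025, 2, 22, 12, 0)),
    ],
}


class Unauthorized(Exception):
    """No valid session."""


class Forbidden(Exception):
    """Valid session, but not for the requested resource."""


def _records(number, since=None):
    return [c for c in CALL_LOGS.get(number, []) if since is None or c[1] >= since]


def get_call_log_vulnerable(token, requested_number, since=None):
    """Broken: checks that *a* customer is logged in, then serves whatever
    number the request names. This is the 'anyone could look up anyone' bug."""
    if token not in SESSIONS:
        raise Unauthorized()
    return _records(requested_number, since)


def get_call_log_fixed(token, requested_number, since=None):
    """Fixed: the subscriber number comes from the authenticated session.
    A request naming a different number is rejected, not silently served."""
    owner = SESSIONS.get(token)
    if owner is None:
        raise Unauthorized()
    if requested_number != owner:
        raise Forbidden(f"session for {owner} may not read {requested_number}")
    return _records(owner, since)


def probe(handler, token, requested_number):
    """Exercise a handler and summarise the outcome as a short string."""
    try:
        return f"{len(handler(token, requested_number))} records"
    except Unauthorized:
        return "unauthorized"
    except Forbidden:
        return "forbidden"


if __name__ == "__main__":
    for name, handler in (("vulnerable", get_call_log_vulnerable),
                          ("fixed", get_call_log_fixed)):
        print(name, "- Mallory asks for Alice's log:",
              probe(handler, "tok-mallory", "+12125550101"))
```

Note that the fixed handler does not merely ignore the client-supplied number and substitute the session's own; it rejects the mismatch outright. Silently serving the caller's own data would hide the fact that someone is probing other people's numbers, which is exactly the signal a defender wants logged.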
The researcher did not check whether every Verizon Wireless customer was affected by this flaw.
“The issue I discovered impacted at least those who have the Verizon Call Filter service enabled (I did not test a number which had it disabled; I can’t rule out whether or not all Verizon numbers could have been impacted).”
But it looks as if the Verizon Call Filter is enabled by default, so at least a great many Verizon Wireless customers would be impacted.
This is not just a privacy concern. For some people this could be a security hazard. For people in a domestic abuse situation, public figures, or those of interest to resourceful cyberattackers, a history of calls and frequent callers falling in the wrong hands can put people at physical risk or even compromise national security.
An attacker with access to someone’s call history could figure out their daily habits, see who they talk to most often, and guess their personal relationships. There is no available information whether this flaw was ever actively abused.
Thankfully, Verizon took the issue seriously and fixed it promptly.
Timeline:
- 2/22/2025 – Issue discovered and reported to Verizon
- 2/24/2025 – Acknowledgment from Verizon of the report
- 3/23/2025 – Researcher requested an update as the issue appeared fixed
- 3/25/2025 – Confirmation from Verizon that the issue is resolved
The Verizon Call Filter is a useful tool against robocalls, since it’s a screening and filtering tool that helps you manage nuisance calls. Verizon uses a Know Your Customer (KYC) scoring system to identify spam call networks and block their calls before they reach your phone. Based on your settings, blocked calls either go to voicemail or are stopped altogether.
If you no longer want to use Call Filter, it’s easy to turn it off. Here’s how:
On iPhone:
- Open the Call Filter app.
- Go to Settings.
- Tap Manage Plan and select Turn Off Call Filter.
Alternatively, you can disable it from your iPhone’s settings by going to Settings > Phone > Call Blocking & Identification and toggling off the Call Filter option.
On Android:
- Open the Call Filter app (it might already be installed on your device).
- Tap Account, then Manage Plan.
- Follow the steps to disable Call Filter.
As an alternative you can use Malwarebytes Mobile Security for iOS or Malwarebytes Mobile Security for Android to block scam calls.
Popular VPNs are routing traffic via Chinese companies, including one with link to military
Up to one in five of the most popular mobile VPNs for iOS last year are owned by Chinese companies that do their best to hide the fact. In at least one case, the owner is on a US blacklist.
That’s according to a report from the non-profit Tech Transparency Project (TTP), who investigated the top 100 mobile VPN apps downloaded from Apple’s App Store as documented by mobile intelligence company AppMagic.
Mobile VPNs are apps that connect your smartphone to the internet via different computers around the world. People use them to make it look as though they’re connecting from elsewhere, often to dodge local censorship or to access commercial content not available in their region, or just because they’re concerned about privacy.
The downside is that you must be able to trust the company that operates those computers. After all, they get to see all of your traffic as it passes through those channels.
The TTP warns that a large proportion of the most popular mobile VPN apps in the Apple App Store are owned by Chinese companies. These include Qihoo 360, which is classified as a Chinese military company by the US Department of Defense.
Several mobile VPNs linked to Chinese military
According to the TTP report, Qihoo acquired an app development company called Guangzhou Quanyong. The company developed several mobile apps for Innovative Connecting Pte. Ltd, a Singapore-registered company owned by another company called Lemon Seed, registered in the Cayman Islands.
Innovative Connecting developed an app called Turbo VPN, which was marketed to Spanish-speaking people in the US as a way to circumvent proposed restrictions when accessing Chinese-owned social network TikTok. The company developed several other VPNs in the top 100, including VPN Proxy Master and Thunder VPN. It is also responsible for others that didn’t make it into the top 100: Snap VPN, and Signal Secure VPN.
Chinese company 360 Security Technology, also known as Qihoo 360, purchased Lemon Seed, according to its 2019 annual report.
Not only is Qihoo 360 classified as a Chinese military company in the US, in June 2020 the US government also placed Qihoo 360 on its Entity List, which is a list of companies maintained under the US government’s Export Administration Regulations (EAR).
The Entity List identifies entities that the US believes pose a risk to its national security. It added Qihoo 360 and others to the list citing “reasonable cause to believe that these entities pose a significant risk of becoming involved in activities — the procurement of commodities and technologies for military end-use in China—that are contrary to the national security interests of the United States.”
Three months later, Qihoo 360 sold a package of assets under the banner ‘Project L’, which the TTP investigation believes contained Lemon Seed based on the description of its acquisition date in the public filing.
In spite of the sale, TTP suggests an ongoing link between the two companies after the sale, based on March 2025 filings that list its sole director as Chen Ningyi, who shows up on a Qihoo 360 patent in 2017 and who appears to be a general manager for Qihoo’s mobile security app 360 Mobile Guard.
Shell companies and proxy ownership
Apps developed by Innovative Connecting aren’t the only ones with possible links to China, according to the report. It traced several back to companies in Hong Kong. The city has come under increasingly strict Chinese control lately with the passage a year ago of Article 23, legislation applying strict penalties for a broad array of activities deemed anti-Chinese.
The report found several VPN apps registered to Hong Kong companies, often owned by people or entities on the mainland. These included X-VPN, VPNIFY, VPN Bucks, LinkWorldVPN, VPN Proxy OvpnSpider, and Best VPN Proxy AppVPN.
It also found some registered in other parts of the world that appeared to be Chinese products operating through proxies. One, WireVPN – Fast VPN & Proxy, was registered in the UK but is controlled by a single Chinese national via a shell company. It shares a privacy policy with another similarly-named product registered in Belize called Wirevpn – Secure & Fast VPN. Both use language lifted directly from Chinese privacy regulations.
While VPNs are a useful way to achieve some privacy online, this report highlights the importance of due diligence when choosing a technology provider. Not all VPNs are created equal – and just because they’re in Apple’s App Store doesn’t mean that they’re automatically above board.
How to find a VPN you can trust
Consider the jurisdiction:
- As evidenced by the TTP report, the VPN provider’s location matters. Be wary of VPNs based in countries that require intelligence-sharing with their governments.
Look for these security features:
- Strong encryption is vital; for example, the ChaCha20 cipher with a 256-bit key.
- A “kill switch” is important; it cuts your internet connection if the VPN tunnel drops, so traffic doesn’t leak outside the tunnel.
- Look for VPNs that support modern, well-reviewed tunnelling protocols like WireGuard.
Read the privacy policy:
- A “no-log” policy is essential. This means the VPN provider should not track, store, or share your browsing history, IP address, or any of your network data.
- Carefully read the privacy policy to understand what data is collected and how it’s used.
Consider Malwarebytes Privacy VPN:
Of course we’d say that. But with 256-bit ChaCha20 encryption, the fast WireGuard protocol, and a strict no-log policy, you can be sure that Malwarebytes Privacy VPN will never track, store, or share any network data.
QR codes sent in attachments are the new favorite for phishers
Recently we’ve been seeing quite a few phishing campaigns using QR codes in email attachments.
The lure and the targets are varied, but the use of a QR code to get someone to visit the phishing site is fast becoming a preferred method for cybercriminals.
There are several reasons why cybercriminals might want to use QR codes:
- The QR code is likely to be scanned with a phone, and phones are often less well protected against malicious websites, or completely unprotected.
- Phones are also likely to be personal devices, which gives attackers a direct path to sensitive personal accounts. Banking apps, for example, will often be installed on the same device.
- A human cannot tell a malicious QR code from a benign one by looking at it.
- Links in emails are usually analyzed by email filters, whereas a QR code can be embedded as an image, which many email filters ignore.
- The use of QR codes in other applications, like banking apps, may lend them a certain level of trust.
Combined with other known phishing techniques, QR codes provide criminals with a potent tool for collecting usernames and passwords, distributing malware, and other malicious activities.
Since any QR code scanner should show you the URL before following the link, the phishers often combine the use of QR codes with that of URL shorteners to further hide the real destination.
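Because the URL sits inside an image, a link-scanning mail filter has nothing to inspect. A filter can still catch these messages by scoring their shape rather than their links. The following is an added example, not from the Malwarebytes article: it parses an email with Python's standard `email` module, counts image and PDF parts that could carry a QR code, looks for "scan the QR code" wording and HR/payroll-style lure words, and notes when an attachment is present but no clickable link is. Both sample messages are constructed, and the word lists are assumptions to be tuned against real mail.

```python
"""Added example, not from the Malwarebytes article: a mail-filter heuristic
for QR-code phishing. A URL filter sees nothing when the link lives inside an
image, so score the shape of the message instead: an image or PDF attachment,
'scan the QR code' wording, urgency/HR lure words, and few or no clickable
links. The two sample messages are constructed.
"""
import re
from email import message_from_string

SCAN_WORDS = re.compile(r"\bscan\b.{0,60}\bqr\b", re.I | re.S)
LURE_WORDS = re.compile(
    r"\b(urgent|immediately|within 24 hours|suspend|expire|payroll|handbook|docusign|e-?sign)\b",
    re.I)
LINK = re.compile(r"https?://", re.I)
# MIME types that can carry a QR code image (assumption: illustrative list).
CARRIER_TYPES = ("image/", "application/pdf")


def _text_and_carriers(msg):
    """Collect body text and count parts that could carry a QR code."""
    text, carriers = [], 0
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype.startswith(CARRIER_TYPES):
            carriers += 1
        elif ctype in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            text.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(text), carriers


def score_qr_phish(raw_email: str) -> dict:
    """Return the carrier count, the reasons found, and a verdict."""
    msg = message_from_string(raw_email)
    text, carriers = _text_and_carriers(msg)
    reasons = []
    if carriers and SCAN_WORDS.search(text):
        reasons.append("image/PDF attached and body asks the reader to scan a QR code")
    if carriers and not LINK.search(text):
        reasons.append("attachment present but no clickable link for the URL filter to inspect")
    if LURE_WORDS.search(text):
        reasons.append("HR/payroll/e-signature or urgency lure wording")
    return {"carriers": carriers, "reasons": reasons, "suspicious": len(reasons) >= 2}


# Constructed sample modelled on the handbook lure quoted in the article.
SAMPLE_QR = "\n".join([
    "From: hr@example-corp.test",
    "To: staff@example-corp.test",
    "Subject: Updated Employee Handbook",
    "MIME-Version: 1.0",
    'Content-Type: multipart/mixed; boundary="b1"',
    "",
    "--b1",
    "Content-Type: text/plain; charset=utf-8",
    "",
    "To access the updated Employee Handbook, please scan the QR code below.",
    "Contact the HR department with any questions.",
    "",
    "--b1",
    "Content-Type: image/png",
    "Content-Transfer-Encoding: base64",
    'Content-Disposition: attachment; filename="handbook.png"',
    "",
    "iVBORw0KGgo=",
    "--b1--",
    "",
])

# Constructed benign message: a plain link, no attachment.
SAMPLE_BENIGN = "\n".join([
    "From: events@example-corp.test",
    "To: staff@example-corp.test",
    "Subject: Team lunch on Friday",
    "Content-Type: text/plain; charset=utf-8",
    "",
    "Lunch is at noon on Friday. RSVP at https://intranet.example-corp.test/lunch",
    "",
])

if __name__ == "__main__":
    for label, sample in (("qr lure", SAMPLE_QR), ("benign", SAMPLE_BENIGN)):
        print(label, score_qr_phish(sample))
```

Requiring two independent signals before flagging keeps a lone "handbook" or a single embedded logo from tripping the rule, while a message that combines an attached image, an instruction to scan it, and no inspectable link scores on all three.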
The attackers can even embed the QR codes in professionally designed documents mimicking HR portals, payroll updates, tax reviews, or e-signature services (e.g. DocuSign, Adobe), which increases the perceived legitimacy of the phish. Here’s one example we’ve seen:
“To conveniently access and navigate the contents of the updated Employee Handbook, please scan the QR code provided below. This will direct you to the digital version of the handbook for easy reference and exploration.
{QR code}
Should you have any questions, Please do not hesitate to contact the HR department.”
The employee handbook example above comes from a four-page document presenting a handbook that has allegedly been updated, and ends with specific instructions to open the QR code with the smartphone’s camera app:
“Step-by-step guide
1. Open your camera app:
Launch the camera app on your smartphone
2. Point at the QR code:
Align your camera lens with the QR code, ensuring it is fully visible within the frame.
3. Wait for recognition:
Your phone will automatically detect the QR code and display a notification or link on the screen.
4. Access the content:
Tap on the notification or link to open the information associated with the QR code.”
The QR code in this example took anyone that followed the link to a website that redirected based on the email address. Personal email addresses would see generic advertising, but corporate email addresses would be prompted to log in with their Microsoft account.
So, this one was clearly looking to compromise a corporate account, but you can easily imagine how a phisher with another goal in mind could use a list of email addresses obtained in a breach, and with such a list run a targeted campaign.
Malwarebytes customers were protected against this phishing site.
Android warning (in Dutch)
What can you do to avoid QR code phishing?
Keep your device up to date
Many users have no idea whether their devices are still receiving updates. You can find your device’s Android version number, security update level, and Google Play system level in your Settings app.
You’ll get notifications when updates are available for you, but you can also check for them yourself. For most phones it works like this: Under About phone or About device you can tap on Software updates to check if there are new updates available for your device, although there may be slight differences based on the brand, type, and Android version of your device.
Scan a QR code with the same security mindset as clicking a link
If you scan a QR code, make sure to use an app that shows you the full URL and asks you first before it visits the URL encoded in the QR code. If you do not trust the URL, don’t allow your device to open the link, and look for another way to get the information or download you want.
Many modern Android devices (version 8 and above) can scan QR codes natively from the camera app. Some QR code scanner apps have a feature that automatically performs actions like opening a website or downloading a file. Disable features like these.
Use anti-malware protection on your devices
Your mobile devices are in need of protection just as much as your computer. Malwarebytes protects devices with Malwarebytes for Android and Malwarebytes for iOS.
Location, name, and photos of random kids shown to parents in child tracker mix up
Several worried parents who used T-Mobile tracking devices to keep tabs on their children suddenly found they were looking at the locations of other people’s children, and could not locate their own.
T-Mobile sells a small GPS tracker called SyncUP, which can be used to track, among others, the locations of young children who don’t have cell phones yet. SyncUP uses a combination of GPS technology, Wi-Fi, and T-Mobile’s LTE nationwide network to locate registered devices and comes in the form of a small tag, a car tracker or a kids watch.
According to our friends at 404 Media, several users reported receiving information that came from another tracker, not their own. And from some of the statements it’s very clear that the disclosed locations belonged to other children because of the names and pictures associated with the accounts.
One woman who spoke to 404 Media could see the location address where the random children were, as well as their name and the last time the location was updated. In many cases, the time said “just now” or “one minute ago.”
“I was probably shown more than eight children. I would log in and I couldn’t see my children but I could see a kid in California. I refreshed and then I had no trackers, and then I refreshed again and would see a different child.”
Car owners using SyncUP Drive, the car tracking device, reported similar problems.
Here are some of the potential issues that this mix up could bring up:
- A big concern about tracking devices is their vulnerability to hacking, potentially exposing personal data. No hacking was needed here. Every time some of the users tried they would get the location of a different tracker.
- Tracking devices can infringe on individuals’ privacy rights. That objection is usually raised about tracking someone without their consent, but here nobody consented to strangers being able to track their children.
- GPS tracking must comply with privacy laws like the Electronic Communications Privacy Act (ECPA) and the Driver’s Privacy Protection Act (DPPA) to prevent unauthorized surveillance. Did T-Mobile fail to comply, even if only for a short time?
- Inaccurate tracking, or not being able to track, can compromise personal safety if devices are used for emergency services or monitoring vulnerable individuals.
- Repeated problems can erode the trust in the underlying GPS tracking technology.
This raises the question for parents to ask themselves: What’s worse, not knowing where your child is exactly or running the risk of exposing their location to other people?
Privacy concerns surrounding tracking devices are multifaceted. On one hand, these devices are designed to give users a sense of safety and security by providing accurate location information. However, they also pose risks if not properly secured.
We have reported multiple times about stalkerware users getting exposed by security flaws in the apps they used. While SyncUP may be more secure than some of the stalkerware apps we wrote about, this incident shows it’s not watertight either.
T-Mobile did not disclose the exact problem, but told 404 Media the incident is now resolved:
“Yesterday we fully resolved a temporary system issue with our SyncUP products that resulted from a planned technology update. We are in the process of understanding potential impacts to a small number of customers and will reach out to any as needed. We apologize for any inconvenience.”
“Nudify” deepfakes stored unprotected online
Yesterday, we told you about how millions of pictures from specialized dating apps had been stored online without any kind of password protection.
Now it’s the turn of an AI “nudify” service.
A researcher, famous for finding unprotected cloud storage buckets, has uncovered an unprotected AWS bucket belonging to the nudify service.
The rising popularity of these nudify services apparently has caused a selection of companies without any security awareness to hop on the money train. Millions of people use these services to turn normal pictures into nude images, and it only takes a few minutes.
South Korean AI company GenNomis by AI-NOMIS, or somebody acting on their behalf, stored 93,485 images and JSON files with a total size of 47.8 GB in a publicly exposed database that was neither password-protected nor encrypted.
Looking at the service, GenNomis is an AI-powered image generation platform that allows users to transform text descriptions into images, create AI personas, turn images to videos, face-swap images, remove backgrounds, etc., and all that without restrictions. It also provides a marketplace, where users can buy and sell these images as “artwork.”
The researcher saw numerous pornographic images, including what appeared to be disturbing AI-generated portrayals of very young people. Even though the GenNomis guidelines prohibit explicit images of children and any other illegal activities, the researcher found many of them. That doesn’t mean they were available to buy on the platform, but they were at least created.
Some of the deepfakes are hard to discern from real images, and as such may lead to serious privacy, ethical, and legal risks. Not to mention the humiliation for the owners of those images or parts thereof who didn’t consent. Sadly, there are many examples where young people have taken their own lives over sextortion attempts.
The researcher contacted the company about what he had found. He told The Register:
“They took it down immediately with no reply.”
Keep your children safe from nudify services
We’ve seen many cases where social media and other platforms have used the content of their users to train their AI. Some people have a tendency to shrug it off because they don’t see the dangers, but let us explain the possible problems.
In this case, it’s at the extreme end of what the content could be used for.
- Deepfakes: Users of this generative AI could have used the nudify service on publicly available pictures to create explicit deepfakes without consent. AI generated content, like deepfakes, can be used to spread misinformation, damage your reputation or privacy, or defraud people you know.
- Metadata: Users often forget that the images they upload to social media also contain metadata, such as where the photo was taken. This information could potentially be sold to third parties or used in ways the photographer didn’t intend.
- Intellectual property: Never upload anything you didn’t create or own. Artists and photographers may feel their work is being exploited without proper compensation or attribution.
- Bias: AI models trained on biased datasets can perpetuate and amplify societal biases.
- Facial recognition: Although facial recognition is not the hot topic it once used to be, it still exists. And actions or statements done by your images (real or not) may be linked to your persona.
- Memory: Once a picture is online, it is almost impossible to get it completely removed. It may continue to exist in caches, backups, and snapshots.
If you want to continue using social media platforms that is obviously your choice, but consider the above when uploading pictures of you, your loved ones, or even complete strangers.
We don’t just report on threats—we remove them
Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.