Ransomware crims got a month-long head start on Check Point VPN 0-day that now has a fix
Sometimes it happens. You’re happily playing a game on your phone or laptop when suddenly alarms pop up out of nowhere:
“Your device is infected!”
“Your iCloud is full!”
“Your account is restricted for watching porn!”
Some games can be played for free if you agree to watch ads, and in others you can get extra lives, perks, or boosters by watching ads. That’s fine, as long as you’re given a choice and the ads are legitimate.
Unfortunately, cybercriminals sometimes manage to buy advertising space and use it to defraud gamers.
Let’s look at some examples.
The iCloud storage scam, or its OneDrive equivalent, is a well-known and long-running scam that claims you need to expand your storage or all your files will be deleted. The websites these messages link to come in many forms, but they all ask for personal and payment details to complete the upgrade.

“Your account has been restricted.
We have detected that your device has been hacked after visiting adult websites.
Solution:
1:Click the “OK” button below;2:You will be redirected to App Store;
3:Install and open the app, then run the cleanup program.”
This ad is a scam and uses a classic scare tactic. It falsely claims your device has been hacked and tries to pressure you into clicking “OK” and installing a cleanup app.
Messages like this sometimes claim to be from your ISP, a “Security Department,” or a generic “Safety Center.”

“Apple Security Alert
8 viruses have been detected on your iPhone. Now iOS is damaged by 72%. Further damage to the system will result in device lockup and loss of all data within two minutes.
Please click the button below to remove all viruses.”
This is another fake warning, commonly used by scammers to trick users into clicking links or downloading unnecessary or harmful software. Apple doesn’t send alerts like this, and these messages use vague threats to get your attention.
What kind of app you’re really installing if you follow the instructions depends on your device and your location. If you’re “lucky,” it’s just adware, but you might just as easily end up with an infostealer.
In many cases, you’ll end up with fleeceware, a type of deceptive mobile app where developers lure users in with short free trials that quickly convert into hidden subscription fees, sometimes costing hundreds of dollars per month. These apps often offer some functionality to stay on the barely legal side of things, but at wildly inflated prices.
The best response to these messages is simply to ignore them.
Real system alerts come from the OS, not from inside a game window or browser tab. Here’s a simple test: If you can switch apps and the “warning” disappears with the browser/game, it was not a system‑level alert.
Check the destination URLs before proceeding. Apple, Google, and major ISPs use predictable domains. A familiar-looking URL is not proof that a message is legitimate, but if the URL looks suspicious, it should definitely be treated as a scam.
You may arrive at something that looks like the official App Store or Google Play Store. Be wary of lookalike app stores and unofficial download sites, but if you are on the real store, the app is generally safer to install. However, it’s still worth checking reviews, permissions, and the developer before proceeding.
Visit the official website of the organization the message claims to be from and log in there. If there’s a genuine problem with your account, storage, or device, you’ll find information about it through official channels.
Use an up-to-date, real-time anti-malware solution on your devices that can detect and block malicious apps.
Scammers know more about you than you think.
Malwarebytes Mobile Security protects you from phishing, scam texts, malicious sites, and more. With real-time AI-powered Scam Guard built right in.
Sometimes it happens. You’re happily playing a game on your phone or laptop when suddenly alarms pop up out of nowhere:
“Your device is infected!”
“Your iCloud is full!”
“Your account is restricted for watching porn!”
Some games can be played for free if you agree to watch ads, and in others you can get extra lives, perks, or boosters by watching ads. That’s fine, as long as you’re given a choice and the ads are legitimate.
Unfortunately, cybercriminals sometimes manage to buy advertising space and use it to defraud gamers.
Let’s look at some examples.
The iCloud storage scam, or its OneDrive equivalent, is a well-known and long-running scam that claims you need to expand your storage or all your files will be deleted. The websites these messages link to come in many forms, but they all ask for personal and payment details to complete the upgrade.

“Your account has been restricted.
We have detected that your device has been hacked after visiting adult websites.
Solution:
1:Click the “OK” button below;2:You will be redirected to App Store;
3:Install and open the app, then run the cleanup program.”
This ad is a scam and uses a classic scare tactic. It falsely claims your device has been hacked and tries to pressure you into clicking “OK” and installing a cleanup app.
Messages like this sometimes claim to be from your ISP, a “Security Department,” or a generic “Safety Center.”

“Apple Security Alert
8 viruses have been detected on your iPhone. Now iOS is damaged by 72%. Further damage to the system will result in device lockup and loss of all data within two minutes.
Please click the button below to remove all viruses.”
This is another fake warning, commonly used by scammers to trick users into clicking links or downloading unnecessary or harmful software. Apple doesn’t send alerts like this, and these messages use vague threats to get your attention.
What kind of app you’re really installing if you follow the instructions depends on your device and your location. If you’re “lucky,” it’s just adware, but you might just as easily end up with an infostealer.
In many cases, you’ll end up with fleeceware, a type of deceptive mobile app where developers lure users in with short free trials that quickly convert into hidden subscription fees, sometimes costing hundreds of dollars per month. These apps often offer some functionality to stay on the barely legal side of things, but at wildly inflated prices.
The best response to these messages is simply to ignore them.
Real system alerts come from the OS, not from inside a game window or browser tab. Here’s a simple test: If you can switch apps and the “warning” disappears with the browser/game, it was not a system‑level alert.
Check the destination URLs before proceeding. Apple, Google, and major ISPs use predictable domains. A familiar-looking URL is not proof that a message is legitimate, but if the URL looks suspicious, it should definitely be treated as a scam.
You may arrive at something that looks like the official App Store or Google Play Store. Be wary of lookalike app stores and unofficial download sites, but if you are on the real store, the app is generally safer to install. However, it’s still worth checking reviews, permissions, and the developer before proceeding.
Visit the official website of the organization the message claims to be from and log in there. If there’s a genuine problem with your account, storage, or device, you’ll find information about it through official channels.
Use an up-to-date, real-time anti-malware solution on your devices that can detect and block malicious apps.
Scammers know more about you than you think.
Malwarebytes Mobile Security protects you from phishing, scam texts, malicious sites, and more. With real-time AI-powered Scam Guard built right in.
Threat actors are already gearing up for this year’s biggest football (soccer) event, the World Cup 2026. With millions of fans looking for ways to stream matches online, many will turn to IPTV apps to watch live TV broadcasts over the internet. It’s no surprise, then, that cybersecurity researchers have discovered multiple campaigns over the past few months where malware was disguised as fake Android IPTV apps.
In this post, we discuss what IPTV apps are, how criminals use fake versions to spread malware, what this malware is capable of, and, most importantly, how to avoid becoming a victim.
IPTV stands for Internet Protocol Television. This technology delivers TV content over the internet instead of through cable, over-the-air antennas, or satellites. Naturally, the simplest and most common examples of IPTV are the official platforms of TV networks, which can include both websites and dedicated apps.
However, alongside official options, pirate IPTV services also exist. They usually lure users with free or dirt-cheap access to content that can otherwise be hard to find without expensive subscriptions — most notably broadcasts of various sporting events; football matches in particular.
As is typically the case with pirated content, these apps are blocked from official app stores, forcing users to download them from third-party sites. Consequently, the risk of using these services isn’t tied to IPTV technology itself, but rather to the fake apps and modified APK files distributed under the guise of well-known platforms — both official and pirated.
For instance, in February researchers found the Massiv banking Trojan distributed under the guise of fake IPTV apps. Even then, experts noted that this wasn’t the only malware leveraging this tactic — several others were also spotted in the wild. The primary targets of these IPTV-mimicking malicious fakes have mostly been users in Portugal, Spain, France, and Türkiye.
In most cases, the discovered fake IPTV apps lacked the advertised functionality, so users didn’t get access to any content after installing the apps. Instead, the fake app would open the website of a legitimate IPTV service in a built-in browser to mimic normal functioning and avoid raising user suspicion.
Of course, the most interesting activity happened out of the user’s sight. These are some of the features the malware did have:

The Massiv banking Trojan mimics the interface of the Portuguese government app Chave Móvel Digital in a fake pop-up window, looking even more convincing than the official version from Google Play. Source
In March, researchers reported on a new campaign where several fake IPTV apps were used to distribute an even more advanced and feature-rich malware strain: Perseus.
Research into Perseus shows that the malware is based on the source code of an Android banking Trojan called Cerberus, which leaked nearly six years ago. Perseus comes in two different versions: Turkish and English. The English-language version is more advanced and shows clear signs of AI-driven refinement.
Perseus abuses Accessibility Services, a set of Android features originally designed to make life easier for users with severe visual impairments. Fraudsters learned long ago how to leverage this tool to steal data from Android devices — a topic we’ve covered in detail across several of our posts.

An example of a malicious APK disguised as Roja Directa TV, another IPTV app. Source
By abusing Accessibility Services, Perseus gains remote control over the victim’s device. Here’s what it can do:
On top of that, the English-language version of Perseus boasts another notable feature. The malware can hunt for sensitive information like passwords, recovery phrases, and financial data across an entire range of note-taking apps: Google Keep, Xiaomi Notes, Samsung Notes, ColorNote, Evernote, Microsoft OneNote, and Simple Notes.
All of these capabilities help criminals drain football fans’ money not just from various banking services, but from cryptocurrency apps as well.
The World Cup is just around the corner, and millions of fans worldwide will definitely want to tune in to this year’s premier football event. Past experience shows that cybercriminals frequently cash in on major spectacles like this. So, how can you watch the matches safely?
You can’t even watch TV safely anymore these days! Check out other threats facing TV lovers:




The 2026 World Cup presents major cyber risks from ransomware groups, state-aligned actors, and other groups targeting critical infrastructure. Learn more here.
The post 2026 World Cup: Discussing The World’s Biggest Game’s Attack Surface appeared first on Unit 42.

Unit 42 explores trends in data theft and extortion, outlining key strategies for organizations as frontier AI models advance.
The post Out of the Crypt: The Evolving Cyber Extortion Economy appeared first on Unit 42.
