SpyBanker WhatsApp banking help-app campaign
Campaign
Summary
Hide ▲
Show ▼
The SpyBanker Android campaign is now targeting Indian banking users, increasing the risk of call hijacking and financial-data theft. The malware is likely spread through WhatsApp as a fake customer help service app. Once installed, it can redirect calls to an attacker-controlled number and harvest SIM details, SMS messages, and banking data. That combination creates a direct fraud path for attackers to intercept account activity and authentication signals.
Related Happenings
FBI public warning on Signal and WhatsApp phishing
Public Sector Action
H score30
First: 20.03.2026 22:45
Last: 20.03.2026 22:45
Sources 1
About this happening:
The **US Department of State** is offering **up to $10 million** through the **Rewards for Justice** program for information that helps identify or locate **UNC5792** and **UNC422...
FBI public warning on Signal and WhatsApp phishing
Public Sector ActionAbout this happening: The **US Department of State** is offering **up to $10 million** through the **Rewards for Justice** program for information that helps identify or locate **UNC5792** and **UNC422...
Latest development: 29.06.2026 12:29
The US government offered up to $10 million for information leading to the identification of UNC5792 and UNC4221, Russian intelligence-linked threat actors targeting Signal and WhatsApp users by posing as automated support accounts and stealing verification codes or Backup Recovery Keys; CISA and the FBI warned that sharing a Backup Recovery Key can let the actor access historical private and group messages and potentially keep access after a new account is created with the same phone number.
SORVEPOTEL WhatsApp malware campaign spreads across Brazil
Campaign
H score31
First: 12.03.2026 19:31
Last: 12.03.2026 19:31
Sources 1
About this happening:
A **WhatsApp** malware campaign in **Brazil** is spreading **SORVEPOTEL**, a **self-propagating Windows malware** that uses **phishing ZIP attachments** and a desktop-only lure to...
SORVEPOTEL WhatsApp malware campaign spreads across Brazil
CampaignAbout this happening: A **WhatsApp** malware campaign in **Brazil** is spreading **SORVEPOTEL**, a **self-propagating Windows malware** that uses **phishing ZIP attachments** and a desktop-only lure to...
Russian state-sponsored hackers' ongoing Signal and WhatsApp phishing campaign
Campaign
H score38
First: 09.03.2026 23:24
Last: 09.03.2026 23:24
Sources 1
About this happening:
An **ongoing Russian intelligence-linked** phishing **campaign** is targeting **Signal** and **WhatsApp** users and has evolved from stealing verification codes and account PINs t...
Russian state-sponsored hackers' ongoing Signal and WhatsApp phishing campaign
CampaignAbout this happening: An **ongoing Russian intelligence-linked** phishing **campaign** is targeting **Signal** and **WhatsApp** users and has evolved from stealing verification codes and account PINs t...
Latest development: 27.06.2026 01:06
FBI and CISA warn that the Russian intelligence services-linked Signal phishing campaign has evolved from stealing verification codes, account PINs, and linked-device access to eliciting victims' Backup Recovery Keys through impersonated Signal support messages. If a target provides the key, attackers can restore Signal's Secure Backups on their own devices and read historical messages, including private and group conversations, while the campaign continues to target high-intelligence-value individuals.
Lotusbail malicious npm package stealing WhatsApp account data and messages
Malware Activity
H score30
First: 22.12.2025 18:08
Last: 22.12.2025 18:08
Sources 1
About this happening:
The **lotusbail** package is a malicious **npm** library that steals **WhatsApp** account data and can leave victims with **persistent unauthorized access**. It masquerades as a l...
Lotusbail malicious npm package stealing WhatsApp account data and messages
Malware ActivityAbout this happening: The **lotusbail** package is a malicious **npm** library that steals **WhatsApp** account data and can leave victims with **persistent unauthorized access**. It masquerades as a l...
Wonderland Android SMS stealer activity targeting Uzbekistan
Malware Activity
H score27
First: 22.12.2025 08:11
Last: 22.12.2025 08:11
Sources 1
About this happening:
The **Wonderland** Android SMS stealer is being spread through **malicious droppers** in attacks targeting **users in Uzbekistan**, enabling **SMS and OTP theft** and bank-card fr...
Wonderland Android SMS stealer activity targeting Uzbekistan
Malware ActivityAbout this happening: The **Wonderland** Android SMS stealer is being spread through **malicious droppers** in attacks targeting **users in Uzbekistan**, enabling **SMS and OTP theft** and bank-card fr...
Timeline
-
14.08.2025 14:06 1 articles · 10mo ago
SpyBanker campaign targets Indian banking users via WhatsApp
Initial DisclosureK7 Security disclosed an Android malware campaign dubbed SpyBanker that targets Indian banking users and is likely distributed through WhatsApp under the guise of a customer help service app. The malware can register CallForwardingService to change the call-forward number to an attacker-controlled mobile number, redirect unattended calls, and collect SIM details, sensitive banking information, SMS messages, and notification data.
Show sources
- New Android Malware Wave Hits Banking via NFC Relay Fraud, Call Hijacking, and Root Exploits — thehackernews.com — 14.08.2025 14:06