Telegram-linked Digital Lutera Android payment-fraud campaign

Campaign
Happening score
H score 47
1 unique source, 1 article

Summary

A Telegram-linked Android payment-fraud campaign is actively coordinating access attempts and sharing intercepted login data, increasing the risk of account takeover and fraudulent transfers. The operation uses Digital Lutera with LSPosed and Android APIs to intercept SMS/2FA data, spoof device identities, and undermine SIM-binding. One observed channel contained more than 500 login-related messages, showing the technique is already in active use.

Related Happenings

Android Intrusion Logging forensic logging rollout for spyware investigations

Security Tool/Service
First: 13.05.2026 09:55 Last: 13.05.2026 09:55 Sources 1

About this happening: **Android** is adding **Intrusion Logging**, an opt-in forensic feature in **Advanced Protection Mode** that preserves device and network activity for suspected spyware compromise...

Android 17 expands platform security and privacy protections

Security Tool/Service
First: 12.05.2026 20:00 Last: 12.05.2026 20:00 Sources 1

About this happening: **Android 17** will add a broad set of **Google**-backed security and privacy controls next month, reducing exposure to **banking scam calls**, **device theft**, and **OTP theft**...

TrickMo Android banking trojan variant with TON C2 and network pivots

Malware Activity
First: 12.05.2026 15:50 Last: 12.05.2026 15:50 Sources 1

About this happening: A new **TrickMo** Android banking trojan variant now uses **The Open Network (TON)** for C2, turning infected phones into **network pivots** and **traffic-exit nodes**. It was obs...

NGate Android Brazil fake-app and fake-lottery campaign

Campaign
First: 21.04.2026 12:00 Last: 21.04.2026 12:00 Sources 1

About this happening: An **NGate** campaign has been active since **November 2025**, targeting primarily **Android devices in Brazil** and using **fake-app** and **fake-lottery** lures to spread a malic...

Mirax Android banking trojan with residential proxy nodes

Malware Activity
First: 13.04.2026 17:30 Last: 13.04.2026 17:30 Sources 1

About this happening: Mirax is spreading across **Europe** with **remote access** and **residential proxy** features, increasing the risk of device compromise, data theft, and traffic abuse. The Androi...

Timeline

  1. 17.03.2026 18:30 2 articles · 2mo ago

    Telegram-linked Android payment-fraud campaign

    Campaign Scope Update

    CloudSEK researchers identified an Android OS-level campaign that uses the LSPosed framework to manipulate the runtime environment, hijack legitimate mobile payment apps without modifying APKs, and bypass Google Play Protect. Linked to the Digital Lutera module, the technique abuses Android APIs to intercept SMS messages, spoof device identities, extract 2FA data, and undermine SIM-binding, while Telegram activity shows attackers coordinating access attempts and sharing intercepted login data.
