BirdCall Android spyware variant

Malware Activity
Happening score: 34
2 unique sources, 2 articles

Summary

The BirdCall Android spyware variant expanded a known Windows backdoor into a mobile surveillance tool with file exfiltration and device reconnaissance capabilities. It was created around October 2024 and observed in at least seven versions, making the malware family more versatile across platforms. The malware was delivered through trojanized APKs on sqgame[.]net, a game platform, which increased exposure for Android users. Its Android build can collect contacts, call logs, SMS, screenshots, audio, and files, raising the risk of theft and covert monitoring.

Related Happenings

BTMOB Android RAT no-code builder malware activity

Malware Activity
First: 26.05.2026 17:00 Last: 26.05.2026 17:00 Sources 1

About this happening: The **BTMOB** Android RAT is spreading through **phishing campaigns** across **Brazil and beyond**, raising the risk of **custom payload delivery** and **remote device takeover**....

Android Intrusion Logging forensic logging rollout for spyware investigations

Security Tool/Service
First: 13.05.2026 09:55 Last: 13.05.2026 09:55 Sources 1

About this happening: **Android** is adding **Intrusion Logging**, an opt-in forensic feature in **Advanced Protection Mode** that preserves device and network activity for suspected spyware compromise...

Android 17 expands platform security and privacy protections

Security Tool/Service
First: 12.05.2026 20:00 Last: 12.05.2026 20:00 Sources 1

About this happening: **Android 17** will add a broad set of **Google**-backed security and privacy controls next month, reducing exposure to **banking scam calls**, **device theft**, and **OTP theft**...

PromptSpy backdoor for Android with Gemini API automation

Malware Activity
First: 11.05.2026 16:02 Last: 11.05.2026 16:02 Sources 1

About this happening: The **PromptSpy** backdoor for **Android** was highlighted for using **Gemini APIs** to automate device interaction, increasing the risk of unauthorized control on infected phones...

TrickMo Android banking malware adds TON-based covert command-and-control

Malware Activity
First: 11.05.2026 12:03 Last: 11.05.2026 12:03 Sources 1

About this happening: The **TrickMo Android banking malware** has added **TON-based covert command-and-control**, making its operator infrastructure harder to identify, block, or take down for victims...

Timeline

  1. 05.05.2026 12:04 2 articles · 22d ago

    BirdCall Android spyware delivery through sqgame[.]net

    Initial Disclosure

    APT37, also known as ScarCruft and Ricochet Chollima, delivered a previously undocumented Android variant of BirdCall as trojanized APKs on sqgame[.]net. ESET says the malware was created around October 2024 and has had at least seven versions. The Android build can collect contacts, call logs, SMS, device identifiers, screenshots, microphone audio, and files, but it still lacks several Windows commands, including shell execution, traffic proxying, browser and messenger targeting, file deletion and dropping, and process killing.
