Find notable cyber news and cases, enriched with sources, timelines, and signals.

Google Play Protect adds warnings and app disabling for compromised SDK abuse

Security Tool/Service
First reported
Last updated
Happening score
H score 11
1 unique sources, 1 articles

Summary

Hide ▲

Google Play Protect was updated in July 2026 to warn Android users automatically and disable apps tied to compromised SDKs, limiting abuse of consumer devices through the NetNut proxy network. The change reduces the chance that malicious or repackaged apps can keep running unnoticed on Android devices. It also shrinks the pool of endpoints available for proxy abuse.

Related Happenings

RedWing Android spyware rented through Telegram

Malware Activity
H score21 First: 08.07.2026 18:30 Last: 08.07.2026 18:30 Sources 1

About this happening: The **RedWing** Android spyware operation is being rented through **Telegram**, lowering the barrier for criminals to hijack phones and steal **banking credentials**. The malware...

RedWing Android bank-fraud malware rental service

Malware Activity
H score21 First: 07.07.2026 20:10 Last: 07.07.2026 20:10 Sources 1

About this happening: The **RedWing** Android malware service is being rented on **Telegram** to steal **banking logins**, **OTPs**, and device control, raising fraud risk for **banking and cryptocurre...

Android Framework code execution and privilege escalation flaw (CVE-2025-48595)

Vulnerability
H score40 First: 02.06.2026 14:10 Last: 02.06.2026 14:10 Sources 1

About this happening: Google's **June 2026 Android security patches** now cover **CVE-2025-48595**, an **actively exploited Android Framework** flaw that can lead to **code execution** and **privilege...

BTMOB Android MaaS platform expands low-code phishing payload production

Threat Actor Meta
H score21 First: 29.05.2026 00:10 Last: 29.05.2026 00:10 Sources 1

About this happening: **BTMOB** has been exposed as a **malware-as-a-service** Android trojan with a **builder interface**, making it easier for cybercriminals to mass-produce tailored phishing payload...

Grandoreiro and BTMOB banking trojan activity targeting Windows and Android

Malware Activity
H score25 First: 27.05.2026 19:10 Last: 27.05.2026 19:10 Sources 1

About this happening: **BTMOB** is an **Android remote access trojan** sold as **malware-as-a-service** on the **clearweb** and in private **Telegram** channels, with a builder that generates customize...

Timeline

  1. 03.07.2026 03:00 2 articles · 6d ago

    Google Play Protect warns Android users and blocks apps with compromised SDKs used by NetNut

    Mitigation Patch Update

    Google disabled all Google accounts used by NetNut for malware command-and-control, updated Google Play Protect to automatically warn Android users, and disabled apps containing the compromised SDKs to limit further abuse of Android devices in the NetNut proxy network.

    Show sources
  2. 02.07.2026 03:00 1 articles · 7d ago

    Google report links NetNut exit nodes to 316 threat clusters

    Campaign Scope Update

    Google said at least 316 distinct threat clusters used NetNut exit nodes during a single week in June 2026 for password-spraying campaigns, credential stuffing, advertising fraud and sensitive data scraping, showing how the residential proxy network was being abused to hide traffic behind legitimate domestic IP addresses.

    Show sources