Google Play Protect adds warnings and app disabling for compromised SDK abuse
Security Tool/Service
Summary
Hide ▲
Show ▼
Google Play Protect was updated in July 2026 to warn Android users automatically and disable apps tied to compromised SDKs, limiting abuse of consumer devices through the NetNut proxy network. The change reduces the chance that malicious or repackaged apps can keep running unnoticed on Android devices. It also shrinks the pool of endpoints available for proxy abuse.
Related Happenings
RedWing Android spyware rented through Telegram
Malware Activity
H score21
First: 08.07.2026 18:30
Last: 08.07.2026 18:30
Sources 1
About this happening:
The **RedWing** Android spyware operation is being rented through **Telegram**, lowering the barrier for criminals to hijack phones and steal **banking credentials**. The malware...
RedWing Android spyware rented through Telegram
Malware ActivityAbout this happening: The **RedWing** Android spyware operation is being rented through **Telegram**, lowering the barrier for criminals to hijack phones and steal **banking credentials**. The malware...
RedWing Android bank-fraud malware rental service
Malware Activity
H score21
First: 07.07.2026 20:10
Last: 07.07.2026 20:10
Sources 1
About this happening:
The **RedWing** Android malware service is being rented on **Telegram** to steal **banking logins**, **OTPs**, and device control, raising fraud risk for **banking and cryptocurre...
RedWing Android bank-fraud malware rental service
Malware ActivityAbout this happening: The **RedWing** Android malware service is being rented on **Telegram** to steal **banking logins**, **OTPs**, and device control, raising fraud risk for **banking and cryptocurre...
Android Framework code execution and privilege escalation flaw (CVE-2025-48595)
Vulnerability
H score40
First: 02.06.2026 14:10
Last: 02.06.2026 14:10
Sources 1
About this happening:
Google's **June 2026 Android security patches** now cover **CVE-2025-48595**, an **actively exploited Android Framework** flaw that can lead to **code execution** and **privilege...
Android Framework code execution and privilege escalation flaw (CVE-2025-48595)
VulnerabilityAbout this happening: Google's **June 2026 Android security patches** now cover **CVE-2025-48595**, an **actively exploited Android Framework** flaw that can lead to **code execution** and **privilege...
BTMOB Android MaaS platform expands low-code phishing payload production
Threat Actor Meta
H score21
First: 29.05.2026 00:10
Last: 29.05.2026 00:10
Sources 1
About this happening:
**BTMOB** has been exposed as a **malware-as-a-service** Android trojan with a **builder interface**, making it easier for cybercriminals to mass-produce tailored phishing payload...
BTMOB Android MaaS platform expands low-code phishing payload production
Threat Actor MetaAbout this happening: **BTMOB** has been exposed as a **malware-as-a-service** Android trojan with a **builder interface**, making it easier for cybercriminals to mass-produce tailored phishing payload...
Grandoreiro and BTMOB banking trojan activity targeting Windows and Android
Malware Activity
H score25
First: 27.05.2026 19:10
Last: 27.05.2026 19:10
Sources 1
About this happening:
**BTMOB** is an **Android remote access trojan** sold as **malware-as-a-service** on the **clearweb** and in private **Telegram** channels, with a builder that generates customize...
Grandoreiro and BTMOB banking trojan activity targeting Windows and Android
Malware ActivityAbout this happening: **BTMOB** is an **Android remote access trojan** sold as **malware-as-a-service** on the **clearweb** and in private **Telegram** channels, with a builder that generates customize...
Timeline
-
03.07.2026 03:00 2 articles · 6d ago
Google Play Protect warns Android users and blocks apps with compromised SDKs used by NetNut
Mitigation Patch UpdateGoogle disabled all Google accounts used by NetNut for malware command-and-control, updated Google Play Protect to automatically warn Android users, and disabled apps containing the compromised SDKs to limit further abuse of Android devices in the NetNut proxy network.
Show sources
- FBI, Google Take Down NetNut Proxy Network Used by Cyber Threat Actors — www.infosecurity-magazine.com — 03.07.2026 12:35
- FBI, Google Take Down NetNut Proxy Network Used by Cyber Threat Actors — www.infosecurity-magazine.com — 03.07.2026 12:35
-
02.07.2026 03:00 1 articles · 7d ago
Google report links NetNut exit nodes to 316 threat clusters
Campaign Scope UpdateGoogle said at least 316 distinct threat clusters used NetNut exit nodes during a single week in June 2026 for password-spraying campaigns, credential stuffing, advertising fraud and sensitive data scraping, showing how the residential proxy network was being abused to hide traffic behind legitimate domestic IP addresses.
Show sources
- FBI, Google Take Down NetNut Proxy Network Used by Cyber Threat Actors — www.infosecurity-magazine.com — 03.07.2026 12:35