A ‘free’ TradingView Premium hides a stealer, a record DDoS hits Cloudflare, and other cybersecurity news | ForkLog
This week in security: a bogus “TradingView Premium” app hides an Android stealer aimed at crypto traders; a phishing wave drops a versatile info-stealer with clipboard hijacking; extortionists threaten to feed stolen art to AI models; a commercial robot fleet was found open to hijacking; and Cloudflare snuffed out the largest DDoS on record.
Fake “TradingView Premium” app pushes Brokewell variant to Android users
Threat actors abused online ads to pitch a “free” TradingView Premium installer to mobile users, funneling them to a spoofed site that served a malicious APK named tw-update.apk. After installation, the app requested Accessibility permissions and popped a deceptive “system update” screen while quietly granting itself broad privileges. Attackers even mimicked a system prompt to trick victims into entering their lock-screen PIN.
The campaign, active since late July and heavily localized for Russian-speaking audiences, appears focused on cryptocurrency holders. Notably, the lure targeted only smartphones; desktop visitors were shown harmless content. The malware delivered is described as an expanded build of the Brokewell family, equipped for data theft and remote monitoring/control of infected devices.
“Phantom Papa” spear-phishing drops a stealer with crypto address swapping
A separate email campaign in Russian and English has been distributing a stealer dubbed Phantom across sectors including retail, manufacturing, construction, and IT. Lures ranged from sensational subjects (“See my nude pictures and videos”) to business-themed hooks (“Attached copy of payment No.06162025”). The payload typically arrived inside RAR archives containing .img or .iso files; once executed, the malware harvested system details, cookies, saved passwords, payment-card data from browsers, and documents and images.
Exfiltration relied on Telegram bots. Particularly dangerous for crypto users, Phantom’s Clipper module continuously scans the clipboard and active window for hints of crypto activity, then swaps copied wallet addresses with attacker-controlled ones. Another module, “PornDetector,” takes screenshots—and even webcam snapshots—if it detects activity containing terms like “porn,” “sex,” or “hentai.”
Extortion twist: “Pay up or we’ll train AI on your stolen art”
An art-commission marketplace was hit by a data breach claim paired with an unusual threat: pay $50,000 in cryptocurrency or the attackers would leak the data and submit stolen artworks for training AI models. A countdown appeared as pressure mounted, and the site later went offline. The gambit taps into ongoing anxiety among artists over unauthorized AI training, signaling that data extortion is evolving to exploit cultural flashpoints—not just operational disruption or simple data leaks.
Commercial service robots exposed to takeover via lax controls
A security practitioner disclosed serious weaknesses in a popular line of commercial service robots used in restaurants and public venues. The findings suggest that obtaining a valid authorization token—or even creating a pre-sale test account—could grant administrative access to management software. Once in, there were no meaningful secondary checks. An attacker could reroute deliveries, pause or disable fleets, or make disruptive changes like renaming devices, complicating recovery. The episode underscores how quickly physical operations can be affected when connected robots lack robust access controls and segmentation.
Cloudflare absorbs record-breaking DDoS: 11.5 Tbps
Cloudflare reported blocking a wave of hyper-volumetric DDoS attacks in recent weeks, including a record peak at roughly 11.5 Tbps and 5.1 billion packets per second. The biggest burst lasted around 35 seconds and blended traffic from large numbers of compromised IoT devices and cloud instances. While short, the intensity highlights how attackers increasingly leverage scale and diversity of sources to overwhelm targets—making automated, always-on mitigation critical for internet-facing services.
Why this matters
- Malware distribution is getting more polished, with convincing mobile-only lures and believable system prompts that harvest device privileges and PINs.
- Clipboard hijacking remains a top threat for crypto holders; the slightest lapse when copying wallet addresses can lead to irreversible losses.
- Ransom tactics are evolving: the threat of AI training on stolen creative works adds a new pressure point for victims.
- Operational tech and service robots are part of the attack surface; weak identity and access management can translate to real-world disruption.
- DDoS attacks are shorter, sharper, and bigger than ever—defense must be automatic and scalable.
What you can do now
- Only install Android apps from official stores. Be wary of “premium” giveaways and installers hosted on unfamiliar sites.
- Audit Accessibility permissions on your phone and revoke anything you don’t fully trust.
- For crypto, always verify the first and last characters of wallet addresses after pasting; consider using QR codes where possible.
- Block risky attachment types (.iso, .img) at the mail gateway and disable legacy mount handlers on endpoints where feasible.
- Segment robots/IoT from business networks, enforce MFA and least-privilege access, and monitor for anomalous commands.
- If you run public-facing services, deploy anycast DDoS protection with automatic mitigation and rate limiting at the edge.
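As an added example (not code from the original article or from any product it mentions), a small defender-side check in Python that turns the wallet-address advice above into logic against the clipper behaviour described in the Phantom item: it remembers what the user actually copied and flags a clipboard that now holds a different address of the same chain, which a first-and-last-character glance alone would not catch when the substitute shares those characters. Assumptions: only BTC and ETH address shapes are recognised (syntax only, no checksum validation), the sample addresses are constructed placeholders, and hooking into a real clipboard API is left to the caller.

```python
import re

# Address shapes for the chains clippers most often target (assumption: BTC and ETH only;
# these are syntax checks, not checksum validation).
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{39,59}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

# Constructed sample addresses (syntactically valid, not real wallets).
USER_BTC = "1AaBbCcDdEeFfGgHhJjKkMmNnPpQqRrSs"
ATTACKER_BTC = "1ZzYyXxWwVvUuTtRrQqPpNnMmKkJjHhGs"  # same first/last chars as USER_BTC


def classify_address(text):
    """Return the chain label if text looks like a wallet address, else None."""
    text = text.strip()
    for label, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return label
    return None


def first_last_glance(expected, actual):
    """Mimic the human 'first and last characters' check; True means it would pass."""
    return expected[0] == actual[0] and expected[-1] == actual[-1]


class ClipboardGuard:
    """Remembers what the user actually copied and verifies the clipboard before a paste."""

    def __init__(self):
        self.last_user_copy = None

    def on_user_copy(self, text):
        """Call from a user-initiated copy action (hotkey, context menu)."""
        self.last_user_copy = text.strip()

    def check_before_paste(self, clipboard_text):
        """Classify the clipboard content relative to the user's last copy."""
        clipboard_text = clipboard_text.strip()
        chain = classify_address(clipboard_text)
        if chain is None:
            return "not-an-address"
        if self.last_user_copy is None:
            return "unknown-origin"   # address appeared without a user copy
        if clipboard_text == self.last_user_copy:
            return "ok"
        if classify_address(self.last_user_copy) == chain:
            return "swapped"          # same chain, different address: clipper signature
        return "mismatch"
```

A wallet or hotkey helper would call `on_user_copy` on the user's copy action and refuse or warn on any verdict other than "ok" before pasting into a transaction form.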