Cyber Security Archives - Cyber Security News
https://cybersecuritynews.com/category/cyber-security/
World's #1 Premier Cybersecurity and Hacking News Portal
Thu, 20 Nov 2025 16:27:09 +0000

Critical Windows Graphics Vulnerability Lets Hackers Seize Control with a Single Image
https://cybersecuritynews.com/critical-windows-graphics-vulnerability/
Thu, 20 Nov 2025 16:26:58 +0000

The post Critical Windows Graphics Vulnerability Lets Hackers Seize Control with a Single Image appeared first on Cyber Security News.

A critical remote code execution flaw in Microsoft’s Windows Graphics Component allows attackers to seize control of systems using specially crafted JPEG images.

With a CVSS score of 9.8, this vulnerability poses a severe threat to Windows users worldwide, as it requires no user interaction for exploitation.

Discovered in May 2025 and patched by Microsoft on August 12, 2025, the issue stems from an untrusted pointer dereference in the windowscodecs.dll library, affecting core image processing functions.​

Attackers can embed the malicious JPEG in everyday files like Microsoft Office documents, enabling silent compromise when the file is opened or previewed.

This flaw highlights ongoing risks in legacy graphics handling, where seemingly innocuous image decoding can result in a complete system takeover. As Windows powers billions of devices, unpatched systems remain highly exposed to phishing campaigns or drive-by downloads.​

Zscaler ThreatLabz identified the vulnerability through targeted fuzzing of the Windows Imaging Component, focusing on JPEG encoding and decoding paths in windowscodecs.dll.

The entry point for exploitation lies in the GpReadOnlyMemoryStream::InitFile function, where manipulated buffer sizes allow attackers to control memory snapshots during file mapping.

Fuzzing revealed a crash caused by dereferencing an uninitialized pointer at jpeg_finish_compress+0xcc. Because the memory that pointer is read from can be seeded by heap spraying, the dereferenced data becomes attacker-controlled.​

Stack traces from WinDbg analysis pointed to key functions like CJpegTurboFrameEncode::HrWriteSource and CFrameEncodeBase::WriteSource, confirming the flaw in JPEG metadata encoding processes.

Because the bug needs no privileges on the target and is rated as network-reachable (a crafted image delivered remotely is enough to trigger it), it allows arbitrary code execution in the context of the application that decodes the image. Microsoft confirmed the vulnerability affects automatic image rendering in applications that rely on the Graphics Component.​

Affected Versions and Patching

The vulnerability impacts recent Windows releases, particularly those using vulnerable builds of windowscodecs.dll. Organizations must prioritize updates to mitigate risks, as exploitation could chain with other attacks for lateral movement in networks.

Product                          | Impacted Version  | Patched Version
Windows Server 2025              | 10.0.26100.4851   | 10.0.26100.4946
Windows 11 Version 24H2 (x64)    | 10.0.26100.4851   | 10.0.26100.4946
Windows 11 Version 24H2 (ARM64)  | 10.0.26100.4851   | 10.0.26100.4946
Windows Server 2025 (Core)       | 10.0.26100.4851   | 10.0.26100.4946

Exploitation Mechanics and Proof-of-Concept

Exploiting CVE-2025-50165 involves crafting a JPEG that triggers the pointer dereference during decoding, often via embedded files in Office or third-party apps.

On 64-bit systems, the published technique defeats Control Flow Guard with a Return-Oriented Programming (ROP) chain placed in sprayed heap chunks of size 0x3ef7. The chain calls VirtualAlloc to create read-write-execute memory, copies shellcode into it, and transfers execution there, giving the attacker a foothold for follow-on access.​

[Image: Windows Graphics Vulnerability Exploit]

Zscaler’s proof-of-concept demonstrates heap manipulation through an example app that allocates, frees, and processes Base64-encoded JPEGs, achieving RIP control.

While no in-the-wild exploits have been reported, the low attack complexity and wide network reach make it a prime target for ransomware or espionage operators. CFG is not enabled by default on 32-bit builds, which removes that hurdle entirely on older setups.​

Users should immediately apply the August 2025 Patch Tuesday updates via Windows Update, targeting high-value assets first. Disable automatic image previews in email clients and enforce sandboxing for untrusted files. Zscaler has implemented cloud-based protections to block exploit attempts.​

This incident underscores the perils of unpatched graphics libraries in enterprise environments, where JPEGs are ubiquitous in workflows.

As threat actors evolve tactics, timely patching remains the strongest defense against such pixel-perfect poisons. With no observed active exploitation yet, proactive measures can prevent widespread damage.​

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

CISA Warns of Google Chrome 0-Day Vulnerability Exploited in Attacks
https://cybersecuritynews.com/cisa-warns-chrome-0-day-vulnerability-exploited/
Thu, 20 Nov 2025 08:58:51 +0000

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert about a zero-day vulnerability in Google Chrome, actively exploited by threat actors.

CVE-2025-13223 is a flaw in the Chromium V8 JavaScript engine that poses significant risks to users worldwide, potentially enabling remote code execution and data breaches.

The vulnerability is a type confusion error (CWE-843): V8 treats an object as a type it is not, and the resulting out-of-bounds reads and writes corrupt heap memory. It was reported on November 12, 2025 by Clément Lecigne of Google's Threat Analysis Group and fixed in the Chrome Stable channel update released on November 17, 2025; versions before 142.0.7444.175 (Windows and Linux) and 142.0.7444.176 (Mac) are affected.

Attackers have already leveraged it in the wild, though details of the campaigns remain limited. CISA added it to its Known Exploited Vulnerabilities (KEV) catalog on November 19, 2025, requiring federal agencies to apply mitigations by December 10, 2025.

Vulnerability Breakdown and Affected Systems

This zero-day sits in V8, the JavaScript engine at the core of Chrome, which makes it a prime vector for drive-by attacks: a victim only has to load a malicious page.

While primarily affecting desktop users on Windows, macOS, and Linux, the flaw extends to Chromium-based browsers such as Microsoft Edge and Brave.

CVE ID         | Affected Products                                                                               | Impact                                        | Exploit Prerequisites                                   | CVSS Score
CVE-2025-13223 | Google Chrome before 142.0.7444.175 (Windows, Linux) / 142.0.7444.176 (Mac); Chromium-based browsers | Heap corruption leading to remote code execution | Victim renders a malicious web page; no further interaction | 8.8 (High)

No confirmed ties to ransomware exist yet, but experts warn of potential escalation in phishing and supply chain attacks.

CISA urges immediate updates to the latest Chrome version, listed in Google's release notes. Its required action for this KEV entry is the standard one: apply mitigations per vendor instructions, follow the applicable Binding Operational Directive 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
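Both this advisory and the Windows Graphics Component item above come down to the same check: is the installed build at or above the patched build? The following is an added example (not code from Cyber Security News, Microsoft, Google or Zscaler) that compares dotted version strings numerically rather than lexically, so a build such as 10.0.26100.10000 is not ranked below 10.0.26100.4946. The patched builds are those named in the two articles; the inventory, hostnames and the "different branch" handling are assumptions for illustration.

```python
"""Patch-level check for dotted version strings (added example, not vendor code)."""
from __future__ import annotations

# Patched builds as stated in the articles: the windowscodecs.dll build that
# fixes CVE-2025-50165, and the Chrome Stable release carrying the CVE-2025-13223 fix.
PATCHED = {
    "windows-26100": (10, 0, 26100, 4946),
    "chrome-win-linux": (142, 0, 7444, 175),
    "chrome-mac": (142, 0, 7444, 176),
}


def parse_version(s: str) -> tuple[int, ...]:
    """'10.0.26100.4851' -> (10, 0, 26100, 4851). Integer tuples compare
    numerically; a plain string comparison would rank '10000' below '4946'."""
    parts = s.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {s!r}")
    return tuple(int(p) for p in parts)


def is_patched(installed: str, product: str) -> bool:
    """True when the installed build is at least the patched build.

    Builds on another branch (e.g. 10.0.22631.x, Windows 11 23H2) are not in the
    advisory table; they are reported as False so they get looked at rather than
    silently passed. This branch rule is an assumption of the example."""
    have = parse_version(installed)
    want = PATCHED[product]
    if have[:3] != want[:3]:
        return False
    return have >= want


def triage(inventory: list[dict]) -> list[dict]:
    """Return the hosts that need attention, sorted by hostname."""
    findings = []
    for host in inventory:
        if not is_patched(host["version"], host["product"]):
            findings.append({**host, "status": "UNPATCHED_OR_UNKNOWN"})
    return sorted(findings, key=lambda h: h["host"])


# Constructed inventory: hostnames and builds are hypothetical.
SAMPLE_INVENTORY = [
    {"host": "srv-2025-01", "product": "windows-26100", "version": "10.0.26100.4851"},
    {"host": "srv-2025-02", "product": "windows-26100", "version": "10.0.26100.4946"},
    {"host": "wks-24h2-07", "product": "windows-26100", "version": "10.0.26100.6584"},
    {"host": "wks-23h2-03", "product": "windows-26100", "version": "10.0.22631.5768"},
    {"host": "lap-eng-11", "product": "chrome-win-linux", "version": "142.0.7444.163"},
    {"host": "lap-eng-12", "product": "chrome-mac", "version": "142.0.7444.176"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f['host']:12} {f['product']:17} {f['version']:18} {f['status']}")
```

In practice the `version` values come from the file version of windowscodecs.dll and from the browser's own version string; the point of the branch check is that a host on an unlisted branch is a question for the analyst, not a pass.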

This incident underscores the relentless pace of browser threats, especially in V8’s complex codebase. With over 3 billion users, Chrome’s dominance amplifies the stakes, as unpatched systems could fuel widespread compromises.

Security researchers highlight the need for vigilant monitoring, as zero-days like this often precede larger campaigns.

As exploitation continues, organizations should scan networks for indicators of compromise and educate users on safe browsing. Google’s swift response mitigates much of the danger, but proactive patching remains key to staying ahead of adversaries.

How to Solve Alert Overload in Your SOC
https://cybersecuritynews.com/how-to-solve-alert-overload-in-your-soc/
Wed, 19 Nov 2025 18:42:30 +0000

Your SOC generates thousands of alerts daily. Many of them are low-priority, repetitive, or false positives. On paper, this looks like a technical problem. In reality, it’s a business problem. 

Every Alert Costs 

When analysts are buried under thousands of notifications, they spend more time triaging noise than responding to real incidents. The result: slower reaction times, missed threats, staff burnout, and ballooning operational costs. 

Every wasted minute translates into a weaker security posture, potential financial loss, and reduced return on your security investments. Alert overload doesn’t just impact your SOC. 

It slows down your entire organization’s ability to respond, recover, and produce revenue.  

What Doesn’t Work 

Organizations often try to tackle alert overload by: 

  • Hiring more analysts — which increases headcount costs but doesn’t reduce the noise. 
  • Relying on strict filtering rules — which risks missing critical alerts. 
  • Adding more tools — which only multiplies data sources and dashboards. 
  • Automating without context — which accelerates the wrong decisions. 

These approaches attack the symptoms, not the cause: the lack of context around alerts. Without understanding what triggered an alert and how relevant it is, teams will always be stuck firefighting instead of investigating. 

What Works: Context Powered by Threat Intelligence 

The sustainable way to overcome alert overload is to improve alert quality through contextual threat intelligence.

When analysts can instantly enrich alerts with reliable, up-to-date data on IOCs, malware families, and infrastructure, they can prioritize faster and make confident decisions. 

This is where ANY.RUN’s Threat Intelligence Lookup comes in — a solution designed to balance the speed of investigation with data completeness, freshness, and accuracy. 

It helps teams quickly understand whether an alert is linked to a known threat, how serious it is, and whether it requires escalation. The outcome: fewer false positives, faster triage, and more efficient use of human and financial resources. 

[Image: TI Lookup search bar, used to choose query parameters]

Threat Intelligence Lookup delivers instant context for IOCs, domains, IPs, hashes, and other artifacts. The data is sourced from 15,000+ SOC environments and millions of malware analysis sessions in ANY.RUN’s Interactive Sandbox, constantly refreshed to reflect real-time global threat activity. 

Benefits for analysts: 

  • Immediate access to verified IOC data — no need to switch between platforms. 
  • Clear visual indicators of threat relevance and relationships. 
  • Faster, more accurate triage decisions. 

Benefits for business: 

  • Lower operational costs by reducing wasted analyst hours. 
  • Improved detection-to-response ratio, strengthening security ROI. 
  • More predictable and measurable SOC performance. 
Try TI Lookup and discover how faster triage turns into measurable cost savings -> Contact ANY.RUN to get 50 trial lookups 

How It Works 

Here is an example of how security teams use TI Lookup to streamline their alert workflows and decision-making. 

Suppose analysts receive an alert on a suspicious domain. TI Lookup provides an instant verdict on the potential indicator along with contextual data:  

domainName:”databap.mom” 

[Image: domain search results showing the malicious label, linked IOCs and sandbox analyses]

A quick lookup later, your team understands: 

  • The domain is an indicator of malicious activity;
  • It is associated with the Lumma stealer;
  • Lumma currently targets the US and Europe;
  • The domain has been seen in recent campaigns;
  • The linked records let analysts harvest additional IOCs;
  • Sandbox analyses of malware samples that contact this domain show the threat's behavior and TTPs.
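The enrichment step described above, as an added example that is not ANY.RUN code: alerts are deduplicated on (rule, indicator), enriched from a threat-intelligence cache, and ranked so that a known-malicious indicator with fresh sightings outranks a noisy but benign one. The cache below is constructed; only the databap.mom record mirrors the verdict the article reports, and the record shape, the scoring weights and the alert stream are invented for illustration.

```python
"""Alert enrichment and ranking with a local TI cache (added example, not ANY.RUN code)."""
from __future__ import annotations
from collections import defaultdict

# Constructed TI cache keyed by indicator. The record shape is hypothetical;
# databap.mom carries the verdict reported in the article, the rest is invented.
TI_CACHE = {
    "databap.mom": {"verdict": "malicious", "family": "Lumma", "last_seen_days": 2, "analyses": 14},
    "cdn.example.net": {"verdict": "benign", "family": None, "last_seen_days": 400, "analyses": 0},
    "203.0.113.5": {"verdict": "suspicious", "family": None, "last_seen_days": 30, "analyses": 1},
}

SEV = {"low": 1, "medium": 2, "high": 3}


def enrich(alert: dict) -> dict:
    """Attach TI context to an alert; unknown indicators get verdict 'unknown'."""
    ctx = TI_CACHE.get(alert["indicator"], {"verdict": "unknown", "family": None,
                                           "last_seen_days": None, "analyses": 0})
    return {**alert, "ti": ctx}


def score(enriched: dict) -> int:
    """0 means drop; higher means escalate sooner. The TI verdict dominates the
    rule severity, freshness and sandbox coverage add weight, and a benign
    verdict suppresses the alert even when the rule itself fired as high."""
    ti = enriched["ti"]
    if ti["verdict"] == "benign":
        return 0
    s = SEV[enriched["severity"]]
    s += {"malicious": 6, "suspicious": 3, "unknown": 0}[ti["verdict"]]
    if ti["family"]:
        s += 2                                   # attributed to a known family
    if ti["last_seen_days"] is not None and ti["last_seen_days"] <= 7:
        s += 2                                   # seen in recent campaigns
    if ti["analyses"] >= 5:
        s += 1                                   # behaviour is well documented
    return s


def triage(alerts: list[dict]) -> list[dict]:
    """Collapse duplicates on (rule, indicator), enrich once, rank by score."""
    groups: dict[tuple[str, str], list[dict]] = defaultdict(list)
    for a in alerts:
        groups[(a["rule"], a["indicator"])].append(a)
    queue = []
    for (_rule, _ind), items in groups.items():
        e = enrich(items[0])
        e["count"] = len(items)                  # how many raw alerts collapsed here
        e["score"] = score(e)
        if e["score"] > 0:
            queue.append(e)
    return sorted(queue, key=lambda e: (-e["score"], -e["count"]))


# Constructed alert stream: rules, hosts and indicators are invented.
SAMPLE_ALERTS = [
    {"rule": "dns-newly-seen-domain", "indicator": "databap.mom", "severity": "medium", "host": "wks-17"},
    {"rule": "dns-newly-seen-domain", "indicator": "databap.mom", "severity": "medium", "host": "wks-22"},
    {"rule": "proxy-large-download", "indicator": "cdn.example.net", "severity": "high", "host": "wks-03"},
    {"rule": "proxy-large-download", "indicator": "cdn.example.net", "severity": "high", "host": "wks-04"},
    {"rule": "proxy-large-download", "indicator": "cdn.example.net", "severity": "high", "host": "wks-05"},
    {"rule": "firewall-outbound-deny", "indicator": "203.0.113.5", "severity": "low", "host": "srv-08"},
    {"rule": "edr-unsigned-binary", "indicator": "updater.internal.example", "severity": "high", "host": "wks-09"},
]

if __name__ == "__main__":
    for e in triage(SAMPLE_ALERTS):
        print(f"{e['score']:>3} x{e['count']} {e['rule']:24} {e['indicator']:26} {e['ti']['verdict']}")
```

Seven raw alerts become three queue entries: the three "large download" alerts against a benign CDN disappear, the two Lumma hits merge into one top-ranked item, and the unknown indicator stays visible but below anything with a verdict.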

From Overload to Efficiency and Profitability 

When your SOC operates with context-rich data, the entire detection and response cycle accelerates. Analysts stop wasting time on noise. Decision-making becomes data-driven, not reactive. 

That directly translates to measurable business value: 

  • Reduced mean time to detect (MTTD) and respond (MTTR). 
  • Better analyst productivity without expanding the team. 
  • Tangible cost savings from automation that works with — not against — human intelligence. 

In short, eliminating alert overload isn’t just about comfort for the SOC team. It’s a strategic financial decision that strengthens resilience, reduces risk exposure, and safeguards your bottom line. 

Conclusion 

Alert overload can’t be solved by more people or more tools — only by smarter data.

By empowering your SOC with contextual threat intelligence from ANY.RUN’s Threat Intelligence Lookup, you transform chaos into clarity, alerts into insights, and effort into measurable value. 

Accelerate response, control costs, and maximize your team’s performance with TI Lookup. --> Start your trial today.  

Massive Hacking Operation WrtHug Compromises Thousands of ASUS Routers Worldwide
https://cybersecuritynews.com/wrthug-asus-routers/
Wed, 19 Nov 2025 15:58:56 +0000

A sophisticated cyber campaign known as Operation WrtHug has hijacked tens of thousands of ASUS WRT routers globally, turning them into potential espionage tools for suspected China-linked hackers.

SecurityScorecard’s STRIKE team, in collaboration with ASUS, revealed the operation on November 18, 2025, highlighting how attackers exploited outdated firmware to build a stealthy network infrastructure.

This breach underscores the rising threat to end-of-life consumer devices, with infections concentrated in Taiwan and spreading to the U.S., Russia, and Southeast Asia.​

Researchers first detected Operation WrtHug through a suspicious self-signed TLS certificate shared across compromised devices, with an unusually long validity period: issued in April 2022 and valid for 100 years.

[Image: the malicious TLS certificate]

This certificate, with SHA1 thumbprint 1894a6800dff523894eba7f31cea8d05d51032b4, appeared on 99% of affected ASUS AiCloud services, a feature meant for remote home network access but now exploited as an entry point.

[Image: router login page]

The campaign targets exclusively ASUS WRT models, many of which are end-of-life and unpatched, allowing attackers to inject commands and gain root privileges without altering the device’s outward appearance.

The operation’s scale is alarming, with estimates of 50,000 unique IP addresses involved over the past six months, based on proprietary scans and tools like Driftnet.

[Image: heatmap of infected devices]

Unlike random botnets, WrtHug shows a deliberate geographic focus, infecting 30-50% of devices in Taiwan, a pattern that aligns with geopolitical tensions. Smaller clusters hit South Korea, Japan, Hong Kong, central Europe, and the U.S., but mainland China remains largely untouched, aside from Hong Kong.

Exploited Vulnerabilities

Attackers chained six known flaws in ASUS firmware to propagate the malware, focusing on N-day exploits in AiCloud and OS command injection vectors, SecurityScorecard told Cyber Security News.

These vulnerabilities, all patched by ASUS, primarily affect outdated routers running lighttpd or Apache web servers.

The table below details the key CVEs, their impacts, and prerequisites:​

CVE ID         | Affected Products | Impact                          | Exploit Prerequisites                   | CVSS Score
CVE-2023-41345 | ASUS WRT routers  | OS command injection            | Authenticated access, token module flaw | 8.8
CVE-2023-41346 | ASUS WRT routers  | OS command injection            | Authenticated access, token module flaw | 8.8
CVE-2023-41347 | ASUS WRT routers  | OS command injection            | Authenticated access, token module flaw | 8.8
CVE-2023-41348 | ASUS WRT routers  | OS command injection            | Authenticated access, token module flaw | 8.8
CVE-2024-12912 | ASUS WRT routers  | Arbitrary command execution     | Remote access via AiCloud               | 7.2
CVE-2025-2492  | ASUS WRT routers  | Unauthorized function execution | Improper authentication control         | 9.2

These flaws link to CVE-2023-39780, a command injection bug tied to the earlier AyySSHush campaign, suggesting possible actor overlap. Seven IPs show dual compromise, hinting at coordinated efforts.

STRIKE assesses with low-to-moderate confidence that China-nexus actors are behind WrtHug, mirroring tactics seen in operational relay box (ORB) networks such as LapDogs and PolarEdge. The focus on Taiwan and the persistence on routers via SSH backdoors point to the building of espionage infrastructure.

This fits a trend of state-sponsored router hijacks, evolving from brute-force to multi-stage infections.

Targeted models include RT-AC1200HP, GT-AC5300, and DSL-AC68U, often in homes or small offices. While post-exploitation details remain unclear, the setup enables proxying C2 traffic and data exfiltration.

Indicators of Compromise

Monitoring for these IOCs can help detect infections:

Indicator Type | Value                                    | Details
SHA-1          | 1894a6800dff523894eba7f31cea8d05d51032b4 | WrtHug TLS certificate thumbprint
IPv4           | 46[.]132.187.85                          | Dual-compromised (WrtHug/AyySSHush)
IPv4           | 46[.]132.187.24                          | Dual-compromised (WrtHug/AyySSHush)
IPv4           | 221[.]43.126.86                          | Dual-compromised (WrtHug/AyySSHush)
IPv4           | 122[.]100.210.209                        | Dual-compromised (WrtHug/AyySSHush)

Additional IPs: 59.26.66[.]44, 83.188.236[.]86, 195.234.71[.]218

ASUS urges firmware updates and disabling unused features like AiCloud on supported devices. For EoL models, replacement is recommended, alongside network segmentation and TLS certificate monitoring.

Organizations should scan their router estate for the IOC certificate and patch anything listed in CISA's Known Exploited Vulnerabilities catalog.
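The certificate scan recommended above, as an added example that is not SecurityScorecard or ASUS code. It fetches the leaf certificate from a router's TLS service without validating it (the routers self-sign), compares the SHA-1 thumbprint against the IOC from the article, and separately flags any certificate whose validity span is implausibly long, which catches re-keyed variants the exact thumbprint would miss. The AiCloud port (8443), the 20-year threshold and the sample values are assumptions; scanning hosts you do not own requires authorisation.

```python
"""Scan router TLS services for the WrtHug certificate (added example, not vendor code)."""
from __future__ import annotations
import hashlib
import socket
import ssl

WRTHUG_SHA1 = "1894a6800dff523894eba7f31cea8d05d51032b4"  # IOC from the article
AICLOUD_PORT = 8443                # assumption: AiCloud is commonly exposed here
SUSPICIOUS_LIFETIME_YEARS = 20     # assumption: no legitimate leaf cert lives this long


def normalize_thumbprint(tp: str) -> str:
    """'18:94:A6:...' or '1894A6...' -> lowercase hex without separators."""
    return tp.replace(":", "").replace(" ", "").lower()


def sha1_thumbprint(der: bytes) -> str:
    """SHA-1 over the DER-encoded certificate, the form most TLS tools display."""
    return hashlib.sha1(der).hexdigest()


def lifetime_years(not_before: str, not_after: str) -> float:
    """Validity span from OpenSSL-style dates such as 'Apr 12 00:00:00 2022 GMT'."""
    start = ssl.cert_time_to_seconds(not_before)
    end = ssl.cert_time_to_seconds(not_after)
    return (end - start) / (365.25 * 86400)


def assess(der: bytes, not_before: str | None = None, not_after: str | None = None) -> dict:
    """Verdict for one certificate: exact IOC match, long-lived (suspicious), or clean."""
    tp = sha1_thumbprint(der)
    hit = tp == normalize_thumbprint(WRTHUG_SHA1)
    years = lifetime_years(not_before, not_after) if (not_before and not_after) else None
    long_lived = years is not None and years >= SUSPICIOUS_LIFETIME_YEARS
    verdict = "COMPROMISED" if hit else ("SUSPICIOUS" if long_lived else "clean")
    return {"sha1": tp, "ioc_match": hit, "lifetime_years": years, "verdict": verdict}


def fetch_der(host: str, port: int = AICLOUD_PORT, timeout: float = 5.0) -> bytes:
    """Grab the leaf certificate without validating it; routers self-sign."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def scan(hosts: list[str]) -> list[dict]:
    """Sweep a host list; connection errors are recorded rather than aborting the run."""
    results = []
    for h in hosts:
        try:
            results.append({"host": h, **assess(fetch_der(h))})
        except (OSError, ssl.SSLError) as exc:
            results.append({"host": h, "verdict": "error", "error": str(exc)})
    return results


if __name__ == "__main__":
    # Hypothetical internal management addresses; replace with your own inventory.
    for r in scan(["192.0.2.1", "192.0.2.2"]):
        print(r["host"], r["verdict"], r.get("sha1", r.get("error")))
```

With `verify_mode = CERT_NONE` Python's `getpeercert()` returns no parsed fields, so the validity dates are not available from the live fetch here; feed `assess` the dates from `openssl x509 -noout -dates` (or a parser of your choice) when you want the lifetime heuristic as well as the thumbprint match.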

As router attacks escalate in 2025, this incident highlights the need for vigilant SOHO security to thwart nation-state probing. SecurityScorecard calls for industry collaboration to counter such calculated threats.

WhatsApp Vulnerability Exposes 3.5 Billion Users’ Phone Numbers
https://cybersecuritynews.com/whatsapp-vulnerability-exposes-3-5-billion-users/
Wed, 19 Nov 2025 08:18:16 +0000

A critical security flaw in WhatsApp has allowed researchers to expose the phone numbers of 3.5 billion users, marking one of the most significant data leaks ever documented.

This vulnerability, rooted in the app’s contact discovery feature, persisted despite warnings to Meta dating back to 2017, raising serious concerns about user privacy on the world’s most popular messaging platform.​

The exploit relies on WhatsApp’s built-in mechanism for finding contacts, which reveals whether a user is on the service and public details like profile pictures and status texts when a phone number is entered.

Security researchers from the University of Vienna demonstrated the flaw by systematically querying billions of potential numbers, confirming active accounts at a rate of over 100 million per hour without any restrictions from WhatsApp.

Their study, conducted between December 2024 and April 2025, generated a comprehensive dataset using a tool called libphonegen to create realistic phone numbers across 245 countries.

By driving WhatsApp's XMPP-based protocol through a modified open-source client, the team retrieved not only phone numbers but also public encryption keys, timestamps, and public profile information (available for 56.7% of accounts).​

[Image: WhatsApp Vulnerability Exposes 3.5 Billion Users]

WhatsApp’s contact discovery tool, designed for convenience, lacks robust rate-limiting, enabling automated scraping on a massive scale. The researchers used just five authenticated accounts on a single university server to probe 63 billion potential numbers, identifying 3.5 billion active ones in under six months.
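The defence the paragraph above says was missing, as an added example that is not WhatsApp or Meta code: a server-side guard on contact-discovery lookups. It combines a per-account sliding-window budget with a hit-rate check. An enumerator walking the number space mostly asks about numbers that are not registered (the study's 3.5 billion hits among 63 billion probes is roughly a 5.5% hit rate), whereas a genuine address-book sync asks mostly about numbers that are. The thresholds, the number space and the registration density are constructed for illustration.

```python
"""Throttling contact-discovery lookups (added example, not WhatsApp/Meta code)."""
from __future__ import annotations
from collections import deque

WINDOW_SECONDS = 3600
MAX_LOOKUPS_PER_WINDOW = 5000   # assumption: ample for any real contact sync
MIN_SAMPLE_FOR_RATIO = 200      # do not judge hit rate on a tiny sample
MIN_HIT_RATE = 0.20             # assumption: real syncs hit far above this


class DiscoveryGuard:
    """Per-account sliding window over (timestamp, was_registered) events."""

    def __init__(self, registered: set[str]):
        self.registered = registered
        self.events: dict[str, deque] = {}

    def lookup(self, account: str, number: str, now: float) -> str:
        """Return 'found', 'not_found' or 'throttled' for one discovery query."""
        q = self.events.setdefault(account, deque())
        while q and now - q[0][0] >= WINDOW_SECONDS:      # expire old events
            q.popleft()
        if len(q) >= MAX_LOOKUPS_PER_WINDOW:               # hard volume cap
            return "throttled"
        if len(q) >= MIN_SAMPLE_FOR_RATIO:                 # enumeration signature:
            hits = sum(h for _, h in q)                    # mostly unregistered numbers
            if hits / len(q) < MIN_HIT_RATE:
                return "throttled"
        hit = number in self.registered
        q.append((now, hit))
        return "found" if hit else "not_found"


def simulate(guard: DiscoveryGuard, account: str, numbers: list[str],
             start: float = 0.0, spacing: float = 0.01) -> dict:
    """Run a batch of lookups spaced `spacing` seconds apart and tally outcomes."""
    tally = {"found": 0, "not_found": 0, "throttled": 0}
    for i, n in enumerate(numbers):
        tally[guard.lookup(account, n, start + i * spacing)] += 1
    return tally


# Constructed number space (fictional +1-555 prefix); 1 in 18 numbers is registered,
# roughly the 5.5% density the study observed across the numbers it probed.
ALL_NUMBERS = [f"+1555{i:07d}" for i in range(36_000)]
REGISTERED = {n for i, n in enumerate(ALL_NUMBERS) if i % 18 == 0}

if __name__ == "__main__":
    guard = DiscoveryGuard(REGISTERED)
    print("enumerator :", simulate(guard, "enumerator", ALL_NUMBERS))
    print("phone sync :", simulate(guard, "phone-sync", sorted(REGISTERED)[:300]))
```

The enumerator is cut off after the first 200 probes because only about 6% of them found an account, while a sync of 300 real contacts passes untouched. A per-account limit alone is not enough, since the study needed only five accounts; the same counters should also be kept per device and per source network.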

For 29.3% of users, “about” texts revealed sensitive details such as political views, religious affiliations, or links to other social media profiles.

Alarmingly, the study uncovered 2.9 million cases of public key reuse, including identity and prekeys, which could undermine end-to-end encryption if exploited by malicious actors using unofficial clients.

One extreme example involved 20 U.S. numbers sharing a key of all zeros, suggesting potential fraud or broken implementations.​

This vulnerability echoes earlier warnings; a researcher flagged the issue in 2017, yet Meta delayed fixes for eight years. The exposed data overlaps significantly with prior breaches, like the 2021 Facebook leak of 500 million numbers, where nearly half remained active on WhatsApp, heightening risks for scams and targeted attacks.

Users in countries banning WhatsApp, such as China, Iran, and North Korea, face amplified dangers, including state surveillance or persecution.​

Meta’s Response and Ongoing Risks

Meta acknowledged the findings through its bug bounty program in April 2025 and implemented stricter rate limits in October 2025, claiming the data was already public and messages stayed encrypted.

WhatsApp VP of Engineering Nitin Gupta stated the company was developing anti-scraping measures, and the research helped stress-test them, with no evidence of malicious exploitation found.

The researchers deleted their dataset after the study and noted that private profiles limited what could be exposed, but they criticized Meta for the fact that they met no defenses at all during the probe.​

Despite the patch, experts warn of lingering threats. Business accounts, comprising 9% of those scraped, often unwittingly expose more data via WhatsApp Business features.

The flaw highlights broader issues in enumeration attacks, where convenience features become privacy pitfalls, potentially fueling phishing, SIM-swapping, or doxxing campaigns. Cybersecurity analysts urge users to set profiles to private, avoid sharing personal details in statuses, and monitor for suspicious activity, especially post-leak.​

This incident underscores the challenges of securing platforms with billions of users, where even “public” data aggregation creates a shadow profile ecosystem.

As WhatsApp dominates messaging in regions like West Africa, where 80% of profiles were public, the risks of identity theft and cyberattacks escalate.

Scraped accounts by country, with the share of profiles exposing each public field:

Rank   | Country       | # Accounts    | Global Share | Android (%) | iOS (%) | Picture (%) | About Text (%) | Business (%) | Companions (%)
1      | India         | 749,075,246   | 21.67%       | 95          | 5       | 62.2        | 29.5           | 9.8          | 6.2
2      | Indonesia     | 235,245,077   | 6.81%        | 92          | 8       | 49.1        | 27.5           | 10.7         | 9.3
3      | Brazil        | 206,949,224   | 5.99%        | 81          | 19      | 61.1        | 41.5           | 10.3         | 15.5
4      | United States | 137,859,284   | 3.99%        | 33          | 67      | 44.0        | 32.8           | 2.4          | 6.1
5      | Russia        | 132,855,022   | 3.84%        | 76          | 24      | 61.7        | 33.5           | 3.6          | 9.4
6      | Mexico        | 128,324,166   | 3.71%        | 82          | 18      | 46.1        | 23.3           | 4.1          | 11.7
7      | Pakistan      | 98,277,665    | 2.84%        | 95          | 5       | 58.5        | 20.0           | 21.7         | 5.4
8      | Germany       | 74,565,425    | 2.16%        | 58          | 42      | 51.0        | 35.4           | 2.2          | 13.4
9      | Türkiye       | 72,131,903    | 2.09%        | 73          | 27      | 48.0        | 33.4           | 3.0          | 12.0
10     | Egypt         | 69,317,806    | 2.01%        | 90          | 10      | 53.2        | 25.1           | 11.3         | 6.1
11–245 | Others        | 1,552,021,571 | 44.90%       | 77          | 23      | 56.9        | 27.9           | 9.3          | 9.0
Global | 245 countries | 3,456,622,389 | 100.00%      | 81          | 19      | 56.7        | 29.3           | 9.0          | 8.8

Regulators may scrutinize Meta further following GDPR fines for past lapses, pushing for proactive defenses such as advanced CAPTCHA or behavioral analysis.​

Cloudflare Global Outage Breaks Internet – Major Platforms on the Internet Go Down
https://cybersecuritynews.com/cloudflare-global-outage-breaks-internet/
Tue, 18 Nov 2025 14:41:38 +0000

A widespread outage at Cloudflare, a critical internet infrastructure provider, disrupted access to numerous high-profile websites and services on November 18, 2025, causing intermittent failures across the global web.

The issue stemmed from an internal service degradation that triggered HTTP 500 errors, affecting Cloudflare’s dashboard, API, and core network services, leading to partial downtime for millions of users worldwide.​

Cloudflare first acknowledged the problem at 11:48 UTC, stating it was experiencing an internal service degradation with some services intermittently impacted, and committed to restoring functionality as quickly as possible.

By 12:03 UTC, the company was still investigating, followed by an update at 12:21 UTC noting that services were beginning to recover, though customers might see higher-than-normal error rates during remediation. At 12:37 UTC, Cloudflare confirmed it was continuing the investigation, with no full resolution announced by late afternoon UTC.

Compounding the irony, Cloudflare’s own status page became inaccessible during the peak, preventing real-time updates for affected users.​

The outage rippled across the internet, hitting platforms reliant on Cloudflare’s content delivery network (CDN), DDoS protection, and DNS services.

Social media giant X (formerly Twitter) saw patchy availability, with users reporting loading failures and error messages citing Cloudflare’s internal server issues; Downdetector logged over 11,000 reports at its height, with 61% tied to the X mobile app and 28% to the website.

AI services like OpenAI’s ChatGPT and Perplexity AI were inaccessible for many, displaying Cloudflare error pages that urged retries in a few minutes.​

Other impacted services included the design tool Canva, the music streaming service Spotify, gaming platforms such as League of Legends and Discord, the e-commerce platform Shopify, the blogging network Medium, and crypto exchanges dependent on Cloudflare's infrastructure.

Film review site Letterboxd and outage tracker Downdetector itself joined the fray, amplifying user frustration as reports surged globally. The disruptions echoed a similar Amazon Web Services outage last month, underscoring the fragility of centralized internet dependencies.​

Scheduled maintenance in datacenters like LAX (Los Angeles, 10:00-14:00 UTC), ATL (Atlanta, 07:00 UTC Nov 18 to 22:00 UTC Nov 19), SCL (Santiago, 12:00-15:00 UTC), and PPT (Tahiti, 12:00-16:00 UTC) may have exacerbated latency, with traffic rerouted potentially contributing to the chaos. Additionally, Cloudflare’s support portal faced separate issues from a third-party provider, hindering case viewing but not response handling.​

As of 6:24 PM IST, recovery efforts were ongoing according to the status page, with many sites regaining stability but lingering errors reported in regions like Europe, North America, and Asia. Cloudflare emphasized its focus on mitigation, promising further details post-resolution, while users turned to alternatives amid the digital blackout.​

On October 20, 2025, AWS experienced a prolonged disruption in its US-EAST-1 region, which is crucial for numerous applications. This outage lasted over 15 hours and affected services such as Slack, Atlassian, and Snapchat.

Following this, on October 29, Azure faced a global outage due to an inadvertent DNS configuration change. This issue impacted Azure Front Door and CDN, leading to connection timeouts and resolution problems worldwide, with critical status reported across all regions.

Cloudflare Update [Nov 18, 2025 – 14:34 UTC] – We’ve deployed a change which has restored dashboard services. We are still working to remediate broad application services impact.

Chrome Type Confusion Zero-Day Vulnerability Actively Exploited in the Wild
https://cybersecuritynews.com/chrome-type-confusion-zero-day/
Tue, 18 Nov 2025 02:31:37 +0000

Google has rushed out a critical update for its Chrome browser to address a zero-day vulnerability actively exploited in the wild, urging users to update immediately to mitigate the risk posed by sophisticated attackers.

The patch, rolled out in Chrome Stable version 142.0.7444.175 for Windows and Linux, and 142.0.7444.176 for Mac, fixes two high-severity type confusion bugs in the V8 JavaScript engine.

The most alarming is CVE-2025-13223, reported on November 12, 2025, by Clément Lecigne of Google’s Threat Analysis Group (TAG).

Google confirmed an exploit for this flaw is already circulating, potentially allowing remote attackers to execute arbitrary code on victims’ systems without interaction.

Type confusion vulnerabilities, a staple in browser exploits, occur when the V8 engine misinterprets data types, leading to memory corruption. This can enable attackers to bypass Chrome’s sandbox protections, steal sensitive information, or install malware.

The second fix, CVE-2025-13224, was identified earlier, on October 9, 2025, by Google’s internal Big Sleep fuzzing tool, which the advisory highlights as one of the company’s proactive defense layers.

TAG’s involvement suggests possible ties to advanced persistent threats (APTs), as the group often tracks state-sponsored operations using such flaws for espionage or supply chain attacks.

This incident underscores Chrome’s standing as a prime target: over 65% of browsers worldwide run its engine, which makes timely patching essential.

Google credits tools like AddressSanitizer and libFuzzer for early detection, but the rapid timeline, from report to in-the-wild use in under a week, raises questions about attribution. Users should enable automatic updates and avoid suspicious links.

Record-Breaking 15 Tbps DDoS Attack From 500,000+ Devices Hits Azure Network https://cybersecuritynews.com/ddos-attack-azure-network/ Tue, 18 Nov 2025 02:00:39 +0000

Microsoft Azure thwarted what may be the largest distributed denial-of-service (DDoS) attack ever recorded in the cloud on October 24. The attack peaked at 15.72 terabits per second (Tbps) and unleashed nearly 3.64 billion packets per second (pps), targeting a single endpoint in Australia.

Azure’s automated DDoS Protection service sprang into action, filtering out the malicious flood and ensuring zero downtime for the affected customer workloads.

The attack, which lasted several hours, originated from the notorious Aisuru botnet, a variant of the Turbo Mirai-class malware that has become a staple of the DDoS arsenal.

Aisuru primarily infects vulnerable Internet of Things (IoT) devices, such as home routers and security cameras, commandeering them into massive zombie armies.

In this case, the botnet mobilized over 500,000 unique source IP addresses spanning residential internet service providers (ISPs) across the United States and other regions.

The attack consisted of high-rate User Datagram Protocol (UDP) floods against a single public IP address, using minimal source IP spoofing and randomized ports to evade easy detection and traceback.

Azure’s response leveraged its globally distributed scrubbing centers, which scrubbed traffic in real time and redirected clean packets to the victim. “Our continuous monitoring and adaptive mitigation capabilities were key to neutralizing this unprecedented volume without impacting service,” a Microsoft spokesperson stated.

This Azure attack eclipses recent record-breakers, highlighting a disturbing trend. Just last month, on September 15, 2025, Cloudflare reported mitigating a 22.5 Tbps attack, fueled by a Mirai derivative infecting smart home devices.

Earlier in the year, in March 2025, Google Cloud defended against a 10.2 Tbps multi-vector attack originating from Asia-Pacific botnets that combined SYN floods and DNS amplification.

Going back to 2024, AWS documented an 8.9 Tbps strike on a U.S.-based e-commerce site, traced to compromised routers in Eastern Europe.

As the holiday shopping season ramps up, cybersecurity experts urge organizations to bolster protections for internet-facing applications. “Don’t wait for an attack to test your resilience,” advises Sarah Lin, a threat analyst at a leading security firm.

Regular DDoS simulations can expose vulnerabilities in operational readiness, from traffic routing to failover mechanisms. With botnets like Aisuru growing unchecked, proactive defense remains the only shield against these digital sieges.

New MobileGestalt Exploit for iOS 26.0.1 Enables Unauthorized Writes to Protected Data https://cybersecuritynews.com/mobilegestalt-exploit-ios-26-0-1/ Mon, 17 Nov 2025 11:11:07 +0000

A sandbox escape vulnerability has been disclosed that affects iPhones and iPads running iOS 16.2 beta 1 or earlier versions. The proof-of-concept (POC) exploits weaknesses in the itunesstored and bookassetd daemons, enabling attackers to modify sensitive files on the device’s Data partition, areas typically protected from unauthorized access.

Researcher Kim shared the details in a blog post on October 20, 2025, emphasizing that the findings stem from her reverse engineering efforts and urging readers to verify independently.

The vulnerability hinges on a maliciously crafted “downloads.28.sqlitedb” database, which tricks the itunesstored daemon into downloading and placing a secondary database, “BLDatabaseManager.sqlite,” into a shared system group container.

While itunesstored operates under strict sandbox limits, the subsequent stage leverages bookassetd, a daemon that handles iBooks downloads and has broader permissions.

MobileGestalt Exploit

This allows writes to mobile-owned paths like /private/var/mobile/Library/FairPlay/, /private/var/mobile/Media/, and even system caches such as /private/var/containers/Shared/SystemGroup/systemgroup.com.apple.mobilegestaltcache/Library/Caches/com.apple.MobileGestalt.plist.

In a demo on an iPhone 12 running iOS 16.0.1, Kim modified the MobileGestalt cache to spoof the device as an iPod touch (model iPod9,1), proving the exploit’s reach.

The process requires preparing the target file in a modified EPUB format, zipped without compressing the mimetype file, and hosting supporting assets like iTunesMetadata.plist on a server.

Attackers must then use tools like 3uTools or afcclient to inject the databases into /var/mobile/Media/Downloads/, followed by targeted reboots to trigger the downloads.

The expected behavior is for writes to unauthorized paths to be blocked, but the flaw permits such modifications unless the destination is root-controlled.

Kim lists numerous writable locations, including caches and media directories, potentially enabling persistence, configuration tampering, or data exfiltration.

The exploit requires physical or tethered access to place the database, but once set up, it could facilitate more sophisticated attacks on jailbroken or compromised devices.

Apple has not yet commented, and Kim notes the issue may be patched imminently. She provides basic files on GitHub for educational use, stressing that the research is for learning only and not for illegal activities.

As iOS evolves with tighter sandboxing, this POC underscores ongoing challenges in daemon isolation. Security teams should monitor for related indicators, like anomalous database entries in download logs.

Unremovable Spyware on Samsung Devices Comes Pre-installed on Galaxy Series Devices https://cybersecuritynews.com/spyware-on-samsung-devices/ Mon, 17 Nov 2025 08:05:49 +0000

Samsung has been accused of shipping budget Galaxy A and M series smartphones with pre-installed spyware that users can’t easily remove.

The software in question, AppCloud, developed by the mobile analytics firm ironSource, has been embedded in devices sold primarily in the Middle East and North Africa (MENA) region.

Security researchers and privacy advocates warn that it quietly collects sensitive user data, fueling fears of surveillance in politically volatile areas.

AppCloud tracks users’ locations, app usage patterns, and device information without seeking ongoing consent after initial setup. Even more concerning, attempts to uninstall it often fail due to its deep integration into Samsung’s One UI operating system.

Reports indicate the app reactivates automatically following software updates or factory resets, making it virtually unremovable for average users. This has sparked outrage among consumers in countries such as Egypt, Saudi Arabia, and the UAE, where affordable Galaxy models are popular entry points into Android.

The issue came to light through investigations by SMEX, a Lebanon-based digital rights group focused on MENA privacy. In a recent report, SMEX highlighted how AppCloud’s persistence could enable unauthorized third-party data harvesting, posing significant risks in regions with histories of government overreach.

“This isn’t just bloatware, it’s a surveillance enabler baked into the hardware,” said a SMEX spokesperson. The group called on Samsung to issue a global patch and disclose the full scope of data shared with ironSource.

Social media platforms have amplified the controversy, with viral posts claiming international bans on affected devices. However, official statements from Samsung and regulatory bodies like the FCC deny any such prohibitions, labeling the rumors as misinformation.

Samsung has yet to respond directly to SMEX’s allegations, but a company spokesperson reiterated its commitment to user privacy standards.
