The internet never sleeps and halts, and neither do cyber threats and its malicious actors. This week, sneaky apps tricked millions, hackers pulled off a clever email scam, and a big ransomware attack hit critical systems. Meanwhile, Google is making a massive security move, and Telegram’s CEO is caught up in legal trouble. Here’s everything you need to know about the latest in cybersecurity!

Malicious ‘Vapor’ Apps on Google Play Reach 60 Million Installs

A massive Android malware operation has been uncovered, with over 300 malicious apps downloaded 60 million times from Google Play.

The threat was exposed by IAS Threat Lab, who actually named the malware “Vapor.” After them, it was Bitdefender who expanded on their findings. Basically, these apps are disguised as useful tools like fitness trackers and QR code scanners and work in two ways–either bombarding users with ads or attempting to steal credentials and credit card information.

Google has removed the apps, but the threat actors have already shown that they can simply bypass security checks, meaning similar attacks can surface in the future. The Vapor apps were carefully designed to evade detection. The apps made themselves invisible by disabling their launcher activity and renaming themselves to appear as system applications. Some of these forced full-screen ads over other apps, and others displayed fake login screens for Facebook and YouTube, tricking users into entering credentials.

So, how can you stay protected against such threats in the future? You should avoid downloading apps from unknown developers and monitor the permissions on app requests. Also, keep an eye out for apps with hidden icons, intrusive ads, or ones that ask for sensitive information.

Phishing Scam Targets Coinbase Users with Fake Email

There’s also a new phishing scam targeting Coinbase users, tricking them into setting up wallets with a recovery phrase controlled by attackers.

The email falsely claims that Coinbase is moving to self-custodial wallets due to a lawsuit and the phishing links lead to the real Coinbase Wallet page, which is why many people do not suspect anything is wrong until it’s too late. Once they set up the fake wallet and transfers funds into it, the attackers can instantly take control.

What makes this attack even more deceptive is its ability to bypass spam filters. The email appears to come from Coinbase but actually uses an address linked to Akamai’s SendGrid service. That’s why it even passes SPF, DMARC, and DKIM security checks. Akamai has acknowledged the issue and is investigating, but the threat remains active.

Coinbase has warned users, reminding them that they will never send a recovery phrase and that any email claiming to do so is a scam. If you wish to stay safe against this and similar threats, you should make it a rule never to use a recovery phrase provided to you via email or any website.

CISA Reports Medusa Ransomware Attack on 300+ Critical Infrastructure Organisations

The FBI, CISA, and MS-ISAC have issued a joint warning, urging organizations to strengthen their defenses because Medusa ransomware has been wreaking havoc, hitting over 300 critical infrastructure organizations in the U.S. as of last month.

Medusa was originally a closed ransomware operation but has now evolved into a RaaS (Ransomware-as-a-Service) model, allowing affiliates to carry out attacks. The group recruits IABs (Initial Access Brokers) from cybercriminal forums and offers payments between $100 and $1 million for access to potential victims. They have been responsible for high-profile breaches, including an attack on Minneapolis Public Schools in 2023 and a failed $8 million ransom attempt against Toyota Financial Services. Its attacks have surged by 42% between 2023 and 2024, nearly doubling in early 2025.

Organizations should keep all software and systems updated, segment networks to prevent lateral movement and block remote access from untrusted sources. Taking these steps can reduce the risk of falling victim to one of the most aggressive ransomware threats in recent years.

New Arcane Infostealer Spreads Through YouTube and Discord Using Game Cheats

A newly identified malware called Arcane is actively stealing a vast amount of user data, including credentials for VPN accounts, gaming platforms, messaging apps, and sensitive information stored in web browsers.

Kaspersky researchers shared a report on this and confirmed that Arcane has no direct connection to the long-circulating Arcane Stealer V despite the similarity in names. It was first noticed back in November 2024 and has undergone multiple changes, including alterations to its core payload. The malware spreads through deceptive YouTube videos that promote game cheats and cracked software. Basically, the victims are tricked into downloading password-protected archives that contain an obfuscated script. When they execute it, it downloads another archive housing malicious executables.

You may become a victim of identity theft, financial fraud, and even extortion with this threat; that’s why it’s best to make it a habit to avoid downloading unauthorized software, particularly game cheats and pirated programs.

Hackers Steal $6.1 Million in Cyberattack on Blockchain Gaming Platform WEMIX

It seems threat actors have taken a liking to the gaming community because the Blockchain platform WEMIX fell victim to a cyberattack, resulting in the theft of 8,654,860 WEMIX tokens—valued at approximately $6.1 million.

The breach (which occurred on February 28, 2025) was confirmed by WEMIX CEO Kim Seok-Hwan during a press conference this week, where he explained that this was a strategic decision to protect users and prevent further financial damage. The organization did take immediate action to contain the breach and report it to law enforcement. Still, the attackers had already liquidated most of the stolen tokens, impacting the market significantly.

The hackers gained access to WEMIX by stealing authentication keys associated with NILE, the platform’s NFT service. Then, the attackers lurked in the system for two months, carefully planning their moves. When they finally acted, they attempted fifteen unauthorized withdrawals—succeeding in thirteen of them. The stolen tokens were swiftly laundered through cryptocurrency exchanges, making recovery difficult.

Cyberattacks on crypto-based ecosystems are becoming increasingly sophisticated so you should avoid storing large amounts of assets on exchange platforms and go with hardware wallets for added security.