Malicious Ads Hijack GitHub and Phone‑Cleaning Apps Leak Your Data

Microsoft uncovered a malicious ad campaign that used pirated streaming sites and multi‑layer redirects to deliver GitHub‑hosted malware, while a separate Surfshark report revealed popular phone‑cleaning apps secretly sharing extensive user data with hundreds of third‑party partners.

21CTO

Microsoft Threat Intelligence discovered a malicious advertising campaign at the end of 2024 that used pirated video streaming sites to embed malicious ad redirectors, generating pay‑per‑click revenue while delivering malware.

The redirectors route traffic through one or two additional malicious redirects, eventually leading to sites hosting malware or tech‑support scams, which then redirect to GitHub.

GitHub hosted the first‑stage payload; once installed, it drops two more payloads. One of them collects system configuration data such as memory size, graphics capabilities, screen resolution, OS version, and user paths.

The third‑stage payloads vary but commonly perform further malicious actions, including command‑and‑control communication to download additional files, data theft, and defense‑evasion techniques.

Attackers built four to five redirect layers, each immediately followed by a GitHub “injector” to install more malicious programs aimed at stealing information such as stored browser credentials.

Microsoft noted that the malicious repositories have been removed and provided extensive indicators and other valuable information to aid in tracking and stopping the activity.

Shocking: Phone cleaning apps collect and sell users’ data

A Surfshark report found that the ten most popular phone‑cleaning apps on the Apple App Store share user data with third parties.

Shared data includes user and device IDs, location, product interaction, purchase history, usage history, and more, which data brokers could use to build detailed advertising profiles.

Surfshark warned that once shared, this data may fall into the hands of hundreds of partners who can use it for their own purposes.

While experienced developers view these apps as junk, the information on how to clean iPhone and Android devices can help users avoid installing privacy‑invasive applications.

Information Security, GitHub, Malware, Ad Fraud, data leakage, mobile privacy

Written by 21CTO
