How the attack works
A sprawling cybercrime campaign is tricking Android users into giving criminals the digital keys to their accounts. According to new technical reporting, attackers plant fake ads and phishing messages that steer victims to “support” chats. Once there, they persuade targets to install a remote access or screen-sharing app. With a live view of the device, the scammers guide victims through logins and quietly harvest one-time passcodes in real time, defeating two-factor authentication that’s supposed to stop intruders. The twist: because the victim is the one typing, many banks and platforms don’t flag the session as suspicious. The result is high-speed account takeovers and quick transfers before customers realize what happened.

Why it’s hard to stop—and what helps
Traditional defenses struggle because no exploit is required: users grant the access themselves. Google has tightened policies around screen-sharing tools on Play and warns against sideloading, but fraudsters rotate apps, domains and brand names. Security teams recommend device-bound passkeys and in-app 2FA prompts that never reveal numeric codes on screen. Banks are adding “session risk” checks—pausing high-value moves if screen sharing is detected or if accessibility services are active. For consumers, red flags include unknown numbers urging urgent action, demands to install remote tools, and requests to read back authentication codes. If you’ve shared your screen with a stranger, assume compromise: revoke app permissions, change passwords, enable passkeys, and contact your bank’s fraud desk immediately. The campaign underscores a broader truth: social engineering, not software flaws, is the weakest link—and criminals are getting better at weaponizing it.