
Tushar Mehta / Android Authority
TL;DR
- Attackers are spreading CloudZ RAT via a fake ScreenConnect update that quietly installs malware.
- The malware can steal browser credentials and even pull data from Microsoft Phone Link using a plugin, putting synced phone and PC data at risk.
- If your PC is compromised, anything shared with your phone, including messages and OTPs, could be exposed. Installing software only from trusted sources is the surest way to stay safe.
Security researchers found an ongoing attack, active since January, in which hackers are installing a remote access tool called CloudZ RAT on Windows machines. It all starts in a way that barely raises suspicion. Victims are led to install what appears to be a routine ScreenConnect update, something most people wouldn’t think twice about, but it isn’t legitimate. The installer is fake; instead of updating anything, it installs a hidden program that downloads the actual malware.
Once CloudZ is up and running, it starts behaving like a typical remote access trojan. It unlocks its configuration, connects to a remote server controlled by the attacker, and waits for instructions. From there, it can begin extracting sensitive data, including saved browser credentials, without raising obvious red flags.
This is where things take a more concerning turn. The malware downloads an additional plugin, reportedly called “Pheno,” that specifically targets Phone Link. It scans the app, collects related data, and stores it in a temporary folder. CloudZ then picks up that data and sends it back to the attacker’s server. What stands out here is how a feature meant to sync your devices can expose information across them if one side is compromised.
So, the connection between your phone and PC is only as secure as the weakest link. If your computer is infected, anything shared between the two devices, including messages or one-time passwords, could be intercepted.
And no, this does not mean you need to stop using Phone Link, but it does mean you should not treat it as risk-free. The bigger takeaway here is tough to overlook: attacks like these work because they blend in with things that look completely legitimate. A fake update is often all it takes.
It helps to download software only from trusted sources and to keep real-time threat detection enabled in your antivirus software, so suspicious activity gets flagged early. If you do suspect an infection, act quickly: disconnect the affected device from the network and stop syncing it with other devices until it has been cleaned. There is no single fix that guarantees safety in cases like this, but staying cautious and aware goes a long way toward avoiding trouble in the first place.