Google is testing a new security feature as part of Android Advanced Protection Mode (AAPM) that prevents certain kinds of apps from using the accessibility services API.
The change, incorporated in Android 17 Beta 2, was first reported by Android Authority last week.
AAPM was introduced by Google in Android 16, released last year. When enabled, it causes the device to enter a heightened
Published a research report auditing how popular AI agent projects (OpenClaw, AutoGen, CrewAI, LangGraph, MetaGPT, AutoGPT, etc.) handle authorization.
Key findings:
- 93% use unscoped API keys as the only auth mechanism
- 0% have per-agent cryptographic identity
- 100% have no per-agent revocation — one agent misbehaves, rotate the key for all
- In multi-agent systems, child agents inherit full parent credentials with no scope narrowing
Real incidents included: 21k exposed OpenClaw instances leaking credentials, 492 MCP servers with zero auth, 1.5M API tokens exposed in Moltbook breach.
China's National Computer Network Emergency Response Technical Team (CNCERT) has issued a warning about the security stemming from the use of OpenClaw (formerly Clawdbot and Moltbot), an open-source and self-hosted autonomous artificial intelligence (AI) agent.
In a post shared on WeChat, CNCERT noted that the platform's "inherently weak default security configurations," coupled with its
Cybersecurity researchers have flagged a new iteration of the GlassWorm campaign that they say represents a "significant escalation" in how it propagates through the Open VSX registry.
"Instead of requiring every malicious listing to embed the loader directly, the threat actor is now abusing extensionPack and extensionDependencies to turn initially standalone-looking extensions into transitive
A suspected China-based cyber espionage operation has targeted Southeast Asian military organizations as part of a state-sponsored campaign that dates back to at least 2020.
Palo Alto Networks Unit 42 is tracking the threat activity under the moniker CL-STA-1087, where CL refers to cluster, and STA stands for state-backed motivation.
"The activity demonstrated strategic operational patience and
Meta has announced plans to discontinue support for end-to-end encryption (E2EE) for chats on Instagram after May 8, 2026.
"If you have chats that are impacted by this change, you will see instructions on how you can download any media or messages you may want to keep," the social media giant said in a help document. "If you're on an older version of Instagram, you may also need to update the
This week in scams, the Pokémon Trainer pursuit to “catch ’em all” is being hijacked by criminals posting fake trading card listings online; duping buyers, including young collectors, out of hundreds of dollars.
Meanwhile, threatening email extortion scams claiming your personal data has been stolen are flooding inboxes around the world. And a viral “wedding photo” of Tom Holland and Zendaya shows how AI-generated images can blur the line between real and fake online.
Here’s what to know.
Pokémon Card Scams Surge on Online Marketplaces
The booming market for collectible Pokémon cards has become a new target for scammers.
According to reporting from The Straits Times, Singapore police recently arrested a 25-year-old man suspected of running a series of e-commerce scams involving Pokémon trading cards. Victims reportedly lost more than $135,000 after paying for limited-edition cards that never arrived.
Authorities say the suspect allegedly advertised pre-orders for rare cards on the online marketplace Carousell. After receiving payment through bank transfers or digital payment apps, the seller either became unreachable or claimed there were delivery problems.
Police say at least 35 reports tied to the suspect have been filed since October 2025, and more broadly there have been over 600 reported Pokémon card e-commerce scams totaling more than $1.1 million in losses during that same period.
Why this matters:
Collectibles create the perfect storm for online scams. Limited releases, hype, and rising resale values make buyers feel pressure to act quickly before items “sell out.” Scammers take advantage of that urgency.
How to Stay Safe When Buying Collectibles Online
If you’re buying trading cards or other collectibles online:
Buy from authorized retailers or well-established marketplaces
Avoid sellers who require direct bank transfers or payment apps upfront
Use platforms with buyer protection or escrow payment systems
Be cautious of sellers who suddenly move the conversation to WhatsApp, Telegram, or other messaging apps
When demand spikes for a product, whether it’s sneakers, concert tickets, or Pokémon cards, scams usually follow.
The “Your Data Was Stolen” Email Extortion Scam
Another scam spreading widely right now arrives in a much more intimidating format: a threatening email claiming hackers have stolen your personal data.
According to reporting from Fox News, many people are receiving messages that claim the sender has access to their passwords, files, or financial information. The message then demands payment in Bitcoin to prevent the data from being sold on the dark web.
At first glance, these emails can feel frightening. They often use dramatic language like:
“I have your complete personal information”
“Your files and devices are compromised”
“Pay within 48 hours or your data will be leaked”
But in most cases, there’s one major problem with the claim.
There’s no proof.
Security experts note that these messages usually include no screenshots, no passwords, and no evidence of a real breach. Instead, scammers send the same message to thousands of email addresses at once, hoping a small percentage of recipients will panic and pay.
Often, the scammers obtained your email address from old data breach lists circulating online, which makes the message feel more believable.
What to Do If You Receive One of These Emails
If you receive a threatening extortion email:
Do not reply
Do not send money
Mark the message as spam or phishing
Delete it
Reporting the message helps email providers improve spam filters and prevent similar scams from reaching others.
The biggest tactic here is fear. Once you slow down and evaluate the message, the scam usually falls apart.
That Viral Tom Holland and Zendaya “Wedding Photo”? AI
A viral image circulating on social media this week claimed to show Tom Holland and Zendaya’s wedding, sparking massive speculation online.
But many viewers quickly suspected the image wasn’t real.
According to reporting on Yahoo Entertainment, the photo appeared to originate from a fan account on X (formerly Twitter) that claimed the image had been “confirmed” by major outlets like Vogue and Cosmopolitan. However, no such confirmation existed, and soon the official label was added marking the content as AI-generated.
A screenshot of the viral AI-generated image.
Celebrity rumors already spread quickly online. Add generative AI to the mix, and fabricated images can travel even faster.
While a fake celebrity wedding photo may seem harmless, the same technology can easily be used in more serious ways.
AI-generated visuals are already being used to create:
Fake celebrity endorsements
Fabricated news events
Scam ads featuring public figures
Fraudulent investment promotions
The line between real and synthetic content is getting harder to spot.
How to Spot Potential AI Images
If a viral image seems surprising or dramatic:
Check whether credible news outlets or verified accounts are reporting it
Look for visual inconsistencies in hands, text, or background details
Reverse image search the photo to see where it first appeared
Verify through official sources before sharing
When something looks shocking online, that’s often exactly why it spreads. McAfee’s built-in Scam Detector can help you spot AI-generated audio and video.
McAfee’s Safety Tips This Week
A few simple habits can help reduce your risk across all three of these scenarios:
Be cautious when buying high-demand collectibles online
Never send money in response to threatening emails
Treat viral images and breaking celebrity news with healthy skepticism
Use strong, unique passwords and enable two-factor authentication
Verify surprising claims through trusted sources before reacting
Scams today don’t always look like scams. They often look like exciting deals, urgent warnings, or AI depictions of people you trust.
The best defense is slowing down before clicking, paying, or sharing.
We’ll Be Back Next Week
From collectible card fraud to email extortion campaigns and AI-generated viral content, the tactics scammers use may change, but the strategy is the same: manipulate emotion and urgency.
Stay skeptical, verify before you trust, and we’ll be back next week with another breakdown of the scams making headlines, and what they mean for your security.
Login
