Magic Mouse: Unmasking a New Threat in the Mobile App Landscape

As we become increasingly reliant on mobile apps for every aspect of our lives–from banking to communication–mobile phones have emerged as prime targets for fraudsters, given the wealth of sensitive data they store. While India's digital-first economy is a phenomenon of rapid innovation and unprecedented access, this very initiative has exposed us to sophisticated scams that exploit mobile-first vulnerabilities.

Security researchers recently uncovered a new large-scale SMS phishing scam, dubbed ‘Magic Mouse’, which has been on a stealing spree with more than 6,00,000 credit card numbers stolen in a month! The scam poses a growing threat to consumers worldwide as it incorporates tactics and techniques used by the now-defunct Magic Cat scam of 2024 and is set to outpace its predecessor. 

The Anatomy of a Scam: A Cat and Mouse Game

The Magic Cat phishing scam, as unmasked by cybersecurity experts earlier in the year, allowed multiple scammers to send fake delivery and government notices by text message, in order to lure them onto phishing sites to harvest their payment details. 

Though the Magic Mouse scam uses the same phishing kits developed by Magic Cat, the threat actor appears to be a distinct operation. The kits used by Magic Mouse allow the operation to conduct social engineering attacks, replicate actual webpages of well-known technology firms, consumer brands, government services and delivery partners, and trick unsuspecting consumers into revealing their payment details. 

Despite the massive scale of these attacks and the vast amount of money stolen, the global law enforcement response remains limited, with tech and finance companies being hauled up for not implementing stronger safeguards that can put a stop to such scams. 

Protecting the Digital-First Economy: A Call to Vigilance

The success of a mobile scam hinges on its ability to exploit a user's trust to gain deep access to their device. Considering most of these apps request a range of permissions, miscreants capitalise on it by deploying tools that can bypass mobile app defences, leading to fraud. 

Mobile phishing scams account for up to 54 per cent of threats on iOS systems in the US, with business compromise due to mobile and cyber fraud amounting to an eye-watering $16.6 billion in 2024, according to the FBI’s Internet Crime Report.

So what is the solution? User awareness is the first and most crucial line of defence. It is recommended that individuals always scrutinise the permissions requested by any app, rely on trusted app sources and never click on suspicious links. 

Business leaders and security experts, on the other hand, need to reevaluate their organisation’s fraud prevention strategy and threat detection capabilities by considering a larger attack surface with vulnerabilities that may exist on employee, customer and third-party mobile devices. Organisations must understand that digital trust is what makes an organisation a leader in the secure digital-first economy, and it all begins with a robust mobile defence strategy.

Cybersecurity firms are offering mobile app security platforms that align with global regulatory compliance, ensuring seamless security for both Android and iOS users. Some of these platforms come with advanced solutions such as Runtime Application Self-Protection (RASP) and Extended Threat Detection and Response (XDR) that empower both businesses and individuals by detecting and preventing mobile threats in real-time, safeguarding their digital trust and protecting them from falling victim to scams.