Roblox hit with class action over alleged secret tracking of kids’ data; lawsuit claims privacy law violations and…

Roblox hit with class action over alleged secret tracking of kids’ data; lawsuit claims privacy law violations and unauthorized data sharing.

Roblox, a platform known for its popularity among children and teens, is now the focus of a class action lawsuit that accuses the company of covertly harvesting data from its youngest users.

Filed in a California federal court by plaintiffs Michael and Salena Garcia, the suit claims Roblox has been quietly monitoring players without proper consent. According to the 45-page complaint, Roblox uses hidden tracking tools to collect a wide range of data, from keystrokes and chat messages to mouse activity and search queries.

The lawsuit also alleges that the company links these interactions to individual devices using unique identifiers. This allows Roblox to build detailed behavioural profiles of players, which the plaintiffs say are used for targeted content and shared with third-party advertisers.

Roblox has been secretly collecting detailed personal data and intercepting user activity through hidden tracking code built into its site and apps, without users or their parents knowing.

> _“This data surveillance begins the moment a user visits or launches Roblox, even before account login or consent, and continues across platforms (web, iOS, Android, macOS, Windows) via persistent identifiers and fingerprinting techniques.”_
> 
> _Source: Class Action Complaint, Garcia v. Roblox Corporation, U.S. District Court, Northern District of California, 2024._

This legal move puts Roblox in the same spotlight as other tech companies facing criticism over data privacy practices affecting children. While the company promotes itself as a safe space for play and creativity, the complaint suggests a different story unfolding behind the scenes.

Kern Smith, Vice President of Global Solutions at mobile security firm Zimperium, warns that mobile security often takes a back seat in discussions about child safety online. “Parents focus heavily on what their kids are doing in the game, but the device and the app itself are also areas of concern,” he said.

“When a mobile app is widely used, it becomes a bigger target for phishing, malware, and data breaches. If a phone or tablet is compromised, it opens the door for attackers to access sensitive data or manipulate app behaviour.”

The lawsuit shows the public worry about how companies collect and use data from minors. Under federal law, including the Children’s Online Privacy Protection Act (COPPA), companies must obtain verifiable parental consent before collecting personal data from children under 13. The Garcias claim that Roblox sidesteps these requirements through silent tracking that parents never see.

For now, the case remains in the early stages, but it indicates legal pressure on platforms serving young audiences. If the court finds the claims valid, Roblox could face serious consequences, not only in the form of financial penalties but also tougher oversight of its data handling practices.

Parents concerned about their child’s digital safety are advised to monitor not only app content but also the security of the devices their kids use. Tools that offer real-time threat detection and malware protection can help reduce risks tied to invisible data collection.

Roblox Corporation has not issued a public statement in response to the lawsuit as of publication.

Roblox Lawsuit Claims Hidden Tracking Used to Monetize Kids Data

Google announced it will equip Chrome with an AI driven method to detect and block Tech Support Scam websites

Google has expressed plans to use Artificial Intelligence (AI) to stop tech support scams in Chrome.

With the launch of Chrome version 137, Google plans to use the on-device Gemini Nano large language model (LLM) to recognize and block tech support scams.

Users already have the ability to chose Enhanced Protection under **Settings > Privacy and security > Security > Safe Browsing.**

Safe Browsing settings

Google’s reasoning, and we agree, is that LLMs are fairly good at understanding and classifying the varied, complex nature of websites. Meaning that, since many malicious sites have a very short lifespan, it is more effective to learn and recognize their behavior rather than keep adding a host of domain names to a block-list (something which Google has frustrated with the introduction of Manifest V3, by the way).

Tech support scams typically follow a certain pattern that should be simple to learn:

*   They make your browser tab full screen
*   Display the number they want you to call all over the place
*   Show the visitor fake ongoing scans and alerts

These are just a few of the characteristics I’d teach the LLM. I’m not speaking for Google here. They just mention they’ll be looking at usage of the Keyboard Lock API.

On that, the Keyboard Lock API is a web technology that allows websites to “capture” keyboard input, meaning they can prevent certain key combinations (or all keys) from working as they normally do in your browser or operating system. Originally, this tool was designed for legitimate purposes, like making web games or remote desktop apps more immersive by stopping accidental key presses from interrupting the experience. But tech support scammers exploit the Keyboard Lock API to make it harder for victims to escape their scam pages. This means that when a visitor tries to close the scam page or switch to another program, nothing happens, making them feel trapped on the site. Which also makes them think their system is actually infected.

Google explains why it went for the on-device method, saying it allows them to see the threats at the same moment the users see them and in the same way the users see them.

> “We’ve found that the average malicious site exists for less than 10 minutes, so on-device protection allows us to detect and block attacks that haven’t been crawled before.”

**How it works**

When the user lands on a suspicious page, which is decided by the on-device LLM, based on specific triggers like the Keyboard Lock API, Chrome provides the LLM with the contents of the page that the user is on and queries it to extract security signals, such as the intent of the page. This information is then sent to a Safe Browsing server for a final verdict.

If Safe Browsing decides the website is malicious, Chrome will block the content and show the user a big warning screen, called an “interstitial.”

Image courtesy of Google

By making the target think their system is infected, tech support scammers try to gain remote access or obtain payment information. Google says:

> “Tech Support scams are an increasingly prevalent form of cybercrime, characterized by deceptive tactics aimed at extorting money or gaining unauthorized access to sensitive data.”

Malwarebytes’ Browser Guard data over the last month shows that 30% of the fraudulent websites we blocked through the browser extensions are tech support scams.

30% of the three fraud categories are TSS

So, it’s nice of Google to let Chrome help us take care of some of those, but Chrome is not the only browser. We’re even hearing stories from users that ran into a website telling them their Windows machine was infected while they were using the Safari browser on their iPad.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Google Chrome will use AI to block tech support scam websites 

Google on Thursday announced it's rolling out new artificial intelligence (AI)-powered countermeasures to combat scams across Chrome, Search, and Android.
The tech giant said it will begin using Gemini Nano, its on-device large language model (LLM), to improve Safe Browsing in Chrome 137 on desktops.
"The on-device approach provides instant insight on risky websites and allows us to offer

Google Rolls Out On-Device AI Protections to Detect Scams in Chrome and Android

Meta has won almost $170m in damages from Israel-based NSO Group, maker of the Pegasus spyware.

Meta has won almost $170m in damages from Israel-based NSO Group, maker of the Pegasus spyware. The ruling comes after a six-year legal case against the company after Meta accused it of misusing its servers to spy on users.

According to the original complaint against NSO Group, filed in October 2019, the spyware vendor used WhatsApp servers to send malware to around 1400 mobile phones. The purpose was to gain access to the messages on those devices, which were typically used by attorneys, journalists, human rights activists, political dissidents, diplomats, and other senior foreign government officials.

NSO Group reverse engineered WhatsApp’s software and developed its own software and servers to send messages to victims via the WhatsApp service that contained malware. That malware installed itself on the victims’ smartphones using a zero-click attack, meaning that the victim didn’t have to take any action such as opening an link or even answering a call for the compromise to happen; it was enough simply for the message to arrive.

A judge ruled in December that NSO Group had repeatedly dodged requests to provide its code for review, and granted Meta partial summary judgment over the vendor. That set up conditions for a trial to determine damages that started in late April.

NSO Group reportedly argued that Facebook lost nothing as part of the attack, arguing that it should pay the minimum amount in damages. However, the jury awarded Meta $444,719 in compensatory damages and $167,254,000 in punitive damages.

NSO Group is no stranger to controversy. The US federal government blacklisted it in 2021 for enabling foreign governments to spy on a range of people in acts of “transnational repression”. The same year, investigative website The Pegasus Project alleged that the company targeted over 180 journalists around the world. The European Data Protection Supervisor recommended an EU ban on the technology in 2022, although this has not yet happened.

The ruling drew praise from Amnesty International, which had filed a court brief as part of the case outlining the human rights implications of the attacks on Meta. The organization commented:

> “This decision should serve as a wake-up call to governments to take proactive, concrete steps to regulate the surveillance industry, to enforce safeguards on their surveillance practices, and to comprehensively ban tools that are inherently incompatible with human rights obligations and standards, such as Pegasus,”

One takeaway stands out for our readers: end-to-end encryption is important for privacy, but it is not enough on its own.

As Meta pointed out in its complaint, NSO couldn’t decrypt WhatsApp messages in transit to users because they are encrypted when they’re sent from one device and stay unreadable until they’re decrypted by the receiving device. However, that doesn’t stop someone from reading the messages after they’re decrypted by the receiving device—someone who compromises your smartphone or PC has control over all of the data on it, including those decrypted messages.

For consumers, this means applying more layer of protection in the form of regular updates, security software, and cybersecurity awareness. Never open links, files, or videos from someone you don’t know. Be skeptical even if they’re from someone you do know—we recommend checking with them over a different channel first to ensure it was really them that sent it.

In this case, even that would not have enough, because NSO Group was able to infect phones without the victim even answering the call. Attacks this sophisticated often target people with sensitive roles such as journalists, activists, and government workers. Google has an advanced protection program for people like this, while Apple launched lockdown mode for high-risk users. Facebook has its own initiative.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 WhatsApp hack: Meta wins payout over NSO Group spyware 

CBP says it has “disabled” its use of TeleMessage following reports that the app, which has not cleared the US government’s risk assessment program, was hacked.

The United States Customs and Border Protection agency confirmed on Wednesday that it uses at least one communication app made by the service TeleMessage, which creates clones of popular apps like Signal and WhatsApp with the addition of an archiving mechanism for compliance with records-retention rules.

“Following the detection of a cyber incident, CBP immediately disabled TeleMessage as a precautionary measure,” CBP spokesperson Rhonda Lawson tells WIRED. “The investigation into the scope of the breach is ongoing.”

President Donald Trump's now former national security adviser Mike Waltz was photographed last week using TeleMessage Signal during a cabinet meeting, and the photo seemed to show that he was communicating with other high-ranking officials, including Vice President JD Vance, US director of national intelligence Tulsi Gabbard, and what appears to be US secretary of state Marco Rubio.

In the days since the photo was published, TeleMessage has reportedly suffered a series of breaches that illustrate concerning security flaws. Analysis of the app's Android source code also appears to indicate fundamental flaws in the service's security scheme. As these findings emerged, TeleMessage—an Israeli company that completed an acquisition last year by the US-based company Smarsh—imposed a service pause on its products pending investigation.

“TeleMessage is investigating a potential security incident. Upon detection, we acted quickly to contain it and engaged an external cybersecurity firm to support our investigation,” a Smarsh spokesperson told WIRED in a statement on Monday. “Out of an abundance of caution, all TeleMessage services have been temporarily suspended. All other Smarsh products and services remain fully operational.”

WIRED contacted CBP about its potential use of the software after some data stolen from TeleMessage in one of the recent breaches indicated that CBP was potentially a customer.

US senator Ron Wyden called for the Department of Justice to investigate TeleMessage in a letter on Tuesday, alleging that the service is “a serious threat to US national security.” TeleMessage is a federal contractor, but the consumer apps it offers are not approved for use under the US government's Federal Risk and Authorization Management Program, or FedRAMP. In his letter, Wyden referenced that “several federal agencies” use TeleMessage, asserting that the company “sold dangerously insecure communications software to the White House and other federal agencies.”

There is still no complete public accounting of US government officials and agencies that have used the software.

Customs and Border Protection Confirms Its Use of Hacked Signal Clone TeleMessage

A new analysis of TM Signal’s source code appears to show that the app sends users’ message logs in plaintext. At least one top Trump administration official used the app.

The communication app TeleMessage Signal, used by at least one top Trump administration official to archive messages, has already reportedly suffered breaches that illustrate concerning security flaws and resulted in its parent company imposing a service pause this week pending investigation. Now, according to detailed new findings from the journalist and security researcher Micah Lee, TM Signal's archiving feature appears to fundamentally undermine Signal's flagship security guarantees, sending messages between the app and a user's message archive without end-to-end encryption, thus making users' communications accessible to TeleMessage.

Lee conducted a detailed analysis of TM Signal's Android source code to assess the app's design and security. In collaboration with 404 Media, he had previously reported on a hack of TM Signal over the weekend, which revealed some user messages and other data—a clear sign that at least some data was being sent unencrypted, or as plaintext, at least some of the time within the service. This alone would seem to contradict TeleMessage's marketing claims that TM Signal offers “End-to-End encryption from the mobile phone through to the corporate archive.” But Lee says that his latest findings show that TM Signal is not end-to-end encrypted and that the company could access the contents of users' chats.

“The fact that there are plaintext logs confirms my hypothesis,” Lee tells WIRED. “The fact that the archive server was so trivial for someone to hack, and that TM Signal had such an incredible lack of basic security, that was worse than I expected.”

TeleMessage is an Israeli company that completed its acquisition last year by the US-based digital communications archiving company Smarsh. TeleMessage is a federal contractor, but the consumer apps it offers are not approved for use under the US government's Federal Risk and Authorization Management Program, or FedRAMP.

Smarsh did not return WIRED's requests for comment about Lee's findings. The company said on Monday, “TeleMessage is investigating a potential security incident. Upon detection, we acted quickly to contain it and engaged an external cybersecurity firm to support our investigation.”

Lee's findings are likely significant for all TeleMessage users but have particular significance given that TM Signal was used by President Donald Trump's now-former national security adviser Mike Waltz. He was photographed last week using the service during a cabinet meeting, and the photo appeared to show that he was communicating with other high-ranking officials, including Vice President JD Vance, US Director of National Intelligence Tulsi Gabbard, and what appears to be US Secretary of State Marco Rubio. TM Signal is compatible with Signal and would expose messages sent in a chat with someone using TM Signal, whether all participants are using it or some are using the genuine Signal app.

Lee found that TM Signal is designed to save Signal communication data in a local database on a user's device and then send this to an archive server for long-term retention. The messages, he says, are sent directly to the archive server, seemingly as plaintext chat logs in the cases examined by Lee. Conducting the analysis, he says, “confirmed the archive server has access to plaintext chat logs.”

Data taken from the TeleMessage archive server in the hack included chat logs, usernames and plaintext passwords, and even private encryption keys.

In a letter on Tuesday, US senator Ron Wyden called for the Department of Justice to investigate TeleMessage, alleging that it is “a serious threat to US national security.”

“The government agencies that have adopted TeleMessage Archiver have chosen the worst possible option,” Wyden wrote. “They have given their users something that looks and feels like Signal, the most widely trusted secure communications app. But instead, senior government officials have been provided with a shoddy Signal knockoff that poses a number of serious security and counterintelligence threats. The security threat posed by TeleMessage Archiver is not theoretical.”

The Signal Clone Mike Waltz Was Caught Using Has Direct Access to User Chats

A relatively new app called Raw that aims to rewrite the rules of dating is the latest to trip over its coattails by exposing user data to anyone who asked for it.

Any app that hands over user data is a concern, but leaky dating apps are especially worrying given the sensitivity of the data involved. A relatively new app called Raw that aims to rewrite the rules of dating is the latest to trip over its coattails by exposing user data to…well, anyone who asked for it.

Launched in 2023, Raw is a dating app that aims to solve some of the traditional problems in online dating, including fake or egregiously touched-up photos, and ghosting (where one person goes silent on each other). The company’s app shares user locations and asks them to post daily photos of themselves to create a more authentic matching experience.

The service collects customer data including what you’d expect for a dating app, such as name, birth date, gender identity, and photos, along with your geolocation and IP address. It stores at least some of its data on servers in the US.

Its privacy policy tells people that it uses end-to-end encryption, or, according to its GenZ-speak on its consumer FAQ:

> “Your information is cloaked in encryption and guarded like a princess in a castle by our devs. We don’t sell or share your info in any way – your privacy is a promise we don’t break.”

That text is in all caps on the site so the company’s intentions must be deadly serious, but unfortunately it didn’t follow through according to TechCrunch, which did some impressive sleuthing. The news site ran a copy of the app on a virtualized Android device, which is a copy of the Android operating system running in software. It created a new user account on the app, and watched what happened when another copy of the app requested that user’s profile data. The publication saw the server return the profile data without requiring any authentication.

Like most online services, Raw answers requests for data via an application programming interface (API). This is a service designed for software (in this case, its smartphone app) to request user profile data from its servers. The app does that by sending an 11-digit user ID to an online address.

TechCrunch worked out that anyone could grab information from a profile by accessing the API in a browser, and all they need is the 11-digit user ID. They could also vacuum lots of peoples’ data _en masse_ by just changing the user ID numbers.

Raw hadn’t mentioned the issue on its site at the time of writing. CEO Marina Anderson told TechCrunch that the issue had been resolved and that regulators had been notified. The news site also reported that she hadn’t arranged for a third-party audit for the app.

The company has ambitions beyond better matches. It is planning to release a wearable device called the Raw Ring, with sensors that read wearers’ vital signs and an audio tracker that listens to them. Raw is marketing the Black Mirror-esque device as an anti-infidelity tool that “analyzes voice and emotional cues for changes that tell the real story”. The sign-up button to register your interest in the device urges you to “Join the Flirt-Free Zone”.

This idea gives us the chills even without the data leak, as there’s a long, dark history of surveillance tech online that those in controlling relationships can use to monitor their partners. Not only that, there are also many cases of such apps exposing peoples’ sensitive data.

The Raw Ring, which stores its data in the cloud, promises end-to-end data encryption, although the TechCrunch story gives us pause. We wonder how many people will wear this willingly after the company’s technological faux-pas?

We mailed Anderson and Raw with these and other questions. If they reply we’ll update this story.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 &#8220;Your privacy is a promise we don&#8217;t break&#8221;: Dating app Raw exposes sensitive user data 

Google has patched 47 Android vulnerabilities in its May update, including an actively exploited FreeType vulnerability.

Google has patched 47 vulnerabilities in Android, including one actively exploited zero-day vulnerability in its May 2025 Android Security Bulletin.

Zero-days are vulnerabilities that are exploited before vendors have a chance to patch them—often before they even know about them.

The May updates are available for Android 13, 14, and 15. Android vendors are notified of all issues at least a month before publication, however, this doesn’t always mean that the patches are available for all devices immediately.

You can find your device’s Android version number, security update level, and Google Play system level in your Settings app. You’ll get notifications when updates are available for you, but you can also check for them yourself.

For most phones it works like this: Under **About phone** or **About device** you can tap on **Software updates** to check if there are new updates available for your device, although there may be slight differences based on the brand, type, and Android version of your device.

If your Android phone shows patch level 2025-05-05 or later then you can consider the issues as fixed. The difference with patch level 2025-05-01 is that the higher level provides all the fixes from the first batch and security patches for closed-source third-party and kernel subcomponents, which may not necessarily apply to all Android devices.

Keeping your device as up to date as possible protects you from known vulnerabilities and helps you to stay safe.

**The zero-day**

The actively exploited zero-day patched with this update was flagged by Facebook in March and found in the FreeType library. FreeType is an open-source software library that Android devices use to display text by rendering fonts. In essence, it turns font files into the letters and characters that you see on your screen. It is designed to be small, fast, and flexible, supporting many font formats and used widely across billions of devices and applications.

The vulnerability, tracked as CVE-2025-27363, allows attackers to execute remote code (RCE) by exploiting how FreeType processes certain TrueType GX and variable font files. Because FreeType mishandles values in the device’s memory, it creates an out-of-bounds write vulnerability. When a program accesses memory outside its allocated area—either by reading or writing beyond the bounds—it can cause crashes, run arbitrary code, or expose sensitive information. This happens when the data size exceeds the allocated memory, when data writes target incorrect memory locations, or when the program miscalculates data size or position.

FreeType versions newer than 2.13.0 fix this vulnerability. Since FreeType operates as a native library embedded within system components that render fonts, typical Android users cannot easily check which version their device uses. Therefore, the best defense is to install the latest system updates and run active anti-malware protection.

Facebook warned that attackers “may have exploited the vulnerability in the wild,” and Google confirmed the vulnerability “may be under limited, targeted exploitation,” though neither disclosed further details.

It’s reasonable to assume that simply opening a document or app containing a malicious font could compromise your device—without requiring any additional user action or permissions.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Android fixes 47 vulnerabilities, including one zero-day. Update as soon as you can! 

Google has released its monthly security updates for Android with fixes for 46 security flaws, including one vulnerability that it said has been exploited in the wild.
The vulnerability in question is CVE-2025-27363 (CVSS score: 8.1), a high-severity flaw in the System component that could lead to local code execution without requiring any additional execution privileges.
"The most severe of

Google Fixes Actively Exploited Android System Flaw in May 2025 Security Update

TM SGNL, a chat app by US-Israeli firm TeleMessage used by Trump officials, halts operations after a breach…

TM SGNL, a chat app by US-Israeli firm TeleMessage used by Trump officials, halts operations after a breach exposed messages and backend data.

A data breach has exposed security flaws and sensitive information in TM SGNL, a chat app developed by the Israeli-US company TeleMessage. The firm is known for providing modified versions of encrypted messaging apps such as Signal, WhatsApp, Telegram, and WeChat, to the US government.

This alleged breach, first reported by 404 Media, involved a hacker gaining access to archived messages, including direct and group chats. As a result, the company has temporarily suspended its operation.

The hack raises serious concerns about the security of communications at the highest levels of the US government, particularly as former National Security Advisor Mike Waltz was recently seen using TM SGNL during a cabinet meeting with President Trump.

This sparked immediate scrutiny since unlike Signal, TM SGNL is not available on public app stores. At the time of writing, TeleMessage’s official website remains online, but all references to the app, its services, and related activity have been removed.

Reportedly, Smarsh, TeleMessage’s corporate owner, is currently rebranding the service as Capture Mobile. However, the Wayback Machine shows the website’s archive pages and installation guide for both iOS and Android devices.

****The Hacker Remains Anonymous****

The hacker, who remains anonymous, claimed to have breached TeleMessage’s backend infrastructure in a mere “15-20 minutes,” highlighting the ease of access. The stolen data includes message contents, contact information of government officials, usernames and passwords for TeleMessage’s backend panel, and indications of client agencies and companies.

The companies include Customs and Border Protection (CBP) and cryptocurrency giant Coinbase. However, it was confirmed that the hacker did not obtain messages from Trump cabinet officials or Waltz himself.

Internal screenshot from the TeleMessage app which the hacker shared with 404 Media

****Analysis Reveals Critical Flaws in TM SGNL****

Software engineer Micah Lee, who managed to analyse the app’s source code uncovered serious vulnerabilities, including hardcoded credentials. While the nature of the hardcoded credentials was not specified, their presence indicates a serious security flaw.

Furthermore, TeleMessage modifies Signal to add message archiving capabilities, a feature likely used by government officials for record-keeping compliance. However, this modification involves storing decrypted messages on a cloud server, creating a potential security risk.

The main issue is that messages are only encrypted within the app and not end-to-end secured during archiving. They are decrypted and stored in plaintext on TeleMessage’s servers, which are vulnerable to unauthorized access.

The hacker confirmed that the breached server was the same Amazon Web Services (AWS) server used for message archiving, confirming the vulnerability.

A Signal spokesperson reiterated that the company “cannot guarantee the privacy or security properties of unofficial versions of Signal,” further emphasizing the risks associated with modified apps like TM SGNL

The incident highlights the continued use of apps like Signal and TM SGNL by government officials, despite the availability of secure communication systems, raising questions about their choice and the risky assumptions they make about smartphone app security. It also highlights the need for a thorough reassessment of government officials’ communication tools, particularly those involving sensitive information and record-keeping regulations.

Tag

#android