Mallory

Surge in Android Malware and Pre-Installed Threats Targeting Mobile Users

Tags: Android threats, malware, mobile security, adware, Android, sensitive apps, botnet, spyware, pre-installed, budget smartphones, SMS-based, unauthorized access, device integrity, AppCloud, credential theft
Updated December 16, 2025 at 07:01 PM (3 sources)


Multiple security researchers have reported a significant escalation in Android-targeted threats, including the discovery of new malware families, pre-installed trojans, and spyware on both counterfeit and budget smartphones. The Triada trojan continues to be found pre-installed on counterfeit Android devices, granting attackers full device control and enabling credential theft, botnet enrollment, and unauthorized access to sensitive apps. In parallel, certain budget Samsung phones have reportedly shipped with an unremovable system app, AppCloud, described as spyware that collects sensitive user data and cannot be removed without voiding the warranty. These findings highlight the persistent risks associated with purchasing devices from untrusted sources and the growing sophistication of supply chain threats.

The overall threat landscape for Android users has intensified in 2025, with a marked increase in malware, adware, and potentially unwanted program (PUP) detections. Attackers are shifting from nuisance apps to more covert tools capable of harvesting data, intercepting messages, and facilitating account takeovers. The rise in SMS-based attacks and the integration of advanced capabilities, such as one-time passcode theft, underscore the need for heightened vigilance and robust mobile security practices. Security experts emphasize the importance of verifying device integrity, using only official firmware, and implementing strict security policies to mitigate these evolving threats.


Related Stories

Emergence of Sturnus Android Banking Malware and General Mobile Spyware Threats

A new Android banking malware named **Sturnus** has been identified by security researchers, exploiting Android’s accessibility features to stealthily monitor user activity, intercept chats, and recreate fake banking app interfaces to steal sensitive financial data. The malware is distributed via malicious APK files outside the Google Play Store and can prevent its own uninstallation, raising the risk for users who sideload apps. Google has stated that no apps containing Sturnus have been found on the Play Store and that Google Play Protect provides automatic protection against known variants, but users are still advised to exercise caution when installing apps from untrusted sources. More broadly, spyware remains a significant threat to mobile device users, with various forms capable of tracking, recording, and stealing data from both iOS and Android phones. Spyware can be disguised as legitimate applications or delivered through phishing, and may include nuisanceware that focuses on ad revenue or more dangerous variants like stalkerware. Users are encouraged to watch for unusual device behavior, unknown apps, or data spikes, and to use antivirus tools, keep devices updated, and avoid untrusted app sources to mitigate these risks.

3 months ago
Surge in Mobile Malware Activity and Targeted Threats in Q4 2025

A significant increase in mobile malware activity was observed in Q4 2025, with Doctor Web reporting that adware trojans such as Android.MobiDash and Android.HiddenAds remained the most prevalent threats, though their detection rates declined. Conversely, banking trojans, particularly from the Android.Banker family, saw a 65.52% rise in activity, targeting users by intercepting SMS one-time codes and mimicking legitimate banking apps. The review also highlighted the widespread use of unwanted software like CloudInject, which adds dangerous permissions and obfuscated code to apps, as well as riskware programs modified with NP Manager. Additionally, Doctor Web identified new threats such as the Android.Backdoor.Baohuo.1.origin, distributed via modified Telegram X apps to steal credentials, and the unique Trojan.ChimeraWire, which manipulates website popularity metrics. Globally, India experienced a 38% year-over-year increase in mobile malware attacks, accounting for 26% of all mobile malware traffic worldwide, according to Zscaler. Hundreds of malicious apps, many disguised as productivity tools, infiltrated trusted platforms like the Google Play Store, with over 42 million downloads. Attackers focused on high-value industries, with retail, hospitality, and manufacturing sectors being primary targets. The escalation in Android malware transactions and the strategic targeting of consumer-facing and operations-heavy environments underscore the evolving tactics of threat actors and the growing risks to mobile device users and organizations worldwide.

2 months ago
Android Mobile Malware Campaigns Targeting SMS/OTP and Identity Data

Multiple reports highlight evolving **Android** threats that abuse SMS/telephony access and advanced evasion to enable fraud, surveillance, and account takeover. CloudSEK described a shift from repackaged apps to **runtime manipulation** using the *LSPosed* framework, where a malicious module (e.g., **Digital Lutera**) hooks `SmsManager` and `TelephonyManager` to undermine India’s **UPI SIM-binding** controls. The technique can intercept registration tokens and 2FA, spoof device identity/phone number, and exfiltrate data to **Telegram**; it also uses **Socket.IO** for real-time C2 and can remotely inject fabricated SMS entries into the device’s “Sent” database to make bank backends believe a SIM is present on a different device, enabling scalable payment fraud and account takeover. Separately, Acronis TRU (reported by Hackread) identified a **fake Red Alert** rocket-warning app distributed via SMS lures impersonating Israel’s Home Front Command; the trojanized app displays legitimate alerts to reduce suspicion while requesting extensive permissions to steal **GPS location**, **SMS/OTP**, contacts, installed-app inventory, and on-device account details, then exfiltrates data to a remote server, including via **certificate spoofing** and UI tricks to appear Play Store-installed. Zimperium reported a new Android RAT, **SurxRAT**, that can download and run **LLM modules** from third-party repositories to automate phishing and social engineering and to interact with apps/UI for credential theft and data exfiltration, reinforcing the need for behavior-based mobile detection, tighter app controls, and stronger integrity enforcement (e.g., *Play Integrity API* with `MEETS_STRONG_INTEGRITY`) where applicable.
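The story closes by recommending integrity enforcement such as the Play Integrity API with `MEETS_STRONG_INTEGRITY`. The following is an added example, not code from the original page or from Google, of what that enforcement looks like on a bank's backend: it assumes the integrity token has already been decrypted and signature-checked through Google's server-side decode step and operates on the resulting JSON verdict. The package name `com.example.bank`, the nonce, and both sample verdicts are constructed for illustration; the field names follow the documented decoded-token layout (classic request with a caller-supplied nonce).

```python
"""Server-side policy check on a decoded Play Integrity verdict.

Added example (not the page's or Google's code). Assumes the token was already
decrypted and verified; this code only decides whether a sensitive action such
as SIM-binding registration or OTP-backed login may proceed.
"""
import json
from dataclasses import dataclass

# Device verdict labels as documented for the Play Integrity API.
BASIC = "MEETS_BASIC_INTEGRITY"
DEVICE = "MEETS_DEVICE_INTEGRITY"
STRONG = "MEETS_STRONG_INTEGRITY"


@dataclass(frozen=True)
class IntegrityDecision:
    allowed: bool
    reason: str


def evaluate_verdict(payload: dict, expected_package: str, expected_nonce: str,
                     require_strong: bool = True) -> IntegrityDecision:
    """Return whether the calling device/app may perform the sensitive action.

    A rooted or runtime-hooked device (the LSPosed case in the story) generally
    does not receive MEETS_DEVICE_INTEGRITY or MEETS_STRONG_INTEGRITY, so
    requiring the strong label is the control that blocks it server-side.
    """
    req = payload.get("requestDetails", {})
    if req.get("requestPackageName") != expected_package:
        return IntegrityDecision(False, "package name mismatch")
    # The nonce binds the verdict to this exact request and defeats replay of
    # a verdict captured from a clean device.
    if req.get("nonce") != expected_nonce:
        return IntegrityDecision(False, "nonce mismatch (possible replay)")

    app = payload.get("appIntegrity", {})
    if app.get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        return IntegrityDecision(False, "app not recognized by Play (repackaged or sideloaded)")

    labels = set(payload.get("deviceIntegrity", {}).get("deviceRecognitionVerdict", []))
    needed = STRONG if require_strong else DEVICE
    if needed not in labels:
        return IntegrityDecision(False, f"device verdict lacks {needed}: {sorted(labels)}")

    return IntegrityDecision(True, "integrity verdict satisfied")


# Constructed sample: a genuine, Play-installed app on a strongly attested device.
GOOD_VERDICT = json.loads("""{
  "requestDetails": {"requestPackageName": "com.example.bank", "nonce": "abc123",
                     "timestampMillis": "1700000000000"},
  "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED", "packageName": "com.example.bank"},
  "deviceIntegrity": {"deviceRecognitionVerdict":
      ["MEETS_BASIC_INTEGRITY", "MEETS_DEVICE_INTEGRITY", "MEETS_STRONG_INTEGRITY"]},
  "accountDetails": {"appLicensingVerdict": "LICENSED"}
}""")

# Constructed sample: the same app on a device that only passes basic checks,
# which is the typical outcome for a rooted or hooked handset.
WEAK_VERDICT = json.loads("""{
  "requestDetails": {"requestPackageName": "com.example.bank", "nonce": "abc123",
                     "timestampMillis": "1700000000000"},
  "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED", "packageName": "com.example.bank"},
  "deviceIntegrity": {"deviceRecognitionVerdict": ["MEETS_BASIC_INTEGRITY"]},
  "accountDetails": {"appLicensingVerdict": "LICENSED"}
}""")


if __name__ == "__main__":
    for name, verdict in (("good", GOOD_VERDICT), ("weak", WEAK_VERDICT)):
        decision = evaluate_verdict(verdict, "com.example.bank", "abc123")
        print(f"{name}: allowed={decision.allowed} ({decision.reason})")
```

The `require_strong` switch exists because the strong label depends on hardware-backed attestation that older devices cannot provide; a deployment that keeps `MEETS_STRONG_INTEGRITY` mandatory only for the highest-risk operations (new-device SIM binding, payee changes) and accepts `MEETS_DEVICE_INTEGRITY` for routine logins is the usual compromise. Logging the `reason` string gives the SOC a detection signal for fleets of devices that suddenly fail the strong check.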

1 week ago
