Surge in Android Malware and Pre-Installed Threats Targeting Mobile Users
Multiple security researchers have reported a significant escalation in Android-targeted threats, including the discovery of new malware families, pre-installed trojans, and spyware on both counterfeit and budget smartphones. The Triada trojan continues to be found pre-installed on counterfeit Android devices, granting attackers full device control and enabling credential theft, botnet enrollment, and unauthorized access to sensitive apps. In parallel, certain budget Samsung phones have reportedly shipped with an unremovable system app, AppCloud, described as spyware that collects sensitive user data and cannot be removed without voiding the warranty. These findings highlight the persistent risks associated with purchasing devices from untrusted sources and the growing sophistication of supply chain threats.
The overall threat landscape for Android users has intensified in 2025, with a marked increase in malware, adware, and potentially unwanted program (PUP) detections. Attackers are shifting from nuisance apps to more covert tools capable of harvesting data, intercepting messages, and facilitating account takeovers. The rise in SMS-based attacks and the integration of advanced capabilities, such as one-time passcode theft, underscore the need for heightened vigilance and robust mobile security practices. Security experts emphasize the importance of verifying device integrity, using only official firmware, and implementing strict security policies to mitigate these evolving threats.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Mobile threat reporting shows Android attacks escalated in 2025
Security reporting on 2025 Android activity found sharp growth in adware, potentially unwanted programs, malware, phishing apps, OTP stealers, and predatory finance apps. The reporting also noted a resurgence of older threats such as Triada alongside more organized attack toolkits targeting credentials, messages, and financial data.
Researchers warn budget Samsung phones ship with hidden AppCloud software
Researchers reported that some budget Samsung A-series and M-series phones were shipping with a hidden system app called AppCloud that users could not remove without voiding the warranty. The software was characterized as spyware and raised concerns about collection of sensitive user data.
Triada persists as a pre-installed threat on counterfeit Android phones
By 2025, the Triada Android Trojan was being observed pre-installed on counterfeit or fake smartphones, giving attackers deep control over infected devices and access to sensitive data. The malware could also enroll compromised phones into a botnet, underscoring supply-chain risks in untrusted Android devices.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Pre-Installed “Triada” Trojan Underscores Risks of Counterfeit Android Devices
zimperium.com
Open sourceBudget Samsung Phones Shipped with “Unremovable Spyware,” Researchers Warn
zimperium.com
Open sourceAndroid threats in 2025: When your phone becomes the main attack surface
malwarebytes.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Emergence of Sturnus Android Banking Malware and General Mobile Spyware Threats
A new Android banking malware named **Sturnus** has been identified by security researchers, exploiting Android’s accessibility features to stealthily monitor user activity, intercept chats, and recreate fake banking app interfaces to steal sensitive financial data. The malware is distributed via malicious APK files outside the Google Play Store and can prevent its own uninstallation, raising the risk for users who sideload apps. Google has stated that no apps containing Sturnus have been found on the Play Store and that Google Play Protect provides automatic protection against known variants, but users are still advised to exercise caution when installing apps from untrusted sources. More broadly, spyware remains a significant threat to mobile device users, with various forms capable of tracking, recording, and stealing data from both iOS and Android phones. Spyware can be disguised as legitimate applications or delivered through phishing, and may include nuisanceware that focuses on ad revenue or more dangerous variants like stalkerware. Users are encouraged to watch for unusual device behavior, unknown apps, or data spikes, and to use antivirus tools, keep devices updated, and avoid untrusted app sources to mitigate these risks.
Mar 21, 2026
Surge in Mobile Malware Activity and Targeted Threats in Q4 2025
A significant increase in mobile malware activity was observed in Q4 2025, with Doctor Web reporting that adware trojans such as Android.MobiDash and Android.HiddenAds remained the most prevalent threats, though their detection rates declined. Conversely, banking trojans, particularly from the Android.Banker family, saw a 65.52% rise in activity, targeting users by intercepting SMS one-time codes and mimicking legitimate banking apps. The review also highlighted the widespread use of unwanted software like CloudInject, which adds dangerous permissions and obfuscated code to apps, as well as riskware programs modified with NP Manager. Additionally, Doctor Web identified new threats such as the Android.Backdoor.Baohuo.1.origin, distributed via modified Telegram X apps to steal credentials, and the unique Trojan.ChimeraWire, which manipulates website popularity metrics. Globally, India experienced a 38% year-over-year increase in mobile malware attacks, accounting for 26% of all mobile malware traffic worldwide, according to Zscaler. Hundreds of malicious apps, many disguised as productivity tools, infiltrated trusted platforms like the Google Play Store, with over 42 million downloads. Attackers focused on high-value industries, with retail, hospitality, and manufacturing sectors being primary targets. The escalation in Android malware transactions and the strategic targeting of consumer-facing and operations-heavy environments underscore the evolving tactics of threat actors and the growing risks to mobile device users and organizations worldwide.
Mar 21, 2026
Android Mobile Malware Campaigns Targeting SMS/OTP and Identity Data
Multiple reports highlight evolving **Android** threats that abuse SMS/telephony access and advanced evasion to enable fraud, surveillance, and account takeover. CloudSEK described a shift from repackaged apps to **runtime manipulation** using the *LSPosed* framework, where a malicious module (e.g., **Digital Lutera**) hooks `SmsManager` and `TelephonyManager` to undermine India’s **UPI SIM-binding** controls. The technique can intercept registration tokens and 2FA, spoof device identity/phone number, and exfiltrate data to **Telegram**; it also uses **Socket.IO** for real-time C2 and can remotely inject fabricated SMS entries into the device’s “Sent” database to make bank backends believe a SIM is present on a different device, enabling scalable payment fraud and account takeover. Separately, Acronis TRU (reported by Hackread) identified a **fake Red Alert** rocket-warning app distributed via SMS lures impersonating Israel’s Home Front Command; the trojanized app displays legitimate alerts to reduce suspicion while requesting extensive permissions to steal **GPS location**, **SMS/OTP**, contacts, installed-app inventory, and on-device account details, then exfiltrates data to a remote server, including via **certificate spoofing** and UI tricks to appear Play Store-installed. Zimperium reported a new Android RAT, **SurxRAT**, that can download and run **LLM modules** from third-party repositories to automate phishing and social engineering and to interact with apps/UI for credential theft and data exfiltration, reinforcing the need for behavior-based mobile detection, tighter app controls, and stronger integrity enforcement (e.g., *Play Integrity API* with `MEETS_STRONG_INTEGRITY`) where applicable.
Mar 21, 2026