Android Sideloading Campaigns Spread Asin Spyware and Banking Malware via Fake Apps
Researchers reported multiple Android-focused campaigns that rely on sideloaded apps from fraudulent websites, social media, and messaging channels rather than exploits in official app stores. ESET identified a previously undocumented spyware family, Asin, distributed since early 2025 through fake sites impersonating a government news outlet, a PDF tool, and a conflict-mapping service. The apps offered decoy functionality while covertly collecting data in the background, and victims had to manually install APKs and approve permissions; samples were linked to domains including c-pdf[.]net and syriadefensemap[.]com, with activity still observed into 2026 on Xiaomi Redmi Note 13 Pro-series devices running Android 15.
A separate mobile threat trend used unofficial IPTV and football streaming apps to target users seeking pirated broadcasts in Spain and Italy, especially around major matches such as the UEFA Champions League final. ThreatFabric said apps masquerading as services like RojaDirecta were used to deliver banking malware including Massiv and Perseus, sometimes hidden inside functional apps with tools such as Zombinder. Once installed, the malware could abuse Accessibility Services for credential theft, MFA bypass, remote control, and full device takeover, underscoring how attackers are exploiting user demand for news, utilities, war tracking, and free sports streams to compromise Android devices.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Asin campaign remains active into 2026 with new samples and device evidence
ESET found evidence that the Asin spyware operation continued into 2026, including samples tied to domains such as c-pdf[.]net and syriadefensemap[.]com. Researchers also identified detections on Xiaomi Redmi Note 13 Pro-series devices running Android 15, including apps masquerading as Syria Defense Map.
Asin Android spyware campaigns first observed targeting Arabic-speaking users
ESET reported that the previously undocumented Android spyware family Asin was first observed in early 2025 targeting Arabic-speaking users. The malware was distributed through fake websites impersonating a government news source, a PDF utility, and a war-mapping service, with some sites promoted via Facebook and Telegram.
Researchers observe malicious IPTV app surge in Spain before Champions League final
Before the recent UEFA Champions League final between PSG and Arsenal, researchers observed a noticeable increase in unofficial IPTV Android apps in Spain carrying malware, including apps masquerading as RojaDirecta. Similar campaigns were also tracked in Italy, with attackers relying on users to sideload pirated streaming apps from websites, ads, and social media.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Android Spyware Asin Targets Arabic Users via Fake News, PDF and War Map Apps
thehackernews.com
Open sourceAndroid Spyware ‘Asin’ Uses Fake News and Utility Apps to Target Arabic-Speaking Users - CySecurity News - Latest Information Security and Hacking Incidents
cysecurity.news
Open sourceOwn Goal? Piracy as an Attack Vector to Target Football Fans - Malware News - Malware Analysis, News and Indicators
malware.news
Open sourceOwn Goal? Piracy as an Attack Vector to Target Football Fans
threatfabric.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Android Malware and Spyware Campaigns Using Trusted Platforms and Social Engineering Lures
Two separate Android-focused threat operations were reported, both relying on social engineering to drive manual installation of malicious apps. Bitdefender documented a campaign that abuses **Hugging Face** as a trusted hosting/CDN distribution point for an Android credential-stealing payload targeting popular financial and payment services. Victims are lured into installing a dropper app named **TrustBastion** via scareware-style ads; after installation it displays a fake Google Play “mandatory update” flow, then contacts infrastructure associated with `trustbastion[.]com` which redirects to a Hugging Face dataset repository hosting the final APK. The actor used **server-side polymorphism** to generate new payload variants roughly every 15 minutes, resulting in thousands of variants and rapid repository churn (reported as >6,000 commits over ~29 days); after takedown, the operation reportedly resurfaced under a new name (“**Premium Club**”) with refreshed branding. ESET separately identified an Android spyware campaign tracked as **GhostChat** that uses **romance-scam** tactics to target individuals in Pakistan. The malicious app is disguised as a chat/dating service but primarily functions as a surveillance tool; it presents “locked” female profiles with passcodes (hardcoded in the app) to create a sense of exclusivity, then routes victims into WhatsApp chats tied to Pakistani numbers likely controlled by the operator. The app was distributed via unofficial sources (not Google Play) and is blocked by Google Play Protect by default; ESET also linked the same actor to a broader surveillance effort including a **ClickFix** compromise chain and a WhatsApp device-linking attack, using websites impersonating Pakistani government organizations as lures.
Mar 21, 2026
Android RAT Campaigns Use CraxsRAT, Klopatra, and SpyNote to Hijack Devices
Multiple Android malware operations have been documented using remote access trojans to seize control of victims’ phones, steal sensitive data, and support financial fraud. Reporting on **CraxsRAT** describes a malware family built to give operators broad device access, while separate research identified **Klopatra**, an Android RAT disguised as the IPTV and VPN app **“Modpro IP TV + VPN,”** infecting more than 3,000 devices in Europe and enabling hidden remote control through a black-screen VNC feature. Klopatra also supports banking overlay attacks, gesture simulation, clipboard theft, keystroke capture, and screen monitoring, allowing attackers to conduct credential theft and fraudulent transactions while the device appears inactive. A third investigation found attackers targeting high-value individuals in South Asia with Android malware built on **SpyNote**, delivered through WhatsApp under multiple app names and tied to shared command-and-control infrastructure. That malware was designed to hide itself after installation and collect location data, contacts, SMS messages, call records, device information, files, screenshots, and keystrokes, particularly when accessibility permissions were granted. Across the reported cases, the malware showed strong evasion and persistence features, including obfuscation, anti-debugging, emulator detection, and attempts to disable security tools, underscoring how modern Android RATs are being adapted for espionage, credential theft, and banking abuse.
Jun 5, 2026
Perseus Android Malware Steals Secrets from Note-Taking Apps via Fake Streaming APKs
**Perseus** is a newly reported Android banking trojan distributed through fake **IPTV/streaming apps** sideloaded from unofficial sources, with observed targeting focused on **Turkey** and **Italy**. Researchers said the malware enables broad device compromise, including **overlay attacks**, credential theft, keylogging, screenshot capture, and near real-time monitoring of user activity. The malware is linked to older Android banking malware lineage, with ThreatFabric reporting that it appears to build on the **Phoenix** codebase derived from the leaked **Cerberus** family. A notable capability is Perseus's deliberate targeting of **note-taking applications** such as *Google Keep*, *Evernote*, and *Simple Notes* to extract stored content that may include passwords, financial information, and crypto recovery phrases. The campaign uses users' familiarity with sideloading piracy-related streaming apps to reduce suspicion, and one lure cited was **Roja Directa TV**. Researchers also reported that the dropper can bypass **Android 13+** sideloading restrictions and resembles infrastructure previously used to deliver other Android malware families, while an English-language variant showed more refined debugging and logging features, suggesting ongoing development and operational maturity.
Mar 20, 2026