Adware, Trojans and Crypto Theft Lead Q2 Threats

A series of malicious apps and stealthy spyware is targeting Android users worldwide, with new data showing how cybercriminals keep finding ways to slip threats onto devices and even official app stores.

According to new findings from Dr.Web Security Space, adware is still the most common threat on mobile devices, but what is noticeable this time is how attackers keep finding new tricks to spread it.

Adware Still Tops the Charts

Adware trojans continued to dominate, led by the Android.HiddenAds family. Although detections dropped by just over 80%, HiddenAds variants are still the most active group, often masquerading as harmless apps and vanishing from home screens once installed. Android.MobiDash adware trojans saw a jump of over 11%, showing that intrusive ads are still a reliable money maker for threat actors, according to Dr.Web’s report.

Fake Apps Fraud

Android.FakeApp malware ranked third on the threat list, with activity dropping by a quarter. These malicious apps frequently pose as finance tools, games or utilities but instead redirect users to gambling or phishing sites. Fake finance apps tricked Turkish- and French-speaking users, promising easy income control or investment advice while silently pushing them to fraudulent sites.

Banking Trojans Make a Comeback

While some banking trojans like Android.BankBot and Android.SpyMax declined, Android.Banker surged by over 70% compared to the previous quarter. This spike highlights how cybercriminals keep targeting financial data with new variants, despite global awareness campaigns urging users to stick to official app stores.

Crypto Theft Hidden in Firmware

One of the most alarming revelations is a large-scale crypto theft campaign discovered in April. Attackers slipped a trojan named Android.Clipper.31 into a modified version of WhatsApp and even embedded it in the firmware of low-cost Android phones.

This trojan secretly swaps legitimate crypto wallet addresses for the attackers’ own and sends user images to a remote server, hunting for wallet seed phrases hidden in screenshots or photos.

Spyware Targets Military Personnel

Another concerning discovery, made by Dr.Web and reported by Hackread.com in April 2025, was spyware hidden inside a fake version of Alpine Quest, a mapping app. Distributed through a bogus Telegram channel and a local app catalogue, Android.Spy.1292.origin was designed to gather sensitive data from Russian military personnel, including location files, messages and phone book contacts.

Threats Found on Google Play

Despite tighter controls, Dr.Web’s researchers continue to find dozens of malicious or unwanted apps on Google Play (the Apple App Store is not a secure place either). Recent finds include adware modules disguised in cryptocurrency news apps and finance-themed fake apps that redirect users to shady sites instead of offering any real service.

This new wave of threats shows that Android’s open nature still makes it a favourite target for criminals pushing ads, spyware and banking malware. Even official app stores are not completely safe, so users must keep their devices protected with up-to-date security software and stay cautious with any new app, no matter how harmless it appears.



