Malware Attacks on Android Devices Surge in Q2, Driven by Banking Trojans and Spyware
Dr.Web Security Space for mobile devices reported that malware activity on Android devices increased significantly in the second quarter of 2025.
Adware trojans, particularly from the Android.HiddenAds family, remained the most prevalent threat, despite an 8.62% decrease in user encounters.
These trojans often disguise themselves as harmless apps or hide within system directories, concealing their presence by removing icons from the home screen.
Closely following, Android.MobiDash adware trojans saw an 11.17% increase in attack frequency, embedding intrusive ad-displaying modules into applications.
Meanwhile, Android.FakeApp malicious programs, often used in fraudulent schemes like loading online casino sites, ranked third, though their detection dropped by 25.17%.
A significant concern was the sharp 73.15% rise in Android.Banker banking trojan activity compared to the previous quarter, highlighting a growing risk to users’ financial security.
However, other banking trojan families, such as Android.BankBot and Android.SpyMax, saw declines of 37.19% and 19.14%, respectively, indicating a shift in malicious focus.
Cryptocurrency Theft
April marked the emergence of highly sophisticated threats targeting specific user groups.
Dr.Web analysts uncovered a large-scale cryptocurrency theft campaign involving Android.Clipper.31, a trojan embedded in modified WhatsApp versions and pre-installed in the firmware of certain budget Android smartphones.
This malware intercepts messages in the messenger app, swaps legitimate Tron and Ethereum crypto wallet addresses with fraudulent ones, and disguises the substitution to deceive users.
Additionally, it uploads images in jpg, png, and jpeg formats to remote servers to extract mnemonic phrases for victims’ wallets, posing a severe risk to cryptocurrency holders.
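The address-swapping behaviour described above can be checked for from the defender's side by comparing the text a user composed with the text that actually left the device. The following is an added example, not code from Dr.Web or the report; the address patterns and sample messages are constructed for illustration and match format only, not checksums or on-chain existence.

```python
import re
from typing import NamedTuple

# Format-only patterns for the two chains the report names (assumptions:
# Ethereum = 0x + 40 hex chars, Tron = T + 33 base58 chars).
ETH_RE = re.compile(r"\b0x[0-9a-fA-F]{40}\b")
TRON_RE = re.compile(r"\bT[1-9A-HJ-NP-Za-km-z]{33}\b")


class Substitution(NamedTuple):
    chain: str
    original: str  # empty string when an address was injected
    replaced: str  # empty string when an address was dropped


def extract_addresses(text: str) -> dict:
    """Return wallet addresses found in a message, keyed by chain, in order."""
    return {"ethereum": ETH_RE.findall(text), "tron": TRON_RE.findall(text)}


def detect_substitution(composed: str, delivered: str) -> list:
    """Report every wallet address that differs between the composed and the
    delivered message, including addresses that were added or removed."""
    before, after = extract_addresses(composed), extract_addresses(delivered)
    found = []
    for chain in before:
        for orig, repl in zip(before[chain], after[chain]):
            if orig != repl:
                found.append(Substitution(chain, orig, repl))
        for extra in after[chain][len(before[chain]):]:
            found.append(Substitution(chain, "", extra))
        for missing in before[chain][len(after[chain]):]:
            found.append(Substitution(chain, missing, ""))
    return found


# Constructed sample messages: the delivered copy carries swapped addresses.
ETH_GOOD, ETH_BAD = "0x" + "a1b2c3d4" * 5, "0x" + "deadbeef" * 5
TRON_GOOD, TRON_BAD = "T" + "AbcDef123456789" * 2 + "Abc", "T" + "Zzz" * 11
COMPOSED = f"ETH to {ETH_GOOD}, TRX to {TRON_GOOD}, thanks"
DELIVERED = f"ETH to {ETH_BAD}, TRX to {TRON_BAD}, thanks"

if __name__ == "__main__":
    for hit in detect_substitution(COMPOSED, DELIVERED):
        print(f"{hit.chain}: {hit.original or '<none>'} -> {hit.replaced or '<none>'}")
```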
Simultaneously, a spyware campaign targeted Russian military personnel through Android.Spy.1292.origin, hidden in a modified Alpine Quest mapping app and distributed via fake Telegram channels and app catalogs.
This trojan exfiltrates sensitive data, including user accounts, contacts, geolocation, and files, with a particular focus on confidential documents and location logs from messengers, demonstrating the strategic intent behind such attacks.
Google Play Threats
The proliferation of threats on Google Play continued to escalate, with Dr.Web detecting dozens of malicious apps, including Android.FakeApp variants posing as financial tools and games.
Examples include Android.FakeApp.1863, disguised as “TPAO” targeting Turkish users, and Android.FakeApp.1859, marketed as “Quantum MindPro” for French-speaking audiences, both loading fraudulent websites.
Fake games like “Pino Bounce” (Android.FakeApp.1840) redirected users to online casinos, while adware like Adware.Adpush.21912, hidden in “Coin News Promax,” displayed deceptive notifications leading to malicious links.
These incidents underscore the persistent challenge of securing official app stores. Dr.Web also identified various unwanted software, such as Program.FakeMoney.11, which lures users with false promises of earnings, and riskware tools like Tool.SilentInstaller.14.origin, capable of launching APK files without installation.
To safeguard Android devices, experts strongly recommend deploying robust anti-virus solutions like Dr.Web for Android, emphasizing proactive protection against this evolving threat landscape.
As cybercriminals refine their tactics, user vigilance and advanced security measures remain critical to mitigating risks.