Malware Surge Hits Android: Adware, Trojans and Crypto Theft Lead Q2 Threats

A concerning trend has emerged in mobile security, as a variety of malicious applications and stealthy spyware continue to target Android users globally. Recent findings from Dr.Web Security Space reveal that cybercriminals keep finding new ways to infiltrate devices, including through apps distributed in official app stores.

Adware Still Tops the Charts

Adware remains the predominant threat on mobile devices, with the Android.HiddenAds family leading the charge. Although detections have decreased by over 80%, variants of HiddenAds remain the most active, often disguising themselves as innocuous applications and disappearing from home screens post-installation. Meanwhile, the Android.MobiDash adware trojans have seen a notable increase of over 11%, underscoring the ongoing profitability of intrusive advertisements for cybercriminals, as highlighted in Dr.Web’s report.

Fake Apps Fraud

Ranking third on the threat list is the Android.FakeApp malware, which has experienced a 25% decline in activity. These deceptive applications frequently masquerade as finance tools, games, or utilities, only to redirect users to gambling or phishing websites. In particular, fake finance apps have targeted Turkish and French-speaking users, luring them with promises of effortless income management or investment guidance while covertly directing them to fraudulent platforms.

Banking Trojans Make a Comeback

While some banking trojans like Android.BankBot and Android.SpyMax have seen a decline, the Android.Banker variant has surged by over 70% compared to the previous quarter. This increase highlights the persistent efforts of cybercriminals to exploit financial data with new variants, despite ongoing global awareness campaigns encouraging users to utilize only official app stores.

Crypto Theft Hidden in Firmware

One of the more alarming discoveries involves a large-scale crypto theft operation identified in April. Attackers managed to embed a trojan named Android.Clipper.31 within a modified version of WhatsApp and even integrated it into the firmware of low-cost Android devices. This trojan operates by secretly replacing legitimate cryptocurrency wallet addresses with those of the attackers, while also transmitting user images to a remote server in search of wallet seed phrases concealed within screenshots or photographs.

Spyware Targets Military Personnel

Another troubling finding reported by Dr.Web and Hackread.com in April 2025 is the presence of spyware concealed within a counterfeit version of the Alpine Quest mapping application. Distributed via a fraudulent Telegram channel and a local app catalog, Android.Spy.1292.origin is specifically designed to collect sensitive information from Russian military personnel, including location data, messages, and contact lists.

Threats Found on Google Play

Despite enhanced security measures, researchers at Dr.Web continue to uncover numerous malicious or unwanted applications on Google Play (the Apple App Store is not immune either). Recent discoveries include adware modules camouflaged as cryptocurrency news applications and finance-themed fake apps that mislead users to dubious websites instead of providing legitimate services.

This ongoing wave of threats illustrates that the open nature of Android continues to attract criminals intent on distributing ads, spyware, and banking malware. Even official app stores cannot guarantee complete safety, so users need to protect their devices with up-to-date security software and exercise caution when downloading new applications, however harmless they appear.

AppWizard