According to a recent report by cloud security firm Zscaler, the Android ecosystem has witnessed a troubling surge in malicious applications, with hundreds of harmful apps downloaded over 40 million times from Google Play between June 2024 and May 2025. This alarming trend coincides with a 67% year-over-year increase in malware targeting mobile devices, particularly in the forms of spyware and banking trojans.
Telemetry data indicates a significant shift in tactics among cybercriminals, moving from traditional card fraud to more sophisticated mobile payment exploitation. Techniques such as phishing, smishing, SIM-swapping, and payment scams are now prevalent, reflecting a broader trend towards social engineering attacks. Zscaler attributes this shift to enhanced security measures, including chip-and-PIN technology and the growing adoption of mobile payment systems.
“To execute these attacks, cybercriminals are deploying phishing trojans and malicious applications specifically designed to capture sensitive financial information and login credentials,” Zscaler explains. The report highlights a notable increase in banking malware, which has reached 4.89 million transactions in 2025. However, the growth rate has slowed to 3%, a significant decline from the previous year’s 29% increase.
In terms of malicious applications, Zscaler’s findings reveal a rise from 200 malware apps discovered last year to 239 this year, which collectively amassed 42 million downloads. A particularly striking trend is the emergence of adware as the most significant threat within the Android ecosystem, now accounting for approximately 69% of all detections—nearly double the figure from the previous year. The notorious Joker info-stealer, which dominated with 38% last year, has now fallen to second place with a mere 23% share.
Spyware has also seen a dramatic increase, soaring by 220% year-over-year, with families such as SpyNote, SpyLoan, and BadBazaar leading the charge in surveillance, extortion, and identity theft. Geographically, India, the United States, and Canada are the most affected, accounting for 55% of all attacks. Notably, there have been staggering spikes in attacks targeting Italy and Israel, with increases ranging from 800% to 4000% year-over-year.
Highlighted malware
Zscaler’s annual report identifies three malware families that have significantly impacted Android users. The first is Anatsa, a banking trojan that frequently infiltrates Google Play through productivity and utility apps, achieving hundreds of thousands of downloads each time. Since its discovery in 2020, Anatsa has evolved continuously, with its latest variant capable of stealing data from over 831 financial institutions and cryptocurrency platforms, expanding its reach to countries like Germany and South Korea.
The second malware of concern is Android Void (Vo1d), a backdoor malware that targets Android TV boxes. This malware has infected at least 1.6 million devices running outdated Android Open Source Project (AOSP) versions, predominantly in India and Brazil.
Lastly, Xnotice, a new Android remote access trojan (RAT), has emerged, particularly targeting job seekers in the oil and gas sector, especially in Iran and Arabic-speaking regions. Xnotice spreads through applications disguised as job application or exam registration tools, often distributed via fraudulent employment portals. This malware seeks to capture banking credentials through overlays, multi-factor authentication (MFA) codes, and SMS messages, while also possessing the capability to take screenshots.
To mitigate the risks posed by Android malware, even those found on Google Play, users are encouraged to implement several security measures. These include applying security updates regularly, trusting only reputable publishers, disabling unnecessary Accessibility permissions, avoiding the download of non-essential apps, and conducting routine Play Protect scans.
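The capabilities attributed to Xnotice above (overlays, SMS and MFA-code capture) and the advice to disable unnecessary Accessibility permissions map onto a small set of manifest-level requests that a reviewer can check before an app is approved or installed. The script below is an added example, not Zscaler's tooling or any code from the report: it parses an AndroidManifest.xml, lists the permissions associated with those behaviours, detects services bound with the Accessibility-service permission, and rates the combination. Both manifests are constructed for illustration, and the package and service names in them are hypothetical.

```python
"""Static triage of an Android manifest for the permission profile used by
overlay/SMS-stealing banking trojans. Added example; manifests are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"

# uses-permission entries worth flagging, with the capability each grants.
RISKY_PERMISSIONS = {
    "android.permission.RECEIVE_SMS": "intercept incoming SMS (MFA codes)",
    "android.permission.READ_SMS": "read stored SMS (MFA codes)",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw overlays on top of other apps",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install further packages",
}
SMS_PERMS = ("android.permission.RECEIVE_SMS", "android.permission.READ_SMS")
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"
# A <service> guarded by this permission is an Accessibility service, which
# can read on-screen content and inject input once the user enables it.
ACCESSIBILITY_SERVICE_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def triage_manifest(xml_text: str) -> dict:
    """Return flagged permissions, Accessibility services and a verdict."""
    root = ET.fromstring(xml_text)
    requested = {el.get(NAME_ATTR) for el in root.iter("uses-permission")}
    findings = {p: why for p, why in RISKY_PERMISSIONS.items() if p in requested}
    accessibility = [
        svc.get(NAME_ATTR)
        for svc in root.iter("service")
        if svc.get(PERM_ATTR) == ACCESSIBILITY_SERVICE_PERM
    ]
    has_sms = any(p in requested for p in SMS_PERMS)
    has_overlay = OVERLAY_PERM in requested
    # SMS access + overlay + Accessibility service together is the classic
    # banking-trojan profile; two of the three still merit a manual look.
    score = int(has_sms) + int(has_overlay) + int(bool(accessibility))
    verdict = {3: "high", 2: "medium"}.get(score, "low")
    return {
        "risky_permissions": findings,
        "accessibility_services": accessibility,
        "verdict": verdict,
    }


# Constructed sample resembling a "job registration" app with the full profile.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.jobregistration">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <application>
        <service android:name=".ScreenHelper"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

# Constructed sample of an ordinary network-only app for comparison.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <application>
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""

if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = triage_manifest(manifest)
        print(f"{label}: verdict={result['verdict']}")
        for perm, why in result["risky_permissions"].items():
            print(f"  {perm}: {why}")
        for svc in result["accessibility_services"]:
            print(f"  accessibility service: {svc}")
```

The check is deliberately coarse: a legitimate SMS client or screen-reader will trip individual rules, so the verdict is a triage signal for review, not a block decision. The same rules can be run over a manifest extracted with `aapt dump xmltree` or a decompiler, and the Accessibility check is the one most worth automating since that is the permission the mitigation list above singles out.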
Additionally, Zscaler’s report highlights trends concerning IoT devices, noting that routers remain the most targeted this year. Cybercriminals have exploited command injection vulnerabilities to incorporate routers into botnets or repurpose them as proxies for malware delivery. The majority of IoT attacks occurred in the U.S., followed by Hong Kong, Germany, India, and China, indicating a broader geographical targeting of devices.
To bolster defenses against these threats, Zscaler recommends that organizations adopt zero-trust technology for critical networks and enhance the security of IoT and cellular gateways by monitoring for anomalies and implementing protections at the firmware level. Furthermore, mobile endpoint defenses should include monitoring SIM-level traffic for irregularities, safeguarding against phishing attacks, and enforcing strict application control policies.