malicious Android apps

AppWizard
November 5, 2025
Recent investigations have identified a series of malicious Android applications that spy on users by extracting messages from WhatsApp and Signal and recording conversations without consent. One such app, WaveChat, can record surrounding audio in the background even while the user is not actively using the app. These apps deploy a remote access trojan (RAT) called VajraSpy and primarily target users in India and Pakistan; only about 1,400 downloads were recorded. A total of 12 spyware apps were identified, six of which were available on the Google Play Store: Privee Talk, MeetMe, Let's Chat, Quick Chat, Rafaqat رفاق, and Chit Chat. Users are advised to review app permissions carefully and to install applications only from reputable sources. ESET researchers also discovered two spyware apps posing as the Android Signal app and targeting users in the United Arab Emirates. One malicious app traded on the popularity of a Pakistani cricket player, who is not involved in the malicious activity. The development of these spyware apps is attributed to the Patchwork APT group.
AppWizard
October 30, 2025
Researchers at Zimperium's zLabs have identified over 760 malicious Android applications that abuse Near Field Communication (NFC) and Host Card Emulation (HCE) to steal payment data and carry out fraudulent transactions. Since April 2024 these applications have grown into a coordinated global operation targeting financial institutions in countries including Russia, Poland, the Czech Republic, Slovakia, and Brazil. The threat actors run around 70 command-and-control servers and use Telegram bots for data exfiltration. The malicious apps impersonate about 20 legitimate entities, mostly Russian banks but also international brands such as Santander and Google Pay. They compromise payment credentials in several ways, including "scanner" components that read a victim's card data over NFC and "tapper" components that replay it at payment terminals, and present simplified interfaces that mimic legitimate banking portals. The malware registers a Host Card Emulation service that activates during NFC payment events and relays the transaction data in real time. To evade detection, the threat actors use name masquerading, code obfuscation, and software packing. This campaign is a significant escalation in NFC-based financial fraud and highlights the risk of granting NFC and payment-related privileges to untrusted apps.
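The technical core of the summary above is that the malware registers an HCE service so the phone answers a payment terminal's APDUs on the attacker's behalf. As an added example (not zLabs' code, and not taken from the campaign), the following Python triage script reads a decoded AndroidManifest.xml and its host-apdu-service resource, as produced by apktool, and reports which services register for HOST_APDU_SERVICE, whether they are guarded by BIND_NFC_SERVICE as the NFC stack requires, and which payment AIDs they claim. The package name, service name and resource names in the sample inputs are constructed; the AID values are the well-known Visa and Mastercard application identifiers.

```python
"""Triage a decoded AndroidManifest.xml and its host-apdu-service resource for HCE indicators.
Constructed example: the package, service and resource names below are made up."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
HCE_ACTION = "android.nfc.cardemulation.action.HOST_APDU_SERVICE"
HCE_METADATA = "android.nfc.cardemulation.host_apdu_service"
BIND_NFC_SERVICE = "android.permission.BIND_NFC_SERVICE"

# Constructed manifest of a hypothetical impersonation app ("com.example.fakebank").
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fakebank">
  <uses-permission android:name="android.permission.NFC"/>
  <application android:label="Example Bank">
    <service android:name=".SyncService" android:exported="false"/>
    <service android:name=".RelayHceService" android:exported="true"
             android:permission="android.permission.BIND_NFC_SERVICE">
      <intent-filter>
        <action android:name="android.nfc.cardemulation.action.HOST_APDU_SERVICE"/>
      </intent-filter>
      <meta-data android:name="android.nfc.cardemulation.host_apdu_service"
                 android:resource="@xml/apduservice"/>
    </service>
  </application>
</manifest>
"""

# Constructed res/xml/apduservice.xml; the AIDs are the public Visa and Mastercard identifiers.
SAMPLE_APDU_SERVICE = """
<host-apdu-service xmlns:android="http://schemas.android.com/apk/res/android"
    android:description="@string/service_desc" android:requireDeviceUnlock="false">
  <aid-group android:description="@string/aid_group" android:category="payment">
    <aid-filter android:name="A0000000031010"/>
    <aid-filter android:name="A0000000041010"/>
  </aid-group>
</host-apdu-service>
"""


def _attr(elem, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def find_hce_services(manifest_xml: str) -> list:
    """Return every <service> that registers for HOST_APDU_SERVICE, with the details an analyst needs."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for service in root.iter("service"):
        actions = {_attr(a, "name") for a in service.iter("action")}
        if HCE_ACTION not in actions:
            continue
        metadata = {_attr(m, "name"): _attr(m, "resource") for m in service.iter("meta-data")}
        findings.append({
            "service": _attr(service, "name"),
            "exported": _attr(service, "exported") == "true",
            # The NFC stack only binds HCE services protected by BIND_NFC_SERVICE
            "bind_permission_ok": _attr(service, "permission") == BIND_NFC_SERVICE,
            "apdu_resource": metadata.get(HCE_METADATA),
        })
    return findings


def payment_aids(apdu_service_xml: str) -> list:
    """List the AIDs the app asks the NFC stack to route to it in the 'payment' category."""
    root = ET.fromstring(apdu_service_xml)
    aids = []
    for group in root.iter("aid-group"):
        if _attr(group, "category") == "payment":
            aids.extend(_attr(f, "name") for f in group.iter("aid-filter"))
    return aids


def requires_device_unlock(apdu_service_xml: str) -> bool:
    """False means the service will answer a terminal even on a locked phone."""
    root = ET.fromstring(apdu_service_xml)
    return _attr(root, "requireDeviceUnlock") == "true"


if __name__ == "__main__":
    for hit in find_hce_services(SAMPLE_MANIFEST):
        print(hit)
    print("payment AIDs:", payment_aids(SAMPLE_APDU_SERVICE))
    print("requires unlock:", requires_device_unlock(SAMPLE_APDU_SERVICE))
```

A legitimate wallet app declares exactly the same elements, so a hit here is a triage indicator to correlate with the impersonation signals the summary describes (a bank's name in the label on an unrelated package, an unfamiliar signing certificate, Telegram-based exfiltration), not a verdict on its own.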
AppWizard
September 17, 2025
A mobile ad fraud operation called "SlopAds" infiltrated the Google Play Store with 224 malicious applications that collectively reached over 38 million downloads across 228 countries. The operation used steganography and layered obfuscation to deliver its fraud payload while avoiding detection. SlopAds activated its fraud logic selectively, only for installs that arrived through specific advertising campaigns, and generated around 2.3 billion fraudulent bid requests per day, primarily from the United States (30%), India (10%), and Brazil (7%). The apps used Firebase Remote Config to retrieve an encrypted configuration that pointed to the primary fraud module, "FatModule", which was concealed inside PNG image files so that it could pass conventional scanning. FatModule included anti-analysis features to frustrate security researchers. Google has since removed all identified SlopAds applications from the Play Store and added Google Play Protect coverage for them.
AppWizard
September 17, 2025
Researchers from HUMAN's Satori Threat Intelligence and Research Team discovered a digital advertising fraud operation called "SlopAds" involving 224 Android applications with over 38 million downloads across 228 countries. SlopAds uses a multi-layered obfuscation strategy to deploy fraud modules that siphon ad revenue: the applications fetch an encrypted configuration from Firebase Remote Config; the decrypted configuration yields URLs of PNG images that each carry a fragment of an APK, and the fragments are reassembled on the device into the core fraud component, FatModule. SlopAds generated approximately 2.3 billion bid requests daily, mostly for users in the United States (30%), India (10%), and Brazil (7%). Google Play Protect warns users about and blocks known SlopAds applications, and Google has removed them from the Play Store. Users who installed these apps from off-market sources remain exposed until they uninstall them.
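Both SlopAds summaries above describe the same delivery chain: APK fragments hidden in PNG files, fetched by URL and stitched back together on the device. As an added example (not HUMAN's code and not the SlopAds code), the following Python parses the PNG chunk structure, carves the data an image decoder ignores, reassembles the fragments in order and checks for the ZIP magic that every APK starts with. The two hiding spots it handles (a private ancillary chunk and bytes appended after IEND) are common steganographic choices; the page does not say which technique SlopAds used, so they are assumptions, as are the chunk name "prVt" and the stand-in APK built inline.

```python
"""Carve APK fragments hidden in PNG files and reassemble them.
Constructed example: both hiding spots (a private ancillary chunk and bytes appended
after IEND) are assumptions, not a description of the SlopAds format."""
import io
import struct
import zipfile
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
ZIP_MAGIC = b"PK\x03\x04"
# Chunk types defined by the PNG specification; anything else deserves a second look.
STANDARD_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tEXt", b"zTXt", b"iTXt",
                   b"gAMA", b"cHRM", b"sRGB", b"iCCP", b"bKGD", b"pHYs", b"sBIT",
                   b"tIME", b"tRNS", b"hIST", b"sPLT"}


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Encode one chunk: big-endian length, 4-byte type, data, CRC-32 over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_png(hidden_chunk: bytes = b"", trailer: bytes = b"") -> bytes:
    """Minimal valid 1x1 RGB PNG; decoders ignore the private chunk and the trailer."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit, truecolour
    idat = zlib.compress(b"\x00\x00\x00\x00")             # filter byte + one black pixel
    png = PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat)
    if hidden_chunk:
        png += _chunk(b"prVt", hidden_chunk)  # lowercase first letter = ancillary, so decoders skip it
    return png + _chunk(b"IEND", b"") + trailer


def carve_png(data: bytes) -> dict:
    """Walk the chunk list; return non-standard chunks, CRC mismatches and bytes after IEND."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    odd_chunks, bad_crc = [], []
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):          # truncated chunk: stop rather than mis-parse
            break
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:end])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            bad_crc.append(ctype)
        if ctype not in STANDARD_CHUNKS:
            odd_chunks.append((ctype, body))
        pos = end
        if ctype == b"IEND":
            break
    return {"odd_chunks": odd_chunks, "bad_crc": bad_crc, "trailer": data[pos:]}


def reassemble(pngs: list) -> bytes:
    """Concatenate carved fragments in the order the config lists the images."""
    blob = b""
    for png in pngs:
        carved = carve_png(png)
        blob += b"".join(body for _, body in carved["odd_chunks"]) + carved["trailer"]
    return blob


def split_into_pngs(payload: bytes) -> list:
    """Hide a payload across two images: first half in a private chunk, second half after IEND."""
    half = len(payload) // 2
    return [make_png(hidden_chunk=payload[:half]), make_png(trailer=payload[half:])]


def recovered_apk_members(pngs: list) -> list:
    """Reassemble, confirm the ZIP magic every APK starts with, and list the archive entries."""
    blob = reassemble(pngs)
    if not blob.startswith(ZIP_MAGIC):
        return []
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        return z.namelist()


def demo() -> list:
    """Build a constructed stand-in APK (a zip with a placeholder classes.dex) and round-trip it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 32)
    return recovered_apk_members(split_into_pngs(buf.getvalue()))


if __name__ == "__main__":
    print(demo())  # ['classes.dex']
```

Run against real samples, the useful signals are a non-standard chunk type, a CRC that does not match (a sign the chunk was written by something other than an image library) and any bytes past IEND; a reassembled blob that begins with the ZIP magic and lists a classes.dex is the image-to-APK chain the researchers describe.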
AppWizard
August 25, 2025
Zscaler's ThreatLabz team discovered 77 malicious Android applications on Google Play that collectively garnered over 19 million downloads. The Anatsa (also known as TeaBot) banking trojan was the most significant threat, having expanded to target 831 banking and cryptocurrency apps. More than 66% of the malicious apps contained adware, while nearly 25% carried Joker malware, which can perform intrusive actions such as sending text messages and accessing sensitive information. A Joker variant named Harly embeds itself in applications that otherwise look legitimate. Anatsa employs several evasion tactics, including shipping as a decoy app that downloads its payload only after installation and changing package names to complicate detection. Following the findings, Google removed the identified malicious apps from the Play Store; users are advised to confirm that Play Protect is enabled and to take remediation steps if they installed one of the apps.