The second quarter of 2025 brought new intensity to the Android malware landscape, as documented by Dr.Web Security Space’s threat statistics for mobile devices.
Adware trojans continued to account for the majority of infections, maintaining their lead as the most common mobile threats.
Among them, the Android.HiddenAds family was the most prominent, though user encounters declined by 8.62% compared to the previous quarter.
Despite this slight drop in activity, these trojans remained highly active, leveraging deceptive practices such as hiding application icons and masquerading as legitimate, popular apps to remain undetected.
Android.MobiDash adware trojans followed closely, exhibiting an 11.17% rise in attack frequency.
Their activity is largely attributed to their integration into applications as special software modules, designed to display intrusive ads and monetize user engagement by any means necessary.
Meanwhile, Android.FakeApp malicious programs, which are often used in fraud schemes, ranked third but saw a notable 25.17% decrease in detections, potentially indicating evolving threat actor strategies or improved user awareness.
Resurgence of Banking Trojans
The banking malware segment, however, experienced a dramatic shift. Detections of Android.Banker banking trojans skyrocketed by 73.15%, pointing to renewed vigor in campaigns targeting sensitive financial data and user credentials.
Conversely, certain other banking malware families saw diminished activity: Android.BankBot detections dropped by 37.19% and Android.SpyMax saw a 19.14% reduction.
This divergence suggests that threat actors are either refining their techniques or redeploying resources to more lucrative or less-defended vectors.
A high-profile campaign uncovered in April highlighted the increasing complexity and ambition of Android cybercrime.
Dr.Web analysts revealed that the Android.Clipper.31 trojan had been embedded into the firmware of several budget smartphone models and disguised within a modified WhatsApp messenger application.
This trojan intercepted both messages and images, searching specifically for Tron and Ethereum wallet addresses, which it would then surreptitiously replace with those controlled by scammers.
To further conceal its presence, Android.Clipper.31 obfuscated the substitutions to ensure users continued to see the correct wallet details, complicating detection and raising concerns about future firmware-level attacks.
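Because the substitution described above is hidden from the user of the affected device, a check has to compare the message as one party sent it with the copy the other party sees on a separate device. The following is an added example, not code from Dr.Web or the original article; the function names and sample data are constructed, and it assumes both copies of the text are available for comparison.

```python
import hashlib
import re
from itertools import zip_longest

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Ethereum: 0x + 40 hex digits. Tron: 'T' + 33 Base58 characters.
ADDR_RE = re.compile(r"\b(?:0x[0-9a-fA-F]{40}|T[1-9A-HJ-NP-Za-km-z]{33})\b")

def _checksum(body: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(body).digest()).digest()[:4]

def b58check_encode(body: bytes) -> str:
    """Build a Base58Check string; used here only to construct sample addresses."""
    n, out = int.from_bytes(body + _checksum(body), "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return out

def is_tron_address(s: str) -> bool:
    """True if s decodes to 0x41 + 20 bytes followed by a valid checksum."""
    try:
        n = 0
        for ch in s:
            n = n * 58 + B58.index(ch)
        raw = n.to_bytes(25, "big")
    except (ValueError, OverflowError):
        return False
    return raw[0] == 0x41 and _checksum(raw[:21]) == raw[21:]

def wallet_addresses(text: str) -> list:
    """Addresses in order of appearance; Tron candidates must pass the checksum."""
    found = []
    for m in ADDR_RE.finditer(text):
        a = m.group()
        if a.startswith("0x"):
            found.append(a.lower())  # EIP-55 mixed case differs only in case
        elif is_tron_address(a):
            found.append(a)
    return found

def compare_addresses(sent_text: str, seen_text: str) -> list:
    """(sent, seen) pairs that differ between the two copies of a message."""
    pairs = zip_longest(wallet_addresses(sent_text), wallet_addresses(seen_text))
    return [(a, b) for a, b in pairs if a != b]

if __name__ == "__main__":
    # Constructed sample data, not real wallets or indicators from the report.
    mine = b58check_encode(b"\x41" + bytes(range(20)))
    swapped = b58check_encode(b"\x41" + bytes(range(1, 21)))
    print(compare_addresses(f"Send payment to {mine}", f"Send payment to {swapped}"))
```

An empty result means every address matched in position and value; a pair containing `None` means one copy carries an address the other lacks.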
Another notable incident involved the Android.Spy.1292.origin spyware trojan, camouflaged in a modified version of Alpine Quest mapping software and distributed via a fake Telegram channel and other Russian app catalogs.
This targeted attack focused on Russian military personnel, exfiltrating a wide array of confidential data including user accounts, phone numbers, contact lists, geolocation data, and document files to threat actors.
Such incidents underscore the expanding scope of Android malware, which now extends beyond adware and banking fraud to conduct sophisticated espionage.
Threats Expand on Google Play
The quarter also saw a significant rise in threats distributed via Google Play. Several dozen new threats were identified in official Play Store apps, ranging from fake financial utilities and games to cryptocurrency news applications laden with adware modules such as Adware.AdPush.3.origin and Adware.Adpush.21912.

These deceptive applications frequently leveraged social engineering tactics, promising financial rewards or useful functionality while instead delivering intrusive ads or redirecting users to online casinos and fraudulent sites.
Numerous other malicious and unwanted programs were flagged, including disguised anti-virus apps that reported false threats, apps secretly recording video or audio, and tools exploiting legitimate frameworks to gain dangerous permissions.
Modifications via utilities like CloudInject and NP Manager further complicated the ecosystem, enabling both benign and malicious applications to evade security measures and digital signature verification.
Q2 2025 stands out as a defining period for Android malware, marked by evolving strategies and heightened sophistication across both adware and banking trojan campaigns.
With more threats infiltrating official app stores and firmware-level attacks on the rise, users are strongly advised to maintain vigilant app installation practices and employ robust anti-malware solutions such as Dr.Web for Android, as proactive defense remains the most effective barrier against these growing threats.