Android Malware Evolves, Targets Ads and Banking

By Diego Valverde | Journalist & Industry Analyst - Tue, 07/08/2025 - 10:10

Malware activity on mobile devices evolved in 2Q25, with adware Trojans gaining prominence. The data, compiled by Dr.Web Security Space for Android, reveals a sustained prevalence of malware designed to display intrusive advertising, cementing a critical trend in mobile cybersecurity.

"Adware Trojans from the Android.HiddenAds family maintained their position as the most common malware, albeit with an 8.62% decrease in frequency of detection by users. However, Android.MobiDash Trojans experienced an 11.17% increase in incidence, indicating an adaptation and diversification in attackers' tactics," reads Dr.Web's analysis.

This problem becomes increasingly relevant considering the rising integration of mobile devices into business workflows and operational infrastructure. The proliferation of adware Trojans, while seemingly a minor threat, represents an entry point for more sophisticated malware and targeted attacks against such devices. Likewise, the decline of Android.HiddenAds and the rise of Android.MobiDash demonstrate a diversification of infection strategies, indicating that malware operators are adjusting their distribution and obfuscation methods to maintain effectiveness.

Trojans of the Android.Banker type, which are designed to intercept banking credentials and facilitate financial fraud, increased their activity by 73.15% compared to the first quarter of 2025. These programs represent a direct threat to the financial security of companies and their employees, reports Dr.Web. At the same time, the reduction in detections of Android.BankBot (39.19%) and Android.SpyMax (19.14%) suggests a shift in the arsenal of cybercriminals, who are opting for more effective or less detectable variants.

"This data is crucial for developing corporate security policies that address the most active and emerging threats in real time," the analysis reads.

Relevant Malware Campaigns

2Q25 witnessed several significant malware campaigns. In April, a large-scale operation aimed at stealing cryptocurrency from Android smartphone users was detected. The Android.Clipper.31 Trojan was identified embedded in a modified version of WhatsApp and in the firmware of some inexpensive Android smartphone models. This Trojan intercepts messages to identify and substitute Tron and Ethereum wallet addresses for those of the attackers, hiding this substitution from users. In addition, Android.Clipper.31 extracts images in .jpg, .png and .jpeg formats to search for mnemonic phrases for cryptocurrency wallet recovery, revealing sophistication in the targeting and execution of the attack.

In April, the Android.Spy.1292.origin spy Trojan was also discovered. This Trojan, which specifically targets Russian military personnel, was distributed via a modified version of Alpine Quest mapping software and a fake Telegram channel. Android.Spy.1292.origin collected and transmitted sensitive data to attackers, including user accounts, cell phone numbers, phonebook contacts, device geolocation information, and files stored in memory. The Trojan's ability to exfiltrate specific documents sent through popular messengers, as well as Alpine Quest location log files, highlights the targeted nature and high sensitivity of the compromised data.

Google Play, the official Android app store, also served as a threat distribution vector during this time. Dr.Web identified several dozen malicious programs, including Android.FakeApp Trojans disguised as finance-related apps. These apps, instead of delivering the promised functionality, redirected users to fraudulent websites. Specific examples include Android.FakeApp.1863, hidden in the "TPAO" app for Turkish users, and Android.FakeApp.1859 ("Quantum MindPro") targeted at a French-speaking audience. Games also served as a disguise for these fake programs, loading websites of online casinos and gambling houses.

In addition, the unwanted Adware.Adpush.21912 ad-displaying software was detected, embedded in the "Coin News Promax" application, which contained informative material about cryptocurrencies. Adware.Adpush.21912 displayed notifications that, when clicked, loaded links specified by a C2 server into WebView, highlighting the persistence of illicit monetization campaigns using deceptive advertising.

"This new wave of cybersecurity threats simply goes on to show that Android's open nature still makes it a favourite target for criminals pushing ads, spyware, and banking malware," reads a Hack Read article. "Even official app stores are not completely safe, therefore, users must keep their devices protected with up-to-date security software and stay cautious with any new app, no matter how harmless it appears."
