42 Million Downloads: Malicious Android Apps Found on Google Play

Summary
– Hundreds of malicious Android apps on Google Play were downloaded over 40 million times, with adware now accounting for 69% of detections and spyware rising 220% year-over-year.
– Banking malware grew significantly over three years, reaching 4.89 million transactions in 2025, but its growth rate slowed to 3% from 29% the previous year.
– India, the United States, and Canada received 55% of all attacks, with Italy and Israel seeing massive spikes ranging from 800% to 4000% year-over-year increases.
– Notable malware families include Anatsa banking trojan, Android Void backdoor infecting 1.6 million devices, and Xnotice RAT targeting job seekers in the oil & gas industry.
– To defend against these threats, users should apply security updates and avoid non-essential apps, and organizations should implement zero-trust technology and harden IoT gateways.
A recent security report reveals a troubling surge in malicious Android applications infiltrating the official Google Play store, amassing over 42 million downloads in a single year. This widespread distribution of harmful software highlights a significant escalation in mobile cyber threats, with spyware and banking trojans posing the most severe risks to users globally. Security researchers note a sharp increase in attacks focusing on mobile payment systems, as criminals pivot away from traditional card fraud toward more sophisticated social engineering tactics.
Telemetry data indicates that threat actors are increasingly exploiting mobile payments through phishing campaigns, smishing (SMS phishing), SIM-swapping schemes, and various payment scams. This strategic shift is largely driven by enhanced security measures like chip-and-PIN technology and the massive global adoption of mobile payment platforms. Cybercriminals now deploy specialized phishing trojans and malicious applications specifically designed to harvest financial information and login credentials, according to security analysts.
Banking malware has demonstrated substantial growth over the past three years, reaching nearly 4.89 million transactions in 2025. However, the growth rate has notably slowed to just 3% during the observed period, down significantly from 29% the previous year. The current investigation identified 239 malicious applications on Google Play, compared to 200 found in the prior year’s analysis, representing a concerning increase in both quantity and distribution scale.
Adware has emerged as the dominant threat within the Android ecosystem, now accounting for approximately 69% of all security detections, nearly double last year’s figures. The previously dominant Joker info-stealer has dropped to second place with 23% of detections, down from 38% the previous year. Spyware demonstrated the most dramatic year-over-year increase at 220%, with families including SpyNote, SpyLoan, and BadBazaar driving this surge through surveillance, extortion, and identity theft operations.
Geographically, India, the United States, and Canada collectively absorbed 55% of all mobile attacks. Security teams observed astronomical spikes in attacks targeting Italy and Israel, with year-over-year increases ranging from 800% to an astonishing 4000%.
Three particularly impactful malware families dominated the threat landscape. The Anatsa banking trojan continues to periodically infiltrate Google Play through productivity and utility applications, typically garnering hundreds of thousands of downloads with each successful penetration. Since its discovery in 2020, Anatsa has continuously evolved, with its latest variant capable of stealing data from over 831 financial institutions, cryptocurrency platforms, and expanding into new regions including Germany and South Korea.
Android Void (Vo1d) represents a sophisticated backdoor malware specifically targeting Android TV boxes, having infected at least 1.6 million devices running outdated Android Open Source Project versions, primarily concentrated in India and Brazil. The Xnotice remote access trojan marks a newer threat vector, targeting job seekers within the oil and gas industry through applications disguised as job application or exam registration tools, distributed via fake employment portals, with particular focus on Iran and Arabic-speaking regions.
Xnotice captures banking credentials through overlay attacks, intercepts multi-factor authentication codes, monitors SMS messages, and can secretly capture device screenshots. Security experts recommend multiple defensive measures, including promptly applying security updates, trusting only established publishers, rejecting or disabling Accessibility permissions for apps that do not need them, avoiding non-essential application downloads, and regularly running Play Protect scans.
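One practical way to act on the Accessibility recommendation above is to audit which apps on a managed device currently have an Accessibility service enabled, since overlay and screen-capture abuse depends on that permission. The script below is an added example, not code from the article or the underlying report. It parses the output of two standard adb commands (`adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i`); the sample output embedded here is constructed for offline use, and the allowlist of known-good accessibility packages and the choice to treat only the Play Store installer as "trusted" are assumptions you would tune for your own fleet.

```python
"""
Audit enabled Android Accessibility services against an allowlist.
Added example; sample adb output below is constructed, not captured.
"""
import re

# Constructed sample of `settings get secure enabled_accessibility_services`.
# Format: colon-separated "package/ServiceClass" entries; a leading "."
# on the class name means it is relative to the package.
SAMPLE_ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.pdfreader/.AccessService:"
    "com.example.cleaner/.CleanerAccessibility"
)

# Constructed sample of `pm list packages -i` (installer recorded per package).
SAMPLE_PACKAGE_LIST = """package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.pdfreader  installer=null
package:com.example.cleaner  installer=com.android.vending
package:com.bank.app  installer=com.android.vending
"""

# Assumption: Play Store is the only installer we consider "trusted".
TRUSTED_INSTALLERS = {"com.android.vending"}
# Assumption: known legitimate accessibility tools that never need review.
ALLOWLIST = {"com.google.android.marvin.talkback"}

_PKG_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)\s*$")


def parse_enabled_services(raw):
    """Return a list of (package, fully qualified service class) tuples."""
    services = []
    for entry in raw.strip().split(":"):
        if not entry:
            continue
        pkg, _, svc = entry.partition("/")
        if svc.startswith("."):
            svc = pkg + svc
        services.append((pkg, svc))
    return services


def parse_installers(raw):
    """Map package name -> installer package (None when sideloaded/unknown)."""
    installers = {}
    for line in raw.splitlines():
        match = _PKG_RE.match(line.strip())
        if match:
            pkg, installer = match.group(1), match.group(2)
            installers[pkg] = None if installer == "null" else installer
    return installers


def find_suspicious_services(enabled_raw, packages_raw):
    """
    Flag every enabled Accessibility service whose package is not allowlisted.
    Sideloaded/unknown-installer packages are 'high'; Play-installed ones are
    'review', because (as the report shows) Play distribution is no guarantee.
    """
    installers = parse_installers(packages_raw)
    findings = []
    for pkg, svc in parse_enabled_services(enabled_raw):
        if pkg in ALLOWLIST:
            continue
        installer = installers.get(pkg)
        severity = "review" if installer in TRUSTED_INSTALLERS else "high"
        findings.append({
            "package": pkg,
            "service": svc,
            "installer": installer or "sideloaded/unknown",
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_services(SAMPLE_ENABLED_SERVICES, SAMPLE_PACKAGE_LIST):
        print(f"[{f['severity'].upper()}] {f['service']} ({f['package']}, "
              f"installer: {f['installer']})")
```

On a real device, feed the two adb command outputs into `find_suspicious_services`; anything rated `high` is an Accessibility-enabled app that did not come through the store you trust, and `review` entries are worth checking against the publisher list the report recommends trusting exclusively.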
The report also identifies concerning trends in IoT security, with routers remaining the most frequently targeted devices this year. Attackers typically exploit command injection vulnerabilities to incorporate routers into botnets or convert them into proxies for malware distribution. The United States experienced the highest volume of IoT attacks, followed by emerging hotspots including Hong Kong, Germany, India, and China, indicating attackers are broadening their geographical targeting.
Organizations should implement zero-trust architecture for critical networks while hardening IoT and cellular gateways through continuous anomaly monitoring and firmware-level protections. For mobile endpoint security, recommended measures include monitoring SIM-level traffic for irregularities, implementing robust phishing protection, and enforcing strict application control policies across all corporate devices.
(Source: Bleeping Computer)