Malicious Android apps on Google Play downloaded 42 million times
Summary
Between June 2024 and May 2025, 239 malicious Android apps on Google Play were downloaded over 42 million times. These apps primarily targeted mobile payments and financial information using various social engineering techniques. The manufacturing and energy sectors saw significant increases in mobile attacks, with the energy sector recording a 387% annual increase. The geographic impact highlighted substantial increases in attacks targeting India, the United States, and Canada, with notable spikes in Italy and Israel. IoT devices, particularly routers, were also heavily targeted, with Mirai and Gafgyt malware variants accounting for 75% of all blocked IoT requests. The shift to social engineering attacks reflects improved security standards in traditional payment methods. Zscaler observed a 67% year-over-year growth in mobile malware, with banking malware reaching 4.89 million transactions in 2025. Three notable malware families—Anatsa, Android Void, and Xnotice—were highlighted for their impact on Android users.
Timeline
- 04.11.2025 22:26 · 2 articles · 6d ago
  239 Malicious Android Apps on Google Play Downloaded 42 Million Times
  The manufacturing and energy sectors were most frequently targeted by threat actors, with the energy sector recording a 387% annual increase in mobile attacks. The most common malware-laden apps were productivity and workflow apps published under the 'Tools' category. The US, India, and Canada accounted for the majority of malicious mobile traffic, with threat volumes surging 38% year on year in India. Mirai and Gafgyt malware variants accounted for 75% of all blocked IoT requests, with the US being the top target for IoT threats.
  Sources:
  - Malicious Android apps on Google Play downloaded 42 million times — www.bleepingcomputer.com — 04.11.2025 22:26
  - Hundreds of Malware-Laden Apps Downloaded 42 Million Times From Google Play — www.infosecurity-magazine.com — 05.11.2025 11:30
Information Snippets
- 239 malicious Android apps on Google Play were downloaded over 42 million times between June 2024 and May 2025.
  First reported: 04.11.2025 22:26 · 2 sources, 2 articles
  - Malicious Android apps on Google Play downloaded 42 million times — www.bleepingcomputer.com — 04.11.2025 22:26
  - Hundreds of Malware-Laden Apps Downloaded 42 Million Times From Google Play — www.infosecurity-magazine.com — 05.11.2025 11:30
- The apps primarily targeted mobile payments and financial information using phishing, smishing, SIM-swapping, and payment scams.
  First reported: 04.11.2025 22:26 · 2 sources, 2 articles
  - Malicious Android apps on Google Play downloaded 42 million times — www.bleepingcomputer.com — 04.11.2025 22:26
  - Hundreds of Malware-Laden Apps Downloaded 42 Million Times From Google Play — www.infosecurity-magazine.com — 05.11.2025 11:30
- Adware accounted for 69% of all detections, nearly doubling from the previous year.
  First reported: 04.11.2025 22:26 · 1 source, 1 article
  - Malicious Android apps on Google Play downloaded 42 million times — www.bleepingcomputer.com — 04.11.2025 22:26
- Spyware saw a 220% year-over-year increase, with SpyNote, SpyLoan, and BadBazaar families being prominent.
  First reported: 04.11.2025 22:26 · 1 source, 1 article
  - Malicious Android apps on Google Play downloaded 42 million times — www.bleepingcomputer.com — 04.11.2025 22:26
- India, the United States, and Canada received 55% of all attacks, with significant spikes in Italy and Israel.
  First reported: 04.11.2025 22:26 · 2 sources, 2 articles
  - Malicious Android apps on Google Play downloaded 42 million times — www.bleepingcomputer.com — 04.11.2025 22:26
  - Hundreds of Malware-Laden Apps Downloaded 42 Million Times From Google Play — www.infosecurity-magazine.com — 05.11.2025 11:30
- Anatsa, a banking trojan, can steal data from over 831 financial organizations and cryptocurrency platforms.
  First reported: 04.11.2025 22:26 · 1 source, 1 article
  - Malicious Android apps on Google Play downloaded 42 million times — www.bleepingcomputer.com — 04.11.2025 22:26
- Android Void (Vo1d) infected at least 1.6 million Android TV boxes running outdated AOSP versions.
  First reported: 04.11.2025 22:26 · 1 source, 1 article
  - Malicious Android apps on Google Play downloaded 42 million times — www.bleepingcomputer.com — 04.11.2025 22:26
- Xnotice, a new Android RAT, targets job seekers in the oil & gas industry, focusing on banking credentials and MFA codes.
  First reported: 04.11.2025 22:26 · 1 source, 1 article
  - Malicious Android apps on Google Play downloaded 42 million times — www.bleepingcomputer.com — 04.11.2025 22:26
- IoT devices, particularly routers, were heavily targeted, with most attacks occurring in the U.S., Hong Kong, Germany, India, and China.
  First reported: 04.11.2025 22:26 · 2 sources, 2 articles
  - Malicious Android apps on Google Play downloaded 42 million times — www.bleepingcomputer.com — 04.11.2025 22:26
  - Hundreds of Malware-Laden Apps Downloaded 42 Million Times From Google Play — www.infosecurity-magazine.com — 05.11.2025 11:30
- The manufacturing and energy sectors were most frequently targeted by threat actors, with the energy sector recording a 387% annual increase in mobile attacks.
  First reported: 05.11.2025 11:30 · 1 source, 1 article
  - Hundreds of Malware-Laden Apps Downloaded 42 Million Times From Google Play — www.infosecurity-magazine.com — 05.11.2025 11:30
- The most common malware-laden apps were productivity and workflow apps published under the 'Tools' category.
  First reported: 05.11.2025 11:30 · 1 source, 1 article
  - Hundreds of Malware-Laden Apps Downloaded 42 Million Times From Google Play — www.infosecurity-magazine.com — 05.11.2025 11:30
- Mirai and Gafgyt malware variants accounted for 75% of all blocked IoT requests, with the US being the top target for IoT threats.
  First reported: 05.11.2025 11:30 · 1 source, 1 article
  - Hundreds of Malware-Laden Apps Downloaded 42 Million Times From Google Play — www.infosecurity-magazine.com — 05.11.2025 11:30
Similar Happenings
Datzbro Android Trojan Targeting Elderly via AI-Generated Facebook Events
A new Android banking trojan named Datzbro is targeting elderly users through AI-generated Facebook events. The malware, discovered in August 2025, conducts device takeover (DTO) attacks and performs fraudulent transactions. It exploits social engineering tactics to trick victims into downloading malicious APK files from fraudulent links. The threat actors behind Datzbro focus on users in Australia, Singapore, Malaysia, Canada, South Africa, and the U.K. The malware leverages Android's accessibility services to perform remote actions, record audio, capture photos, and steal credentials. It also includes features to hide malicious activities and steal device lock screen PINs and passwords associated with Alipay and WeChat. Datzbro is believed to be the work of a Chinese-speaking threat group, with its command-and-control (C2) backend being a Chinese-language desktop application. The malware has been distributed freely among cybercriminals after a compiled version of the C2 app was leaked.
SlopAds Fraud Ring Exploits 224 Android Apps for Ad Fraud
A sophisticated ad fraud operation, SlopAds, exploited 224 Android apps to generate 2.3 billion daily ad bids. The apps, downloaded 38 million times across 228 countries, used steganography and hidden WebViews to create fraudulent ad impressions and clicks. The fraud was conditional, activating only if the app was installed via an ad click. Google removed the offending apps from the Play Store and updated Google Play Protect to warn users. The operation leveraged AI-themed services and a complex command-and-control infrastructure. The fraudulent behavior was designed to evade detection by blending malicious traffic into legitimate campaign data. The SlopAds campaign was discovered by HUMAN's Satori Threat Intelligence team, which identified the apps as 'AI slop' due to their mass-produced appearance and AI-themed services. The apps used Firebase Remote Config to download an encrypted configuration file containing URLs for the ad fraud malware module, cashout servers, and a JavaScript payload. The campaign included numerous command-and-control servers and more than 300 related promotional domains, suggesting the threat actors planned further expansion.
AI-Enhanced Malware Campaign Targeting Multiple Sectors
The AI-enhanced malware campaign, dubbed EvilAI, continues to target organizations globally, with infections confirmed in multiple regions including Europe, the Americas, and the Asia, Middle East, and Africa (AMEA) region. The malware, disguised as legitimate productivity and AI-enhanced apps, has infected hundreds of victims across manufacturing, government, healthcare, technology, and retail sectors. The campaign uses various propagation methods, including newly registered websites, malicious ads, SEO manipulation, and promoted download links on forums and social media. The malware performs extensive reconnaissance, disables security products, and uses obfuscation techniques to avoid detection, acting as an initial access broker for future exploit activity. The campaign, first identified in September 2025, has been observed using AI tools to distribute malware. The malware is concealed within seemingly legitimate apps, leveraging digital signatures and realistic features to evade detection. The threat actors behind the campaign are highly capable, using sophisticated techniques to make the malware appear authentic. The malware uses NeutralinoJS to execute JavaScript code and siphon sensitive data, employing Unicode homoglyphs to bypass detection. The presence of multiple code-signing publishers suggests a shared malware-as-a-service provider or a code-signing marketplace.
Malicious Android Apps with 19M Installs Removed from Google Play
Seventy-seven malicious Android apps, with over 19 million installs, were removed from Google Play. These apps delivered multiple malware families, including the Anatsa (TeaBot) banking trojan, Joker, Harly, and maskware. The apps were discovered by Zscaler's ThreatLabz team and included adware, credential theft, and other malicious functionalities. The malware targeted various banking and cryptocurrency apps, expanding its scope to include Germany and South Korea. The apps used various evasion techniques, including malformed APK archives, runtime DES-based string decryption, and emulation detection. Users are advised to enable Play Protect and take additional steps to secure compromised accounts.