Dr.Web reports Android malware surge in Q2 with adware, banking trojans and crypto theft hidden in fake apps, firmware and spyware targeting users.

A series of malicious apps and stealthy spyware is targeting Android users worldwide, with new data showing how cybercriminals keep finding ways to slip threats onto devices and even official app stores.

According to new findings from Dr.Web Security Space, adware is still the most common threat on mobile devices, but what is noticeable this time is how attackers keep finding new tricks to spread it.

****Adware Still Tops the Charts****

Adware Trojans continued to dominate, led by the Android.HiddenAds family. Although detections dropped by just over 80%, HiddenAds variants are still the most active group, often masquerading as harmless apps and vanishing from home screens once installed. Android.MobiDash adware trojans saw a jump of over 11%, proving that intrusive ads are still a reliable money maker for threat actors, revealed Dr.Web’s **report**.

****Fake Apps Fraud****

Android.FakeApp malware ranked third on the threat list, with activity dropping by a quarter. These malicious apps frequently pose as **finance tools, games or utilities** but instead, redirect users to gambling or phishing sites. Fake finance apps tricked Turkish and French-speaking users, promising easy income control or investment advice while silently pushing them to fraudulent sites.

****Banking Trojans Make a Comeback****

While some banking trojans like Android.BankBot and Android.SpyMax declined, Android.Banker surged by over 70% compared to the previous quarter. This spike highlights how cybercriminals keep targeting financial data with new variants, despite global awareness campaigns urging users to stick to official app stores.

****Crypto Theft Hidden in Firmware****

One of the most alarming revelations is a large-scale crypto theft campaign discovered in April. Attackers slipped a trojan named Android.Clipper.31 into a modified version of WhatsApp and even embedded it in the firmware of low-cost Android phones.

This trojan secretly **swaps legitimate crypto wallet addresses** for the attackers’ own and sends user images to a remote server, hunting for wallet seed phrases hidden in screenshots or photos.

****Spyware Targets Military Personnel****

Another concerning discovery made by Dr.Web and **reported by Hackread.com** in April 2025, was spyware hidden inside a fake version of Alpine Quest, a mapping app. Distributed through a bogus Telegram channel and a local app catalogue, Android.Spy.1292.origin was designed to gather sensitive data from Russian military personnel, including location files, messages and phone book contacts.

****Threats Found on Google Play****

Despite tighter controls, Dr.Web’s researchers continue to find dozens of **malicious or unwanted apps on Google Play** (Apple App Store is **not** a secure place either). Recent finds include adware modules disguised in cryptocurrency news apps and finance-themed fake apps that redirect users to shady sites instead of offering any real service.

This new wave of cybersecurity threats simply goes on to show that Android’s open nature still makes it a favourite target for criminals pushing ads, spyware and banking malware. Even official app stores are not completely safe, therefore, users must keep their devices protected with up-to-date security software and stay cautious with any new app, no matter how harmless it appears.

Malware Surge Hits Android: Adware, Trojans and Crypto Theft Lead Q2 Threats

Plus: Iran-linked hackers threaten to release Trump campaign emails, Chinese hackers still in US telecoms networks, and an abusive deepfake website plans an expansion.

In recent years, North Korea has deployed thousands of so-called IT workers to infiltrate Western businesses, get paid salaries, and send money back to support the regime. As the schemes have become more successful, they have grown increasingly elaborate and employed new tactics to evade detection.

But this week, the United States Justice Department revealed one of its biggest operations to tackle IT workers to date. The DOJ says it has identified six Americans who allegedly helped enable the schemes and has arrested one of them. Law enforcement officials searched 29 “laptop farms” in 16 states and seized more than 200 computers, as well as web domains and financial accounts.

Meanwhile, a group of young cybercriminals has been causing chaos around the world, leaving grocery stores empty and temporarily grounding some flights in the wake of their crippling cyberattacks. After a quiet period in 2024, the Scattered Spider hackers have returned this year and are ruthlessly targeting retailers, insurers, and airlines.

Also this week, we’ve detailed how LGBTIQ+ organizations in El Salvador are helping activists chronicle attacks against their community and better protect themselves against state surveillance.

And there’s more. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

Cell-site simulators, often known as stingrays or IMSI catchers, are some of the most stealthy and powerful surveillance tools in operation today. The devices, which impersonate cell towers and intercept communications, can collect call metadata, location information, and other traffic about what you do on your devices. They’ve increasingly been used by law enforcement and immigration officials.

However, according to reporting from Android Authority and Ars Technica, upcoming hardware advances has led to Google upping its efforts to combat the potential snooping. Starting in Android 16, compatible devices will be able to identify when networks request device identifiers, such as device or SIM IDs, and issue alerts when you are connecting to a non-encrypted cell network. Examples of alerts show warnings that “calls, messages, and data are vulnerable to interception” when connected to insecure networks. There will also be notifications when you move back to an encrypted network. An option to turn on these notifications appears on a mobile network security settings page alongside the option to avoid 2G networks, which could help block some IMSI catchers from connecting to your device. However, while the settings will reportedly be available in Android 16, it may take some time for Android devices to widely use the required hardware.

**Iran-Linked Hackers Threaten to Release 100 GB of Trump Campaign Emails**

Ahead of the presidential election last November, Iran-linked hackers attacked Donald Trump’s presidential campaign and stole scores of emails in an apparent bid to influence the election results. Some of the emails were distributed to journalists and the Biden campaign. This week, following the Israel-Iran conflict and US intervention with “bunker-buster” bombs, the hackers behind the email compromise reemerged, telling Reuters that they may disclose or sell more of the stolen emails.

The cybercriminals claimed they had stolen 100 GB of emails, including some from Susie Wiles, the White House chief of staff. The cache of emails also allegedly includes those from Lindsey Halligan, a Trump lawyer, adviser Roger Stone, and adult film star Stormy Daniels. The hackers, who have used the name Robert, told Reuters they wanted to “broadcast this matter.” It is unclear whether they will act upon the threats.

In response, US officials claimed that the threat from the hackers was a “calculated smear campaign” by a foreign power. “A hostile foreign adversary is threatening to illegally exploit purportedly stolen and unverified material in an effort to distract, discredit, and divide,” Marci McCarthy, a spokesperson for the Cybersecurity and Infrastructure Security Agency, said in a statement.

**Chinese Hackers Lay “Dormant” in US Telecoms Networks, FBI Says**

Over the past few years, Chinese hacker group Salt Typhoon has been on a hacking rampage against US telecoms networks, successfully breaking into at least nine firms and gaining access to Americans’ texts and calls. Brett Leatherman, the recently appointed leader of the FBI’s cyber division, tells Cyberscoop that the Chinese hackers are now “largely contained” and lying “dormant” in the networks. The groups have not been kicked out of networks, Leatherman said, since the longer they are in the systems there are more ways they can find to “create points of persistence.” “Right now, we’re very focused on resilience and deterrence and providing significant support to victims,” Leatherman said.

**Explicit Deepfake Website Leaks User Information, Has Expansion Plans Revealed**

Deepfake platforms that allow people to create nonconsensual, often illegal, harmful images of women without clothes on have boomed in recent years. Now a former whistleblower and leaked documents from one of the largest so-called “nudify” apps, Clothoff, claims the service has a multimillion-euro budget and is planning an aggressive expansion where it will create nonconsensual explicit images of celebrities and influencers, according to reporting by German publication Der Spiegel. The alleged expansion has a marketing budget of €150,000 (around $176,000) per country to promote the images of celebrities and influencers, according to the report. It says more than “three dozen people” work for Clothoff, and the publication identified some of the potential key operators of the platform. Documents exposed online also revealed customer email addresses. A spokesperson who claimed to represent Clothoff denied there were more than 30 people as part of the central team and told Der Spiegel it does not have a multimillion-euro budget.

Android May Soon Warn You About Fake Cell Towers

Google has been ordered by a court in the U.S. state of California to pay $314 million over charges that it misused Android device users' cellular data when they were idle to passively send information to the company.
The verdict marks an end to a legal class-action complaint that was originally filed in August 2019.
In their lawsuit, the plaintiffs argued that Google's Android operating system

Google Ordered to Pay $314M for Misusing Android Users' Cellular Data Without Permission

A mobile ad fraud operation dubbed IconAds that consisted of 352 Android apps has been disrupted, according to a new report from HUMAN.
The identified apps were designed to load out-of-context ads on a user's screen and hide their icons from the device home screen launcher, making it harder for victims to remove them, per the company's Satori Threat Intelligence and Research Team. The apps have

Massive Android Fraud Operations Uncovered: IconAds, Kaleidoscope, SMS Malware, NFC Scams

Stalkerware app Catwatchful has been leaking customer and victim information. It is one in a long line of such apps to do this.

If an app markets itself as being for “child monitoring”, a customer might expect that their data and those of the person you’re monitoring is handled with the utmost care and respect. However, as we’ve seen many times before, stalkerware (which is what monitoring software is known as) apps have a tendency to be low quality and lack security.

Stalkerware refers to apps and other monitoring software that enable someone to secretly spy on another person’s private life via their mobile device or computer. Many stalkerware apps market themselves as parental monitoring tools, but they can be—and often are—used to stalk and spy on a person. Sadly, the most common users of stalkerware are domestic violence abusers, who load these programs onto their partner’s device without their knowledge.

To prove our point about lacking security, researcher Eric Daigle found that an Android app called Catwatchful has exposed the data of thousands of its customers, along with its administrator.

Catwatchful claims it is “invisible and cannot be detected”, and uploads the victim’s photos, messages, and real-time location data to a dashboard for the person monitoring to see. It also can remotely tap into audio recorded by the phone’s microphone, as well as access both front and rear phone cameras.

Make no mistake, this is nasty stuff.

And now it turns out that the data hasn’t been stored securely. The exposed database, which the researcher shared with TechCrunch, contained the phone data from 26,000 victims’ devices as well as the email addresses and plain text passwords of more than 62,000 customers.

Stalkerware apps continue to pose a serious threat to privacy and security. Over the past years, several cases have revealed how these apps not only violate victims’ privacy but also expose sensitive data due to poor security practices. Recent leaks revealed that apps like Spyzie, Cocospy, and Spyic exposed millions of victims’ private information, including messages, photos, and locations. The attackers also obtained the email addresses of more than three million customers. Because the flaw was so easy to exploit, researchers kept the details under wraps to prevent further damage. After the breach, these apps disappeared from the internet, likely trying to avoid legal consequences rather than fixing security.

Another case involved Spyhide, where a security researcher uncovered a decade of surveillance on tens of thousands of Android devices. The app’s poorly secured backend let attackers access call logs, messages, and location data from tens of thousands of victims.

The infamous mSpy monitoring app has suffered multiple leaks, with millions of records including personal documents and monitored activity exposed. Even high-profile users were found among its customers. Despite repeated breaches, mSpy’s security remains weak, putting victims at ongoing risk.

These cases highlight a harsh reality: Stalkerware companies put profits before privacy, leaving victims and users vulnerable to further harm. As these apps operate in legal grey areas, it’s important to stay alert about the dangers they bring.

**Considering using a monitoring app?**

If you are thinking about installing such an app, and you are reading this:

1.  Don’t!
2.  Remember that using an app like this without the person’s permission is illegal in almost every country, unless it’s done with consent of the government itself.
3.  We have never heard of anyone who was able to solve a problem by using stalkerware. Usually resorting to stalkerware only makes it worse.
4.  Consider the consequences of the person finding out what you did. The lack of security and repeated breaches of these apps demonstrate that it is a distinct possibility.
5.  Listen to this podcast.

Malwarebytes, as one of the founding members of the Coalition Against Stalkerware makes it a priority to detect and remove stalkerware from your device. It is good to keep in mind however that by removing the stalkerware you will alert the person spying on you that you know the app is there.

**Check your exposure**

Unfortunately, breaches are an everyday occurrence. If you want to see how much of your personal data has been exposed online, Malwarebytes has a free tool that you can use to check. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.

If you are looking for a way to remove stalkerware from your device, Malwarebytes Premium Security and Malwarebytes Mobile Security can help.

 Catwatchful &#8220;child monitoring&#8221; app exposes victims&#8217; data 

Blind Eagle hackers linked to Russian host Proton66 to target banks in Latin America using phishing and RATs. Trustwave urges stronger security.

Trustwave SpiderLabs, a leading cybersecurity research team, has confidently connected the cyber threat group known as Blind Eagle (also called APT-C-36) with Proton66, a Russian company that provides bulletproof hosting services.

Blind Eagle is an active threat actor notorious for targeting organizations across Latin America, with a particular focus on financial institutions in Colombia. Reportedly, this link results from SpiderLabs’ continuous monitoring of Proton66’s infrastructure for several months.

****The Attack Infrastructure****

According to SpiderLabs’ investigation, shared with Hackread.com, their analysts made this connection by examining assets tied to Proton66, which led them to an interconnected network of domains and IP addresses. This infrastructure, which became notably active in the summer of 2024 (with specific domain registrations observed starting August 12, 2024), relies heavily on free Dynamic DNS (DDNS) services.

Image via Trustwave SpiderLabs

Its initial attack method exclusively uses Visual Basic Script (VBS) files. These scripts act as loaders for commonly available Remote Access Trojans (RATs), which are malicious software that allows attackers to control a compromised computer remotely.

Further analysis showed that some VBS code samples overlapped with previously identified samples generated by a service called Vbs-Crypter, used to hide and package malicious VBS payloads.

Despite the potential high value of their targets, the threat actors behind Blind Eagle showed surprisingly little effort to conceal their operational infrastructure. Researchers found numerous open directories containing identical malicious files, and in some cases, even complete phishing pages designed to impersonate well-known Colombian banks like Bancolombia, BBVA, Banco Caja Social, and Davivienda. These fake websites were crafted to steal user login details and other sensitive financial information.

Davivienda’s phishing page ( Image via Trustwave SpiderLabs)

****Targeting and Protection****

The phishing sites replicated legitimate banking login portals using standard web components. Alongside these fake pages, the infrastructure also hosted VBS scripts that served as the first stage of malware delivery. These scripts included code designed to gain administrative privileges on a victim’s computer and then download further payloads, typically commodity RATs such as Remcos or AsyncRATs.

Once a system is infected, these RATs establish a connection back to a C2 server, allowing the attackers to manage compromised hosts, steal data, and execute further commands. Trustwave even observed a botnet management panel with a Portuguese-language interface, showing a dashboard of infected machines, primarily in Argentina.

Trustwave previously confirmed that Proton66’s infrastructure is being exploited for malicious activities, including campaigns from SuperBlack ransomware operators and Android malware distribution.

As Hackread.com reported, the infrastructure is a hub for cyber threats, including the distribution of Android malware via hacked WordPress sites and targeted attacks deploying specific malware like XWorm and Strela Stealer. Trustwave also noted potential connections to Chang Way Technologies, indicating Proton66’s role as a key enabler for cybercriminal operations.

The company warns that organizations in Latin America, particularly those in the financial sector, must increase their protection. This includes strengthening email filtering systems, educating staff to recognize localized phishing attempts, and proactively monitoring for threat indicators and infrastructure specific to the region.

Blind Eagle Linked to Russian Host Proton66 in Latin America Attacks

Agents with the Federal Bureau of Investigation (FBI) briefed Capitol Hill staff recently on hardening the security of their mobile devices, after a contacts list stolen from the personal phone of the White House Chief of Staff Susie Wiles was reportedly used to fuel a series of text messages and phone calls impersonating her to U.S. lawmakers. But in a letter this week to the FBI, one of the Senate's most tech-savvy lawmakers says the feds aren't doing enough to recommend more appropriate security protections that are already built into most consumer mobile devices.

Agents with the **Federal Bureau of Investigation** (FBI) briefed Capitol Hill staff recently on hardening the security of their mobile devices, after a contacts list stolen from the personal phone of the White House Chief of Staff **Susie Wiles** was reportedly used to fuel a series of text messages and phone calls impersonating her to U.S. lawmakers. But in a letter this week to the FBI, one of the Senate’s most tech-savvy lawmakers says the feds aren’t doing enough to recommend more appropriate security protections that are already built into most consumer mobile devices.

A screenshot of the first page from Sen. Wyden’s letter to FBI Director Kash Patel.

On May 29, **The Wall Street Journal** reported that federal authorities were investigating a clandestine effort to impersonate Ms. Wiles via text messages and in phone calls that may have used AI to spoof her voice. According to The Journal, Wiles told associates her cellphone contacts were hacked, giving the impersonator access to the private phone numbers of some of the country’s most influential people.

The execution of this phishing and impersonation campaign — whatever its goals may have been — suggested the attackers were financially motivated, and not particularly sophisticated.

“It became clear to some of the lawmakers that the requests were suspicious when the impersonator began asking questions about Trump that Wiles should have known the answers to—and in one case, when the impersonator asked for a cash transfer, some of the people said,” the Journal wrote. “In many cases, the impersonator’s grammar was broken and the messages were more formal than the way Wiles typically communicates, people who have received the messages said. The calls and text messages also didn’t come from Wiles’s phone number.”

Sophisticated or not, the impersonation campaign was soon punctuated by the murder of Minnesota House of Representatives Speaker **Emerita Melissa Hortman** and her husband, and the shooting of Minnesota State Senator **John Hoffman** and his wife. So when FBI agents offered in mid-June to brief U.S. Senate staff on mobile threats, more than 140 staffers took them up on that invitation (a remarkably high number considering that no food was offered at the event).

But according to **Sen. Ron Wyden** (D-Ore.), the advice the FBI provided to Senate staffers was largely limited to remedial tips, such as not clicking on suspicious links or attachments, not using public wifi networks, turning off bluetooth, keeping phone software up to date, and rebooting regularly.

“This is insufficient to protect Senate employees and other high-value targets against foreign spies using advanced cyber tools,” Wyden wrote in a letter sent today to **FBI Director Kash Patel**. “Well-funded foreign intelligence agencies do not have to rely on phishing messages and malicious attachments to infect unsuspecting victims with spyware. Cyber mercenary companies sell their government customers advanced ‘zero-click’ capabilities to deliver spyware that do not require any action by the victim.”

Wyden stressed that to help counter sophisticated attacks, the FBI should be encouraging lawmakers and their staff to enable anti-spyware defenses that are built into Apple’s iOS and Google’s Android phone software.

These include Apple’s Lockdown Mode, which is designed for users who are worried they may be subject to targeted attacks. Lockdown Mode restricts non-essential iOS features to reduce the device’s overall attack surface. Google Android devices carry a similar feature called Advanced Protection Mode.

Wyden also urged the FBI to update its training to recommend a number of other steps that people can take to make their mobile devices less trackable, including the use of ad blockers to guard against malicious advertisements, disabling ad tracking IDs in mobile devices, and opting out of commercial data brokers (the suspect charged in the Minnesota shootings reportedly used multiple people-search services to find the home addresses of his targets).

The senator’s letter notes that while the FBI has recommended all of the above precautions in various advisories issued over the years, the advice the agency is giving now to the nation’s leaders needs to be more comprehensive, actionable and urgent.

“In spite of the seriousness of the threat, the FBI has yet to provide effective defensive guidance,” Wyden said.

**Nicholas Weaver** is a researcher with the **International Computer Science Institute**, a nonprofit in Berkeley, Calif. Weaver said Lockdown Mode or Advanced Protection will mitigate many vulnerabilities, and should be the default setting for all members of Congress and their staff.

“Lawmakers are at exceptional risk and need to be exceptionally protected,” Weaver said. “Their computers should be locked down and well administered, etc. And the same applies to staffers.”

Weaver noted that Apple’s Lockdown Mode has a track record of blocking zero-day attacks on iOS applications; in September 2023, **Citizen Lab** documented how Lockdown Mode foiled a zero-click flaw capable of installing spyware on iOS devices without any interaction from the victim.

Earlier this month, Citizen Lab researchers documented a zero-click attack used to infect the iOS devices of two journalists with Paragon’s Graphite spyware. The vulnerability could be exploited merely by sending the target a booby-trapped media file delivered via iMessage. Apple also recently updated its advisory for the zero-click flaw (CVE-2025-43200), noting that it was mitigated as of iOS 18.3.1, which was released in February 2025.

Apple has not commented on whether CVE-2025-43200 could be exploited on devices with Lockdown Mode turned on. But HelpNetSecurity observed that at the same time Apple addressed CVE-2025-43200 back in February, the company fixed another vulnerability flagged by Citizen Lab researcher **Bill Marczak**: CVE-2025-24200, which Apple said was used in an extremely sophisticated _physical_ attack against specific targeted individuals that allowed attackers to disable USB Restricted Mode on a locked device.

In other words, the flaw could apparently be exploited only if the attacker had physical access to the targeted vulnerable device. And as the old infosec industry adage goes, if an adversary has physical access to your device, it’s most likely not your device anymore.

I can’t speak to Google’s Advanced Protection Mode personally, because I don’t use Google or Android devices. But I have had Apple’s Lockdown Mode enabled on all of my Apple devices since it was first made available in September 2022. I can only think of a single occasion when one of my apps failed to work properly with Lockdown Mode turned on, and in that case I was able to add a temporary exception for that app in Lockdown Mode’s settings.

My main gripe with Lockdown Mode was captured in a March 2025 column by TechCrunch’s **Lorenzo Francheschi-Bicchierai**, who wrote about its penchant for periodically sending mystifying notifications that someone has been blocked from contacting you, even though nothing then prevents you from contacting that person directly. This has happened to me at least twice, and in both cases the person in question was already an approved contact, and said they had not attempted to reach out.

Although it would be nice if Apple’s Lockdown Mode sent fewer, less alarming and more informative alerts, the occasional baffling warning message is hardly enough to make me turn it off.

Senator Chides FBI for Weak Advice on Mobile Security

We've seen several spikes in Android threats since the start of 2025. Here's how to protect yourself.

The Android threat landscape in the first half of 2025 has entered a new phase. An era marked not just by volume, but by coordination and precision. Attackers are no longer simply throwing malware at users and hoping for results. They’re building ecosystems .

Recent Malwarebytes threat research data reveals a sharp rise in mobile threats across the board, with malware targeting Android devices up 151%.

We’ve seen a 147% increase in spyware, a broad category of apps that collect user data without consent, with a notable spike in Feb and March. In fact, the February/March levels represent nearly a 4x multiplication of the baseline. 

Perhaps even more alarming is a 692% spike in SMS-based malware between April and May, a jump that we can’t just chalk up to coincidence. It could be due to seasonal scams like those we always see around tax season, which hit consumers hard this year, or widespread campaigns like toll fee scams, which also come in surges.

These numbers reflect a shift in strategy: Attackers are scaling operations, fine-tuning delivery, and exploiting both human psychology and systemic weak points. Take Spyloan, for example, a threat that lures targets with incredible loan conditions (low rates, no pre-check) but ends up stealing from desperate people. We saw a significant spike in May of this predatory app, which could well signal a resurgence for the summer. We’ll continue to monitor this uptick.

Banking Trojans and spyware are now outpacing more traditional nuisances like adware and riskware, and what’s changed is the level of sophistication. Threat actors are actively distributing malware through both official and unofficial app channels, often cloaking malicious apps behind layers of legitimacy.

Fake financial tools, predatory loan apps, and cleverly disguised “updates” aren’t just slipping through the cracks, they are being engineered with that objective in mind. Peaks in their activity often coincide with periods of personal stress, like tax season or holiday travel, suggesting a methodical approach to targeting.

As Sr. Director, Research and Development, Online Platforms at Malwarebytes, Shahak Shalev explains:

> Attackers know we trust our mobile devices implicitly—we bank on them, authenticate with them, store our entire digital lives on them. Now attackers are amping up the volume and sophistication of mobile threats. When spyware jumps 147% in five months, that tells us attackers are moving beyond simple scams to building sustainable criminal enterprises. They’re playing the long game now — developing monetization strategies for every type of data they can harvest; every user behavior they can exploit. The February spike shows this isn’t random, it’s methodical business development in the cybercrime space. 

Smishing (SMS phishing) has quickly become one of the most effective tools in the attacker’s playbook. Using AI-generated text and increasingly well-crafted lures, these campaigns are harder to spot than ever. And while smishing is rising fast, it’s not alone. We’re also seeing a growing number of PDF phishing attacks, where malicious documents act as entry points for broader compromise.

But perhaps the most systemic issue is lack of updates, with over 30% of Android devices remaining stuck on outdated operating systems. These devices are sitting ducks, because they are unable to receive critical security patches, yet are still being actively used. Combine this with counterfeit or gray-market devices that come preloaded with malware, and you’ve got a recipe for widespread exposure.

What we’re seeing isn’t a collection of one-off scams. It’s infrastructure. The Android threat landscape has matured into a network of monetization schemes that thrive on scale, persistence, and user trust. Attackers aren’t just after quick wins—they’re building operations that last.

The takeaway? Mobile security can’t be an afterthought. Individuals and organizations alike need to treat Android threats with the same seriousness as traditional desktop attacks. That means prioritizing device hygiene, avoiding sideloaded apps (where you download an app not from the Google Play store), staying current with patches where possible, and educating users about the social engineering tactics that increasingly underpin these attacks.

**How to protect your Android device**

Google Play Protect is a built in security feature from Android that automatically protects users against apps that engage in malicious behavior. That’s great, but we still see malware campaigns that are spread, partially or as a whole, through the Google Play Store.

To keep your devices free from Android malware:

*   Get your apps from the Google Play store whenever you can.
*   Be careful about the permissions you allow a new app. Does it really need those permissions for what it’s supposed to do? Permissions like “Display over other apps” should particularly raise a red flag, because they can be used to intercept login credentials.
*   Don’t allow notifications as much as possible. Dubious ad sites often request permission to display notifications. Allowing this will increase the number of ads as they push them to the device’s notification bar.
*   Use up-to-date and active security software on your Android.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Android threats rise sharply, with mobile malware jumping by 151% since start of year 

Kaspersky uncovers SparkKitty, new spyware in Apple App Store & Google Play. Steals photos, targets crypto info, active since early 2024 via malicious apps.

Cybersecurity researchers at Kaspersky have reported a new spyware operation, dubbed SparkKitty, that has infected apps available on both the official Apple App Store and Google Play.

This spyware aims to steal all images from users’ mobile devices, with a suspected focus on finding cryptocurrency information. The campaign has been active since early 2024, mainly targeting users in Southeast Asia and China.

SparkKitty spyware infiltrates devices through applications that look harmless, often disguised as modified versions of popular apps like **TikTok**. In the case of the malicious TikTok versions, they even included a fake TikToki Mall online store within the app that accepted cryptocurrency for consumer goods, often requiring an invitation code for access.

Installation process on iPhone showing how the malicious TikTok app uses a configuration profile (Source: Kaspersky)

****Targeting iOS Devices****

According to Kaspersky’s **report**, for iOS devices, the attackers use a special Enterprise provisioning profile from Apple’s Developer Program. This allows them to install certificates on iPhones that make the malicious apps appear trustworthy, bypassing the usual App Store review process for direct distribution.

Furthermore, threat actors embedded their malicious code by modifying open-source networking libraries like AFNetworking.framework and Alamofire.framework, and also disguised it as libswiftDarwin.dylib.

****Targeting Android Devices****

On the Android side, Kaspersky found SparkKitty spyware hidden in various cryptocurrency and casino applications. One such app, a messaging tool with crypto features, was downloaded over 10,000 times from **Google Play** before being removed.

Another infected Android app spread outside official stores had a similar version that slipped into the App Store. Both directly included the malicious code within the app itself, not just as a separate component.

Once installed, SparkKitty spyware’s main goal is to access and steal all photos from a device’s gallery. While it broadly collects images, it appears linked to older spyware called SparkCat, which used Optical Character Recognition (**OCR**), a technology that _reads_ text from images – to specifically find and steal details like cryptocurrency wallet recovery phrases from screenshots.

Some versions of SparkKitty also use OCR for this purpose, leveraging the Google **ML Kit library** for this function, particularly in apps distributed via shady web pages resembling scams and **Ponzi schemes**.

SparkKitty spyware apps on Google Play (left) and App Store (right)

****Connected Campaigns and Targets****

Kaspersky believes SparkKitty spyware is directly connected to the earlier SparkCat campaign, **discovered** in January 2025, sharing similar distribution methods through both official and unofficial app marketplaces. Both threats also seem focused on cryptocurrency theft. The attackers behind SparkKitty spyware specifically targeted users in Southeast Asia and China, often through modified gambling and adult games, as well as the **fake TikTok apps**.

While downloading apps from third-party stores is always risky, this discovery shows that even trusted sources like official app stores can no longer be considered fully reliable. Users in the affected regions, and indeed globally, should remain cautious about app permissions and consider the legitimacy of any app asking for unusual access, especially to photo galleries.

SparkKitty Spyware on App Store and Play Store, Steals Photos for Crypto Data

Like its predecessor, SparkCat, the new malware appears to be going after sensitive data — such as seed phrases for cryptocurrency wallets — in device photo galleries.

Tag

#android