Sunday, January 18, 2026

Q2 Sees Surge in Android Malware – Banking Trojans and Spyware on the Rise

The latest detection statistics from Dr.Web Security Space for mobile devices reveal troubling trends in Android malware for the second quarter of 2025.

Adware Trojans remain the most prevalent threat, but banking trojans and sophisticated spyware campaigns have significantly increased, exposing users to new risks.

Adware Trojans Still Dominate, But Banking Threats Surge

Adware variants continue to comprise the majority of malware on Android devices. The notorious Android.HiddenAds family, which often hides inside seemingly harmless applications, topped the threat chart, although incidents dropped by 8.62%.

Next in prevalence were Android.MobiDash trojans, whose activity rose sharply by 11.17%. These adware trojans stealthily integrate into apps, bombard users with intrusive ads, and often hide their icons to avoid detection.

Meanwhile, banking trojans made an alarming comeback. Android.Banker trojans saw a 73.15% spike in activity compared to the previous quarter, targeting sensitive banking information and credentials.

In contrast, some established families like Android.BankBot and Android.SpyMax were detected less frequently, with incidents dropping 37.19% and 19.14%, respectively.

Cryptocurrency Heists and Military Espionage

April brought two highly sophisticated malware discoveries. The first was Android.Clipper.31, a trojan engineered to steal cryptocurrency.

Embedding itself in modified WhatsApp versions and even in the firmware of specific budget Android smartphones, it hijacks messages to swap legitimate Tron and Ethereum wallet addresses with those of cybercriminals.

Users see only the correct address, never realizing their assets have been redirected. The trojan also uploads all images to a remote server, scouring them for mnemonic wallet phrases.

The second notable threat, Android.Spy.1292, initially targeted Russian military personnel. Disguised within a modified Alpine Quest mapping app, this spyware covertly harvested confidential data, including contacts, geolocation info, and sensitive documents.

Distribution channels included fake Telegram channels and unofficial app catalogs, highlighting the lengths to which attackers are willing to go in cyber-espionage campaigns.

Threats Persist on Google Play

Despite Google Play’s security measures, Dr.Web’s analysts identified numerous malicious apps for the Android platform, primarily from the FakeApp family, masquerading as finance tools or popular games. These trojans loaded scam websites rather than offering promised functionality.

Examples include financial apps like “TPAO,” targeting Turkish users, and “Quantum MindPro” for French speakers, as well as the fake game “Pino Bounce,” which redirected users to online gambling sites.

Staying Safe in a Hostile Environment

Mobile security experts strongly recommend installing reputable antivirus solutions, such as Dr.Web for Android, to protect against this rapidly evolving threat landscape.

Users should also exercise caution when downloading apps, even from the Play Store, and avoid installing software from unofficial sources.

In summary, Q2 of 2025 has seen not only persistent adware but also a sharp rise in banking trojans and targeted spyware, as cybercriminals continue to evolve and diversify their tactics.
