Android Malware 2025: The Latest Mobile Threats You Need to Know About
Table of Contents
The Android threat landscape in 2025 is more sophisticated than ever. Mobile devices have become primary targets because they contain banking apps, authentication codes, messaging history, and location data â an extraordinarily rich target for cybercriminals. This roundup covers the most significant Android malware families and campaigns active in 2025.
The State of Android Malware in 2025¶
Android's open ecosystem â which allows sideloading and third-party app stores â continues to be the primary attack surface. However, 2025 has seen a notable increase in Play Store bypass techniques, with dropper apps making it through Google's review process before downloading malicious payloads after installation.
Key trends:
- Banking trojans remain the most financially damaging category
- Spyware for hire services targeting journalists and activists are expanding beyond nation-state use
- Fake crypto applications targeting the growing retail crypto investor base
- AI-generated phishing improving the quality of social engineering attacks that deliver mobile malware
Major Android Malware Families Active in 2025¶
GoldPickaxe¶
GoldPickaxe is a sophisticated trojan targeting users in Southeast Asia (primarily Thailand and Vietnam) that first emerged in late 2023 and remained active through 2025. Its most alarming capability: it collects facial recognition data â prompting users to record a video or scan their face â which is then used to generate deepfakes to bypass banking biometric authentication.
GoldPickaxe exists in both Android and iOS versions, the iOS variant being distributed through Apple's TestFlight testing platform and Mobile Device Management (MDM) profiles.
Goldoson¶
Goldoson is a malicious SDK (Software Development Kit) that was embedded in over 60 legitimate apps on the Korean Google Play Store. Rather than a standalone malicious app, Goldoson was integrated into apps by developers who used a third-party library without knowing it contained malware.
Goldoson collected lists of installed apps, WiFi and Bluetooth device information, and GPS location â and performed ad fraud by clicking on hidden ads in the background.
Necro Trojan¶
The Necro trojan made headlines in 2024 when it was found inside a modified version of Spotify on unofficial app stores â and later inside legitimate apps on the Google Play Store with combined downloads exceeding 11 million. Necro is a dropper: after installation it downloads additional malicious modules including adware and subscription fraud components.
SpyNote / CypherRAT¶
SpyNote (and its evolution CypherRAT) is a widely circulated Android RAT available on dark web forums. It provides:
- Real-time camera and microphone access
- GPS location tracking
- Keylogging
- Contact and message theft
- Screen recording
- Remote shell access
SpyNote is distributed through fake customer support apps, modified banking apps, and government service impersonators. It's been documented targeting users across Europe, Asia, and South America.
Anatsa (TeaBot)¶
Anatsa is a banking trojan targeting over 650 banking and financial applications. It uses accessibility services for overlay attacks and has been distributed through dropper apps on the Play Store disguised as PDF readers, QR code scanners, and file managers. Anatsa is particularly well-developed â it generates realistic user interactions to avoid automated fraud detection.
Predator Spyware¶
Predator is a commercial surveillance tool developed by Intellexa (a consortium of companies). Like NSO Group's Pegasus, Predator is sold to governments and used against high-value targets. In 2024, Amnesty International and Citizen Lab documented Predator targeting journalists in Egypt, Madagascar, and elsewhere.
Google Play Protect and Its Limitations¶
Google Play Protect is Android's built-in security system that scans apps on the Play Store and on-device for malware. It blocks millions of installs annually.
However, its limitations are significant:
- Sophisticated dropper apps pass initial review by being benign at submission time
- Play Protect's behavioral detection can be defeated by malware that checks for analysis environments
- Sideloaded apps receive less scrutiny
In 2025, Google introduced Play Integrity API improvements requiring app developers to verify app integrity and block execution in tampered environments â a step forward but not a complete solution.
How to Stay Safe from Android Malware in 2025¶
App Installation¶
- Only install apps from the Google Play Store â avoid third-party app stores and APK sites
- For Play Store apps, check the developer name, review count, and publication date â dropper apps typically have short histories and generic developer names
- Avoid apps that request Accessibility Service permissions unless you have a specific reason
Permissions¶
- Review app permissions during and after installation â go to Settings > Apps > [App] > Permissions
- Revoke permissions for apps that don't clearly need them
- Be particularly suspicious of camera, microphone, SMS, and accessibility permissions
Keep Android Updated¶
Android security patches close known vulnerabilities used by exploits. Enable automatic updates and don't ignore system update notifications.
Use a Mobile Security App¶
Bitdefender Mobile Security, Malwarebytes for Android, and ESET Mobile Security provide reliable real-time scanning and behavioral monitoring.
Enable Google Play Protect¶
Ensure Play Protect is active: Google Play > Profile icon > Play Protect.
FAQ¶
Can Android malware infect my phone if I only use the Play Store?
Yes, but the risk is significantly lower. Dropper apps occasionally make it through Google's review process. The vast majority of infections occur through sideloaded apps.
Does factory reset remove Android malware?
For virtually all Android malware, yes. Some sophisticated nation-state malware can persist in the firmware, but this is extremely rare outside of targeted espionage operations.
My phone is slow â does that mean I have malware?
Not necessarily. Slowdowns can be caused by storage being full, aging hardware, or poorly optimized apps. Malware is one possible cause â run a scan with Malwarebytes to check.
What countries are most targeted by Android banking malware?
Banking trojans most frequently target users in the US, UK, Spain, Turkey, Italy, Germany, France, Australia, and Brazil â countries with high mobile banking adoption.
This article is published by ScamSandbox to help users understand and avoid malware threats and online scams.