Android Malware Update: 239 Malicious Google Play Apps and a 67% Surge in Mobile Attacks

CyberSecureFox 🦊

Mobile threats accelerated sharply over the past year, according to new data from Zscaler. From June 2024 to May 2025, researchers identified 239 malicious Android apps on Google Play, accumulating more than 42 million installs. In the same period, mobile-focused attacks climbed 67% year over year, signaling sustained pressure on the Android ecosystem from financially motivated and surveillance-oriented actors.

Adware Dominates; Joker Infostealer Stays Persistent

Adware accounted for 69% of detected cases, making it the most prevalent category. While often dismissed as “nuisanceware,” modern adware frequently abuses permissions, employs hidden monetization, and can serve as a foothold for broader data collection. The Joker family—responsible for 23% of detections—remains a persistent threat, typically masquerading as legitimate utilities, wallpapers, or productivity tools. Joker is known for SMS interception, notification access, and dynamic payload delivery that enable billing fraud and the exfiltration of sensitive data.

Social Engineering Drives Mobile Payment Fraud

Zscaler notes a marked pivot toward social engineering as the primary lever for monetizing mobile attacks. Techniques include credential phishing, smishing (SMS phishing), SIM swapping to hijack phone numbers, and other payment scams. These methods deliver higher ROI through scale and psychological pressure rather than technical exploitation alone. A common scenario involves SMS messages impersonating banks or delivery firms to capture one-time passwords, then rapidly draining accounts or enrolling users in fraudulent subscriptions.

Spyware Activity Surges 220% YoY

Spyware families such as SpyNote, SpyLoan, and BadBazaar grew by 220%. These tools enable covert surveillance, data theft, and extortion. Many leverage Android’s Accessibility Services to bypass standard security prompts, while low-cost builder kits and remote administration tool (RAT) frameworks lower the barrier to entry. The result is a wider spectrum of operators—from organized groups to low-skilled actors—deploying capabilities once associated with more advanced adversaries.

Global Distribution: India, US, and Canada Most Targeted

India, the United States, and Canada together accounted for 55% of observed cases. Zscaler also reports extreme year-over-year growth in specific regions, with Italy and Israel experiencing spikes of 800–4000%. Surges frequently align with localized phishing campaigns and targeting of widely used regional services, underlining how threat actors tailor lures to language, brand familiarity, and local payment ecosystems.

Threat Tradecraft: Permissions Abuse, Signed Builds, and Resilient C2

The report highlights three prevalent and dangerous malware families (not named individually) that share technical hallmarks: aggressive permission abuse, resilient command-and-control (C2) channels, and monetization pipelines coupled with code signing and dynamic payload delivery. Code signing helps malware bypass initial trust checks, while on-demand payloads allow operators to modify capabilities post-installation, reducing static detection.

IoT Attack Surface Expands: Home/SOHO Routers in the Crosshairs

Beyond smartphones, adversaries increasingly exploit IoT, especially home and SOHO routers. Unpatched devices are conscripted into botnets, used as proxy nodes to relay malicious traffic and hide C2 infrastructure. This “fog-of-war” at the network edge complicates takedowns, extends attacker dwell time, and enables malware delivery to downstream targets with minimal attribution risk.

How to Reduce Risk: Practical Android and Network Defenses

Updates and app sourcing: Apply OS and app updates promptly and avoid sideloading. Scrutinize apps requesting invasive permissions, particularly access to Accessibility Services, SMS, notifications, and overlay features.

Google Play Protect and permissions hygiene: Run Play Protect scans regularly, review installed apps, and revoke unnecessary permissions. Limit background activity for apps that do not need persistent access.

Payment and communications hygiene: Do not click links from unsolicited SMS or messaging apps. Confirm transactions through trusted channels. Enable SIM PIN/PUK and use multifactor authentication (prefer hardware keys or app-based OTPs over SMS when possible).

IoT hardening: Change default router passwords, disable unused services (UPnP/telnet), segment IoT devices on a guest or dedicated VLAN, and apply firmware updates on a schedule. Consider DNS filtering and router-level threat protection where available.
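The permission-hygiene advice above can be turned into a repeatable audit. The following is an added example, not code from the article or from Zscaler: it parses the text of `adb shell dumpsys package` for the SMS and overlay permissions, and the values of `adb shell settings get secure enabled_accessibility_services` / `enabled_notification_listeners` for Accessibility and notification access, then flags every package holding one of those capabilities. The sample output and package names are constructed for the demonstration.

```python
import re
# SMS/overlay are uses-permissions seen in 'dumpsys package'; Accessibility/notification-listener access are per-service values from 'settings get secure'.
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
             "android.permission.SEND_SMS"}
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"
PACKAGE_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
PERM_RE = re.compile(r"^\s+(android\.permission\.[A-Z_]+)(?::\s*granted=(true|false))?")

def parse_dumpsys(text):
    """Return {package: set of permissions requested or granted} from 'dumpsys package' text."""
    pkgs, current = {}, None
    for line in text.splitlines():
        if m := PACKAGE_RE.match(line):
            current = m.group(1)
            pkgs.setdefault(current, set())
        elif current and (m := PERM_RE.match(line)) and m.group(2) != "false":
            pkgs[current].add(m.group(1))  # requested (no flag) or granted=true
    return pkgs

def enabled_packages(setting_value):
    """'settings get secure ...' prints 'pkg/svc:pkg/svc' or 'null'; return the package names."""
    value = setting_value.strip()
    return set() if value in ("", "null") else {e.split("/")[0] for e in value.split(":") if e}

def flag_risky_apps(pkgs, accessibility_setting, notification_setting):
    """Map each package to the high-risk capability classes the article warns about."""
    a11y, notif = enabled_packages(accessibility_setting), enabled_packages(notification_setting)
    findings = {}
    for pkg in set(pkgs) | a11y | notif:
        perms = pkgs.get(pkg, set())
        hits = {"sms": bool(perms & SMS_PERMS), "overlay": OVERLAY_PERM in perms,
                "accessibility": pkg in a11y, "notifications": pkg in notif}
        if any(hits.values()):
            findings[pkg] = {name for name, hit in hits.items() if hit}
    return findings

# Constructed sample approximating 'dumpsys package' output and the two settings values; not a real device.
SAMPLE_DUMPSYS = """\
  Package [com.example.wallpapers] (1a2b3c):
    requested permissions:
      android.permission.RECEIVE_SMS
      android.permission.SYSTEM_ALERT_WINDOW
    runtime permissions:
      android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET ]
  Package [com.example.notes] (4d5e6f):
    requested permissions:
      android.permission.INTERNET
"""
SAMPLE_A11Y, SAMPLE_NOTIF = "com.example.wallpapers/.HelperService", "null"
```

Running `flag_risky_apps(parse_dumpsys(SAMPLE_DUMPSYS), SAMPLE_A11Y, SAMPLE_NOTIF)` reports the wallpaper app for SMS, overlay and Accessibility access while the notes app stays clean; on a real device, pipe the three adb commands' output into the same functions and review every flagged package against what it plausibly needs.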

The data indicates that Android remains a prime target for criminal monetization, with a combination of social engineering and malicious apps driving risk. Strengthening basic hygiene, maintaining strict permission discipline, leveraging Google Play Protect, and isolating IoT devices can significantly lower exposure. For organizations, complement user training with mobile device management, application allowlists, and network segmentation to stay ahead of evolving threats.
