Doctor Web’s Q3 2025 review of virus activity on mobile devices

According to detection statistics collected by Dr.Web Security Space for mobile devices, Android.MobiDash ad-displaying trojans were the most widespread threats of Q3 2025. They were detected on protected devices 18.19% more often than during the previous observation period.

The adware trojans Android.HiddenAds, whose activity decreased for the second quarter in a row, fell to second place. In the past 3 months, users encountered them 71.85% less often. These malicious apps conceal their icons, making the trojans harder to detect and remove, and then display ads, including full-screen videos.

Third place was again occupied by the Android.FakeApp trojans that cybercriminals use in various fraudulent schemes; the number of times they were detected decreased by 7.49%. Instead of providing the declared functionality, these malicious apps often load various websites, including fraudulent and malicious ones, as well as bookmaker and online casino websites.

Despite a 38.88% decline in activity, Android.Banker trojans remain the most widespread banking malware. Threat actors use them to gain illegal access to banking accounts and steal money. These trojans can display phishing windows to hijack logins and passwords, imitate the appearance of real banking software, intercept SMS to obtain one-time codes, etc.

Android.Banker trojans were followed by the Android.BankBot trojans, which were detected 18.91% more often than in Q2. Such trojans also try to gain access to users’ online banking accounts by intercepting confirmation codes. At the same time, these malicious apps can execute various commands coming from cybercriminals. Some of them also allow infected devices to be controlled remotely.

Rounding out the top three, Android.SpyMax banking trojans were detected 17.25% less often than in the previous quarter. These malicious apps are based on the source code of the spyware trojan SpyNote and provide a wide range of functions, including the ability to remotely control affected devices.

In August, we informed users about a malware distribution campaign involving the Android.Backdoor.916.origin multi-functional backdoor. Cybercriminals use this piece of malware to steal confidential data and spy on Android device users. Threat actors sent messages to potential victims via various messengers, offering an “anti-virus” that can be installed from the attached APK file. Doctor Web’s anti-virus laboratory discovered the first versions of this backdoor back in January 2025 and has continued to monitor its development ever since. Our experts believe that this backdoor is used in targeted attacks and is not intended for mass distribution. The main target for cybercriminals is representatives of Russian businesses.

Over the course of Q3, a large number of malicious programs were distributed on Google Play for a combined total of over 1,459,000 installations. Among them were dozens of Android.Joker trojans that subscribe victims to paid services and Android.FakeApp malicious fake programs. In addition, our malware analysts discovered yet another app that supposedly allowed virtual rewards to be converted into real money.

According to statistics collected by Dr.Web Security Space for mobile devices

Android.MobiDash.7859

A trojan app that displays obnoxious ads. It is a special software module that developers incorporate into applications.

Android.FakeApp.1600

A trojan app that loads the website that is hardcoded into its settings. Known modifications of this malicious program load an online casino site.

Android.Click.1812

The detection name for malicious WhatsApp messenger mods that can covertly load various websites in the background.

Android.HiddenAds.673.origin

A trojan app designed to display intrusive ads. Members of the Android.HiddenAds family are often distributed as popular and harmless applications. In some cases, other malware can install them in the system directory. When these infect Android devices, they typically conceal their presence from the user. For example, they “hide” their icons from the home screen menu.

Android.Triada.5847

The detection name for a packer for Android.Triada trojans that is designed to protect them from being detected and analyzed. Threat actors most often use the packer together with malicious Telegram messenger mods in which these trojans are embedded.

Program.FakeMoney.11

The detection name for Android applications that allegedly allow users to earn money by completing different tasks. These apps make it look as if rewards are accruing for each one that is completed. At the same time, users are told that they have to accumulate a certain sum to withdraw their “earnings”. Typically, such apps have a list of popular payment systems and banks that supposedly could be used to withdraw the rewards. But even if users succeed in accumulating the needed amount, in reality they cannot get any real payments. This virus record is also used to detect other unwanted software based on the source code of such apps.

Program.CloudInject.5

Program.CloudInject.1

The detection name for Android programs that have been modified using the CloudInject cloud service and the eponymous Android utility (the latter was added to the Dr.Web virus database as Tool.CloudInject). Such programs are modified on a remote server; meanwhile, the modders (users) who are interested in such modifications cannot control exactly what will be added to the apps. Moreover, these programs receive a number of dangerous system permissions. Once modification is complete, modders can remotely manage these apps—blocking them, displaying custom dialogs, tracking when other software is being installed or removed from a device, etc.

Program.FakeAntiVirus.1

The detection name for adware programs that imitate anti-virus software. These apps inform users of nonexistent threats, mislead them, and demand that they purchase the software’s full version.

Program.TrackView.1.origin

The detection name for a program that allows users to be monitored via their Android devices. Malicious actors can utilize it to track a target device’s location, take photos and video with the camera, eavesdrop via the microphone, record audio, etc.

Tool.NPMod.3

Tool.NPMod.1

Tool.NPMod.4

The detection name for Android programs that have been modified using the NP Manager utility. A special module is embedded in such apps, and it allows them to bypass digital signature verification once they have been modified.

Tool.LuckyPatcher.2.origin

A tool that allows apps installed on Android devices to be modified (i.e., by creating patches for them) in order to change the logic of their work or to bypass certain restrictions. For instance, users can apply it to disable root-access verification in banking software or to obtain unlimited resources in games. To add patches, this utility downloads specially prepared scripts from the Internet, which can be crafted and added to a shared database by any third party. The functionality of such scripts can prove to be malicious; thus, patches made with this tool can pose a potential threat.

Tool.Androlua.1.origin

The detection name for some potentially dangerous versions of a specialized framework for developing Android software based on the Lua scripting language. The main logic of Lua-based apps resides in corresponding scripts that are encrypted and decrypted by the interpreter upon execution. By default, this framework often requests access to a large number of system permissions in order to operate. As a result, the Lua scripts that it executes can potentially perform various malicious actions in accordance with the acquired permissions.

Adware.AdPush.3.origin

Adware.Adpush.21846

Adware modules that can be built into Android apps. They display notifications containing ads that mislead users. For example, such notifications can look like messages from the operating system. In addition, these modules collect a variety of confidential data and are able to download other apps and initiate their installation.

Adware.ModAd.1

The detection name for some modified versions (mods) of the WhatsApp messenger, whose functions have been injected with a specific code. This code is responsible for loading target URLs by displaying web content (via the Android WebView component) when the messenger is in operation. Such web addresses perform redirects to advertised sites, including online casino, bookmaker, and adult sites.

Adware.Youmi.4

The detection name for an unwanted adware module that adds advertizing shortcuts onto the Android OS home screen.

Adware.Basement.1

These are apps that display unwanted ads which often lead to malicious and fraudulent websites. They share a common code base with the Program.FakeMoney.11 unwanted applications.

Threats on Google Play

In Q3 2025, Doctor Web's anti-virus laboratory detected over 50 trojans from the Android.Joker family which subscribe users to paid services. They were distributed under the guise of different software, including messengers, various system tools, image-editing apps, camera apps, programs for working with documents, etc.

One trojan was hidden in the system-optimizing app Clean Boost (Android.Joker.2412), and another — in the app Convert Text to PDF (Android.Joker.2422) for creating PDF documents

Moreover, our specialists discovered more fake apps from the Android.FakeApp family being used in fraudulent schemes. As before, cybercriminals passed off some of them as financial apps, like reference books and teaching aids and software for accessing investing services. Other Android.FakeApp trojans were distributed as games and under certain conditions could load bookmaker and online casino websites instead of operating as promised.

Examples of Android.FakeApp trojans disguised as financial apps. Android.FakeApp.1889 offered users the chance to test their financial literacy and Android.FakeApp.1890 the opportunity to develop financial intellection

Our experts also discovered Program.FakeMoney.16—an unwanted app, distributed as software called Zeus Jackpot Mania. In this program, users could get virtual rewards that they could supposedly convert into real money and withdraw it.

Program.FakeMoney.16 on Google Play

To “withdraw” the money, victims had to give this app some of their data. However, ultimately, they did not receive any payments.

Program.FakeMoney.16 asks users to provide their full name and information about their bank account

To protect your Android device from malware and unwanted programs, we recommend installing Dr.Web anti-virus products for Android.