Doctor Web’s Q1 2026 review of virus activity on mobile devices
April 1, 2026
In Q1, apps to which junk code had been added to obfuscate their logic were widespread, accounting for 15.35% of all registered detections. This modification is performed with the NP Manager hacker tools for modding Android software. Since last fall, these tools have been actively used in the Android.Banker.Mamont trojan family to evade anti-virus detection, which is why we warn users when an app has been altered in this way. Dr.Web anti-virus products detect such apps as Tool.Obfuscator.TrashCode.
Another widespread category of potentially dangerous software, despite a 31.65% decrease in the number of detections, was again software modified with the NP Manager tool (detected by Dr.Web as Tool.NPMod). This tool contains modules for protecting and obfuscating app code, as well as for bypassing digital signature verification once an app has been modified. Cybercriminals use it to protect malware so that anti-viruses have a harder time detecting it.
The most prevalent unwanted software was Program.FakeAntiVirus—fake anti-viruses that allegedly detect threats and demand that users purchase the full version to “cure” the infection. Moreover, users again encountered apps from the Program.FakeMoney and Program.CloudInject families. The former supposedly allow users to earn money by completing various tasks. The latter are apps modified using the CloudInject cloud service. Via this service, the programs are given dangerous system permissions as well as obfuscated code whose functionality cannot be controlled.
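Because NP Manager lets a modified app pass its own signature checks, the practical defender-side test is to compare the APK's signing certificate with the developer's published fingerprint rather than trusting the app's self-check: a repackaged app cannot carry the original key. The following is an added example, not Doctor Web's code, that parses the output of `apksigner verify --print-certs` (Android SDK build-tools) and flags re-signed packages; the fingerprint and the sample outputs are constructed placeholders.

```python
import re
import subprocess
from typing import Dict

# Per-signer digest lines as printed by `apksigner verify --print-certs`.
_DIGEST_RE = re.compile(
    r"^Signer #(?P<idx>\d+) certificate (?P<algo>SHA-256|SHA-1|MD5) digest: (?P<hex>[0-9a-fA-F]+)$"
)


def parse_signer_digests(apksigner_output: str) -> Dict[int, Dict[str, str]]:
    """Map signer index -> {algorithm: lowercase hex digest} from apksigner output."""
    signers: Dict[int, Dict[str, str]] = {}
    for line in apksigner_output.splitlines():
        m = _DIGEST_RE.match(line.strip())
        if m:
            signers.setdefault(int(m.group("idx")), {})[m.group("algo")] = m.group("hex").lower()
    return signers


def verify_signer(apksigner_output: str, expected_sha256: str) -> str:
    """Classify an APK against the developer's pinned SHA-256 certificate digest.

    "ok": every signer is the pinned key; "resigned": at least one signer differs,
    i.e. the package was repackaged and signed with another key; "unsigned": no
    signer could be parsed (apksigner itself exits non-zero on broken signatures).
    """
    signers = parse_signer_digests(apksigner_output)
    if not signers:
        return "unsigned"
    expected = expected_sha256.replace(":", "").lower()
    digests = {s.get("SHA-256") for s in signers.values()}
    return "ok" if digests == {expected} else "resigned"


def apksigner_print_certs(apk_path: str, apksigner: str = "apksigner") -> str:
    """Run the real tool on an APK; check=True raises if the signature does not verify."""
    proc = subprocess.run([apksigner, "verify", "--print-certs", apk_path],
                          check=True, capture_output=True, text=True)
    return proc.stdout


# Constructed placeholders (not real fingerprints or app output).
PINNED_SHA256 = "aa" * 32  # hypothetical fingerprint published by the app's developer
SAMPLE_GENUINE = (f"Signer #1 certificate DN: CN=Example Developer\n"
                  f"Signer #1 certificate SHA-256 digest: {PINNED_SHA256}\n"
                  f"Signer #1 certificate SHA-1 digest: {'bb' * 20}\n")
SAMPLE_RESIGNED = (f"Signer #1 certificate DN: CN=Android Debug, O=Android, C=US\n"
                   f"Signer #1 certificate SHA-256 digest: {'11' * 32}\n"
                   f"Signer #1 certificate SHA-1 digest: {'22' * 20}\n")

if __name__ == "__main__":
    print(verify_signer(SAMPLE_GENUINE, PINNED_SHA256), verify_signer(SAMPLE_RESIGNED, PINNED_SHA256))
```

Colon-separated fingerprints, as shown in Google Play Console, are accepted as the pinned value.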
The most frequently detected adware programs were Adware.Bastion.1.origin optimization apps. These periodically create notifications containing misleading messages that inform users about alleged low memory and system errors. Their goal is to display ads during “optimization”. Another popular adware was Adware.Opensite.15—programs which cybercriminals pass off as cheat tools for obtaining resources in games. In reality, such apps load various ad-filled websites. Adware.AdPush—programs with built-in ad-displaying modules—were also widespread once again.
In January, Doctor Web informed users about a new family of trojan clickers, dubbed Android.Phantom. Our virus analysts identified several distribution sources for these malicious apps. One was the official app catalog for Xiaomi devices—GetApps, where the trojans were found to be embedded in several games. Moreover, threat actors distributed the clickers within the mods of popular software via various Telegram channels, Discord servers, online software collections, and malicious websites.
Using Android.Phantom trojans, cybercriminals manipulate ad clicks on websites with the help of both machine-learning technologies and WebRTC, a technology for transmitting streaming data (including video) through a browser. The trojans load target websites along with JavaScript code for simulating user actions in WebView. Interaction with ads occurs in one of two modes. If a device supports WebRTC, Android.Phantom clickers broadcast a virtual screen with the loaded website to the attackers, who then control the website manually or using an automated system.
If WebRTC is not available, automated JavaScript scripts built on the TensorFlowJS framework are used instead. The clickers download the required behavioral model from a remote server, as well as JavaScript containing the framework itself and all of the functions needed for the model to operate and interact with the target sites.
Over the course of Q1, Doctor Web’s anti-virus laboratory identified new threats on Google Play. Among them were many Android.Joker trojans as well as the malicious apps Android.Subscription.23 and Android.Subscription.24. All of them are designed to subscribe users to paid services.
Principal trends of Q1 2026
- Android.Banker banking trojans became the most common Android threats.
- Cybercriminals have begun using Android app modding tools more often to protect banking trojans.
- The ad-displaying trojans Android.MobiDash and Android.HiddenAds continued to be less active.
- The spread of Android.Phantom trojan apps, which utilize machine learning and video broadcasts to boost clicks on websites, was notable.
- New malware was detected on Google Play.
According to statistics collected by Dr.Web Security Space for mobile devices
- Android.Banker.Mamont.80.origin: A banking trojan that intercepts SMS containing one-time codes from credit organizations, hijacks the contents of notifications, and collects other confidential information. This includes technical data about the infected device, the list of installed apps, and information about the SIM card, phone calls, and sent and received SMS.
- Android.FakeApp.1600: A trojan app that loads the website hardcoded into its settings. Known modifications of this malicious program load an online casino site.
- Android.HiddenAds.675.origin: A trojan app designed to display intrusive ads. Members of the Android.HiddenAds family are often distributed as popular and harmless applications. In some cases, other malware can install them in the system directory. When these infect Android devices, they typically conceal their presence from the user; for example, they “hide” their icons from the home screen menu.
- Android.Packed.57.origin: The detection name for an obfuscator used to protect apps, including malicious ones (for example, some Android.SpyMax banking trojan versions).
- Android.Click.1812: The detection name for malicious WhatsApp messenger mods that can covertly load various websites in the background.
- Program.FakeAntiVirus.1: The detection name for adware programs that imitate anti-virus software. These apps inform users of nonexistent threats, mislead them, and demand that they purchase the software’s full version.
- Program.FakeMoney.11: The detection name for Android applications that allegedly allow users to earn money by completing different tasks. These apps make it look as if rewards are accruing for each completed task. At the same time, users are told that they have to accumulate a certain sum to withdraw their “earnings”. Typically, such apps have a list of popular payment systems and banks that supposedly could be used to withdraw the rewards. But even if users succeed in accumulating the needed amount, in reality they cannot get any real payments. This virus record is also used to detect other unwanted software based on the source code of such apps.
- Program.CloudInject.5, Program.CloudInject.1: The detection name for Android programs that have been modified using the CloudInject cloud service and the eponymous Android utility (the latter was added to the Dr.Web virus database as Tool.CloudInject). Such programs are modified on a remote server; meanwhile, the modders (users) who are interested in such modifications cannot control exactly what will be added to the apps. Moreover, these programs receive a number of dangerous system permissions. Once modification is complete, modders can remotely manage these apps—blocking them, displaying custom dialogs, tracking when other software is being installed or removed from a device, etc.
- Program.SnoopPhone.1.origin: An application designed to monitor the activity of Android device owners. It allows intruders to read SMS, collect call information, track device location, and record the surroundings.
- Tool.Obfuscator.TrashCode.1, Tool.Obfuscator.TrashCode.2: The detection name for Android programs to which junk code has been added using hacker tools for modifying Android apps. Such modification is performed to scramble the apps’ logic. This technique is often found in banking trojans and pirated software.
- Tool.NPMod.3, Tool.NPMod.1: The detection name for Android programs that have been modified using the NP Manager utility. This tool contains modules for obfuscating and protecting the apps’ code as well as for bypassing their digital signature verification after they have been modified. The obfuscation it adds is often used to make malware more difficult to detect and analyze.
- Tool.LuckyPatcher.2.origin: A tool that modifies apps installed on Android devices by applying patches to them, in order to change how they operate or to bypass certain restrictions. For instance, users can apply it to disable root-access verification in banking software or to obtain unlimited resources in games. To add patches, this utility downloads from the Internet specially prepared scripts, which can be crafted and added to a common database by any third party. The functionality of such scripts can prove to be malicious; thus, patches made with this tool can pose a potential threat.
- Adware.Bastion.1.origin: The detection name for optimization programs that periodically create notifications containing misleading messages. They inform users about alleged low memory and system errors in order to display ads during “optimization”.
- Adware.AdPush.3.origin: An adware module that can be built into Android apps. It displays notifications containing ads that mislead users; for example, such notifications can look like messages from the operating system. In addition, this module collects a variety of confidential data and is able to download other apps and initiate their installation.
- Adware.Opensite.15: Apps passed off as cheat tools for obtaining resources in games. In fact, they are created to display ads. These programs receive a configuration from a remote server and use it to open a target website containing ads such as banners, pop-up windows, video clips, etc.
- Adware.Fictus.1.origin: An adware module that malicious actors embed into cloned versions of popular Android games and applications. Its incorporation is facilitated by a specialized net2share packer. Copies of software created this way are then distributed through various software catalogs. When installed on Android devices, such apps and games display obnoxious ads.
- Adware.Airpush.7.origin: Adware modules that can be built into Android apps and display various ads. Depending on the modules’ version and modification, these can be notifications containing ads, pop-up windows, or banners. Malicious actors often use these modules to distribute malware by offering their potential victims diverse software for installation. Moreover, such modules collect personal information and send it to a remote server.
Threats on Google Play
In Q1 2026, Doctor Web’s anti-virus laboratory experts discovered more Android.Joker malicious programs, which subscribe victims to paid services. The trojans were concealed in a number of tools for optimizing the operation of Android devices, and were distributed under the guise of messengers, multimedia, and other software. In total, they have been installed at least 370,000 times.
Examples of Android.Joker malware detected on Google Play in Q1 2026. Android.Joker.2511 was built into the messenger Private Chat Message, and Android.Joker.2524—into the camera app Magic Camera
Moreover, our malware analysts discovered the malicious programs Android.Subscription.23 and Android.Subscription.24, which are also designed to subscribe users to paid services. These trojans load websites on which a paid mobile subscription is activated with the help of WAP Click technology. On these sites, users are asked to provide their mobile phone number, after which an attempt is made to activate a subscription automatically. Both trojans were downloaded from Google Play over 1.5 million times in total.
The Android.Subscription.23 and Android.Subscription.24 malicious programs were distributed as Stream Hive and Prime Link, apps for managing personal finances, but their only functionality was loading websites to subscribe Android device owners to paid mobile services
To protect your Android device from malware and unwanted programs, we recommend installing Dr.Web anti-virus products for Android.