Android malware alert: banking trojans, DNG spying, and NFC fraud on the rise

Last update: 11/11/2025

  • 239 malicious apps on Google Play and over 42 million downloads detected by Zscaler
  • New campaigns: banking trojan with overlays, "Landfall" spyware, and NFC fraud with NGate
  • Mobile malware grows 67% year-on-year; adware dominates (69%) and Europe registers peaks in countries like Italy
  • Protection guide: permissions, updates, Play Protect, app verification, and account monitoring

Android phones remain in the spotlight, and according to the latest research the outlook is not exactly calm. Between banking Trojans that empty accounts, spyware that exploits zero-day vulnerabilities and contactless fraud, the attack surface grows in line with digital adoption in Europe and Spain.

In recent weeks, campaigns and data have come to light that paint a complex picture: 239 malicious apps on Google Play accumulating more than 42 million downloads, a new banking Trojan with overlays capable of taking control of the device, a spyware called Landfall that arrives through DNG images, and a card-cloning scheme via NFC (NGate) originating in Europe and expanding to Latin America.

A snapshot of the rise of mobile malware on Android


The latest Zscaler report reveals that between June 2024 and May 2025 Google Play hosted 239 malicious apps, which exceeded 42 million installations. Mobile malware activity grew by 67% year-on-year, with a special presence in the tools and productivity category, where attackers disguise their malware as seemingly legitimate utilities.

This evolution translates into a clear change in tactics: adware accounts for 69% of detections, while the Joker family falls to 23%. By country, India (26%), the United States (15%) and Canada (14%) lead the statistics, but in Europe notable upticks have been observed in Italy, with very sharp year-on-year increases, and warnings about the possible spread of the risk to the rest of the continent.

Faced with this scenario, Google has tightened its control over the developer ecosystem with additional identity verification measures for publishing on Android. The intention is to raise the bar for entry and traceability, reducing the ability of cybercriminals to distribute malware through official stores.


In addition to volume, sophistication is a concern: Zscaler highlights particularly active families, among them Anatsa (banking Trojan), Android Void/Vo1d (a backdoor in devices running legacy AOSP, with more than 1.6 million devices affected) and Xnotice, a RAT designed to steal credentials and 2FA codes. In Europe, financial institutions and mobile banking users represent a clear risk.

Experts point to a shift from classic credit card fraud towards mobile payments and social engineering (phishing, smishing and SIM swapping), which requires raising the digital hygiene of the end user and strengthening the protection of the entities' mobile channels.

Android/BankBot-YNRK: Overlays, Accessibility, and Bank Theft


Cyfirma researchers have documented a banking Trojan for Android dubbed "Android/BankBot-YNRK", designed to impersonate legitimate apps and then activate Accessibility Services to gain total control of the device. Its specialty is overlay attacks: it draws fake login screens over real banking and crypto apps to capture credentials.

The distribution combines the Play Store (in waves that bypass filters) with fraudulent pages offering APKs, using package names and titles that mimic popular services. Among the published technical indicators are several SHA-256 hashes, and it is speculated that the operation runs as Malware-as-a-Service, which facilitates its expansion to different countries, including Spain.

Once inside, it forces accessibility permissions, adds itself as a device administrator, reads what appears on the screen, presses virtual buttons and fills out forms. It can also intercept 2FA codes, manipulate notifications and automate transfers, all without raising any visible suspicion.

Analysts link this threat to the BankBot/Anubis family, active since 2016, with multiple variants that evolve to evade antivirus software and store controls. The campaigns usually target widely used financial apps, which increases the potential impact if they are not detected in time.


For users and businesses in the EU, the recommendation is to strengthen permission controls, review accessibility settings and monitor the behavior of financial apps. If in doubt, it's best to uninstall the app, scan the device and change credentials in coordination with the bank.

Landfall: Silent espionage using DNG images and zero-day flaws


Another investigation, led by Unit 42 of Palo Alto Networks, uncovered Android spyware called Landfall that exploited a zero-day vulnerability in an image processing library (libimagecodec.quram.so) to execute code when decoding DNG files. Receiving the image through a messaging app was enough for the attack to be carried out without any user interaction.

The first indications date back to July 2024, and the flaw was catalogued as CVE-2025-21042 (with an additional fix, CVE-2025-21043, months later). The campaign targeted Samsung Galaxy devices with particular emphasis and had the greatest impact in the Middle East, although experts warn of how easily these operations can expand geographically.

Once the device was compromised, Landfall allowed extraction of photos (without uploading them to the cloud), messages, contacts and call logs, plus covert activation of the microphone. The modularity of the spyware and its persistence for almost a year without being detected underscore the leap in sophistication being made by advanced mobile threats.

To mitigate the risk, it is key to apply manufacturer security updates, limit exposure to files received from unverified contacts and keep system protection mechanisms active, both on personal devices and in corporate fleets.

NGate: NFC card cloning, from Czech Republic to Brazil


The cybersecurity community has also focused on NGate, Android malware designed for financial fraud that abuses NFC to copy card data and emulate it on another device. Campaigns have been documented in Central Europe (Czech Republic) involving impersonation of local banks, followed by an evolution aimed at users in Brazil.

The deception combines smishing, social engineering and the use of PWA/WebAPK and websites that mimic Google Play to facilitate installation. Once inside, it guides the victim to activate NFC and enter the card PIN, intercepts the exchange and relays it using tools such as NFCGate, allowing cash withdrawals at ATMs and contactless POS payments.


Various vendors detect variants under labels such as Android/Spy.NGate.B and Trojan-Banker heuristics. Although there is no public evidence of active campaigns in Spain, the techniques used are transferable to any region with widely adopted contactless banking.

How to reduce risk: best practices


Before installing, take a few seconds to check the publisher, ratings and date of the app. Be wary of permission requests that don't match the stated function (especially Accessibility and Device Administration).

Keep the system and apps always updated, activate Google Play Protect and perform regular scans. In corporate environments, it's advisable to implement MDM policies, block lists and fleet anomaly monitoring.

Avoid downloading APKs from links in SMS messages, social media or emails, and steer clear of pages that mimic Google Play. If a banking app asks for your card PIN or asks you to hold your card near your phone, be suspicious and check with your bank.

If you notice signs of infection (abnormal data or battery consumption, strange notifications, overlapping screens), disconnect data, uninstall suspicious apps, scan your device and change your credentials. Contact your bank if you detect unauthorized movements.

In professional settings, incorporate the IoCs published by researchers (domains, hashes and observed package names) into your blocklists, and coordinate response with sector CSIRTs to cut possible chains of infection.
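The review of accessibility settings recommended above can be scripted for a fleet. The helper below is an added example, not code from the article or from any of the vendors it cites: it flags enabled accessibility services that belong to user-installed packages and are not on an assumed allowlist. The two inputs mirror the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -3`; the sample values and the `com.example.*` package names are constructed.

```shell
#!/bin/sh
# Added example (not from the article): audit enabled Android accessibility
# services against an allowlist, considering only user-installed packages.
# On a live device the two inputs come from:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell pm list packages -3
# The values below are constructed so the script runs offline.

SAMPLE_A11Y="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.fakebank/com.example.fakebank.A11yService"
SAMPLE_PKGS="package:com.example.fakebank
package:com.example.notes"

# Assumed organisational allowlist of accessibility services (colon-separated).
ALLOWED="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"

# audit_a11y RAW_SERVICES RAW_THIRD_PARTY_PACKAGES
# Prints one "FLAG <package>/<service>" line per enabled service that is
# neither allowlisted nor provided by the system image.
audit_a11y() {
  services="$1"; pkgs="$2"
  [ "$services" = "null" ] && return 0        # nothing enabled on the device
  echo "$services" | tr ':' '\n' | while IFS= read -r svc; do
    [ -z "$svc" ] && continue
    pkg="${svc%%/*}"                          # package part of pkg/Service
    case ":$ALLOWED:" in *":$svc:"*) continue ;; esac   # explicitly allowed
    # Only user-installed packages are flagged; system services are skipped.
    if echo "$pkgs" | grep -qx "package:$pkg"; then
      echo "FLAG $svc"
    fi
  done
}

# Stand-alone run against the constructed sample.
audit_a11y "$SAMPLE_A11Y" "$SAMPLE_PKGS"
```

A flagged entry is a lead for investigation, not proof of infection; compare it with the app's stated purpose and the MDM inventory before acting.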

The Android ecosystem is going through a phase of high pressure from cybercrime: from malicious apps in official stores to banking Trojans with overlays, spyware that exploits DNG images and NFC fraud with card emulation. With up-to-date software, caution during installation and active monitoring of permissions and banking transactions, it's possible to drastically reduce exposure for both individual users and organizations in Spain and the rest of Europe.
