{"id":55191,"date":"2026-01-27T11:36:28","date_gmt":"2026-01-27T16:36:28","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=55191"},"modified":"2026-01-27T11:36:28","modified_gmt":"2026-01-27T16:36:28","slug":"growing-2026-android-threats-and-protection","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/growing-2026-android-threats-and-protection\/55191\/","title":{"rendered":"The perfect storm of Android threats"},"content":{"rendered":"

The year 2025 saw a record-breaking number of attacks on Android devices. Scammers are currently riding a few major waves: the hype surrounding AI apps, the urge to bypass site blocks or age checks, the hunt for a bargain on a new smartphone, the ubiquity of mobile banking, and, of course, the popularity of NFC. Let\u2019s break down the primary threats of 2025\u20132026, and figure out how to keep your Android device safe in this new landscape.<\/p>\n

Sideloading<\/h2>\n

Malicious installation packages (APK files) have always been the Final Boss among Android threats, despite Google\u2019s multi-year efforts to fortify the OS. By using sideloading \u2014 installing an app via an APK file instead of grabbing it from the official store \u2014 users can install pretty much anything, including straight-up malware. And neither the rollout of Google Play Protect, nor the various permission restrictions for shady apps have managed to put a dent in the scale of the problem.<\/p>\n

According to preliminary data from Kaspersky for 2025, the number of detected Android threats grew almost by half<\/a>. In the third quarter alone, detections jumped by 38%<\/a> compared to the second. In certain niches, like Trojan bankers, the growth was even more aggressive. In Russia alone, the notorious Mamont banker<\/a> attacked 36 times more users than it did the previous year, while globally this entire category saw a nearly fourfold increase.<\/p>\n

Today, bad actors primarily distribute malware via messaging apps by sliding malicious files into DMs and group chats. The installation file usually sports an enticing name (think \u201cparty_pics.jpg.apk\u201d or \u201cclearance_sale_catalog.apk\u201d), accompanied by a message \u201chelpfully\u201d explaining how to install the package while bypassing the OS restrictions and security warnings.<\/p>\n

Once a new device is infected, the malware often spams itself to everyone in the victim\u2019s contact list.<\/p>\n

Search engine spam and email campaigns are also trending, luring users to sites that look exactly like an official app store. There, they\u2019re prompted to download the \u201clatest helpful app\u201d, such as an AI assistant. In reality, instead of an installation from an official app store, the user ends up downloading an APK package. A prime example of these tactics is the ClayRat Android Trojan<\/a>, which uses a mix of all these techniques to target Russian users. It spreads through groups and fake websites, blasts itself to the victim\u2019s contacts via SMS, and then proceeds to steal the victim\u2019s chat logs and call history; it even goes as far as snapping photos of the owner using the front-facing camera. In just three months, over 600 distinct ClayRat builds have surfaced.<\/p>\n

The scale of the disaster is so massive that Google even announced an upcoming ban<\/a> on distributing apps from unknown developers starting in 2026. However, after a couple of months of pushback from the dev community, the company pivoted<\/a> to a softer approach: unsigned apps will likely only be installable via some kind of superuser mode. As a result, we can expect scammers to simply update their how-to guides with instructions on how to toggle that mode on.<\/p>\n

Kaspersky for Android<\/a> will help you protect yourself from counterfeit and trojanized APK files. Unfortunately, due to Google\u2019s decision, our Android security apps are currently unavailable on Google Play. We\u2019ve previously provided detailed information on how to install our Android apps with a 100% guarantee of authenticity<\/a>.<\/p>\n

NFC relay attacks<\/h2>\n

Once an Android device is compromised, hackers can skip the middleman to steal the victim\u2019s money directly thanks to the massive popularity of mobile payments. In the third quarter of 2025 alone, over 44\u00a0000 of these attacks were detected in Russia alone \u2014 a 50% jump from the previous quarter.<\/p>\n

There are two main scams currently in play: direct and reverse NFC exploits.<\/p>\n

Direct NFC relay is when a scammer contacts the victim via a messaging app and convinces them to download an app \u2014 supposedly to \u201cverify their identity\u201d with their bank. If the victim bites and installs it, they\u2019re asked to tap their physical bank card against the back of their phone and enter their PIN. And just like that the card data is handed over to the criminals, who can then drain the account or go on a shopping spree.<\/p>\n

Reverse NFC relay is a more elaborate scheme. The scammer sends a malicious APK and convinces the victim to set this new app as their primary contactless payment method. The app generates an NFC signal that ATMs recognize as the scammer\u2019s card. The victim is then talked into going to an ATM with their infected phone to deposit cash into a \u201csecure account\u201d. In reality, those funds go straight into the scammer\u2019s pocket.<\/p>\n

We break both of these methods down in detail in our post, NFC skimming attacks<\/strong><\/a>.<\/p>\n

NFC is also being leveraged to cash out cards after their details have been siphoned off through phishing websites. In this scenario, attackers attempt to link the stolen card to a mobile wallet on their own smartphone \u2014 a scheme we covered extensively in NFC carders hide behind Apple Pay and Google Wallet<\/strong><\/a>.<\/p>\n

The stir over VPNs<\/h2>\n

In many parts of the world, getting onto certain websites isn\u2019t as simple as it used to be. Some sites are blocked by local internet regulators or ISPs via court orders; others require users to pass an age verification check by showing ID and personal info. In some cases, sites block users from specific countries entirely just to avoid the headache of complying with local laws. Users are constantly trying to bypass these restrictions \u2014and they often end up paying for it with their data or cash.<\/p>\n

Many popular tools for bypassing blocks \u2014 especially free ones \u2014 effectively spy on their users. A recent audit revealed that over 20 popular services with a combined total of more than 700 million downloads actively track user location<\/a>. They also tend to use sketchy encryption at best, which essentially leaves all user data out in the open for third parties to intercept.<\/p>\n

Moreover, according to Google data from November 2025<\/a>, there was a sharp spike in cases where malicious apps are being disguised as legitimate VPN<\/a> services to trick unsuspecting users.<\/p>\n

The permissions that this category of apps actually requires are a perfect match for intercepting data and manipulating website traffic. It\u2019s also much easier for scammers to convince a victim to grant administrative privileges to an app responsible for internet access than it is for, say, a game or a music player. We should expect this scheme to only grow in popularity.<\/p>\n

Trojan in a box<\/h2>\n

Even cautious users can fall victim to an infection if they succumb to the urge to save some cash. Throughout 2025, cases were reported worldwide where devices were already carrying a Trojan the moment they were unboxed<\/a>. Typically, these were either smartphones from obscure manufacturers or knock-offs of famous brands purchased on online marketplaces. But the threat wasn\u2019t limited to just phones; TV boxes, tablets, smart TVs<\/a>, and even digital photo frames<\/a> were all found to be at risk.<\/p>\n

It\u2019s still not entirely clear whether the infection happens right on the factory floor or somewhere along the supply chain between the factory and the buyer\u2019s doorstep, but the device is already infected before the first time it\u2019s turned on. Usually, it\u2019s a sophisticated piece of malware called Triada, first identified by Kaspersky analysts back in 2016<\/a>. It\u2019s capable of injecting itself into every running app to intercept information: stealing access tokens and passwords for popular messaging apps and social media, hijacking SMS messages (confirmation codes: ouch!), redirecting users to ad-heavy sites, and even running a proxy directly on the phone so attackers can browse the web using the victim\u2019s identity.<\/p>\n

Technically, the Trojan is embedded right into the smartphone\u2019s firmware, and the only way to kill it is to reflash the device with a clean OS. Usually, once you dig into the system, you\u2019ll find that the device has far less RAM or storage than advertised \u2014 meaning the firmware is literally lying to the owner to sell a cheap hardware config as something more premium.<\/p>\n

Another common pre-installed menace is the BADBOX 2.0<\/a> botnet, which also pulls double duty as a proxy and an ad-fraud engine. This one specializes in TV boxes and similar hardware.<\/p>\n

How to go on using Android without losing your mind<\/h2>\n

Despite the growing list of threats, you can still use your Android smartphone safely! You just have to stick to some strict mobile hygiene rules.<\/p>\n