Threat Intelligence & Malware Research
Companies that discover, analyze, and name mobile malware families. Their reports are primary sources for the Android threat landscape.
Research Labs
| Company | Focus | Notable For |
|---|---|---|
| Avast Threat Labs | Consumer + research | Avast Decoded blog. Android adware, Play Store threats, Cerberus analysis. |
| Check Point Research | Broad security research | CPR publishes Android malware campaigns and Play Store threat analysis. Rafel RAT discovery (120+ campaigns). FluHorse (Flutter-based stealer). |
| Cisco Talos | Broad threat intelligence | Gustuff analysis. Predator deep-dive (Python implant architecture). |
| Citizen Lab | Digital surveillance research | University of Toronto. Pegasus, Predator, FinSpy tracking. |
| Cleafy | Financial fraud, mobile banking | Detailed banking trojan reports. Copybara, Anatsa, BRATA, ToxicPanda, SharkBot, PixPirate, BingoMod, Klopatra, Albiriox. |
| CYFIRMA | External threat landscape management | FireScam discovery (fake RuStore/Telegram Premium info-stealer). |
| Cyble | Dark web intelligence + mobile | CRIL (Cyble Research and Intelligence Labs). Chameleon, GodFather v2, TsarBot, Antidot, TrickMo, Gigabud, BTMOB RAT, DeVixor. |
| ESET | Broad antivirus + research | Regular Android publications. FinSpy devirtualization. NGate NFC relay discovery. FurBall, SpyAgent. |
| Fortinet FortiGuard Labs | Broad threat intelligence | Android malware write-ups, BankBot analysis. |
| Google TAG | State-sponsored threat tracking | Tracks commercial spyware. Predator exploit chains, Hermit analysis. |
| Group-IB | Threat intelligence, fraud prevention | GodFather, Gustuff discovery. APT-level mobile tracking. |
| HUMAN Security (Satori) | Bot/fraud intelligence | Harly analysis. Mobile fraud research. |
| IBM Security Trusteer | Financial fraud | PixPirate analysis. Banking fraud intelligence. |
| Kaspersky | Broad threat intelligence | Long Android malware history. Triada, Harly, BRATA, Roaming Mantis, LightSpy (initial iOS disclosure). |
| Lookout | Mobile-focused threat intel | Pegasus (Chrysaor), Hermit discovery. KoSpy DPRK spyware, GuardZoo Houthi surveillance. BoneSpy/PlainGnome Sandcat spyware. EagleMsgSpy Chinese lawful intercept. LightSpy (DragonEgg attribution). DCHSpy MuddyWater Iranian surveillanceware. |
| McAfee Mobile Research | Mobile malware, adware, PUPs | Part of McAfee Labs. Primary tracker of MoqHao/Roaming Mantis. Original discovery of SpyAgent OCR crypto theft, Goldoson SDK supply chain, Xamalicious Xamarin backdoor, .NET MAUI evasion. Deep Korean and Indian market coverage. HiddenAds, Clicker, and Invisible Adware at-scale ad fraud discovery. SpyLoan global tracking. Sun Team DPRK attribution. |
| NCC Group / Fox-IT | Offensive security + research | SharkBot, Ermac/Hook lineage analysis. FluBot DGA research. |
| PRODAFT | Threat intelligence | FluBot infrastructure analysis. Underground forum monitoring. |
| Proofpoint | Email/messaging threats | TangleBot (Medusa) naming. Mobile phishing campaigns. |
| Sophos | Cross-platform threats | X-Ops team publishes Android malware analysis. FluBot, PJobRAT Taiwan campaign. |
| ThreatFabric | Android banking trojans | Most prolific Android malware research. Named Cerberus, Anatsa, Hook, Ermac, Xenomorph, Medusa, Vultur, Octo, Alien, Brokewell, Crocodilus, Herodotus, Sturnus, RatOn. LightSpy DragonEgg-to-LightSpy link. |
| Trend Micro | Enterprise threats | TgToxic discovery. Mobile ransomware, spyware. |
| Zimperium | Mobile threat defense | GriftHorse discovery. Hook v3, GodFather v3 analysis. Gigabud+SpyNote infrastructure mapping. zLabs research. |
| Zscaler ThreatLabz | Cloud security + research | Copybara MQTT analysis, Anatsa Play Store campaigns. |
Vendor Comparison
Which vendor to reference depends on what you need. This matrix ranks the major Android malware research publishers.
| Vendor | Named Families | Blog Frequency | Primary Focus | Free Intel |
|---|---|---|---|---|
| ThreatFabric | 30+ | Weekly | Banking trojans, MaaS | Blog posts, IOCs |
| Cleafy | 15+ | Bi-weekly | Banking fraud, ATS | Blog posts |
| Kaspersky | 20+ | Weekly | Broad (banking, spyware, adware) | Securelist blog, quarterly stats |
| ESET | 15+ | Bi-weekly | Broad (regional focus) | WeLiveSecurity blog |
| Cyble | 15+ | Weekly | Dark web + mobile | CRIL blog |
| Lookout | 10+ | Monthly | Spyware, state-sponsored | Blog posts |
| Zimperium | 10+ | Monthly | Banking trojans, enterprise | zLabs blog, annual report |
| Check Point | 10+ | Bi-weekly | Broad campaigns | CPR blog |
| Google TAG | 5+ | Quarterly | State-sponsored, 0-days | Blog posts |
ThreatFabric is the most prolific for Android banking trojans specifically. Cleafy provides the deepest technical analysis of ATS/on-device fraud. Kaspersky has the broadest coverage. Lookout leads in commercial spyware tracking.