# Android Malware

This section covers the Android malware landscape from its earliest trojans to modern banking malware capable of full device takeover. It documents how Android malware works, how it evolved, and the techniques that define each generation.
## Structure
| Page | Content |
|---|---|
| Timeline | Chronological evolution of Android malware: key families, milestones, how techniques spread |
| Naming Conventions | How different security vendors name the same malware, and how to map between naming schemes |
| Grayware & Data Harvesting | Data broker SDKs, stalkerware, ad fraud, fleeceware, predatory lending apps -- the gray area between aggressive monetization and malware |
| Threat Actors | MaaS operators, state-sponsored groups, regional criminal organizations, and solo developers behind Android malware |
| Families | Individual write-ups on notable malware families: behaviors, permissions, techniques, packers, IOCs |
**Key Insight:** Accessibility Service abuse is nearly universal in modern banking trojans and is the single most critical capability a malicious app can obtain. It enables overlay injection, keylogging, ATS fraud, screen reading, and self-granted permissions -- making it the foundation that most other attack techniques depend on.
## Landscape Overview
### By Category
| Category | Count | Description |
|---|---|---|
| Banking trojans (MaaS) | 25+ | Overlay attacks, ATS, VNC/DTO. Sold as subscriptions ($3k--$10k/month) |
| Regional bankers | 10+ | Single-country targeting with local financial system knowledge |
| SMS/toll fraud | 5+ | Premium SMS, WAP billing, subscription fraud |
| Spyware/surveillance | 15+ | State-sponsored and commercial. Screen capture, keylogging, targeted deployment |
| RATs | 5+ | General-purpose remote access. Builder-based or open-source |
| Supply chain | 3+ | Malicious SDKs, compromised apps. Dynamic code loading via Play Store |
| Crypto stealers | 3+ | OCR seed phrase theft, clipboard hijacking |
### Major Lineages
Android malware families frequently share code through source leaks, MaaS rebranding, and direct evolution:
```mermaid
graph LR
Cerberus["Cerberus (2019)"] -->|leak| Alien["Alien (2020)"]
Alien -->|fork| Ermac["Ermac (2020)"]
Ermac -->|evolve| Hook["Hook (2022)"]
BankBot["BankBot (2016)"] -->|influence| Anubis["Anubis (2018)"]
Anubis -->|leak| GodFather["GodFather (2022)"]
Exobot["Exobot (2016)"] --> ExobotCompact
ExobotCompact --> Coper
Coper --> Octo["Octo (2022)"]
Octo --> Octo2["Octo2 (2024)"]
GMBot["GM Bot (2014)"] -->|leak| Overlay["overlay technique adopted industry-wide"]
BRATA["BRATA (2019)"] -->|evolve| Copybara["Copybara (2021)"]
Copybara --> ToxicPanda["ToxicPanda (2024)"]
CraxRAT --> SpySolr
SpySolr --> BTMOB["BTMOB RAT (2025)"]
```
### 2024-2025 Trends
| Trend | Examples |
|---|---|
| Reduced permission footprints | Medusa v2 dropped from 21 to 5 permissions |
| NFC relay attacks | NGate, RatOn clone contactless payment cards |
| OCR-based crypto theft | SparkCat, SpyAgent scan photos for seed phrases |
| Commercial packer adoption | Klopatra, Gigabud use Virbox for anti-analysis |
| On-device virtualization | GodFather v3 installs real banking apps inside VirtualApp sandbox |
| Fake lockscreen PIN capture | TrickMo, TsarBot steal device PINs via fake lockscreens |
| Human behavior mimicry | Herodotus types with natural delays to evade behavioral biometrics |
| Firebase as C2 | KoSpy, FireScam, DeVixor use Firebase infrastructure |
**Most Impactful Trend:** NFC relay attacks represent a paradigm shift -- malware like NGate and RatOn can clone contactless payment cards remotely, bridging the gap between digital compromise and physical-world fraud at ATMs and POS terminals.
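The Key Insight above (Accessibility Service as the pivotal capability) and the reduced-permission trend in the table (Medusa v2 going from 21 to 5 permissions) point at the same triage lesson: counting permissions is a weak heuristic, and what matters is whether an accessibility service is declared and which capability-granting permissions sit next to it. The following is an added example written for this page, not code from the wiki or any vendor tool. It assumes the manifest is already in decoded text form (as apktool or androguard produce it), not the binary AXML inside the APK; both sample manifests are constructed for illustration and belong to no real app.

```python
"""Capability-based triage of a decoded AndroidManifest.xml.

Added example, not code from this wiki. Assumes the manifest has already
been decoded to text (apktool/androguard output). The two manifests below
are constructed samples, not taken from any real application.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A11Y_ACTION = "android.accessibilityservice.AccessibilityService"
A11Y_BIND_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Permissions that, next to an accessibility service, map onto the techniques
# this page lists (overlay injection, SMS interception, dropping, NFC relay).
HIGH_RISK_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay",
    "android.permission.READ_SMS": "sms-interception",
    "android.permission.RECEIVE_SMS": "sms-interception",
    "android.permission.REQUEST_INSTALL_PACKAGES": "dropper",
    "android.permission.NFC": "nfc",
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": "persistence",
}


def _android_attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def declares_accessibility_service(root):
    """True if any <service> is wired up as an AccessibilityService."""
    for svc in root.iter("service"):
        if _android_attr(svc, "permission") == A11Y_BIND_PERMISSION:
            return True
        for action in svc.iter("action"):
            if _android_attr(action, "name") == A11Y_ACTION:
                return True
    return False


def triage_manifest(xml_text):
    """Score a manifest by capability combination, not by permission count."""
    root = ET.fromstring(xml_text)
    perms = {_android_attr(p, "name") for p in root.iter("uses-permission")}
    perms.discard(None)
    caps = {HIGH_RISK_PERMISSIONS[p] for p in perms if p in HIGH_RISK_PERMISSIONS}
    a11y = declares_accessibility_service(root)
    if a11y:
        caps.add("accessibility")
    # Accessibility is the signal to escalate on: with it, overlays, keylogging
    # and self-granted permissions follow. Legitimate assistive apps declare it
    # too, so this is a triage priority, not a verdict of malice.
    if a11y:
        verdict = "high"
    elif caps:
        verdict = "medium"
    else:
        verdict = "low"
    return {
        "package": root.get("package"),
        "permission_count": len(perms),
        "accessibility_service": a11y,
        "capabilities": sorted(caps),
        "verdict": verdict,
    }


# Constructed sample: a reduced-footprint manifest in the style of the 2024
# trend. Only five permissions, but an accessibility service is declared.
LEAN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.leanbanker">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
    <application android:label="Updater">
        <service android:name=".HelperService"
                 android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

# Constructed sample: a noisy but ordinary manifest, more permissions and no
# accessibility service. A count-based heuristic would rank it above LEAN.
NOISY_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.camera">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.WAKE_LOCK"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
    <application android:label="Camera">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""

if __name__ == "__main__":
    for manifest in (LEAN_MANIFEST, NOISY_MANIFEST):
        print(triage_manifest(manifest))
```

Run against the two constructed samples, the five-permission manifest is ranked `high` and the eight-permission one `low`, which is the point: the capability combination, not the permission count, is what separates a lean banking trojan from a chatty camera app. In a real pipeline the same check would be applied to the decoded manifest of every APK in a dropper's payload, and the `accessibility_service` flag would drive which samples an analyst looks at first.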
### Geographic Hotspots
| Region | Dominant Families | Distribution |
|---|---|---|
| Europe (Western) | Anatsa, Octo, Medusa, Vultur | Play Store droppers |
| Europe (Southern) | Copybara, Sturnus, Herodotus | Vishing (TOAD), smishing |
| Turkey | Frogblight, BlankBot, Klopatra | Smishing, phishing pages |
| Russia/CIS | Mamont, FireScam | Fake parcel tracking, fake RuStore |
| Iran | DeVixor, DCHSpy | Fake VPN apps, automotive phishing |
| South Korea | Fakecalls, SoumniBot, SpyAgent | Smishing, fake banking apps |
| East Asia | MoqHao, FluHorse | Smishing (Roaming Mantis), trojanized apps |
| Southeast Asia | Gigabud, GoldPickaxe | Fake government/banking apps |
| India | SpyLoan, regional banking trojans | Fake loan apps, MaaS phishing platforms, smishing |
| Latin America | PixPirate, ToxicPanda, Zanubis | WhatsApp lures, social engineering |
| Middle East | GuardZoo, AridSpy | Trojanized messaging apps |
## Detailed Lineage Maps
### Banking Trojan Evolution
The banking trojan ecosystem is defined by source code leaks and direct inheritance. The Cerberus leak in September 2020 was the single most impactful event, seeding three successor families.
```mermaid
graph TD
subgraph Cerberus Lineage
Cerberus["Cerberus<br/>(2019)"] -->|"source leak<br/>Sept 2020"| Alien["Alien<br/>(2020)"]
Alien -->|"fork by DukeEugene"| Ermac["ERMAC<br/>(2021)"]
Ermac -->|"evolve + VNC"| Hook["Hook<br/>(2022)"]
Hook -->|"v2 + WebSocket"| HookV2["Hook v2<br/>(2023)"]
end
subgraph Exobot Lineage
Exobot["Exobot<br/>(2016)"] -->|"lite version"| ExobotCompact["ExobotCompact<br/>(2019)"]
ExobotCompact -->|"rebrand"| Coper["Coper<br/>(2021)"]
Coper -->|"rebrand by ThreatFabric"| Octo["Octo<br/>(2022)"]
Octo -->|"DGA + encrypted C2"| Octo2["Octo2<br/>(2024)"]
end
subgraph Anubis Lineage
GMBot["GM Bot<br/>(2014)"] -->|"overlay concept"| BankBot["BankBot<br/>(2016)"]
BankBot -->|"influenced"| Anubis["Anubis<br/>(2018)"]
Anubis -->|"source leak 2019"| GodFather["GodFather<br/>(2022)"]
GodFather -->|"VirtualApp sandbox"| GodFatherV3["GodFather v3<br/>(2024)"]
end
subgraph BRATA Lineage
BRATA["BRATA<br/>(2019)"] -->|"evolved by same actor"| Copybara["Copybara<br/>(2021)"]
Copybara -->|"rebranded for LATAM"| ToxicPanda["ToxicPanda<br/>(2024)"]
end
subgraph Independent Lines
Medusa1["Medusa v1<br/>(2020)"] -->|"reduced permissions"| Medusa2["Medusa v2<br/>(2024)"]
Xeno1["Xenomorph v1<br/>(2022)"] -->|"added ATS"| Xeno2["Xenomorph v2"] -->|"ATS engine"| Xeno3["Xenomorph v3<br/>(2023)"]
Vultur1["Vultur v1<br/>(2021)"] -->|"added screen streaming"| Vultur2["Vultur v2<br/>(2024)"]
CraxRAT --> SpySolr --> BTMOB["BTMOB RAT<br/>(2025)"]
end
```
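Lineage maps like the one above are most useful when they can be queried: which families did the Cerberus leak ultimately seed, or what is upstream of GodFather v3? The following is an added example, not part of this wiki, that parses the subset of mermaid flowchart syntax used on this page (`graph`/`subgraph`/`end` lines, `Id["label"]` nodes, `-->` edges with optional `|"text"|` labels, and chained edges on one line) into an edge list and answers those questions by graph traversal. The embedded graph text is an excerpt of the Banking Trojan Evolution map; the parser handles the full map and the other maps on this page as well.

```python
"""Query the lineage maps on this page as a graph.

Added example, not part of the wiki. Parses the mermaid flowchart subset used
here and answers "what did X seed" / "what is upstream of Y" questions. The
LINEAGE text is excerpted from the page's Banking Trojan Evolution map.
"""
import re
from collections import deque

EDGE_LABEL = re.compile(r'\|[^|]*\|')          # -->|"leak"| or -->|leak|
NODE = re.compile(r'(\w+)(?:\["([^"]*)"\])?')   # Id or Id["label"]

LINEAGE = """
graph TD
subgraph Cerberus Lineage
Cerberus["Cerberus<br/>(2019)"] -->|"source leak<br/>Sept 2020"| Alien["Alien<br/>(2020)"]
Alien -->|"fork by DukeEugene"| Ermac["ERMAC<br/>(2021)"]
Ermac -->|"evolve + VNC"| Hook["Hook<br/>(2022)"]
Hook -->|"v2 + WebSocket"| HookV2["Hook v2<br/>(2023)"]
end
subgraph Anubis Lineage
GMBot["GM Bot<br/>(2014)"] -->|"overlay concept"| BankBot["BankBot<br/>(2016)"]
BankBot -->|"influenced"| Anubis["Anubis<br/>(2018)"]
Anubis -->|"source leak 2019"| GodFather["GodFather<br/>(2022)"]
GodFather -->|"VirtualApp sandbox"| GodFatherV3["GodFather v3<br/>(2024)"]
end
subgraph Independent Lines
Xeno1["Xenomorph v1<br/>(2022)"] -->|"added ATS"| Xeno2["Xenomorph v2"] -->|"ATS engine"| Xeno3["Xenomorph v3<br/>(2023)"]
end
"""


def parse_lineage(text):
    """Return (edges, labels, groups) from mermaid flowchart text."""
    edges, labels, groups = [], {}, {}
    group = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("graph ", "flowchart ", "%%")):
            continue
        if line.startswith("subgraph "):
            group = line[len("subgraph "):].strip()
            continue
        if line == "end":
            group = None
            continue
        nodes = []
        for segment in line.split("-->"):
            # Drop the |"edge label"| before reading the node id and label.
            m = NODE.match(EDGE_LABEL.sub("", segment).strip())
            if not m:
                raise ValueError("unparsed segment: %r" % segment)
            node_id, label = m.group(1), m.group(2)
            nodes.append(node_id)
            if label:
                labels[node_id] = label.replace("<br/>", " ")
            if group:
                groups.setdefault(node_id, group)
        # Chained lines (A --> B --> C) yield one edge per adjacent pair.
        edges.extend(zip(nodes, nodes[1:]))
    return edges, labels, groups


def descendants(edges, start):
    """Every family reachable downstream of `start`, e.g. all a leak seeded."""
    children = {}
    for a, b in edges:
        children.setdefault(a, []).append(b)
    seen, queue = set(), deque([start])
    while queue:
        for nxt in children.get(queue.popleft(), []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def ancestors(edges, target):
    """Every family upstream of `target`, by traversing the reversed graph."""
    return descendants([(b, a) for a, b in edges], target)


if __name__ == "__main__":
    edges, labels, groups = parse_lineage(LINEAGE)
    for fam in sorted(descendants(edges, "Cerberus")):
        print(labels.get(fam, fam), "-", groups.get(fam))
    print("upstream of GodFather v3:", sorted(ancestors(edges, "GodFatherV3")))
```

The same parser accepts the page's other maps, since they use no syntax beyond this subset; feeding it the full Banking Trojan Evolution text adds the Exobot, BRATA and Medusa/Vultur lines to the edge list without changes.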
### Spyware Evolution

Commercial and state-sponsored spyware follows a different lifecycle. Distribution is targeted (not mass), capabilities are deeper (kernel-level), and operators face legal consequences such as bankruptcy and sanctions.
```mermaid
graph TD
subgraph Commercial Spyware
FinSpy["FinSpy<br/>(2012, FinFisher)"] -->|"bankrupt 2022"| FinSpyEnd["Operations ceased"]
Pegasus["Pegasus<br/>(2016, NSO Group)"] -->|"ongoing"| PegasusCurrent["Active<br/>zero-click exploits"]
Predator["Predator<br/>(2019, Cytrox)"] -->|"Intellexa consortium"| PredSanctions["US sanctions<br/>March 2024"]
PredSanctions -->|"fragmented ops"| PredContinue["Infrastructure rotating"]
Hermit["Hermit<br/>(2019, RCS Lab)"] -->|"ISP-level delivery"| HermitActive["Active in Italy, Kazakhstan"]
end
subgraph State-Sponsored
APT41["APT41<br/>(China)"] -->|"cross-platform"| LightSpy["LightSpy<br/>(2020)"]
LightSpy -->|"14+ plugins"| LightSpyV2["LightSpy v2<br/>(2024)"]
ScarCruft["ScarCruft/APT37<br/>(DPRK)"] --> KoSpy["KoSpy<br/>(2024)"]
Gamaredon["Gamaredon/Sandcat<br/>(Russia)"] --> BoneSpy["BoneSpy<br/>(2021)"]
Gamaredon --> PlainGnome["PlainGnome<br/>(2024)"]
end
```
### SMS Worm and Toll Fraud
SMS-based malware peaked around 2020-2022 with FluBot's worm-like spreading mechanism. Law enforcement intervention proved effective in this category.
```mermaid
graph LR
FluBot["FluBot<br/>(2020)"] -->|"SMS worm spread<br/>across Europe"| FluBotPeak["Peak: 2021<br/>11 countries"]
FluBotPeak -->|"Europol takedown<br/>June 2022"| FluBotEnd["Dead"]
Joker["Joker<br/>(2017)"] -->|"continuous<br/>Play Store presence"| JokerOngoing["Active<br/>1,700+ variants"]
MoqHao["MoqHao<br/>(2018, Roaming Mantis)"] -->|"expanded to<br/>27 languages"| MoqHaoV2["Auto-execute<br/>variant (2024)"]
```
## Source Code Leaks
Source code leaks fundamentally reshape the threat landscape. A single leak can spawn multiple successor families and reduce the barrier to entry for new operators.
| Date | Family | What Happened | Impact |
|---|---|---|---|
| 2017 | GM Bot | Source leaked on underground forums | Pioneered overlay technique; code reused across dozens of families |
| 2019 | Anubis | Source code leaked after developer arrest | Enabled GodFather and numerous low-tier forks targeting specific regions |
| Sept 2020 | Cerberus | Developer failed to auction, released source free on forums | Most impactful Android malware leak. Seeded Alien, ERMAC, Hook. ThreatFabric documented the cascade |
| 2021 | SpyNote | Builder leaked publicly | Explosion of SpyNote variants; accessible to low-skill operators. Zimperium tracked post-leak proliferation |
| 2022 | BRATA | Partial source circulated | Influenced Copybara development |
| 2023 | Rafel RAT | Open-source release | Check Point documented 120+ campaigns across 10 threat actors using Rafel RAT |
| 2024 | CraxRAT | Builder sold then leaked | Led to SpySolr fork, then BTMOB RAT |
## Law Enforcement Actions
Law enforcement actions against mobile malware are rare but impactful when they occur. Most "takedowns" are Google removing apps from the Play Store after vendor publications.
| Date | Operation | Target | Outcome | Source |
|---|---|---|---|---|
| June 2022 | Europol/Dutch Police | FluBot infrastructure | Infrastructure seized across 11 countries. FluBot did not resurface. One of the most successful mobile malware takedowns. | Europol |
| 2022 | German authorities | FinFisher GmbH | FinSpy vendor filed bankruptcy after investigation into sales to authoritarian regimes. Operations ceased. | Netzpolitik.org |
| March 2024 | US Treasury OFAC | Intellexa Consortium | Sanctions on entities and individuals behind Predator spyware. First financial sanctions targeting a commercial spyware vendor. | US Treasury |
| March 2024 | Joint (FBI/Europol) | Blackphone encrypted network | Infrastructure used by multiple Android malware operators. Disrupted but not fully dismantled. | Europol |
| 2024 | Google TAG + Mandiant | Predator infrastructure | Technical disruption of Predator delivery infrastructure and exploit chains. Intellexa fragmented to new hosting. | Google TAG |
## By Behavior
Malware families are also cross-referenced from Attack Techniques based on observed behaviors: overlay attacks, accessibility abuse, SMS interception, NFC relay, etc. Permission pages document which families abuse each Android permission.