# Android Malware Timeline
A chronological overview of Android malware evolution, from proof-of-concept trojans to sophisticated banking malware with automated fraud capabilities. Each era introduced techniques that became standard in later families.
## 2010-2012: Early Stage
The Android malware landscape begins. Threats are simple, mostly SMS fraud and basic trojans.
| Year | Family | Significance |
|---|---|---|
| 2010 | FakePlayer | First known Android malware. Sent premium SMS messages. |
| 2010 | Geinimi | First Android botnet. C2 communication, app repackaging for distribution. |
| 2011 | DroidDream | First large-scale Play Store infection. Exploited root vulnerabilities (exploid, rageagainstthecage). ~250k downloads before removal. |
| 2011 | DroidKungFu | Root exploit + payload download. Embedded encrypted payload decrypted at runtime. |
| 2011 | Plankton | Aggressive adware framework. Demonstrated large-scale data harvesting without root. |
| 2012 | NotCompatible | TCP proxy on infected devices. Used for click fraud and ticket scalping. |
Era Summary
Premium SMS fraud, root exploits, app repackaging, basic C2.
## 2013-2015: Ransomware and Banking
Banking trojans emerge. Ransomware arrives on mobile. Distribution through social engineering improves.
| Year | Family | Significance |
|---|---|---|
| 2013 | Obad | Most sophisticated to date: exploited device admin, SMS distribution, proxy chaining. |
| 2013 | Svpeng | First mobile banking trojan to combine phishing overlays with SMS interception. |
| 2014 | Simplocker | First Android ransomware with actual file encryption (AES). |
| 2014 | GM Bot | Pioneered overlay attacks for credential theft. Source code leaked in 2016, spawning many variants. |
| 2014 | Koler | Police-themed lockscreen ransomware. Used WebView for ransom display. |
| 2015 | SlemBunk | Targeted 33 banking apps across multiple countries using overlays. |
Era Summary
Overlay attacks invented, device admin abuse, file encryption, SMS-based spreading.
## 2016-2018: Overlay Era
Overlay-based banking trojans become the dominant threat. Malware-as-a-service appears.
| Year | Family | Significance |
|---|---|---|
| 2016 | BankBot | Open-source banking trojan. Lowered the entry barrier for banking malware. Multiple Play Store appearances. |
| 2016 | Exobot | Major MaaS banking trojan. Evolved into ExobotCompact/Octo. |
| 2016 | Marcher | Major banking trojan targeting European banks. WebView-based overlays, credit card phishing. |
| 2016 | HummingBad | 10M+ infections. Root exploits, ad fraud, app installation. Generated $300k/month in ad revenue. |
| 2016 | Triada | Zygote-injecting trojan, later found pre-installed in firmware. System-level compromise. |
| 2016 | SpyNote | Free RAT builder. Lowered barrier to entry for mobile surveillance. |
| 2017 | Red Alert 2.0 | MaaS banking trojan. Telegram-based C2, blocklisted legitimate banking app notifications. |
| 2017 | LokiBot | Banking trojan that transforms into ransomware if user tries to remove admin rights. |
| 2017 | Joker | Premium subscription fraud via accessibility. Repeatedly bypassed Play Protect, thousands of Play Store variants over its lifetime. |
| 2018 | Anubis | Full-featured banking trojan: overlays, keylogging, screen recording, file encryption. Repeatedly found on Play Store. |
| 2018 | MoqHao | Roaming Mantis smishing operation. DNS hijacking, SMS propagation, targeting East Asia. |
Era Summary
WebView inject kits, MaaS model, Play Store infiltration via droppers, Telegram C2, supply chain compromise.
## 2018-2020: Accessibility Takeover
Accessibility service becomes the primary weapon. Malware shifts from stealing credentials to controlling devices.
| Year | Family | Significance |
|---|---|---|
| 2018 | Gustuff | First "automatic transfer system" (ATS): used accessibility to fill banking app forms and initiate transfers without user interaction. |
| 2019 | Cerberus | Major MaaS operation. Overlays, keylogging, 2FA theft, accessibility-based permission escalation. Source leaked in September 2020. |
| 2019 | Hydra | Persistent MaaS banking trojan with broad affiliate network. TOR-based C2. |
| 2019 | BRATA | Brazilian RAT with banking fraud and factory reset for evidence destruction. |
| 2020 | Alien | Built on leaked Cerberus code. Added notification sniffer for 2FA codes, targeting expanded to 226 apps. |
| 2020 | FluBot | SMS worm: spread by sending phishing SMS to victim's contacts. Rapid pan-European spread. Dismantled by Europol in 2022. |
| 2020 | Ermac | Forked from Cerberus. Targeted 467 banking and crypto apps. Rented at $3k/month. |
| 2020 | GriftHorse | Premium SMS fraud at scale. 10M+ victims, 200+ trojanized Play Store apps. |
| 2020 | Medusa | Screen streaming + keylogging MaaS. Shared infrastructure with FluBot. |
Era Summary
ATS fraud, accessibility-based device control, Cerberus source leak spawning new families, SMS worm distribution.
## 2021-2023: On-Device Fraud
Full device control becomes standard. VNC-like capabilities. Malware operates banking apps directly.
| Year | Family | Significance |
|---|---|---|
| 2021 | Anatsa | ATS-focused banker. Play Store droppers with delayed payload delivery. Targeted European banks. |
| 2021 | SharkBot | ATS without overlay: directly manipulates banking app UI via accessibility. DGA for C2 resilience. |
| 2021 | Vultur | First banker to use VNC screen streaming (AlphaVNC) instead of overlays. |
| 2021 | Copybara | Italian-focused banker distributed via vishing (TOAD). Evolved from BRATA. |
| 2022 | Xenomorph | Three generations. v3 added full ATS framework with scripting engine for automating fraud across different banking apps. |
| 2022 | Hook | Evolved from Ermac. Added VNC-like remote access, file manager, WhatsApp message exfiltration. MaaS at $7k/month. |
| 2022 | Octo | Remote access via screen streaming + accessibility control. Lineage traces back to Exobot (2016). |
| 2022 | GodFather | Anubis successor with dynamic overlays, 400+ targets, post-Soviet language kill switch. |
| 2022 | Fakecalls | Korean banker intercepting outgoing calls to real bank numbers, replacing with recorded IVR audio. |
| 2022 | PixPirate | Targets Brazil's Pix instant payment system. Invisible in app drawer. |
| 2022 | Zanubis | Peruvian banking trojan targeting 40+ local financial apps with overlay attacks. |
| 2023 | Chameleon | Banking trojan with biometric prompt bypass to force PIN entry for capture. |
| 2023 | Goldoson | Malicious SDK in 60+ Play Store apps, 100M+ installs. Data harvesting + click fraud. |
| 2023 | FluHorse | Flutter-based credential stealer targeting East Asia. Dart AOT compilation in libapp.so defeats standard Android decompilers. |
| 2023 | GoldDigger/GoldFactory | Targeted Vietnamese and Thai banks. Variants include GoldPickaxe, which collects facial biometric data to bypass bank face-verification. |
| 2023 | SpyNote/CypherRat | Source code leak caused surge in global deployments. Evolved from RAT to banking trojan with overlays. |
Era Summary
VNC-like control, ATS scripting engines, anti-forensic device wipes, biometric data theft, biometric bypass, MaaS pricing escalation.
## 2024-Present: Evolved Threats
Continued sophistication. Multi-stage dropper chains. Geographic expansion. Reduced permission footprints to evade detection.
| Year | Family | Significance |
|---|---|---|
| 2024 | Gigabud | GoldFactory group. Screen recording instead of overlay attacks. Shared infrastructure with SpyNote, both Virbox-packed. |
| 2024 | Anatsa v2 | Expanded to US banks. Multi-stage dropper chains using accessibility to bypass Android 13 restricted settings. |
| 2024 | Vultur v2 | Added screen recording, remote access, file download/upload, app blocking. Uses encrypted C2 via Firebase Cloud Messaging. |
| 2024 | Octo 2 | Major update: improved remote control stability, anti-analysis techniques, domain generation algorithm (DGA) for C2. |
| 2024 | Medusa v2 | Reduced permission footprint from 21 to 5 permissions. Added dead drop resolvers on Telegram and X. |
| 2024 | ToxicPanda | Evolved from TgToxic (Southeast Asia). Expanded to EU and Latin America. Chinese-speaking threat actor. |
| 2024 | Mamont | Most active banking trojan of 2024 (36.70% of detections). Russia-exclusive, fake parcel-tracking distribution. |
| 2024 | Necro | Supply chain trojan via compromised Coral SDK. 11M+ installs on Google Play. Steganographic payload delivery. |
| 2024 | MoqHao v2024 | Auto-execution without user interaction. Runs immediately after installation. |
| 2024 | SparkCat | First OCR-based stealer on both Play Store and App Store. Scans photos for crypto seed phrases. |
| 2024 | SpyAgent | 280+ fake apps using OCR to steal crypto seed phrases from Korean users' photos. |
| 2024 | SoumniBot | Korean banker exploiting manifest parsing differences to evade static analysis tools. |
| 2024 | SpyLoan | Predatory loan apps, 8M+ installs, 75% infection increase Q2-Q3 2024. Data weaponized for extortion. |
| 2024 | Mandrake v2 | Returned to Play Store undetected for 2 years with OLLVM-obfuscated native libraries. |
| 2024 | NGate | First Android NFC relay malware. Clones payment cards via NFCGate for ATM cash withdrawal. Czech Republic campaign. |
| 2024 | BingoMod | Banking trojan with VNC-based DTO and BRATA-like post-fraud device wipe. Romanian-speaking attribution. |
| 2024 | Brokewell | Full device takeover banker by "Baron Samedit Marais." Rapid development cycle. |
| 2024 | GoldPickaxe | GoldFactory group. Captures facial biometric data to create deepfakes for bypassing bank face-verification. |
| 2024 | Antidot | Multi-language banking trojan with 35 commands. AppLite variant targets corporate employees. |
| 2024 | BlankBot | Turkish-focused banker with custom keyboard keylogging. Under active development when discovered. |
| 2024 | TrickMo | TrickBot companion resurfaces independently. Fake lockscreen captures device PINs. 40+ C2 variants. |
| 2024 | Rafel RAT | Open-source Android RAT used in 120+ campaigns. Includes ransomware capability. APT-C-35 usage. |
| 2025 | Frogblight | Turkish banker with custom keyboard keylogging. Geofencing avoids US detection. |
| 2025 | Crocodilus | Full DTO with contact list injection. Adds fake "Bank Support" contacts for vishing. 8-country targeting. |
| 2025 | Herodotus | MaaS banker by "K1R0." Types with natural delays to evade behavioral biometrics during DTO. |
| 2025 | Sturnus | Reads decrypted WhatsApp/Telegram/Signal messages via accessibility. Southern/Central European banks. |
| 2025 | RatOn | First family combining NFC relay with ATS. Automates full card cloning and transfer fraud. |
| 2025 | Klopatra | Virbox-packed Turkish banker. Operators execute ODF attacks while victims sleep. |
| 2025 | Albiriox | Budget MaaS ($650-720/month) by "MECipher." 400+ targets, unencrypted TCP C2. |
| 2025 | GodFather v3 | On-device virtualization: installs real banking apps inside sandbox, intercepts all interactions. |
| 2025 | BTMOB RAT | MaaS RAT evolved from CraxRAT/SpySolr. WebView injection, Media Projection streaming. $5k-$10k pricing. |
| 2025 | FireScam | Info-stealer via fake RuStore/Telegram Premium. Firebase for both C2 and data exfiltration. Russian-targeting. |
| 2025 | DeVixor | Iranian banking RAT with ransomware. 700+ samples. TRON crypto ransom payments. |
| 2025 | Hook v3 | 107 commands. Ransomware overlays, NFC payment card overlays, transparent gesture capture. |
| 2025 | TsarBot | 750+ app targets across banking, crypto, social media. WebSocket C2, fake lockscreen PIN capture. |
| 2025 | Zanubis | Peruvian banker evolved to impersonate SUNAT tax authority. 40+ banking app targets. |
Era Summary
Reduced permission footprints, steganographic payloads, OCR-based theft, NFC relay attacks, on-device virtualization, commercial packer abuse.
## Spyware Timeline
Separate Track
Commercial spyware operates on a separate track from financially motivated malware, with different distribution, capabilities, and targets.
| Year | Family | Significance |
|---|---|---|
| 2012 | FinSpy | FinFisher GmbH's commercial lawful intercept. Sold to governments globally. Heavily obfuscated. |
| 2014 | FinSpy leaked | Phineas Fisher hack exposed 40GB of FinFisher data including source code. |
| 2016 | Pegasus | NSO Group. Trident exploit chain discovered via Ahmed Mansoor. Zero-click capability. |
| 2017 | EagleMsgSpy | Chinese law enforcement surveillance tool by Wuhan Chinasoft Token. Physical access install, chat app interception. |
| 2019 | Hermit | RCS Lab. Distributed via ISP-level network injection. Modular architecture. |
| 2019 | Predator | Cytrox/Intellexa. Exploit chain delivery. Alien loader + Predator implant architecture. |
| 2020 | LightSpy | APT41 (Chinese state). Modular surveillance with 14+ plugins. Cross-platform (Android/iOS/macOS/Windows). Watering hole delivery. |
| 2021 | Pegasus Project | Forbidden Stories investigation revealed 50,000+ potential surveillance targets across governments. |
| 2021 | BoneSpy | Sandcat (Uzbekistan SSS). DroidWatcher-based surveillanceware targeting Central Asian former Soviet states. |
| 2021 | DCHSpy | MuddyWater/MOIS Android surveillanceware. Fake VPN/StarLink lures targeting Iranian dissidents. SFTP exfiltration. |
| 2022 | Predator exploits | Google TAG documented five zero-day exploits (four Chrome, one Android kernel) used by Predator. |
| 2022 | FinFisher bankrupt | German investigation into unauthorized exports led to company insolvency. |
| 2023 | Predator Files | Amnesty/EIC investigation: Predator sold to 25+ countries. |
| 2024 | Intellexa sanctioned | U.S. Treasury sanctions against Intellexa consortium. |
| 2024 | AridSpy | Arid Viper (APT-C-23). Multi-stage trojanized messaging apps targeting Palestine and Egypt. |
| 2024 | PlainGnome | Sandcat. Custom-built two-stage dropper. Screen-off audio recording bypasses Android microphone indicator. |
| 2024 | GuardZoo | Houthi-aligned. Modified Dendroid RAT targeting Middle Eastern military. 450+ victims since 2019. |
| 2024 | PJobRAT | Resurfaces targeting Taiwan military via fake messaging apps. Dual HTTP/WebSocket C2. |
| 2025 | KoSpy | DPRK (ScarCruft/APT37). Firebase Firestore C2. Plugin-based surveillance on Google Play. |
## Full Technique Adoption Timeline
Shows when key techniques first appeared and when they became standard:
| Technique | Introduced | Became Standard | First Used By |
|---|---|---|---|
| Premium SMS fraud | 2010 | 2010-2012 | FakePlayer |
| Root exploits | 2011 | 2011-2013 | DroidDream |
| Overlay attacks | 2014 | 2016-2018 | GM Bot |
| Device admin abuse | 2013 | 2014-2016 | Obad |
| Accessibility abuse | 2018 | 2019-2020 | Gustuff |
| ATS (auto-transfers) | 2018 | 2021-2022 | Gustuff |
| SMS worm distribution | 2020 | 2020-2021 | FluBot |
| Play Store droppers | 2016 | 2020+ | BankBot |
| VNC-like control | 2021 | 2022-2023 | Vultur, Octo |
| Anti-forensic wipe | 2021 | Uncommon | BRATA |
| Biometric bypass | 2023 | Rare | Chameleon |
| Biometric theft | 2023 | Rare | GoldPickaxe |
| Reduced permissions | 2024 | Emerging | Medusa v2 |
| OCR-based theft | 2024 | Emerging | SparkCat, SpyAgent |
| Manifest obfuscation | 2024 | Rare | SoumniBot |
| Auto-execution on install | 2024 | Rare | MoqHao |
| Custom keyboard keylogging | 2025 | Rare | Frogblight |
| Steganographic payloads | 2024 | Rare | Necro |
| SDK supply chain | 2023 | Growing | Goldoson, Necro |
| NFC relay | 2024 | Emerging | NGate |
| On-device virtualization | 2025 | Rare | GodFather v3 |
| Human behavior mimicry | 2025 | Rare | Herodotus |
| Encrypted messaging interception | 2025 | Rare | Sturnus |
| Contact list injection | 2025 | Rare | Crocodilus |
| NFC relay + ATS combo | 2025 | Rare | RatOn |
| Commercial packer abuse | 2025 | Emerging | Klopatra, Gigabud |
| Fake lockscreen PIN capture | 2024 | Emerging | TrickMo, TsarBot |
| Firebase C2 config delivery | 2022 | Emerging | KoSpy, PJobRAT |
| Corporate employee targeting | 2024 | Rare | Antidot/AppLite |
| Clipboard hijacking | 2019 | Standard | Cerberus |
| Firebase C2/exfiltration | 2022 | Emerging | KoSpy, FireScam |
| Voice call interception | 2022 | Rare | Fakecalls |
| SFTP exfiltration | 2021 | Rare | DCHSpy |
| Predatory lending extortion | 2020 | Growing | SpyLoan |
| Flutter/Dart framework abuse | 2023 | Rare | FluHorse |
| Screen-off audio recording | 2024 | Rare | PlainGnome |
## Law Enforcement Actions
| Year | Event | Impact |
|---|---|---|
| 2020 | Cerberus source code leaked | Spawned Alien, Ermac, Hook lineage. Single most impactful code leak in Android malware history. |
| 2021 | Europol takes down FluBot | Operation coordinated across 11 countries. Infrastructure seized, suspects arrested. |
| 2022 | FinFisher declares bankruptcy | German investigation into unauthorized exports of surveillance tools. |
| 2024 | Intellexa/Cytrox sanctioned | U.S. Treasury sanctions against Predator spyware consortium. |
| 2024 | Anubis/Medusa infrastructure disruption | Multiple C2 domains seized through coordinated takedowns. |
| 2025 | Hook operators arrested | Several affiliates arrested in Europe through ThreatFabric intelligence sharing with law enforcement. |