Threat Research

    In late February 2026, analysts detected malicious activity on Android devices linked to the Keenadu backdoor. Keenadu is a firmware-level infection embedded in libandroid_runtime.so, injecting itself into the Zygote process. Since Zygote spawns all apps, this gives attackers near-total control over infected devices....
    Divide and Conquer: How the New Keenadu Backdoor Exposed Links Between Major Android Botnets outlines the discovery of Keenadu, a firmware-level Android backdoor embedded during the build process via a malicious library linked to libandroid_runtime.so....
    RelayNFC is a newly identified and increasingly sophisticated Android malware targeting users in Brazil through phishing campaigns. Designed specifically for NFC relay attacks, it captures victims’ contactless payment card data and relays it in real time to attacker-controlled servers, enabling fraudulent transactions as if the physical card were present....
    Researchers have discovered a new Android spyware family called LANDFALL. Attackers delivered it through a zero-day flaw (CVE-2025-21042) in Samsung’s image processing library. This issue is part of a broader pattern seen across multiple mobile platforms. The vulnerability was exploited in the wild before Samsung patched it in April 2025....
    A sophisticated Android campaign uses adult-content lures to distribute malicious APKs. It has a multi-stage architecture with obfuscated front-end lure sites and a separate backend; the front pages use commercial JS obfuscation (jsjiami[.]com) and Triple DES to conceal backend URLs and configuration....
    The team has detected a surge in Android malware posing as Indian RTO apps, targeting Indian users to steal sensitive data. The malware spreads via WhatsApp and SMS with shortened links redirecting to malicious APKs hosted on GitHub or compromised sites. Once installed, it uses phishing pages to steal banking credentials and UPI PINs, and intercepts SMS messages containing financial data....
    Two new Android spyware campaigns, ProSpy and ToSpy, are targeting privacy-conscious users in the UAE by impersonating secure messaging apps like Signal and ToTok....
    PhantomCard is an Android malware used in NFC relay attacks (ghost tapping) to steal payment card data and commit fraud at ATMs and POS terminals. It's spread via Telegram and possibly the Google Play Store, and is linked to Chinese-speaking cybercriminals targeting financial and retail sectors....
    A recent Android phishing campaign targeting Indian users disguises itself as a government electricity subsidy service. The attackers use social engineering tactics, including YouTube videos, fake government-like websites, and a GitHub-hosted malicious APK, to trick users into installing malware....
    A new Android malware campaign targets Hindi-speaking users in India by impersonating popular banking apps. Spread via phishing websites, it steals personal and financial data and secretly mines Monero cryptocurrency using XMRig, triggered by Firebase Cloud Messaging....