Threat Research

    Security researchers have discovered OverlayPhantom, a new Android banking trojan spreading through malicious URLs. The malware utilizes a two-stage infection process, relying on dropper apps that impersonate trusted platforms like TikTok and the Austrian government’s "ID Austria" app to trick users....
    SURXRAT abuses Android accessibility services to perform malicious actions such as keylogging, screen capture, and OTP interception. By using legitimate cloud services, the malware blends in with normal traffic, making detection more difficult. SURXRAT can remotely execute commands, exfiltrate sensitive data, and maintain persistent access to infected devices....
    Researchers uncovered an Android rootkit campaign called Operation Novoice targeting older vulnerabilities (2016–2021). Devices with security patches from May 2021 onward are protected from known exploits. However, even patched devices may have been exposed to unknown payloads via malicious apps. These apps, disguised as tools or games on Google Play, appeared normal to users....
    Oblivion Android RAT uses social engineering and fake update screens to trick users into installing a malicious app. It heavily abuses Android’s Accessibility Service to gain full control of the device and silently grant permissions. Once active, the malware can intercept SMS messages and OTP/2FA codes, log keystrokes, and monitor notifications....
    In late February 2026, analysts detected malicious activity on Android devices linked to the Keenadu backdoor. Keenadu is a firmware-level infection embedded in libandroid_runtime.so, injecting itself into the Zygote process. Since Zygote spawns all apps, this gives attackers near-total control over infected devices....
    Divide and Conquer: How the New Keenadu Backdoor Exposed Links Between Major Android Botnets outlines the discovery of Keenadu, a firmware-level Android backdoor embedded during the build process via a malicious library linked to libandroid_runtime.so....
    RelayNFC is a newly identified and increasingly sophisticated Android malware targeting users in Brazil through phishing campaigns. Designed specifically for NFC relay attacks, it captures victims’ contactless payment card data and relays it in real time to attacker-controlled servers, enabling fraudulent transactions as if the physical card were present....
    Researchers have discovered a new Android spyware family called LANDFALL. Attackers delivered it through a zero-day flaw (CVE-2025-21042) in Samsung’s image processing library. This issue is part of a broader pattern seen across multiple mobile platforms. The vulnerability was exploited in the wild before Samsung patched it in April 2025....
    A sophisticated Android campaign uses adult-content lures to distribute malicious APKs. It has a multi-stage architecture with obfuscated front-end lure sites and a separate backend; the front pages use commercial JS obfuscation (jsjiami[.]com) and Triple DES to conceal backend URLs and configuration....
    The team has detected a surge in Android malware posing as Indian RTO apps, targeting Indian users to steal sensitive data. The malware spreads via WhatsApp and SMS with shortened links redirecting to malicious APKs hosted on GitHub or compromised sites. Once installed, it uses phishing pages to steal banking credentials and UPI PINs, and intercepts SMS messages containing financial data....