Beware Android Malware: Spoofed Apps and Dangerous Trojans

Edward Zhou
Edward Zhou

CEO & Founder

 
July 16, 2025 2 min read

Android Malware Threats

Konfety Malware

A new variant of the Konfety malware targets Android devices using distorted APK files and other methods to avoid detection. This malware can masquerade as legitimate apps by mimicking their branding and names found on the Google Play Store.

A picture of a skull and bones on a smartphone depicting malware

Image courtesy of Tom's Guide

Once installed, Konfety utilizes a malformed ZIP structure to evade analysis and redirects users to dangerous websites. It can install unwanted apps, generate fake browser notifications, and exfiltrate sensitive device data such as installed applications and network settings. To enhance its stealth, Konfety can hide its app icon and name, using geofencing to adjust its behavior based on the user's location.

To protect against Konfety, avoid sideloading apps from untrusted sources and ensure that Google Play Protect is enabled. Additionally, consider using one of the best Android antivirus apps for added security.

Impersonation of Popular Apps

Malware has been observed posing as widely used applications like Google, Instagram, and WhatsApp to steal sensitive user information. Researchers from SonicWall Capture Labs report that these malicious apps use nearly identical icons to legitimize themselves, tricking users into installing them.

Android Logo

Image courtesy of TechRadar

Once installed, these apps request excessive permissions, such as Accessibility Service and Device Admin permissions, allowing them to access contacts, SMS messages, and other sensitive data. Users are advised to only download apps from legitimate sources and scrutinize user ratings and reviews before installation.

Mamont Banking Trojan

The Mamont malware targets Android users by impersonating the Google Chrome browser. This banking trojan leverages Chrome’s popularity to gain user trust and extract personal and financial data.

Android malware on phone

Image courtesy of Tom's Guide

Once installed, Mamont requests permissions typically unnecessary for a web browser, such as managing phone calls and sending messages. It then prompts users with fake cash prize offers, tricking them into providing their credit card information.

To stay safe from Mamont, avoid downloading apps from unreliable sources, and regularly check app permissions. Ensure Google Play Protect is enabled, and consider using a reputable antivirus app.

SpyNote Malware Campaign

The SpyNote malware has resurfaced, targeting users through fake Google Play Store pages. This remote access trojan is capable of significant harm and is difficult to remove once installed.

Green skull on smartphone screen.

Image courtesy of Tom's Guide

SpyNote is distributed via deceptive websites that closely resemble authentic Google Play Store pages. Once users click on the install button, they inadvertently download a malicious APK file that connects to the hackers' command-and-control servers.

To protect against SpyNote, users should avoid sideloading apps and verify website URLs before downloading. Employing a reliable Android antivirus app can help mitigate risks.

By understanding these threats and following safety protocols, Android users can better safeguard their devices and personal information from malicious attacks.

Edward Zhou
Edward Zhou

CEO & Founder

 

CEO & Founder of Gopher Security, leading the development of Post-Quantum cybersecurity technologies and solutions..

Related Articles

Ransomware Attacks Target Russian Vodka and Healthcare Sectors

The Novabev Group, parent company of the Beluga vodka brand, experienced a ransomware attack on July 14, 2025, causing significant disruptions. The attack affected WineLab, the company's liquor store chain, leading to a three-day closure of over 2,000 locations in Russia. The company reported that the attack crippled its IT infrastructure, particularly point-of-sale systems and online services. Novabev Group stated, "The company maintains a principled position of rejecting any interaction with cybercriminals and refuses to fulfill their demands."

By Alan V Gutnov July 19, 2025 3 min read
Read full article

Retail Sector Faces Surge in Ransomware Attacks: A 2025 Analysis

Publicly disclosed ransomware attacks on the retail sector globally surged by 58% in Q2 2025 compared to Q1, with UK-based firms being particularly targeted, according to a report by BlackFog. This spike in attacks follows high-profile breaches affecting retailers like Marks & Spencer (M&S), The Co-op, and Harrods, attributed to the threat actor known as Scattered Spider.

By Alan V Gutnov July 19, 2025 2 min read
Read full article

AI-Driven Lcryx Ransomware Emerges in Cryptomining Botnet

A cryptomining botnet active since 2019 has incorporated a likely AI-generated ransomware known as Lcryx into its operations. Recent analysis by the FortiCNAPP team at FortiGuard Labs identified the first documented incident linking H2miner and Lcryx ransomware. This investigation focused on a cluster of virtual private servers (VPS) utilized for mining Monero.

By Edward Zhou July 19, 2025 3 min read
Read full article

Preventing ClickFix Attacks: Safeguarding Against Human Error

ClickFix is an emerging social engineering technique utilized by threat actors to exploit human error. This technique involves misleading users into executing malicious commands under the guise of providing "quick fixes" for common computer issues. Threat actors use familiar platforms and deceptive prompts to encourage victims to paste and run harmful scripts.

By Alan V Gutnov July 19, 2025 3 min read
Read full article