Over 42 million downloads: malicious Android apps found on Google Play

Robert Haba
Robert Haba
4 min read
Over 42 million downloads: malicious Android apps found on Google Play
Trust this source on Google
Add trusted source

According to a survey by cloud security firm Zscaler, hundreds of malicious Android apps on Google Play were downloaded over 40 million times between June 2024 and May 2025.

The company saw a 67% year-over-year increase in malware that targeted mobile devices during that time, with banking trojans and spyware being the most common threats.

According to telemetry data, threat actors are leveraging phishing, smishing, SIM-swapping, and payment frauds to take advantage of mobile payments instead of traditional card fraud.

Malicious Android apps found on Google Play

The shift to social engineering assaults can be explained by the widespread use of mobile payments and enhanced security standards like chip-and-PIN technology.

According to Zscaler, “to carry out these assaults, fraudsters use phishing trojans and malicious programs designed to steal financial information and login passwords.”

Zscaler estimates that it has found 239 harmful apps in the official Android store, with a total of 42 million downloads, compared to 200 malware apps on Google Play last year.

The emergence of adware as the most significant threat in the Android ecosystem, which now accounts for over 69% of all detections—nearly twice as many as the previous year—is another noteworthy trend observed at that time.

After leading with 38% the previous year, the Joker info-stealer is currently in second position with 23%.

The SpyNote, SpyLoan, and BadBazaar families—which are used for identity theft, extortion, and surveillance—were the primary drivers of the notable 220% year-over-year (YoY) increase in spyware.

Geographically speaking, 55% of all attacks were directed towards the United States, Canada, and India. Attacks against Israel and Italy also showed substantial increases, ranging from 800% to 4000% YoY, according to Zscaler.

Malicious Android apps and malware

In its annual study, Zscaler identifies three malware families that significantly affected Android users. The first is Anatsa, a banking trojan that occasionally enters Google Play through productivity and utility apps and receives hundreds of thousands of downloads each time.

Since its discovery in 2020, anatsa has undergone continuous evolution. The most recent version is capable of stealing data from bitcoin sites, more than 831 financial institutions, and new areas like South Korea and Germany.

The second is Android Void (Vo1d), a backdoor malware that targets Android TV boxes and has infected at least 1.6 million devices with out-of-date Android Open Source Project (AOSP) versions, mostly in Brazil and India.

Malicious Android apps found on Google Play

The third is Xnotice, a brand-new Android remote access trojan (RAT) that specifically targets job seekers in the oil and gas sector in Iran and Arabic-speaking areas.

Xnotice propagates via applications that are disseminated through phony employment websites and pose as tools for registering for exams or applying for jobs.

Through overlays, multi-factor authentication (MFA) codes, SMS messages, and screenshots, the spyware targets banking credentials.

Users are encouraged to install security updates, only trust reliable publishers, reject or restrict accessibility permissions, refrain from downloading unnecessary apps, and routinely run Play Protect scans in order to protect themselves from Android malware threats, including those from Google Play.

Routers continued to be the most targeted IoT equipment this year, according to Zscaler’s study. Hackers added routers to botnets or used them as proxies to spread malware by taking advantage of command injection flaws.

The majority of IoT attacks took place in the United States, with rising hotbeds in Hong Kong, Germany, India, and China following, suggesting that attackers are targeting devices throughout a larger geographic area.

The cybersecurity company advises businesses to harden IoT and cellular gateways by keeping an eye out for anomalies and implementing firmware-level protections, as well as to deploy zero-trust solutions for key networks.

Strict application control guidelines, security against phishing attacks, and monitoring SIM-level communications for anomalies should all be part of mobile endpoint protections.

💎Best Android Device
Samsung Galaxy S26 Ultra

Samsung Galaxy S26 Ultra

4.9 / 5.0
Est. Price
$1,212.85$1,499.9919% OFF
Buy
👑A good choice
Apple iPhone 17 Pro

Apple iPhone 17 Pro

4.8 / 5.0
Est. Price
$1,012.97$1,099.008% OFF
Buy
Samsung Galaxy Watch 8

Samsung Galaxy Watch 8

4.9 / 5.0
Est. Price
$289.99$349.9917% OFF
Buy
DEAL!
Samsung Galaxy Watch Ultra (2025)

Samsung Galaxy Watch Ultra (2025)

5.0 / 5.0
Est. Price
$449.99$649.9931% OFF
Buy
Google Pixel Watch 4

Google Pixel Watch 4

4.8 / 5.0
Est. Price
396.00$499.9921% OFF
Buy
* As an Amazon Associate, Droid Tools earns from qualifying purchases. Learn more in our Affiliate Disclosure.
Founder · Editor-in-Chief
Robert Haba is the founder and editor-in-chief of Droid Tools. A lifelong gadget enthusiast with over a decade following the Android ecosystem, he built this publication to cut through the noise and give readers honest, real-world coverage of the tech they actually use.

Comments & Discussions

Join the conversation! We use Disqus to handle comments. Click the button below to load the comment section.

Keep Reading

Early Geekbench results for the Snapdragon 6 Gen 5 show almost no CPU improvement over the Snapdragon 6 Gen 4, with the older chip actually edging it out in single-core performance. GPU gains look more promising, sitting around 20%, but raw processing power appears to be largely unchanged. Typically, when a company like Qualcomm releases […]

Snapdragon 6 Gen 5
NewsRobert HabaJuly 3, 2026

New software launches rarely go off without a hitch, and Android 17 is proving no different. Shortly after the update rolled out, Pixel owners began reporting connectivity problems — specifically, losing access to 5G entirely after installing the update. Reports surfaced on the Google Pixel subreddit, with multiple users across different device generations describing the […]

android 17 update
NewsRobert HabaJune 23, 2026