The Top 8 Android Malware Threats To Watch In 2020

CRN spoke with experts at Avast, Avira, Bitdefender and Sophos to get the lowdown on how threats like sideloading, stalkerware, fake subscription services and Hiddad are putting Android users in harm's way.

Mastering Mobile Device

Securing mobile devices has become increasingly important in recent years as the number of devices in operations and the ways in which they are used has expanded dramatically. Mobile device users are struggling with everything from device loss and device theft to data leakage, where mobile device screens display information that could be captured by unauthorized parties.

Wireless device security is also expected to drive growth of the mobile security market in the coming years. All told, the mobile security market is expected to grow to $42.2 billion by 2024, representing a compound annual growth rate of 48.1 percent over the previous half-decade, according to Market Research Engine.

As part of Cybersecurity Week 2019, CRN spoke with technical and research experts at Avast, Avira, Bitdefender and Sophos to get the lowdown on how everything from sideloading and stalkerware to fake subscription services and Hiddad are putting Android users in harm's way. Here's a look at eight of the most dangerous Android malware threats.

Banking Disruption In India

A big chunk of Indian infrastructure is handled by mobile phones and infrastructure, with many businesses run on 4G using inexpensive phones, according to Petter Nordwall, director of product management at Oxford, U.K.-based Sophos. A lack of maturity and vigilance in the Indian market means that banking trojans are just now bursting onto the scene, Nordwall said.

'The 'e-ATM' has also popped up in India, Nordwall said, which is an app that promises to withdraw money for individuals who input their ATM number and pin code into the realistic-looking interface. The relative immaturity and novelty of mobile banking in the Indian market means that more people have fallen for the 'e-ATM' scan than would be expected in North America or Europe.

Many of the Android devices being used in the Indian market are cheaper, Nordwall said, and therefore might not get the latest security patches that are being rolled out to their Western counterparts. A survey from earlier this year detected twice as many mobile attacks in India as compared with other parts of the world, with nearly 20 percent of Indian businesses spotting a serious mobile cyberattack.

Fake Subscription Services

Applications in both the Google Play and iOS App Store are trying to hoodwink people into subscribing for a purported service that doesn't have any functionality, according to Nikolas Chrysaidos, head of mobile threat intelligence and security at Prague, Czech Republic-based Avast.

For instance, Chrysaidos said an app might tease a subscription for $50 or $60 per month to allow users to search phone numbers and figure out the person behind it, but not be able to deliver that functionality. Chrysaidos said people are often willing to subscribe to something with a smaller monthly charge without scrutinizing the claims made or doing research on their own.

After figuring out the service doesn't actually work, users will typically comment on the Google store and attempt to unsubscribe and get their money back, but Chrysaidos said they are rarely successful. A handful of these fake subscription services have been spotted thus far, and Chrysaidos think it'll continue given the difficulty associated with educating a massive population of non-technical users.

Government Spying On Users

The Chinese government has already installed malware on the mobile phones of tourists visiting several regions of the country, establishing a dangerous precedent even if the geographic scope is limited, according to Bogdan Botezatu, director of threat research and reporting at Bucharest, Romania-based Bitdefender.

Law enforcement has struggled with visibility in the instant messaging and chat space given the end-to-end encryption offered by apps like WhatsApp or Signal, Botezatu said. Governments therefore need to attack one of the endpoints to gain access to the unencrypted data, and, given the dedicated IT security vendors have around their data center, have begun targeting the end user, Botezatu said.

Savvy government actors would target the user and crack or find holes in their mobile device to get a local copy of the instant messaging database, which is saved unencrypted right on the device, according to Botezatu. Once the database with instant messaging conversations is found, Botezatu said the information can be exfiltrated directly from the device.


Hiddad poses as a legitimate app, but has a trojan hidden in the background, according to Alexander Vukcevic, director of protection labs and QA for Tettnang, Germany-based Avira. Typically, Vukcevic said the user is downloading a purportedly legitimate game like Tetrix from a third-party app store, but it turns out malicious text is contained within a second binary that's running invisibly in the background.

Once downloaded, the app asks users for permission to access their phone contacts, which many people will agree to since they're not paying attention to what specific access is being given to the third party, Vukcevic said. After that access is granted, Vukcevic said Hiddad will begin sending the user's information to third parties.

Hiddad is typically only found in third-party app stores and not the Google Play store since Google analyzes the structure of apps in its store and will take a close look if it sees binaries in the app beyond the game itself, Vukcevic said. Third-party stores tend not to take a close look at potential suspicious activity , according to Vukcevic.


Users have been subliminally trained to remove sideloading controls on Android devices, which in turn has made it easier for threat actors to get a modified or tampered with piece of software to deliver remote access capabilities to a user's device, according to Sophos's Nordwall.

For instance, Nordwall said copies of Fortnite outside Google Play store have trained users to switch sideloading controls off and download items from unknown third parties onto their phone. Sideloading is an easy way to deliver a product that's been tampered with by injecting a remote access trojan payload into an Android Package (APK) file, Nordwall said.

The Google Play store blocks sideloading, Nordwall said, meaning the main vehicle for getting sideloading onto devices is through phishing email campaigns. Users need to think very carefully before downloading applications from non-approved sources, according to Nordwall, and make sure they close off entry points to their device by deactivating the ability for sideloading to enter from different sources.


The Spy.Banker trojan attempts to gain access to people's online bank accounts and transfer the money from those bank accounts to a third-party location somewhere else in the world, according to Avira's Vukcevic. Adversaries start by deploying malware to see what kinds of online banking applications users have installed on their mobile devices, Vukcevic said.

From there, Vukcevic said the threat actor collects data to see how to log into the online back account, and then pursues the user's phone number so they can provide the second factor typically needed to authenticate the user's identity.

Spy.Banker hides in the background, stealing credentials once the user has logged into the bank account on the mobile app and then stealing the pin number sent to the user's phone as the second factor of authentication, Vukcevic said. Once the adversary has collected bank account data and login information, Vukcevic said they tend to immediately go and abuse it.


Stalkerware tracks and monitors the phone activity of a spouse, romantic partner or friend, according to Avast's Chrysaidos. Some stalkerware apps just want to track the location of another person, Chrysaidos said, while others have features where they're also watching the Facebook Messenger, WhatsApp, and Skype accounts of a third-party.

Developers have for the past half-decade uploaded their spyware and stalkerware apps into Google Play in an attempt at monetization, but Chrysaidos said apps that track more than another person's location are not allowed in the Google Play store.

Pressure for better regulation has intensified as extensive research has come out recently connecting domestic violence to mobile stalkerware applications, Chrysaidos said. Researchers and universities alike have pushed the application platforms to do a better job of detecting stalkerware in hope that tools like these eventually stop being developed.

Propagate Malware From Windows Devices

Malware creators have started to become more innovative, targeting Windows computers and then propagating their malware to Android users, according to Bitdefender's Botezatu. Windows devices are prone to malware, Botezatu said, and are often easier to establish a foothold on than the smartphone itself.

Adversaries typically target vulnerable PC users who they believe have turned off their local anti-virus software such as users pirating information, Botezatu said. From there, the threat actors not only seizes on the Windows device for direct monetization, Botezatu said, but also pivots to more valuable assets like mobile phones.

Mobile phones provide access to a payment mechanism, Botezatu said, especially as it relates to getting access to a second factor of authentication to subvert the victim's bank account. In addition, a mobile device provides the adversary with a comprehensive look into the victim's digital life from sensors, photo galleries and GPS to conversation history, messages, emails, and downloaded attachment files.