Android Malware Surges As Google Play Gets 42M+ Risky Installs From 239 Apps, Zscaler Flags A “67% Jump”

GigaNectar Team


Android & IoT Threat Watch: June 2024–May 2025 — Fast Visual Brief

Between June 2024 and May 2025, 239 malicious Android apps on Google Play amassed ~42 million downloads, while Android malware transactions rose 67% year over year. Key families included adware (69% of detections), Joker (now 23%), and fast-moving spyware strains. Energy (+387%), Manufacturing, and Healthcare (+224%) saw sharp activity. Verified details are available via Zscaler ThreatLabz, their research brief, and a concise summary by BleepingComputer. A community note is posted on X.


  • 42M: Malicious app installs (Google Play) [Period]
  • 239: Malicious apps identified [Store]
  • +67%: YoY Android malware growth [Trend]
  • 69%: Adware share of detections [Type]
  • 23%: Joker family share [Info-stealer]
  • +220%: Spyware growth (YoY) [Growth]
  • 4.89M: Banking-malware transactions (2025) [Volume]
  • 1.6M: Android TV boxes affected (Vo1d) [Backdoor]

Metrics reflect the period covered by the brief. Values are rounded for readability.

Sector spikes during the period (Android/IoT activity)

Energy (+387%), Transportation (+382%), Healthcare (+224%), plus sharp IoT activity across Education (+861%), Government (+370%), and Construction (+410%).

Countries referenced in the brief (map; legend: top impacted, large spike)

Anatsa

Banking trojan active since 2020; a recent variant targets data from 831 financial organizations and crypto platforms. Typical entry: utility/productivity app decoys; credential overlays used.

Android Void (Vo1d)

Backdoor on Android TV boxes; about 1.6 million devices affected, often with outdated AOSP firmware; activity observed in India and Brazil. Related backdoor behavior includes silent app installs.

Xnotice

Android RAT aimed at oil & gas job seekers in Iran and Arabic-speaking regions via fake job/exam apps; targets banking credentials, MFA codes, SMS content, and screenshots.

Payments & permissions

Shift from card fraud to mobile payments via phishing, smishing, SIM-swaps; frequent abuse of Accessibility permissions for device control and data capture.

Simple safety checklist for Android, IoT & TV boxes
  • Prefer trusted publishers; avoid non-essential installs; review requested permissions—especially Accessibility.
  • Keep Android and apps updated; run periodic Play Protect scans.
  • Treat urgent delivery/bank texts as high-risk; verify inside official apps before acting.
  • For organizations: apply strict application control, monitor SIM-level anomalies, and use zero-trust segmentation across mobile/IoT/OT.
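One way to act on the Accessibility item in the checklist, as an added example that is not from Zscaler or the original article: the script parses the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i` and lists every enabled Accessibility service whose package is not on an allowlist. The allowlist, the `com.example.*` package names and the sample output are constructed, and the `package:<name>  installer=<name>` line format is assumed.

```python
import re

# Hypothetical allowlist: packages expected to hold an Accessibility service.
ALLOWED = {"com.google.android.marvin.talkback"}
PLAY_INSTALLER = "com.android.vending"

def parse_services(raw):
    """Parse the colon-separated package/ServiceClass list from `settings get`."""
    raw = raw.strip()
    if not raw or raw == "null":  # nothing enabled
        return []
    return [tuple(c.split("/", 1)) for c in raw.split(":") if "/" in c]

def parse_installers(raw):
    """Map package -> installer from `pm list packages -i` output."""
    return dict(re.findall(r"^package:(\S+)\s+installer=(\S+)", raw, re.M))

def audit(services_raw, installers_raw, allowed=ALLOWED):
    """Return a finding for every enabled service outside the allowlist."""
    installers = parse_installers(installers_raw)
    findings = []
    for package, service in parse_services(services_raw):
        if package in allowed:
            continue
        installer = installers.get(package, "unknown")
        findings.append({
            "package": package,
            "service": service,
            # Context only: a Play install is still flagged for review.
            "installer": installer,
            "sideloaded": installer != PLAY_INSTALLER,
        })
    return findings

# Constructed sample output, not captured from a real device.
SAMPLE_SERVICES = (
    "com.google.android.marvin.talkback/.TalkBackService:"
    "com.example.pdfreader/.HelperService:"
    "com.example.jobexam/com.example.jobexam.AssistService\n"
)
SAMPLE_INSTALLERS = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.pdfreader  installer=com.android.vending
package:com.example.jobexam  installer=null
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_SERVICES, SAMPLE_INSTALLERS):
        print(finding)
```

An app installed from Google Play is still reported, since the apps counted in the brief were distributed through the store; the `sideloaded` field only adds context for triage.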

More context: Zscaler ThreatLabz brief · BleepingComputer summary · Community post

