The malware that attacked Android cell phones the most in 2025

In Latin America, the mobile landscape has clear features: the region accounts for a large number of Android malware detections, concentrated in Mexico and Brazil, according to the latest ESET Threat Report. Unlike regions further north or Europe, Android is the most prevalent operating system by a significant margin. According to ESET, a cybersecurity company, the phone is the main device for most people, and recent devices coexist with models that no longer receive updates. For the research team, this mix of high dependency, fragmentation and outdated versions creates an environment where many malicious codes find room to proliferate.

“Added to this is that many of the most effective distribution channels are still fully in force in the region. SMS or messaging campaigns with direct links, modified APKs that are shared outside official stores and applications that manage to enter formal stores with very few reviews or signs of real activity continue to be key vectors. This ecosystem facilitates both the circulation of well-known families and the constant appearance of new or unsophisticated variants that still achieve reach,” comments Martina Lopez, Computer Security Researcher at ESET Latin America.

Geographic distribution of Android detections. ESET Threat Report H2 2025

ESET analyzed the three most detected families of malicious code in the region in 2025:

Trojan.Android/Exploit.CVE-2012-6636: An old vulnerability that is still present in the mobile ecosystem because many Android applications continue to use legacy components. The bug affects apps that use WebView with an insecure configuration and that were compiled with versions prior to Android 4.2. Even if the device is modern, the application can maintain that vulnerable behavior. In that context, a malicious web page loaded within the WebView itself can interact with the app’s internal code in ways that should not be possible, opening the door to unauthorized actions.

In the current landscape of mobile threats, this exploit is not usually the center of complex campaigns, but it does appear integrated into APKs distributed outside of official stores or present in applications that no longer receive updates. There are public exploits for CVE-2012-6636, including modules built into frameworks such as Metasploit, making it easier for malicious actors to use. Additionally, it was reported as one of the most prevalent exploits for Android in 2023, according to the ESET Security Report 2024.
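A defensive check for the condition described above, as an added example that is not part of ESET's report: it reads an app's decoded manifest and source text and flags `addJavascriptInterface` bridges registered under a target or minimum SDK below API level 17 (Android 4.2), where every public method of the bridged object is reachable from page script. The manifests, file names and source lines are constructed sample input, and the severity labels are this example's own.

```python
import re
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
BRIDGE_CALL = re.compile(r"\.addJavascriptInterface\s*\(")

def sdk_levels(manifest_xml):
    """Return (minSdkVersion, targetSdkVersion) declared in the manifest."""
    uses_sdk = ET.fromstring(manifest_xml).find("uses-sdk")
    if uses_sdk is None:
        return 1, 1  # platform defaults when <uses-sdk> is absent
    min_sdk = int(uses_sdk.get(ANDROID + "minSdkVersion", "1"))
    # targetSdkVersion falls back to minSdkVersion when not declared
    target = int(uses_sdk.get(ANDROID + "targetSdkVersion", min_sdk))
    return min_sdk, target

def audit(manifest_xml, sources):
    """Return (path, severity, reason) for each file registering a JS bridge."""
    min_sdk, target = sdk_levels(manifest_xml)
    findings = []
    for path, code in sorted(sources.items()):
        if not BRIDGE_CALL.search(code):
            continue
        if target < 17:
            findings.append((path, "HIGH",
                f"targetSdkVersion {target} < 17: legacy bridge on every device"))
        elif min_sdk < 17:
            findings.append((path, "MEDIUM",
                f"minSdkVersion {min_sdk} < 17: unrestricted on pre-4.2 devices"))
        else:
            findings.append((path, "INFO",
                "only @JavascriptInterface methods exposed; review loaded content"))
    return findings

# Constructed sample inputs (not taken from any real application).
LEGACY_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.legacy">
  <uses-sdk android:minSdkVersion="9" android:targetSdkVersion="16"/>
</manifest>"""
MODERN_MANIFEST = LEGACY_MANIFEST.replace('"9"', '"21"').replace('"16"', '"34"')
SOURCES = {
    "BrowserActivity.java": 'webView.addJavascriptInterface(new Bridge(), "app");',
    "Util.java": "class Util {}",
}

if __name__ == "__main__":
    for manifest in (LEGACY_MANIFEST, MODERN_MANIFEST):
        for finding in audit(manifest, SOURCES):
            print(finding)
```

A HIGH finding matches the article's point that the app keeps the vulnerable behavior even on a modern device, because the legacy bridge semantics follow the app's target SDK rather than the device's Android version.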

Trojan.Android/Exploit.Lotoor: A family of privilege escalation exploits used for more than a decade to gain root access on Android devices. It groups together a set of techniques that abuse operating system vulnerabilities in different early versions of Android, especially bugs discovered between 2010 and 2013. Under this umbrella fall exploits that take advantage of errors in drivers, system services or memory management that allowed code to be executed with privileges higher than those of the application.

Its modules continue to reappear within malicious tools that seek to activate advanced functions such as uninstalling security apps, modifying internal configurations or installing additional payloads. It is not the first time that the research team has observed Lotoor among the top positions.

Trojan.Android/Pandora: It is malicious code linked to a variant of Mirai adapted for the Android ecosystem. It was first observed in 2023 within popular streaming applications in the region, especially on Android TV Box devices and sticks that are often used to access unofficial content. In these cases, attackers distribute APKs that function as legitimate streaming apps, but include a malicious component capable of turning the device into part of a botnet. In some models, modified factory-infected firmware was even detected, amplifying the scope of the attack.

Once installed, Pandora maintains communication with a command and control server, receives instructions and executes the same capabilities typical of a Mirai-based botnet, with the focus on launching distributed denial of service attacks.

“This 2025 outlook shows us that threats to Android continue to rely on well-known vectors and the lack of updating of devices and applications, which keeps exploits and families that have been circulating for years in force. Even so, this does not mean that the risk is limited to ‘business as usual.’ Less massive, but equally relevant, threats also persist, such as banking Trojans or fraudulent loan applications, which act in a much more focused way and seek a direct impact on the user’s economy. And, in parallel, emerging threats and increasingly innovative techniques appear, such as malware capable of cloning cards using NFC, which reflect a mobile ecosystem in constant evolution and with a growing level of sophistication,” concludes Lopez from ESET Latin America.

In this context, it becomes vital to protect information and devices from these threats. ESET shares some tips to avoid being a victim:

  • Keep the device updated and do not use old versions of Android if there is a possibility of updating.
  • Install applications only from official stores or verified sources.
  • Avoid APKs of unknown origin, even if they promise “premium” features or free content.
  • Check permissions, developer activity, and actual number of reviews before installing an app.
  • Use reliable security solutions that detect exploits, Trojans, and anomalous behavior.
  • Avoid disabling system protections or allowing the installation of unknown apps.
  • Be wary of messages, links or advertisements that promise quick access, discounts or special features.

By Editor
