From functional but malicious apps to imitation payment cards, cybercriminals targeting Android OS are getting creative

Published October 23, 2025 | By TT RND

Threat actors targeting mobile users usually go after their victims' personal information or their money. From messaging-app copycats and toolkits that simplify the creation of marketing scams to malware that rides on the popularity of gaming apps, threats to mobile users take many forms and are constantly evolving. Check this list of recent malicious mobile campaigns targeting Android, discovered by ESET researchers, to better recognize what these threats look like. If you want to protect your mobile device against such attacks, try ESET Mobile Security.

StrongPity espionage campaign

In early 2023, ESET researchers published a blog about the StrongPity malware campaign, which spread a trojanized version of the hugely popular Android Telegram app. It was repackaged and presented as "the" app for the video-chat service Shagle, even though Shagle does not have an official app. The fake app was then distributed from a copycat Shagle website.

Figure 1. Comparison of the legitimate website (left) and the copycat (right)

Ultimately, the criminals used Shagle's popularity (the service has 2.5 million active users) to spread this malware and its diverse spyware features, including 11 functions responsible for recording phone calls, collecting SMS messages, call logs, contact lists, and much more. If a victim grants the malicious StrongPity app access to their phone's accessibility services, it can also monitor incoming notifications and steal communications from 17 apps, such as Viber, Skype, Gmail, Messenger, and Tinder.

Transparent Tribe campaign

In March 2023, ESET researchers published a blog about a cyberespionage campaign that distributed CapraRAT backdoors through trojanized, supposedly secure Android messaging apps; the apps also accessed and removed sensitive information. Victims were likely targeted through a honey-trap romance scam: they were initially contacted on one platform and then convinced to switch to supposedly "more secure" apps, which they were lured into installing.

Figure 2. Distribution website of CapraRAT posing as MeetUp

After the victim signs into the app, CapraRAT starts interacting with the server operated by the cybercriminals, sending basic device information while it waits for commands to execute. Based on these commands, CapraRAT can steal call logs, contact lists, SMS messages, recorded phone calls, recorded surrounding audio, screenshots and photos it takes itself, and much more. It can also receive commands to download files, launch any installed app, kill any running app, make calls, send SMS messages, intercept received SMS messages, and download updates and ask the victim to install them.

Not-so-private messaging

At the beginning of 2023, ESET researchers discovered dozens of copycat Telegram and WhatsApp websites, mainly targeting Android and Windows users with trojanized versions of these instant messaging apps.

Figure 3. Distribution diagram of trojanized messenger apps

Most of the malicious apps identified by ESET researchers are clippers, a type of malware that steals or modifies the contents of the clipboard. Some of these apps use optical character recognition (OCR) to extract text from screenshots stored on the compromised device. All of them were after victims' cryptocurrency funds, with several targeting cryptocurrency wallets.

Android GravityRAT

In June 2023, ESET researchers published research on the Android GravityRAT spyware. This malware was distributed within the malicious but functional messaging apps BingeChat and Chatico, both based on the OMEMO Instant Messenger app.

Figure 4. Distribution website of the malicious BingeChat messaging app

This spyware can steal call logs, contacts, SMS messages, device location, basic device information, and files with specific extensions, such as jpg, png, txt, and pdf. GravityRAT can also access and steal WhatsApp backups and receive commands to delete files.

SpinOk

In the second half of 2023, ESET telemetry recorded an 89% increase in Android malware detections, driven primarily by a mobile marketing software development kit (SDK), essentially a digital toolbox, that ESET detects as SpinOk spyware. This toolbox was offered as a gaming platform and was incorporated into numerous legitimate Android apps, including many available on official app marketplaces.

Figure 5. Android/SpinOk detection trend in H2 2023, seven-day moving average

Once an app containing the SpinOk toolkit is installed, it operates like spyware: it connects to the criminals' command-and-control server and steals a range of data from the device, including potentially sensitive clipboard (short-term storage) contents.

Telekopye

In 2023, ESET researchers found the source code of a toolkit that helps well-organized groups of scammers conduct online-shopping scams without being particularly well versed in IT. The toolkit, which ESET researchers have named Telekopye, creates phishing web pages from predefined templates, generates phishing emails and SMS messages, and sends them to targeted users.

Figure 6. Generated fake screenshot (template on the left, template filled with sample text on the right)

First, the attackers find their victims; then they try to earn their trust so the victims fall for a buyer scam, a seller scam, or a refund scam. When the attackers think that a victim trusts them sufficiently, they use Telekopye to create a phishing web page from a premade template and send its URL to the victim. For example, the attackers trick a victim into buying a non-existent item and then send them a link to a phishing page resembling the payment page of the legitimate online marketplace listing the supposed item. After the victim submits card details via this page, the attackers use them to steal the victim's money.

Kamran

In late 2023, ESET researchers identified a possible watering-hole attack on a regional news website covering Gilgit-Baltistan, a disputed region administered by Pakistan. When opened on a mobile device, the Urdu version of the Hunza News website offered readers the option to download the Hunza News Android app directly from the website; however, the app had malicious capabilities, specifically espionage. The Kamran spyware in question displays the content of the Hunza News website and contains custom malicious code. Upon launch, Kamran prompts the user to grant permissions to access various data stored on the device. If the permissions are granted, Kamran automatically gathers sensitive user data, including SMS messages, the contact list, call logs, calendar events, device location, the list of installed apps, received SMS messages, device information, and images.

Figure 7. English (left) and Urdu (right) versions of Hunza News shown on a mobile device

EvilVideo

ESET researchers discovered a zero-day exploit targeting Telegram for Android that appeared for sale, for an unspecified price, in an underground forum post on June 6, 2024. Using the exploit to abuse a vulnerability that the researchers named EvilVideo, attackers could share malicious Android content via Telegram channels, groups, and chats, and make it appear as multimedia files. The exploit only works on Telegram for Android versions 10.14.4 and older. After ESET researchers approached Telegram, the issue was fixed.

The exploit appears to rely on the threat actor being able to craft a malicious payload that displays an Android app as a multimedia preview. Once shared in a chat, the payload appears as a 30-second video. Since media files received via Telegram are set to download automatically by default, users with that option enabled will download the malicious payload as soon as they open the conversation in which it was shared. The option can be disabled manually; in that case, the payload can still be downloaded by tapping the download button in the top left corner of the shared "apparent" video.

Threats targeting Hamster Kombat players

In mid-2024, ESET researchers discovered and analyzed two threats abusing the success of Hamster Kombat, an in-app Telegram clicker game in which players earn fictional currency by completing simple tasks and are given incentives to log into the game daily. The first threat is a fake, non-functional, malicious app resembling the Hamster Kombat app that contains the Ratel Android spyware, capable of stealing notifications and sending SMS messages. The malware operators use this functionality to pay for subscriptions and services with the victim's funds without the victim noticing.

Figure 8. Malicious Hamster Kombat access requests

The second threat is a collection of fake websites that mimic app stores and claim to have Hamster Kombat available for download. However, tapping the "Install" or "Open" buttons only leads the user to unwanted advertisements.

Phishing via PWAs

In mid-2024, ESET Research published a blog about an uncommon type of phishing campaign targeting mobile users who are clients of a prominent Czech bank. The technique is noteworthy because it abuses Progressive Web Applications (PWAs), allowing a phishing app to be installed from a third-party website without the user having to allow third-party app installation. The initial sources of this campaign included automated voice calls, SMS messages, and social media malvertising that ultimately encouraged victims to open a phishing URL redirecting them to a fake Google Play Store page for the targeted banking application, or to a copycat website for the application.

Figure 9. Example of a malicious advertisement used in these campaigns

After visiting these fake websites, Android users saw a pop-up enticing them to install a malicious application resembling the legitimate banking application. The application was in fact created with WebAPK technology, which lets web applications be installed on Android devices as if they were native apps. This allows users to add PWAs to their home screen on Android devices without going through the Google Play Store.

NGate

While monitoring a malicious campaign that abused PWAs to steal banking credentials from targets in the Czech Republic, ESET researchers uncovered a truly novel attack related to the previous campaign. In August 2024, ESET published a blog about the same criminal group improving its techniques to enable unauthorized ATM withdrawals from the bank accounts of clients of three Czech banks.

Figure 10. NFCGate architecture (source: https://github.com/nfcgate/nfcgate/wiki)

First, the cybercriminals deceived victims into believing that they were communicating with their bank and then tricked them into downloading and installing a fake banking app carrying a unique piece of malware that ESET has named NGate. The malware clones near-field communication (NFC) data from the victims' payment cards and sends it to an attacker's device. That device was then able to emulate the original card and withdraw money from an ATM.

Nomani

In 2024, social media saw a flood of new scam ads promoting "secret" investment opportunities, miraculous dietary supplements, and legal or law enforcement assistance. To make these offers appear credible, the criminals abused the brands of local and global businesses or used AI-generated deepfake videos of famous personalities apparently vouching for the advertised products. The fraudsters' main goal is to lead victims to phishing websites and forms that harvest their personal information.

Ghost Tap

Shortly after ESET researchers discovered the novel attack method of NGate, which steals near-field communication (NFC) data from victims' payment cards, cybercriminals improved upon the technique. Using various phishing tricks, the criminals persuade victims to reveal their payment card details together with the one-time passcode used to confirm the card for a digital wallet. With the card data and the code at their disposal, the attackers register the stolen credentials in their own Apple or Google wallets, relay these loaded wallets to other devices, and make fraudulent contactless payments anywhere in the world.

Figure 11. Geographic distribution of NFC-related Android malware and scams in H1 2025

Stay protected with ESET Mobile Security

ESET Mobile Security can defend users against a wide spectrum of mobile threats, including malicious apps (both side-loaded from third parties and downloaded from official app stores), other malware, hidden threats in files, phishing links, and physical theft.

ESET Mobile Security can block:
- Trojans disguising themselves as harmless apps
- Spyware secretly monitoring your activity or location
- Ransomware locking your files and demanding payment
- Adware bombarding you with intrusive pop-ups
- Phishing, smishing, and scam links received via notifications and social apps that try to steal your sensitive data
- Potentially unwanted applications (PUAs) that may compromise privacy or performance
- And more

Payment Protection feature

This feature adds an extra layer of security to apps like Google Pay or your mobile banking app. When active, Payment Protection prevents malicious apps from reading, modifying, or overlaying content on your protected apps, helping to stop phishing attempts and data leaks.

Conclusion

There are two main takeaways from these cases. First, some of these cyberattacks and scams can be spotted right away if users pay attention and have some security awareness. Research blogs such as those mentioned above can serve as valuable sources. Android users who stay informed about newly discovered malware and emerging scams can sharpen their risk awareness and better safeguard themselves against future online threats. Second, certain malicious campaigns are more sophisticated and harder to spot. Furthermore, cybercriminals often target vulnerable groups, including children and the elderly, who may be less prepared to confront such dangers. In any case, it is always good to have a reliable cybersecurity solution, such as ESET Mobile Security, that can detect and neutralize these threats, ideally before any damage occurs to your device or data.