With ironic timing, just as Samsung confirms its latest crackdown on apps installed from outside official app stores, here comes another alarming warning showing just why it’s making those changes. The latest threat has been discovered hiding inside dozens of apps. Installing any of them “enables the interception of user interactions, making it a powerful tool for surveillance and credential theft.”
Meet DroidBot, which Cleafy describes as “an advanced Android Remote Access Trojan (RAT) that combines classic hidden VNC and overlay capabilities with features often associated with spyware.” This includes keylogging and exfiltration of other dangerous and sensitive data from infected devices. There’s nothing especially clever about this RAT. But there doesn’t need to be. The trick is luring users into infecting their devices with malicious downloads. The rest is easy.
Cleafy has identified 77 infected apps, “including banking institutions, cryptocurrency exchanges, and national organisations, underscoring its potential for widespread impact.” The team note that the malware appears to be still under development, but has already successfully infected phones in the UK, Italy, France, Spain, and Portugal, and is making inroads into Latin America. The US will be next.
DroidBot is a Malware-as-a-Service offering, available for rental by multiple threat actors. Cleafy says it has identified “17 distinct affiliate groups… multiple affiliates were found to be communicating over the same MQTT server, suggesting that some groups may collaborate or participate in demonstration sessions.”
DroidBot comes to users by mimicking popular apps and services from well known providers, including Google itself. This includes Play Store, Chrome and even an ‘Android Security’ app. “To lure victims into downloading and installing DroidBot, the threat actors leverage common decoys frequently observed in banking malware distribution campaigns. In this case, the malware is disguised as generic security applications, Google services, or popular banking apps.”
DroidBot relies on the usual permission abuse to operate covertly on infected phones, notably and unsurprisingly Accessibility Services. Granting any app access to these powerful controls is a major red flag unless you both know the app and need the added service. Android 15’s new live threat detection, which uses on-device AI to flag permission abuse and other bad behaviors, should catch such activity once it’s fully up and running.
Cleafy warns that DroidBot’s functions include intercepting SMS messages (and so the OTPs they carry), keylogging, creating and displaying fake login screens over real apps to capture credentials, taking screenshots, and manipulating the screen. This array of features is designed to steal usernames and passwords and then intercept 2FA codes.
The infected package names can be seen above. As you can see, many of these mimic popular banking and crypto apps and platforms. It’s impossible to overstate how bad an idea it is to install a banking app from an unofficial app store, let alone from a direct download via an SMS or email link.
Obviously don’t install any of these apps, and if you have done so already, delete them right away. You then need to check your accounts and change passwords. Also make sure Play Protect is enabled on your device and your OS firmware is updated. You should never install apps from outside the Play Store, and certainly not apps that claim to be from Google.
Here’s a recap on the golden rules for staying safe on Android:
- Stick to official app stores—don’t use third-party stores and never change your device’s security settings to enable an app to load; also ensure Google Play Protect is enabled on your device.
- Check the developer in the app’s description—is it someone you’d like inside your life? And check the reviews, do they look legitimate or farmed?
- Do not grant permissions to an app that it should not need: torches and star-gazing apps don’t need access to your contacts and phone. And never grant accessibility permissions that facilitate device control unless you have a need.
- Never ever click links in emails or messages that directly download apps or updates—always use app stores for installs and updates.
- Do not install apps that link to established apps like Chrome unless you know for a fact they’re legitimate—check reviews and online write-ups.
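The first and third rules above can be checked on a device rather than taken on trust. The script below is an added example, not code from Cleafy or from the original article: it triages the output of `adb shell pm list packages -3 -i` and `adb shell settings get secure enabled_accessibility_services` and flags third-party apps that were sideloaded, that have an accessibility service switched on, or that sit in a Google/Android package namespace without coming from a store. The sample outputs, package names and the line format are constructed for the example.

```python
import re

# Constructed sample of `adb shell pm list packages -3 -i` output
# (assumed format: one "package:<name>  installer=<pkg|null>" line per app).
PM_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.bank  installer=com.android.vending
package:com.google.android.securitycheck  installer=null
package:com.example.flashlight  installer=com.sec.android.app.samsungapps
package:com.example.cryptowallet  installer=null
"""

# Constructed sample of `settings get secure enabled_accessibility_services`
# (colon-separated "<package>/<service class>" entries).
A11Y_OUTPUT = ("com.google.android.securitycheck/.SvcService:"
               "com.example.flashlight/com.example.flashlight.A11y")

# Installers we treat as official stores (Play Store, Galaxy Store).
TRUSTED_INSTALLERS = {"com.android.vending", "com.sec.android.app.samsungapps"}
LINE_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")

def parse_packages(text):
    """Map package name -> installer package (None if sideloaded/unknown)."""
    result = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pkg, installer = m.groups()
            result[pkg] = None if installer == "null" else installer
    return result

def parse_a11y(text):
    """Set of packages that currently have an accessibility service enabled."""
    return {entry.split("/", 1)[0] for entry in text.strip().split(":") if entry}

def triage(pm_text, a11y_text):
    """Return {package: [reasons]} for apps that break the rules above."""
    findings = {}
    a11y_pkgs = parse_a11y(a11y_text)
    for pkg, installer in parse_packages(pm_text).items():
        reasons = []
        if installer not in TRUSTED_INSTALLERS:
            reasons.append("sideloaded")
        if pkg in a11y_pkgs:
            reasons.append("accessibility service enabled")
        if pkg.startswith(("com.google.", "com.android.")) and installer not in TRUSTED_INSTALLERS:
            reasons.append("Google/Android namespace but not from a store")
        if reasons:
            findings[pkg] = reasons
    return findings

if __name__ == "__main__":
    for pkg, reasons in triage(PM_OUTPUT, A11Y_OUTPUT).items():
        print(pkg, "->", ", ".join(reasons))
```

An app that trips all three checks, such as the constructed `com.google.android.securitycheck` here, matches the decoy pattern the article describes and is the one to uninstall first.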