Android Trojan Hit 800+ Apps

- Security teams found an Android trojan embedded across more than 800 apps that reached users via app stores. (x.com)
- The most striking count is the trojan's presence in 800-plus distinct applications. (x.com)
- The scale shows how supply-chain and app-store checks can be bypassed, increasing mobile risk exposure. (x.com)

Android malware researchers say four active trojan campaigns are now targeting more than 800 banking, cryptocurrency, and social media apps on users’ phones. (zimperium.com)

Zimperium’s zLabs team published the report on April 16, 2026 and named the campaigns RecruitRat, SaferRat, Astrinox, and Massiv. The firm said the malware is built for credential theft, unauthorized transactions, and data exfiltration. (zimperium.com)

A banking trojan is malicious software that pretends to be a normal app, then steals passwords, one-time codes, or account details after it lands on a device. In this case, the malware also uses Android screen overlays — fake layers placed on top of real apps — to capture PIN entries in real time. (techrepublic.com)

The campaigns rely on phishing, fake update prompts, cloned apps, and too-good-to-be-true offers that push users to install software from attacker-controlled sites. Zimperium said some samples abuse Android’s Native Session Installation API and request dangerous permissions under the cover of normal app setup. (techrepublic.com)

Once installed, the malware tries to stay put. Zimperium said SaferRat can interfere with system navigation to frustrate removal, while RecruitRat can hide itself from the app drawer with transparency effects. (techrepublic.com)

The report describes a mobile supply-chain problem in plain terms: users can install what looks like a trusted app or update, while the harmful code arrives through a fake store, a cloned package, or a tampered installation path. Zimperium said the families use anti-analysis tricks and APK tampering that keep detection rates near zero against older signature-based defenses. (zimperium.com)

The scale fits a broader pattern. Bitdefender said in March 2025 that it had found at least 331 malicious apps on Google Play with more than 60 million downloads, showing that attackers can still slip harmful Android apps through store checks and then change behavior after installation. (bitdefender.com)

For users, the practical warning is narrower than “every app is infected.” The 800-plus figure refers to apps these trojans are designed to target on infected phones, not 800 confirmed malicious listings in Google Play, according to Zimperium’s report and follow-up coverage. (zimperium.com) (forbes.com)

The immediate fix is also familiar: avoid sideloaded “updates,” reject unexpected Accessibility or overlay requests, and remove apps installed from links in texts or cloned websites. The opening number is large, but the mechanism is old — trick the user first, then let the trojan do the rest. (techrepublic.com)
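The three checks in that advice can be combined into one device triage pass. The following is an added example, not code from Zimperium's report or any of the cited coverage: it flags apps that did not come from a trusted installer and also hold Accessibility or overlay access. It assumes text saved from `adb shell pm list packages -i -3`, `adb shell settings get secure enabled_accessibility_services` and `adb shell appops query-op SYSTEM_ALERT_WINDOW allow`; the exact output shapes can vary by Android version, and all package names and function names are constructed.

```python
import re

TRUSTED_INSTALLERS = {"com.android.vending"}  # assumption: only Google Play is trusted

def parse_installers(pm_output):
    """Map package -> installer from `pm list packages -i -3` style lines."""
    result = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            result[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return result

def parse_accessibility(setting_value):
    """Packages from a colon-separated list of pkg/service component names."""
    value = setting_value.strip()
    if value in ("", "null"):
        return set()
    return {comp.split("/", 1)[0] for comp in value.split(":") if comp}

def parse_overlay(appops_output):
    """Packages listed one per line as allowed to draw over other apps."""
    name = re.compile(r"[A-Za-z0-9_]+(\.[A-Za-z0-9_]+)+")
    return {l.strip() for l in appops_output.splitlines() if name.fullmatch(l.strip())}

def triage(pm_output, a11y_value, overlay_output):
    """Flag apps from untrusted installers that hold Accessibility or overlay access."""
    grants = (("accessibility", parse_accessibility(a11y_value)),
              ("overlay", parse_overlay(overlay_output)))
    findings = []
    for pkg, installer in sorted(parse_installers(pm_output).items()):
        if installer in TRUSTED_INSTALLERS:
            continue
        reasons = [label for label, pkgs in grants if pkg in pkgs]
        if reasons:
            findings.append((pkg, installer, reasons))
    return findings

# Constructed sample input; not from a real device or from the Zimperium report.
SAMPLE_PM = """package:com.example.bank  installer=com.android.vending
package:com.example.updater  installer=null
package:com.example.flashlight  installer=com.example.store
package:com.example.notes  installer=null"""
SAMPLE_A11Y = ("com.example.updater/com.example.updater.HelperService:"
               "com.example.bank/com.example.bank.Reader")
SAMPLE_OVERLAY = "com.example.updater\ncom.example.flashlight\n"

if __name__ == "__main__":
    for pkg, installer, reasons in triage(SAMPLE_PM, SAMPLE_A11Y, SAMPLE_OVERLAY):
        print(f"{pkg}: installer={installer}, holds {', '.join(reasons)}")
```

A finding is a prompt for review, not a verdict: legitimate tools installed outside the store can hold the same grants.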
