6 most notorious Android malware of all time

Nothing attracts attackers like popularity. Android, the world’s most widely used operating system, gives bad actors an enormous pool of targets for malicious code, which frequently lands on devices without the owner’s knowledge. Nearly two decades after its birth, the OS integrates safeguards that minimize the hazard, and along with tools like password managers and VPNs, your Android phone offers plenty of ways to bolster your security.

It wasn’t always this way. Over the years, malware and exploits have abused vulnerabilities in Android, the Google Play Store, and third-party apps to extract sensitive data or rack up unapproved charges. In some cases, researchers caught the intrusion before significant damage was done, and some incidents remain noteworthy for how they changed the way apps are built and delivered. These are their stories.



6

FakePlayer opens the floodgates

Android malware gets an inauspicious start

Android logo on top of a phone, a bottle of sanitizer, and a couple of face masks

Source: Unsplash / Wikimedia Commons

Two years after Android’s launch, its expanding user base had grown tempting enough for threat actors to build malware specifically for it. The first widely publicized Android malware, which Kaspersky designated Trojan-SMS.AndroidOS.FakePlayer.a, posed as a video player but, once installed, quietly fired off text messages to premium-rate numbers, each message costing the victim several dollars.

FakePlayer was simple code, and it’s impossible to quantify how much damage it did. Three more variants surfaced over the next year with varying complexity and delivery methods but roughly the same goal: siphon money from unknowing users to the premium-number operators working with the malware’s distributors.

The first well-known attack doesn’t compete with big-money ransomware in headline-grabbing financial impact. Still, it marked the start of the onslaught of malicious code aimed at Android users, with dozens of new families surfacing over the following year, and the beginning of an arms race between thieves and developers. It took years, and discoveries like the ones below, for the defenders to gain the upper hand.

5

StageFright gives birth to recurring security patches

When bad actors push the industry forward

Three Android cartoon characters, one with a "Mal" nametag

Source: Android Police

libstagefright, the Android Open Source Project library that parses and decodes media formats such as MP4, sits deep in the media playback stack and runs with more privilege than the apps that feed it. A cluster of memory-corruption bugs, mostly integer overflows in how the library computed sizes while parsing media file metadata, let a crafted video file corrupt the heap. Because Android’s messaging apps fetched MMS attachments automatically, the file could be delivered and processed without the victim installing or tapping anything, a zero-click exploit. Zimperium estimated that about 95 percent of Android devices at the time were vulnerable.

Security firm Zimperium’s July 27, 2015, announcement of StageFright’s discovery sent shockwaves throughout the industry. Before then, security fixes arrived quietly alongside minor OS updates but weren’t an industry focus, let alone any phone manufacturer’s selling point. The vulnerability inspired Android’s monthly security patches and the bulletins that describe them. After patching the reported bugs, Google and outside researchers kept auditing the media stack and turned up more flaws of the same class, which the following bulletins closed.



StageFright’s outsize impact pushed Android toward compartmentalization: Android 7.0 split the monolithic mediaserver process into several smaller services, each holding only the privileges its job requires, so a bug in a format parser no longer hands an attacker the camera, the microphone, and everything else mediaserver used to own. Google also compiled the media stack with integer-overflow sanitization, so a size calculation that wraps aborts the process instead of silently undersizing a buffer, added Control Flow Integrity to the media stack in Android 8.0, and strengthened address space layout randomization. Those, and other changes under the hood, keep a single exploited bug from turning into a fully compromised device.
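To make the bug class concrete, here is an added illustration, written for this page and not taken from libstagefright or from Zimperium’s research. It models a parser that concatenates the payloads of consecutive media boxes, first with the vulnerable 32-bit size accumulation the text describes and then with the checks that a hardened parser, or the integer-overflow sanitizer, would impose. The box layout, the tx3g tag, the sample bytes, and every function name are constructed for the example; the vulnerable path only computes what the allocation and copy would do, it never performs the out-of-bounds write.

```c
#include <stdint.h>
#include <string.h>

/* ISO BMFF style box: 4-byte big-endian size (header included), 4-byte type
 * tag, payload. Layout, tag and sample bytes are constructed for this
 * illustration; nothing here is taken from libstagefright. */
#define BOX_HDR 8u

static uint32_t rd_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Vulnerable pattern: a 32-bit running total, a new buffer sized from
 * size + chunk, and the bytes collected so far memcpy'd into it before the
 * new chunk is read. The sum wraps; the memcpy does not. Only computes what
 * would happen and returns how many bytes the copy would write past the
 * buffer; it never allocates or copies. */
static uint64_t concat_naive_overflow(const uint8_t *file, size_t len)
{
    uint32_t size = 0;        /* accumulated payload length, wraps past 4 GiB */
    uint64_t collected = 0;   /* bytes really sitting in the old buffer */
    uint64_t overflow = 0;
    size_t off = 0;
    while (off + BOX_HDR <= len) {
        uint32_t chunk = rd_be32(file + off) - BOX_HDR; /* underflows if size < 8 */
        uint32_t new_size = size + chunk;               /* silent 32-bit wrap */
        if (collected > new_size)                       /* memcpy(new, old, collected) */
            overflow = collected - new_size;
        if (chunk > len - off - BOX_HDR)
            break;            /* the read fails here, but the memcpy already ran */
        collected += chunk;
        size = new_size;
        off += BOX_HDR + chunk;
    }
    return overflow;
}

/* Hardened version: each declared size is checked against the header size,
 * the bytes left in the input and the accumulator's range before anything
 * would be allocated or copied. Returns 0 and sets *total, or -1 on bad input. */
static int concat_checked(const uint8_t *file, size_t len, uint64_t *total)
{
    uint64_t size = 0;
    size_t off = 0;
    while (off + BOX_HDR <= len) {
        uint32_t box_size = rd_be32(file + off);
        if (box_size < BOX_HDR) return -1;          /* chunk length would underflow */
        uint32_t chunk = box_size - BOX_HDR;
        if (chunk > len - off - BOX_HDR) return -1; /* declares more than the file holds */
        if (size + chunk > UINT32_MAX) return -1;   /* would wrap a 32-bit length */
        size += chunk;
        off += BOX_HDR + chunk;
    }
    if (off != len) return -1;                      /* trailing partial header */
    *total = size;
    return 0;
}

static void put_hdr(uint8_t *p, uint32_t box_size, const char *type)
{
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(box_size >> (24 - 8 * i));
    memcpy(p + 4, type, 4);
}

/* Constructed sample: a 64-byte tx3g box, then either an honest 16-byte box
 * (96 bytes total) or a header declaring 0xFFFFFFD0 payload bytes that are
 * not present (80 bytes total). 64 + 0xFFFFFFD0 wraps to 16 in 32 bits. */
static size_t build_sample(uint8_t *out, int malicious)
{
    size_t off = BOX_HDR + 64;
    put_hdr(out, BOX_HDR + 64, "tx3g");
    memset(out + BOX_HDR, 'A', 64);
    if (!malicious) {
        put_hdr(out + off, BOX_HDR + 16, "tx3g");
        memset(out + off + BOX_HDR, 'B', 16);
        return off + BOX_HDR + 16;
    }
    put_hdr(out + off, 0xFFFFFFD0u + BOX_HDR, "tx3g");
    return off + BOX_HDR;
}

/* 0 for the honest sample; 48 for the malicious one (64 copied, 16 allocated). */
uint64_t naive_overflow_bytes(int malicious)
{
    uint8_t buf[128];
    size_t len = build_sample(buf, malicious);
    return concat_naive_overflow(buf, len);
}

/* 80 for the honest sample; -1 (rejected before any allocation) for the malicious one. */
int64_t checked_total_payload(int malicious)
{
    uint8_t buf[128];
    uint64_t total = 0;
    size_t len = build_sample(buf, malicious);
    return concat_checked(buf, len, &total) == 0 ? (int64_t)total : -1;
}
```

The honest file gives the same answer either way. On the malicious file the naive accumulator wraps 64 + 0xFFFFFFD0 to 16, so a real parser would allocate 16 bytes and copy 64 into them, a 48-byte heap overflow triggered before the bogus chunk is ever read. The checked version refuses the file on the second header, which is exactly the behaviour the integer-overflow sanitizer forces at runtime: a wrapped length becomes a hard failure instead of an undersized buffer.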

StageFright will forever hold a place in the annals of Android security thanks to its outsize impact on software development and security research. A decade later, it’s unclear if the “Worst Android vulnerability in mobile OS history” was ever exploited in the real world, but it’s still the most famous.

4

HummingBad earns big bucks for months

A legitimate company, Yingmob, and its illegitimate practices

A hummingbird on the inner screen of a leaked Galaxy Z Fold 2 mockup

Source: @Universeice via X/Twitter

Not every malware story ends with a fix. The StageFright revelation didn’t eliminate the threat, and a year later a startling criminal enterprise emerged. The HummingBad campaign reportedly brought in about $300,000 per month, and Check Point researchers traced it to Yingmob, a Chinese advertising analytics company that ran the malware operation alongside its legitimate business.

The researchers outlined how the software attempted to gain root access on countless devices, chaining several exploits and, when those failed, falling back to a fake system-update prompt that tricked users into granting system-level permissions. An estimated 85 million devices were exposed, with some 10 million falling victim to the campaign. Once a compromised app was installed, it silently installed further malicious apps, which injected countless popup ads and used dark patterns and other illegitimate methods to generate fraudulent clicks.

HummingBad didn’t steal identities or money from its victims, but the root access it obtained could have been used for anything. It degraded millions of users’ experience, and Check Point ranked it the most prevalent mobile malware in the months after its discovery.

3

CovidLock and opportunistic attacks

Striking when stressed users least expect

A screenshot from the "corona live 1.1" malware app

Source: Lookout Research

Additional Covid-centric scam apps, like the above Corona Live 1.1, emerged around the same time.

Unscrupulous groups love taking advantage of worrying news like global health emergencies. That happened in 2020 when CovidLock hit the scene promising to keep users safe from COVID-19 with infection heat maps and statistics. Instead, it changed the device’s lock-screen password and demanded a Bitcoin ransom to restore access.


CovidLock abused a device-administrator ability to set the lock-screen password, which since Android 7.0 only works when the owner hasn’t already set one, so phones without a PIN or password bore the brunt. That showed the average user was still learning about security five years ago, and it underlined how attackers prey on people in stressful medical situations. Other health-themed apps of the period, such as one called Treatment for Diabetes, exposed information like IP addresses and subjected users to invasive, illegal ads. Eventually, Zscaler researchers published a fix for affected devices.

2

xHelper exemplifies improved hacking techniques

Exploits have come a long way, baby

Code snippets arranged so a skull forms in the negative space

Source: Pixabay

Whether it’s injecting popup ads or stealing sensitive information, malicious code needs to stay on a device long enough to do damage, and nothing ensures longevity like being impossible to uninstall. xHelper achieved that: it reinstalled itself after removal and even after a factory reset. That persistence let it keep tricking users into downloading unnecessary apps, driving illicit revenue through pay-per-install schemes.

xHelper stymied researchers for about a year before Malwarebytes outlined a removal process in early 2020, and a Kaspersky researcher documented the mechanism two months later: the malware used the Triada Trojan to gain root and plant its installer in the system partition, where a factory reset doesn’t reach. Its novel persistence and the relatively sophisticated design of contemporaries like CovidLock showed how far threat actors had come over the past dozen years.

1

Pegasus introduces state-sponsored spyware

Helping governments take what’s yours

A magnifying glass revealing a password in a field of green numbers

An Israeli cyber-intelligence company called NSO Group Technologies sells Pegasus, claiming to provide “authorized governments with technology that helps them combat terror and crime.” Researchers at Citizen Lab and Lookout first dissected the spyware in 2016, and the 2021 Pegasus Project investigation brought it to worldwide attention. The long-running tool has allowed governments around the world to spy on individuals, including human rights activists and journalists.

The spyware targets both iOS and Android and goes to great lengths to hide its activity and existence. Rather than relying on a single exploit, it chains several vulnerabilities, including zero-click exploits that need no action from the target. Software like this requires a team of professional developers and plenty of investment. Pegasus has both.

The upside of a tool like Pegasus is that average users have little to worry about: surveillance this intensive costs a fortune per target, and most people aren’t worth it. The worrying part is that Pegasus has the backing to keep going. It might never target you, but a powerful, hard-to-detect, root-level implant aimed at lawyers, lawmakers, and human rights advocates isn’t great for society.

Staying safe from Android malware today

A man sitting on Wi-Fi icon with a fishing rod, reeling in a credit card from a computer

Source: Pixabay

The indefatigable efforts of developers at Google, device manufacturers, and security companies have improved malware detection and pushed down its distribution. That would be unqualified good news if ransomware crews weren’t still extorting hundreds of millions of dollars a year. As smartphones become ever more integrated into personal and professional life, understanding how malware threatens them matters more than ever.

After years of refinement, Android does a good job of mitigating threats at the hardware and software level. Human behavior is, and always will be, the weak point in digital security. A security patch stops malware that depends on a particular bug, but an app can sidestep those protections entirely by talking the user into sideloading it from outside the Play Store or granting powerful permissions such as accessibility services or device-admin rights.



Common techniques such as phishing often end with users willingly handing over their login details. Avoid unfamiliar links and unexpected PDF attachments, never provide private information in response to an email or text message, and always navigate to a service yourself rather than through a link you were sent. Attention is the one protection against ransomware and theft that no patch can supply. Maybe, someday, Android can ship a security patch for the human condition.
