Current Android Malware
Here is the full list of Android malware families with their main capabilities. We will try to keep this table up to date. We took one sample of each family for the data within this table.
Description | Capabilities |
AccuTrack This application turns an Android smartphone into a GPS tracker. |
|
Ackposts This Trojan steals contact information from the compromised device and uploads it to a remote server. |
|
Acnetdoor This Trojan opens a backdoor on the infected device and sends the IP address to a remote server. |
|
Adsms This is a Trojan which is allowed to send SMS messages. The distribution channel of this malware is an SMS message containing the download link. |
|
Airpush/StopSMS Airpush is a very aggressive Ad-Network. |
|
AnServer/Answerbot Opens a backdoor in Android devices and is able to steal personal information which will be uploaded to a remote server afterwards. |
|
Antares/Antammi This is a Trojan which steals personal information from the infected device. |
|
Arspam This malware represents the first stage of politically-motivated hacking (hacktivism) on mobile platforms. |
|
AVPass This malware family tries to detect and circumvent Android security tools (like AntiVirus apps) installed on the infected device. Afterwards, the app tries to steal sensitive data and receives additional commands via SMS. |
|
BackFlash/Crosate This malicious app installs a fake Flash plugin that registers itself as device administrator and leaks sensitive information. |
|
Badaccents This malware claims to download a copy of “The Interview” but instead installs a two-stage banking Trojan onto victims’ devices. |
|
Badnews Once activated, BadNews polls its C&C-Server every four hours for new instructions while pushing several pieces of sensitive information including the device’s phone number and IMEI up to the server. |
|
BankBot This malware tries to steal users’ confidential information and money from bank and mobile accounts associated with infected devices. |
|
Basebridge Forwards confidential details (SMS, IMSI, IMEI) to a remote server. |
|
BeanBot This is a Trojan which is allowed to send SMS messages and which is controlled by a C&C-Server. |
|
Beita A simple info stealer. |
|
Binv This malware is a classical Banking-Trojan that is targeting Brazilian users of Android devices. |
|
BgServ Obtains the user’s phone information (IMEI, phone number, etc.). The information is then uploaded to a specific URL. |
|
Biige This spyware records SMS messages, calls, location, etc. and uploads these data to a remote server. |
|
Booster This application steals personal information and uploads these data to a remote server. |
|
Boxer This trojan sends SMS messages to premium rated numbers. |
|
Cajino This malware is a classical RAT that tries to exfiltrate sensitive information. What makes this sample special is that it is using Baidu Cloud Push service for communication. |
|
Carberp Tries to steal confidential banking authentication codes (mTAN messages) sent to the infected device. |
|
Cawitt This application steals personal information and uploads these data to a remote server. |
|
Cellspy This application is a smartphone tracker. |
|
Chulli This malware family was used in a targeted attack. The e-mail account of a high-profile Tibetan activist was hacked and used to send targeted attacks to other activists and human rights advocates. After a mobile device gets infected, it connects to a C&C-Server and waits for SMS commands to leak sensitive data to this server. |
|
Code4hk/xRAT This malware has been used within targeted attacks in Asia and tries to exfiltrate the geolocation of the victim as well as voice recordings. The malicious sample is spreading through WhatsApp messages. |
|
Coogos Backdoor Trojan which has the capability to receive a remote connection from a malicious hacker and perform actions against the compromised system. |
|
CopyCat Is an aggressive and malicious ad network. The main goal is to generate revenue. |
|
Cosha This application monitors the infected device and sends personal data to a remote server. |
|
Counterclank Is not real malware but a very aggressive ad-network with the capability to steal privacy-related information. |
|
Crusewind Intercepts incoming SMS messages and forwards them to a remote server, including information like IMSI and IMEI. |
|
Dogowar This Trojan sends spam SMS messages to all contacts. |
|
Dougalek This application steals personal information and uploads these data to a remote server. |
|
DroidDeluxe Exploits the device to gain root privilege. Afterwards it modifies the access permission of some system database files and tries to collect account information. |
|
DroidDream Uses two different tools (rageagainstthecage and exploid) to root the smartphone. |
|
DroidDreamLight Gathers information from an infected mobile phone (device, IMEI, IMSI, country, list of installed apps) and connects to several URLs in order to upload this data. |
|
DroidJack/SandoRAT This malware has similar features to other Android RATs. Some of those features include the following: Install any APK, view all messages on the device, listen to call conversations made on the device, etc. |
|
DroidKungfu Collects a variety of information on the infected phone (IMEI, device, OS version, etc.). The collected information is dumped to a local file which is sent to a remote server afterwards. |
|
DroidSheep This application can capture and hijack unencrypted web sessions. |
|
DSEncrypt Steals sensitive information (SMS messages, certificates and private keys, etc.) from infected smartphones and uploads the data to a remote server. |
|
Extension/Monad This Trojan is able to intercept incoming and outgoing phone calls, open a browser and visit specific websites, execute clicks on advertisements and is able to upgrade its own malicious code. Furthermore, the corresponding app can make phone calls, send SMS messages and collects privacy related information like call history, contacts, GPS location and device ID which all will be uploaded to a remote server. |
|
FaceNiff This application can capture and hijack unencrypted web sessions. |
|
FakeAngry Backdoor Trojan which has the capability to receive a remote connection from a malicious hacker and perform actions against the compromised system. |
|
FakeApp.AL A classical Adware for Android. |
|
FakeAV The malware deceives users into paying for cleanup of other non-existent infections on their device. In addition to displaying fake messages of infection, the APK also has the functionality to intercept incoming and outgoing phone calls as well as messages. |
|
FakeBank This app is a Trojan horse for Android devices that opens a back door and steals information from the compromised device. Additionally, it is able to infect a connected Windows PC and tricks the user into exchanging legitimate banking apps for malicious ones. |
|
FakeDaum/vmwol The Trojan gathers the following information from the compromised device: SMS messages, phone number and the IMEI of the infected device. |
|
FakeDefender This app is a Trojan horse for Android devices that displays fake security alerts in an attempt to convince the user to purchase an app in order to remove non-existent malware or security risks from the device. |
|
FakeDoc This Trojan installs additional applications. |
|
FakeFlash This Trojan redirects the user through paid proxies. |
|
FakeInst The most common Fraudware. These applications send premium SMS messages. |
|
FakeJobOffer The malware displays a scam message which tries to make victims believe they have been selected as job candidates. In order to secure their placement in the company, they must make a deposit into a bank account. |
|
FakeMarket The overall goal of this malicious app is simply to fraudulently boost the number of visits to about 20 different websites within Google search. |
|
FakeMart The Trojan may perform the following actions while it is hiding itself as a blackmarket app: Clear the XMBPSP.xml contents in shared preference and reconfigure it to send premium rated SMS messages to 81211 or 81308, set the device to silent mode, delete SMS received from 81211, etc. |
|
FakeNefix This application steals user credentials. |
|
FakeNotify This app sends premium rated SMS messages while using obfuscation and detection techniques to get around AV tools. |
|
FakePlay The application runs in the background, gathering SMS activity and periodically sending it to a proxy email address. Once executed, the Trojan requests Device Administrator privileges. |
|
FakePlayer Sends SMS messages to preset numbers. |
|
FakeRegSMS It sends SMS messages to premium rated numbers and tries to hide this action from the malware investigators by using some kind of steganography. |
|
FakeTaoBao This malware tries to steal user credentials for TaoBao and ZhifuBao. Combined with another app of the same developer it is also able to send SMS messages. |
|
FakeTimer Sends personal information to a remote server and opens pornographic websites. |
|
FakeUpdate/Apkqug This malware family acts as automated downloader for further apps. |
|
FakeVertu SMS Trojan targeting Vertu consumers in Japan. This Trojan receives all incoming SMS messages and uploads them to a remote server. |
|
Find and Call/Fidall Sends personal information (address book) to a remote server. |
|
Finspy This Trojan is a component of a commercial surveillance product that monitors user activity. |
|
Fjcon This Trojan connects to a C&C-Server and has the ability to install additional packages and send premium rated SMS messages. |
|
Flexispy This malware tracks phone calls, SMS messages, internet activity and GPS location. |
|
Foncy This Trojan sends premium rated SMS messages. |
|
Fonefee/Feejar This Trojan sends premium rated SMS messages. |
|
Fokange/Fokonge Is an information-stealing malware which uploads the stolen data to a remote server. |
|
Gamex Opens a back door and installs additional applications. |
|
Gazon This malware tries to exfiltrate sensitive information and is displaying ads. The malicious sample is spreading through WhatsApp and SMS messages. |
|
Geinimi Opens a back door and transmits information from the device (IMEI, IMSI, etc.) to a specific URL. |
|
GGTracker Sends various SMS messages to a premium rated number. It also steals information from the device. |
|
GingerBreak GingerBreak is a root exploit for Android 2.2 and 2.3 |
|
GingerMaster/GingerBreaker Gains root access and harvests data on infected smartphones. This data is sent to a remote server afterwards. |
|
Godwon This app tries to steal contact and personal data from the local address book and the Skype app. |
|
GoldenEagle/GlodEagl This Trojan steals personal information and receives commands via SMS. |
|
GoneIn60Seconds Steals information (SMS messages, IMEI, IMSI, etc.) from infected smartphone and uploads the data to a specific URL. |
|
GPspy Tracks the location of the infected device. |
|
HeHe This Trojan steals text messages and intercepts phone calls. |
|
HideIcon Steals information (SMS messages, IMEI, IMSI, etc.) from an infected smartphone and uploads the data to a remote server. Additionally, it displays full-screen ads to the user. |
|
HippoSMS Sends various SMS messages to a premium rated number and deletes the incoming SMS messages from these numbers. |
|
HongTouTou/Adrd Is an information stealing malware which uploads the stolen data through a local proxy to a remote server. The data is encrypted beforehand. |
|
Iconosys This application steals personal data. |
|
Imlog This application steals personal data. |
|
Jifake This application sends premium rated SMS messages. |
|
JollyServ The Trojan may send premium rated SMS messages, send SMS messages to all contacts of the infected user and intercept incoming SMS messages. |
|
Jsmshider/Xsider Opens a backdoor and sends information to a specific URL. |
|
Kidlogger This Trojan steals personal information and sends it to a remote server. |
|
KMIN Attempts to send Android device data to a remote server. |
|
Ksapp This Trojan can handle remote access connections, perform DoS or DDoS, capture keyboard inputs, delete files or objects, or terminate processes. |
|
LeNa LeNa needs a rooted device for the following actions: Communicating with a C&C-Server, downloading and installing other applications, initiating web browser activity, updating installed binaries, and many more… |
|
Lien/ After installation, the application will collect sensitive user information such as phone number, incoming and outgoing SMS, and recorded audio to an email address. Then it makes use of SMTP servers to send the stolen data back to the attacker. |
|
Locker/SLocker Ransomware This Trojan is the first crypto locker for Android. |
|
Loicdos This Trojan has the capability to perform DoS or DDoS. |
|
Loozfon This Trojan steals personal data. |
|
Lovetrap/Luvrtrap Sends SMS messages to premium rated numbers and steals smartphone information. |
|
Luckycat Opens a backdoor and is listening for commands from a remote server. |
|
Maistealer This Trojan steals personal data. |
|
Malap Another simple info stealer. |
|
Mania This Trojan sends SMS messages to premium rated numbers. |
|
MMarketPay This Trojan can automatically buy applications in Chinese Android marketplaces. |
|
MobiDash Classical Adware that displays full-screen ads to the user. |
|
MobileSpy/Godwon This Trojan steals personal data. |
|
MobileTx This Trojan steals personal data and sends it via SMS messages or HTTP. |
|
Mobinauten This application tracks the location of the infected smartphone. |
|
Moghava Compromises all pictures of the smartphone by merging them with a picture of Ayatollah Khomeini. |
|
Nandrobox This Trojan steals personal data and deletes certain SMS messages. |
|
Netisend Gathers information from infected smartphones and uploads the data to a specific URL. |
|
Nickispy Gathers information from infected smartphones (IMSI, IMEI, GPS location, etc.) and uploads the data to a specific URL. |
|
Obad One of the most sophisticated malware families until 2013. A detailed analysis can be found here. |
|
Oldboot/MouaBad It gains root permission through system vulnerabilities and by reflashing the system partition. It also tries to run malicious code in the early stage of the system’s boot process to avoid being cleaned by AV apps. Afterwards, some versions of this family send out premium rated SMS messages and act as a bot. |
|
OpFake The second most common Fraudware. These applications send premium SMS messages. |
|
PDAspy This Trojan steals personal data and location information. |
|
Penetho This application is a hack tool to crack WiFi passwords. |
|
Photsy/Phopsy This malware tries to leak all jpg and mp4 files from an infected device. |
|
Pincer This malware is able to forward SMS messages and perform other actions based on commands it receives from its remote server. |
|
Pjapps Opens a backdoor and steals information from the device. This malware also implements the capabilities of a bot. |
|
Placms This Trojan can handle remote access connections, perform DoS or DDoS, capture keyboard inputs, delete files or objects, or terminate processes. |
|
Plankton This malware has the capabilities to communicate with a remote server, download and install other applications, send premium rated SMS messages, and many more… |
|
Podec This Trojan sends SMS messages to premium rated numbers and is able to bypass the Advice of Charge system that Android normally displays to the user when sending premium rated messages. |
|
PoisonCake This malware can set itself up, decrypt and drop other payloads, create background services, and is able to perform the following malicious actions: Inject com.android.phone, send and intercept SMS, visit WAP site, collect phone info and upload it to a remote server… |
|
ProxyTrojan/NotCompatible/NioServ This Trojan steals personal data. |
|
Qicsomos It sends SMS messages to premium rated numbers. |
|
Raden This malware is sending one SMS message to a Chinese premium number. |
|
Repane A simple information stealer. |
|
Roidsec/Sinpon A simple Android info stealer. |
|
RootSmart/Bmaster This malware takes advantage of the GingerBreak exploit to gain root privileges. This exploit is not embedded into the application; instead, it is dynamically downloaded from a remote server together with other malicious apps. |
|
RuFraud Sends premium rated SMS messages. This is the first malicious app of this kind which was specially built for European countries. |
|
Saiva This Trojan can handle remote access connections, perform DoS or DDoS, capture keyboard inputs, delete files or objects, or terminate processes. |
|
Samsapo This malware spreads through malicious SMS messages and communicates with a C&C-Server. The corresponding samples have the ability to install additional packages and send premium rated SMS messages. |
|
SaveMe/SocialPath This malware steals SMS messages, contacts, call logs as well as device information and uploads those to a remote server. |
|
Scavir Sends SMS messages to premium rated numbers. |
|
Scipiex A simple information stealer. |
|
SeaWeth This Trojan can handle remote access connections, perform DoS or DDoS, capture keyboard inputs, delete files or objects, or terminate processes. |
|
Selfmite This SMS worm used a legal advertising platform and pay-per-install for monetization and is spreading through SMS messages. |
|
Skullkey The Trojan hides using the Android Master Key vulnerability to keep the legitimate app signature valid. It allows attackers to perform the following actions: Open a back door, steal sensitive data (such as IMEI and phone number) and sends it to a remote server, send premium rated SMS messages, etc. |
|
Smack The spyware is based on XMPP Smack Openfire and has the following capabilities: Upload users’ contact information, short messages, phone records, GPS location and date, hide its icon and intercepts specified short messages. |
|
SMSpacem Gathers information from the smartphone and uploads this data to a specific URL. This malware also sends SMS messages. |
|
SMSreg Registers the infected smartphone to non-free services. |
|
SMSilence/SMSCatcher SMS Trojan targeting Starbucks consumers in South Korea. This Trojan receives all incoming SMS messages and uploads them to a remote server. |
|
SMSspy Banking Trojan targeting consumers in Spain. |
|
SMSsniffer Sends copies of SMS messages to other devices. |
|
Sndapps/Snadapps The malware is able to access various information from the device: the carrier and country, the device’s ID, e-mail address and phone number and uploads this information to a remote server. |
|
SpamBot Sends SMS spam messages. The application gets the content of the spam message and the receiver numbers through a C&C-Server. |
|
Spitmo Is one of the first versions of the SpyEye Trojans for the Android OS which steals information from the infected smartphone. The Trojan also monitors and intercepts SMS messages from banks (mTAN messages) and uploads them to a remote server. |
|
SPPush This malware is sending premium rated SMS messages and is posting privacy related information to a remote server. From the same server the malware is downloading new applications. |
|
SpyBubble This Trojan steals personal data. |
|
SpyOO This Trojan records and steals personal data. |
|
Ssucl This Trojan is the first Android Trojan which is able to infect a connected Windows PC. Additionally, it is able to send SMS messages, enable Wi-Fi, gather information about the device and its user (like contacts, photos, GPS data) which is uploaded to a remote server. Furthermore, this Trojan is able to upload the whole SD card and all SMS messages stored on the device. |
|
Steek/Fatakr Is a fraudulent app advertising an online income solution. Some of the samples have the capability to steal privacy related information and send SMS messages. |
|
TapSnake/Droisnake Posts the phone’s location to a web service. |
|
Tascudap This application connects to a remote server (gzqtmtsnidcdwxoborizslk.com) and monitors incoming SMS messages for commands. The infected device can be used for DDoS attacks. |
|
Tetus This Trojan receives all incoming SMS messages and uploads them to a remote server. The corresponding app is also allowed to delete SMS messages on the infected device and is able to send SMS messages. Additionally, the Trojan sends a list of all installed apps to a remote server. |
|
TigerBot This malware communicates with a C&C-Server via SMS messages, is able to download and install other applications, initiate web browser activities, update installed binaries, and many more… |
|
Titan This malware has been used within targeted attacks in Asia and tries to exfiltrate sensitive information. The malicious sample is spreading through SMS messages. |
|
Tonclank Opens a backdoor and downloads files onto the infected devices. It also steals information from the smartphone. |
|
TGloader/Stiniter Listens to a C&C-Server for commands. This Trojan can install additional applications and send premium rated SMS messages. |
|
Tracer Commercial Spyware – see http://killermobile.com/manuals/TRa.pdf for more information |
|
TypStu This Trojan steals personal data. |
|
UpdtBot This malware spreads through malicious SMS messages and communicates with a C&C-Server. The corresponding samples have the ability to install additional packages and send premium rated SMS messages. |
|
UpdtKiller This Trojan detects and disables installed AV applications. |
|
Uracto This malware tricks mothers, anime fans, gamers, and more into installing the malicious apps and steals sensitive data afterwards. |
|
USBcleaver When the device is connected to a Windows computer that does not have autorun disabled, the Trojan tries to gather a bunch of information from the computer, including: Default gateway, Google Chrome password, IP address, Microsoft Internet Explorer password, WiFi passwords, etc. |
|
Uten When the Trojan is executed, it reports the status of the device back to the attacker and then downloads a configuration file that contains lists of phone numbers. Afterwards, the Trojan sends SMS messages to phone numbers listed in this configuration file. It may also perform the following additional actions: modify device settings, download and install new packages, attempt to get root privileges, etc. |
|
Uxipp This malware attempts to send premium rated SMS messages. |
|
Vdloader This malware opens a backdoor on the infected device and steals personal data. |
|
Walkinwat/Pirater Sends SMS messages to all numbers within the phone book and steals information from the infected device. |
|
Waps/Simhosy This malicious app tries to steal SMS messages and contact entries from an infected device. |
|
Wroba/HijackRAT This malicious app tries to leak privacy-related data or banking credentials from an infected device and combines it with a RAT. |
|
YZHC This malware sends premium rated SMS messages and blocks any incoming message that informs the user about these services. As another malicious behaviour, the malware uploads privacy-critical information to a remote server. |
|
Zeahache Opens a backdoor and uploads stolen information to a specific URL. It also sends SMS messages. |
|
ZergRush ZergRush is a root exploit for Android 2.2 and 2.3 |
|
ZertSecurity These malicious apps try to trick a compromised user into entering his banking account details, which are then sent to the attackers. |
|
Zitmo/Citmo Tries to steal confidential banking authentication codes (mTAN messages) sent to the infected device. |
|
Zsone Sends SMS messages to premium rated numbers related to subscription for SMS-based services. |
(last update 2nd of January 2016)
Functionality of a Botnet | |
Gains root access or at least tries to convince the user to root his phone | |
Downloaded through the official Google-Play Market | |
Sends paid or malicious SMS messages | |
Steals location information | |
Information stealing to a remote server | |
Installs other applications or binaries | |
Potentially unwanted application (“Hacker”-Tools) | |
Banking Trojan which is able to intercept and modify banking authentication codes (mTAN messages). | |
Trojan which is able to infect a connected Windows PC. | |
Trojan which is encrypting all personal data on the device. |
Any information available on
Android.Monitor.MobileTrack.B
I have an uncategorized malware on my Android HTC that I got from “YouTube to mp3 converter”.
It takes away all control from the phone by removing my ability to hard reset and factory reset, and gives me a good 15 seconds before my phone resets itself. I was using my SD card for everything and it might transfer the virus to a computer. Any ideas?
Do you still have the apk-file or the download link of that app?
Hi Michael,
I like the list you’ve compiled. If I give you a bunch of malware names, do you think you can add them to your list? I have samples as well.
Thanks!
Yes, just send them to me and I will add them.
I am doing research and experimentation on “known malicious android apps” – Could you provide the apk for BadNews please.
Please let me know where I can get those malware.
From where can I get malicious Android apps? I am a research scholar and working on security of Android apps.
Where can I get a malware sample?
Unfortunately, we can’t share the samples.
Is there a list of apps in the play store that are infected with these? And how to remove them?
I am an Android security enthusiast. Could you please provide me a dataset of malicious Android APKs?
If yes, please mail them to me.
If not, could you please tell me about the sources where I could get the malicious APKs from.
Thank you.
The Drebin dataset is a very good one: https://www.sec.cs.tu-bs.de/~danarp/drebin/
My phone has at least 2 of these disgusting applications. I believe STARZ is responsible for horrific re-directs and fake virus notifications when I go to movie sites not theirs (I see their name, asking for paid subscriptions and memberships). What can I do to erase, fix this? PLEASE ADVISE. Thanks!