Hundreds of malicious Android apps on Google Play were downloaded more than 40 million times over the past year, targeting users searching for productivity and workflow apps, according to a new report from cybersecurity firm Zscaler.
The Zscaler ThreatLabz 2025 Mobile, IoT, and OT Threat Report pointed to a worrying 67% year-over-year rise in malware attacks on mobile devices between June 2024 and May 2025, driven largely by spyware and banking trojans. Many of these apps disguised themselves as everyday productivity or utility tools, taking advantage of users’ trust in popular app categories.
Cybercriminals Target Mobile Payments
The report shows a clear shift in criminal tactics. Instead of traditional card fraud, attackers are now focusing on mobile payment scams using phishing links, fake SMS messages (smishing), SIM-swapping, and malicious apps to trick users into revealing banking credentials and personal data.
Zscaler discovered 239 harmful apps on the Google Play Store, up from 200 the previous year, which were collectively downloaded 42 million times. Among them were banking trojans like Anatsa; spyware families such as SpyNote and SpyLoan, a category that surged 220% compared to 2024; and adware, which now makes up nearly 70% of all Android malware detections.
Global Hotspots And Rapid Growth
The report identified India (26%), the United States (15%), and Canada (14%) as the top three countries hit by mobile malware, together accounting for 55% of all mobile attacks. India remained the top target and alone saw a 38% rise in threat activity compared to last year.
On the IoT front, the U.S. tops the list with 54% of global malicious traffic directed at American networks, followed closely by Hong Kong, Germany, India, and China. Manufacturing and transportation sectors were the most targeted industries, each representing about 20% of IoT malware incidents.
Meanwhile, the energy sector saw a staggering 387% increase in cyberattacks, underscoring growing threats to critical infrastructure.
“Attackers are pivoting to areas with maximum impact. We’re seeing a YoY rise of 67% in malware targeting mobile devices and 387% in IoT/OT attacks on energy sectors often hosting critical infrastructure, which is a massive swing,” said Deepen Desai, EVP and Chief Security Officer at Zscaler.
Top Malware Families
According to Zscaler’s report, the following three active malware families particularly stood out:
- Anatsa – A sophisticated banking trojan that infiltrates Google Play through productivity apps and can steal data from over 800 financial institutions.
- Android Void (Vo1d) – A backdoor infecting 1.6 million Android TV boxes, primarily in India and Brazil.
- Xnotice – A new remote access trojan (RAT) targeting job seekers in the oil and gas sector through fake job application apps, particularly in the Middle East and North Africa.
Staying Safe
Zscaler warns that even the Google Play Store isn’t entirely safe. It therefore recommends that users:
- Install apps only from trusted developers
- Avoid giving unnecessary permissions (especially Accessibility)
- Keep devices up-to-date
- Run Google Play Protect scans regularly
For businesses, Zscaler recommends implementing Zero Trust security models — a system that continuously verifies every user and device — and integrating AI-driven threat detection networks to spot anomalies early.
“A Zero Trust everywhere approach, combined with AI-powered threat detection, is imperative to reducing the attack surface, limit lateral movement, and provide organizations the defense they need against ever-evolving attacks,” added Desai.
As mobile and connected devices become deeply woven into everyday life, the report warns that the line between personal and enterprise risk is rapidly blurring — making them increasingly attractive targets for cybercriminals.
