I am not clear if we need to count these potential apps within our numbers, but this is something that you Android users need to know about.
On today’s newsletter, it says that there are over 5,280 different applications that could in theory take your data, some of which can actually bypass multi-factor authentication, also known as two-factor authentication.
The article starts out:
There are plenty of phish in the sea, and the latest ones have little interest in your email inbox.
In 2024, Malwarebytes detected more than 22,800 phishing apps on Android, according to the recent 2025 State of Malware report. Of those malicious apps, 5,200 could subvert one of the strongest security practices available today, called “multifactor authentication,” by prying into basic text messages sent to a device. Another 4,800 could even read information from an Android device’s “Notifications” bar to obtain the same info.
If this number holds (I’ve asked someone to look at the accompanying article), this plus the 27 apps we know have been named will potentially blow iOS out of the water.
A very interesting time. The reason they can survive in the Google Play store is that they aren’t doing anything malicious to begin with; to the average user they just look like an app that serves ads.
By disguising themselves as legitimate apps—including for services like TikTok, Spotify, and WhatsApp—Android phishing apps can trick victims into typing in their real usernames and passwords on bogus login screens that are controlled entirely by cybercriminals. If enough victims unwittingly send their passwords, the cyber thieves may even bundle the login credentials for sale on the dark web. Once the passwords are sold, the new, malicious owners will attempt to use individual passwords for a variety of common online accounts—testing whether, say, an email account password is the same one used for a victim’s online banking system, their mortgage payment platform, or their Social Security portal.
This could be a
Same Trick, New Deliveries
For more than a decade, phishing was often understood as an email threat. Cybercriminals would send emails disguised as legitimate communications from major businesses, such as Netflix, Uber, Instagram, Google, and more. These emails would frequently warn recipients about a problem with their accounts—a password needed to be updated, or a policy change required a login.
But when victims followed the links within these malicious emails, they’d be brought to a website that, while appearing genuine, would actually be in complete control of cybercriminals. Fooled by similar color schemes, company logos, and familiar layouts, victims would “log in” to their account by entering their username and password. In reality, those usernames and passwords would just be delivered to cybercriminals on the other side of the website.
There never was a problem with a user’s account, and there never was a real request for information from the company. Instead, the entire back-and-forth was a charade.
This section talks about the fact that you’d get an email or maybe a text saying there’s a problem at some site you may or may not even use.
Some Android phishing apps are disguised as regular videogames or utilities which may ask users to connect with a separate social media account for the primary app to function. The requests are bogus and simply a method for harvesting passwords. Other Android phishing apps pose as popular apps, including TikTok, WhatsApp, and Spotify. These decoy apps are often hosted on less popular mobile app stores, as the protections of the Google Play store often flag and remove these apps, should they ever sneak onto the marketplace.
The article continues:
Most concerning, though, is the recent development from Android phishing apps that pierces one of the strongest security practices in use today: multifactor authentication.
Multifactor authentication is a security measure offered by most major online platforms including banks, retirement systems, social media companies, email providers, and more. With multifactor authentication, a username and password are no longer enough to sign into an account. Instead, the platform will send a separate “code,” typically a six-digit number, that the user must also enter to complete the login process. This code is often sent as a text message directly to the user, who has registered their phone number with the platform.
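The article’s point is that an app only needs to read your text messages or your notifications to capture that six-digit code. As an added example (not from the Malwarebytes article or this newsletter), here is a small adb-based audit that lists which third-party apps on a connected Android device hold SMS-reading permissions or notification-listener access; it assumes adb is installed and USB debugging is enabled, and the parsing lives in functions that read stdin so they can be checked offline.

```shell
#!/bin/sh
# Added example: report installed third-party apps that could read MFA codes the
# way the article describes, either via SMS permissions or a notification listener.
# Assumes adb is installed and a device with USB debugging is connected.

# Print the SMS-related permissions an app has actually been granted, given the
# output of `adb shell dumpsys package <pkg>` on stdin (one permission per line).
granted_sms_perms() {
  grep -oE 'android\.permission\.(READ_SMS|RECEIVE_SMS|RECEIVE_MMS|RECEIVE_WAP_PUSH): granted=true' \
    | sed -E 's/: granted=true//' | sort -u
}

# Turn the enabled_notification_listeners setting ("pkg/Component:pkg2/Component2")
# into one package name per line, given the setting's value on stdin.
listener_packages() {
  tr ':' '\n' | sed -E 's#/.*##' | grep -v '^$' | sort -u
}

# Walk every third-party package on the device and report the two capabilities.
audit_device() {
  echo "== Third-party apps granted SMS-reading permissions =="
  for pkg in $(adb shell pm list packages -3 | tr -d '\r' | sed 's/^package://'); do
    perms=$(adb shell dumpsys package "$pkg" | tr -d '\r' | granted_sms_perms)
    [ -n "$perms" ] && printf '%s\n%s\n' "$pkg" "$perms" | sed '2,$s/^/    /'
  done
  echo "== Apps with notification-listener access (can read any notification text) =="
  adb shell settings get secure enabled_notification_listeners | tr -d '\r' | listener_packages
}

# Only talk to a device when invoked with --run, so the functions can be sourced alone.
if [ "${1:-}" = "--run" ]; then
  audit_device
fi
```

Review each package the audit prints against what the app is supposed to do; a game or wallpaper app with READ_SMS or a notification listener is the pattern the article warns about.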
Do the typical things, says the article: check reviews to see if anything is amiss, use multi-factor authentication on your sensitive accounts, and use unique passwords, which will be the key. Finally, if you download from the Google Play store you should be fine in practice, but never just search for an app you’re looking for; I say get someone to send you the link to the app they want you to use, or find a link to the app in the store on the page of the company you’re interested in.
“Phishing evolves beyond email to become latest Android app threat” is the article from Malwarebytes. Have fun with this one.
Discover more from Jared's Technology podcast network