Full Report
April 1, 2026

According to detection statistics collected by Dr.Web Security Space for mobile devices, the trojans Android.MobiDash and Android.HiddenAds, which display intrusive ads, continued to decline in activity in the first quarter (Q1) of 2026. Compared to the fourth quarter of last year, they were detected on protected devices 32.70% and 7.09% less often, respectively. They lost their lead to the Android.Banker banking trojans, whose activity increased by more than 2.5 times over the last three months, making them the most widespread Android threats. Such malicious apps intercept SMS containing transaction confirmation codes sent by banks, display phishing windows, and can imitate the appearance of real banking software to steal confidential data. Users were most likely to encounter trojans from the Android.Banker.Mamont subfamily, which includes a variety of malicious programs.

Also widely common in Q1 were apps to which junk code had been added to obscure their logic; they accounted for 15.35% of all detections registered. This modification is performed with the NP Manager tools for modding Android software, and since last fall it has been used actively in the Android.Banker.Mamont trojan family to evade anti-virus detection. That is why we warn users when a particular app has been altered in this way: Dr.Web anti-virus products detect such apps as Tool.Obfuscator.TrashCode. Other widespread potentially dangerous software, despite a 31.65% decrease in the number of detections, was again software modified with the NP Manager tool itself (Dr.Web detects it as Tool.NPMod). NP Manager contains modules for protecting and obfuscating app code as well as for bypassing the apps' own digital signature verification once they have been modified. Cybercriminals use it to protect malware so that anti-viruses have a harder time detecting it.

The most prevalent unwanted software was Program.FakeAntiVirus, fake anti-viruses that allegedly detect threats and demand that users purchase the full version to "cure" the infection. Users again encountered apps from the Program.FakeMoney and Program.CloudInject families. The former supposedly allow users to earn money by completing various tasks. The latter are apps modified using the CloudInject cloud service, which grants them dangerous system permissions and adds obfuscated code whose functionality the person requesting the modification cannot control.

The most frequently detected adware programs were Adware.Bastion.1.origin "optimization" apps. These periodically create notifications with misleading messages about alleged low memory and system errors; their goal is to display ads during the "optimization". Another popular adware was Adware.Opensite.15, programs that cybercriminals pass off as cheat tools for obtaining resources in games but that in reality load ad-filled websites. Adware.AdPush, programs with built-in ad-displaying modules, were also widespread once again.

In January, Doctor Web informed users about a new family of trojan clickers, dubbed Android.Phantom. Our virus analysts identified several distribution sources for these malicious apps. One was GetApps, the official app catalog for Xiaomi devices, where the trojans were found embedded in several games. Threat actors also distributed the clickers inside mods of popular software via Telegram channels, Discord servers, online software collections, and malicious websites. Using Android.Phantom trojans, cybercriminals manipulate ad clicks on websites with the help of both machine-learning technology and WebRTC, a technology for transmitting streaming data (including video) through a browser. The trojans load target websites in a WebView together with JavaScript code that simulates user actions. Interaction with ads occurs in one of two modes. If a device supports WebRTC, the clickers broadcast a virtual screen showing the loaded website to the attackers, who then control the website manually or with an automated system. If WebRTC is not available, automated JavaScript using the TensorFlow.js framework is used instead: the clickers download the required behavioral model from a remote server, together with the JavaScript that contains the framework itself and all of the functions needed for the model to operate and interact with the target sites.

Over the course of Q1, Doctor Web's anti-virus laboratory identified new threats on Google Play. Among them were many Android.Joker trojans as well as the malicious apps Android.Subscription.23 and Android.Subscription.24. All of them are designed to subscribe users to paid services.

Principal trends of Q1 2026

- Android.Banker banking trojans became the most common Android threats.
- Cybercriminals have begun using Android app modding tools more often to protect banking trojans.
- The ad-displaying trojans Android.MobiDash and Android.HiddenAds continued to be less active.
- The spread of Android.Phantom trojan apps, which use machine learning and video broadcasts to boost clicks on websites, was notable.
- New malware was detected on Google Play.

The most common threats according to statistics collected by Dr.Web Security Space for mobile devices

Android.Banker.Mamont.80.origin
A banking trojan that intercepts SMS containing one-time codes from credit organizations, hijacks the contents of notifications, and collects other confidential information: technical data about the infected device, the list of installed apps, and information about the SIM card, phone calls, and sent and received SMS.

Android.FakeApp.1600
A trojan app that loads the website hardcoded into its settings. Known modifications of this malicious program load an online casino site.

Android.HiddenAds.675.origin
A trojan app designed to display intrusive ads.
Members of the Android.HiddenAds family are often distributed as popular and harmless applications. In some cases, other malware can install them in the system directory. Once they infect Android devices, they typically conceal their presence from the user, for example by "hiding" their icons from the home screen menu.

Android.Packed.57.origin
The detection name for an obfuscator used to protect apps, including malicious ones (for example, some Android.SpyMax banking trojan versions).

Android.Click.1812
The detection name for malicious WhatsApp messenger mods that can covertly load various websites in the background.

Program.FakeAntiVirus.1
The detection name for adware programs that imitate anti-virus software. These apps inform users of nonexistent threats, mislead them, and demand that they purchase the software's full version.

Program.FakeMoney.11
The detection name for Android applications that allegedly allow users to earn money by completing different tasks. These apps make it look as if rewards accrue for each completed task, while telling users that they must accumulate a certain sum before withdrawing their "earnings". Typically, such apps list popular payment systems and banks that supposedly could be used to withdraw the rewards, but even users who accumulate the needed amount never receive any real payment. This virus record is also used to detect other unwanted software based on the source code of such apps.

Program.CloudInject.5
Program.CloudInject.1
The detection name for Android programs that have been modified using the CloudInject cloud service and the eponymous Android utility (the latter was added to the Dr.Web virus database as Tool.CloudInject). Such programs are modified on a remote server; the modders (users) who request such modifications cannot control exactly what will be added to the apps. Moreover, these programs receive a number of dangerous system permissions. Once modification is complete, modders can remotely manage these apps: blocking them, displaying custom dialogs, tracking when other software is installed on or removed from the device, and so on.

Program.SnoopPhone.1.origin
An application designed to monitor the activity of Android device owners. It allows intruders to read SMS, collect call information, track the device's location, and record the surroundings.

Tool.Obfuscator.TrashCode.1
Tool.Obfuscator.TrashCode.2
The detection name for Android programs to which junk code has been added using hacker tools for modifying Android apps. Such modification is performed to scramble the apps' logic. This technique is often found in banking trojans and pirated software.

Tool.NPMod.3
Tool.NPMod.1
The detection name for Android programs that have been modified using the NP Manager utility. This tool contains modules for obfuscating and protecting the apps' code as well as for bypassing their digital signature verification after they have been modified. The obfuscation it adds is often used to make malware more difficult to detect and analyze.

Tool.LuckyPatcher.2.origin
A tool that allows apps installed on Android devices to be modified (by creating patches for them) in order to change the logic of their work or to bypass certain restrictions. For instance, users can apply it to disable root-access verification in banking software or to obtain unlimited resources in games. To add patches, the utility downloads specially prepared scripts from the Internet; these scripts can be crafted and added to a common database by any third party. The functionality of such scripts can prove to be malicious, so patches made with this tool can pose a potential threat.

Adware.Bastion.1.origin
The detection name for optimization programs that periodically create notifications containing misleading messages. They inform users about alleged low memory and system errors in order to display ads during "optimization".

Adware.AdPush.3.origin
An adware module that can be built into Android apps. It displays notifications containing ads that mislead users; for example, such notifications can look like messages from the operating system. In addition, this module collects a variety of confidential data and is able to download other apps and initiate their installation.

Adware.Opensite.15
Apps passed off as cheat tools for obtaining resources in games. In fact, they are created to display ads. These programs receive a configuration from a remote server and use it to open a target website containing ads such as banners, pop-up windows, and video clips.

Adware.Fictus.1.origin
An adware module that malicious actors embed into cloned versions of popular Android games and applications. Its incorporation is facilitated by a specialized net2share packer. Copies of software created this way are then distributed through various software catalogs. When installed on Android devices, such apps and games display obnoxious ads.

Adware.Airpush.7.origin
Adware modules that can be built into Android apps and display various ads. Depending on the modules' version and modification, these can be notifications containing ads, pop-up windows, or banners. Malicious actors often use these modules to distribute malware by offering their potential victims diverse software for installation. Moreover, such modules collect personal information and send it to a remote server.

Threats on Google Play

In Q1 2026, Doctor Web's anti-virus laboratory experts discovered more Android.Joker malicious programs, which subscribe victims to paid services. The trojans were concealed in a number of tools for optimizing the operation of Android devices and were distributed under the guise of messengers, multimedia, and other software. In total, they have been installed at least 370,000 times.

Examples of Android.Joker malware detected on Google Play in Q1 2026: Android.Joker.2511 was built into the messenger Private Chat Message, and Android.Joker.2524 into the camera app Magic Camera.

Our malware analysts also discovered the malicious programs Android.Subscription.23 and Android.Subscription.24, which are likewise designed to subscribe users to paid services. These trojans load websites where a paid mobile subscription is activated with the help of WAP Click technology. On these sites, users are asked to provide their mobile phone number, after which an attempt is made to activate a subscription automatically. Both trojans were downloaded from Google Play over 1.5 million times in total.

The Android.Subscription.23 and Android.Subscription.24 malicious programs were distributed as Stream Hive and Prime Link, apps for managing personal finances, but their only functionality was loading websites that subscribe Android device owners to paid mobile services.

To protect your Android device from malware and unwanted programs, we recommend installing Dr.Web anti-virus products for Android.

Indicators of compromise
Analysis Summary
# Tool/Technique: Android.Phantom
## Overview
Android.Phantom is a family of trojan clickers that Doctor Web reported in January 2026. Its purpose is to generate fraudulent ad revenue by manipulating clicks on websites loaded in a WebView. It differs from traditional clickers in that the interaction is driven either by a remote operator watching a WebRTC screen broadcast or by a machine-learning behavioral model (TensorFlow.js) downloaded from the attackers' server, rather than by a fixed click script shipped in the app.
## Technical Details
- **Type:** Malware family (Trojan Clicker)
- **Platform:** Android
- **Capabilities:** Machine-learning-driven interaction (TensorFlow.js behavioral model), WebRTC screen broadcast to operators, JavaScript injection into a WebView, remote download of the framework and model.
- **First Seen:** Reported by Doctor Web in January 2026
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
- **T1474 - Supply Chain Compromise:** Trojanized games published in Xiaomi's official GetApps catalog, and trojanized mods of popular software spread through Telegram channels, Discord servers, online software collections and malicious websites (closest Mobile ATT&CK fit; the report does not say how the games reached the catalog).
- **[TA0009 - Collection]**
- **T1513 - Screen Capture:** Broadcasts a virtual screen showing the loaded website to the operators over WebRTC, for manual or automated control.
- **[TA0007 - Discovery]**
- **T1426 - System Information Discovery:** Checks whether the device supports WebRTC to choose between the two operating modes.
- **[TA0011 - Command and Control]**
- **T1544 - Ingress Tool Transfer:** Downloads the TensorFlow.js framework, the supporting JavaScript and the behavioral model from a remote server.
## Functionality
### Core Capabilities
- **Simulated Interaction:** Loads target websites in a `WebView` together with JavaScript that simulates user actions on the ads.
- **Dynamic Framework Loading:** Downloads the **TensorFlow.js** framework, the supporting JavaScript and a behavioral model from a remote server, so the interaction logic can be changed without updating the app.
- **Distribution:** Trojanized games on Xiaomi's GetApps catalog, and trojanized mods of popular software on Telegram channels, Discord servers, online software collections and malicious websites.
### Advanced Features
- **Hybrid Operation Modes:**
1. **WebRTC Mode:** If the device supports WebRTC, the trojan streams a virtual screen of the loaded website to the attackers, who interact with the ads manually or through an automated system on their side.
2. **Machine Learning Mode:** If WebRTC is unavailable, the trojan downloads TensorFlow.js, the supporting JavaScript and a behavioral model from a remote server and runs them in the WebView to simulate user actions on the target site without an operator.
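The machine-learning mode described above (and in the report's own Android.Phantom paragraph earlier on this page) leaves a network-side trace: a WebView, not a browser, fetches a TensorFlow.js bundle, then a `model.json` manifest and the `groupN-shardMofK.bin` weight shards it references, from the operators' server. The Python below is an added example written for this page, not Dr.Web's tooling and not code from the malware: it scans constructed proxy log lines (the log format, hosts and client addresses are assumptions) and flags Android WebView clients, recognised by the "; wv" token in the user agent, that pull all three artefacts.

```python
import re
from collections import defaultdict

# Constructed proxy log (not from the report). Fields: time, client, "user agent", method, URL, status.
# 10.0.0.5 is an Android WebView pulling a TensorFlow.js bundle, a model manifest and its weight shards;
# 10.0.0.9 is an ordinary Chrome browser loading a news site.
WV_UA = ('Mozilla/5.0 (Linux; Android 13; Pixel 6 Build/TQ3A.230805.001; wv) AppleWebKit/537.36 '
         '(KHTML, like Gecko) Version/4.0 Chrome/120.0.0.0 Mobile Safari/537.36')
BROWSER_UA = ('Mozilla/5.0 (Linux; Android 14; SM-S911B) AppleWebKit/537.36 '
              '(KHTML, like Gecko) Chrome/121.0.0.0 Mobile Safari/537.36')
SAMPLE_LOG = "\n".join([
    f'2026-02-03T10:00:01Z 10.0.0.5 "{WV_UA}" GET https://ads-engine.example.invalid/lib/tf.min.js 200',
    f'2026-02-03T10:00:02Z 10.0.0.5 "{WV_UA}" GET https://ads-engine.example.invalid/models/clicker/model.json 200',
    f'2026-02-03T10:00:02Z 10.0.0.5 "{WV_UA}" GET https://ads-engine.example.invalid/models/clicker/group1-shard1of2.bin 200',
    f'2026-02-03T10:00:03Z 10.0.0.5 "{WV_UA}" GET https://ads-engine.example.invalid/models/clicker/group1-shard2of2.bin 200',
    f'2026-02-03T10:00:05Z 10.0.0.9 "{BROWSER_UA}" GET https://news.example.invalid/js/jquery.min.js 200',
    'this line is deliberately malformed and must be skipped',
])

LINE_RE = re.compile(r'^(\S+) (\S+) "([^"]*)" (\S+) (\S+) (\d{3})$')
# TensorFlow.js artefacts: the library bundle, the model manifest, and the weight shards the manifest lists.
TFJS_BUNDLE = re.compile(r'/tf(?:js)?(?:-core|-layers|-converter)?(?:\.min)?\.js(?:\?|$)', re.I)
MODEL_JSON = re.compile(r'/model\.json(?:\?|$)', re.I)
WEIGHT_SHARD = re.compile(r'/group\d+-shard\d+of\d+\.bin(?:\?|$)', re.I)


def is_android_webview(user_agent):
    """Android's system WebView marks its user agent with a "; wv" token that Chrome itself never sets."""
    return "Android" in user_agent and "; wv)" in user_agent


def find_tfjs_in_webview(log_text):
    """Return one alert per WebView client that fetched bundle + model.json + at least one weight shard."""
    per_client = defaultdict(lambda: {"bundle": 0, "model": 0, "shards": 0, "hosts": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole sweep
        _ts, client, ua, _method, url, _status = m.groups()
        if not is_android_webview(ua):
            continue
        parts = url.split("/", 3)
        host = parts[2] if len(parts) > 2 else url
        rec = per_client[client]
        for key, pattern in (("bundle", TFJS_BUNDLE), ("model", MODEL_JSON), ("shards", WEIGHT_SHARD)):
            if pattern.search(url):
                rec[key] += 1
                rec["hosts"].add(host)
    return [{"client": c, "hosts": sorted(r["hosts"]), "shards": r["shards"]}
            for c, r in per_client.items() if r["bundle"] and r["model"] and r["shards"]]


if __name__ == "__main__":
    for alert in find_tfjs_in_webview(SAMPLE_LOG):
        print(f"{alert['client']}: WebView loaded TensorFlow.js + model from {alert['hosts']} "
              f"({alert['shards']} weight shard(s))")
```

Legitimate apps also embed TensorFlow.js in a WebView, so treat a hit as a triage signal to be correlated with the requesting app (for example through a per-app VPN or the device's own network log) rather than as a verdict; a hit attributed to a game or to a messenger mod is the pattern the report describes.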
---
# Tool/Technique: NP Manager (Tool.NPMod / Tool.Obfuscator.TrashCode)
## Overview
NP Manager is an Android app modding utility. It has legitimate hobbyist uses, but cybercriminals, notably the operators of the Android.Banker.Mamont family, have used it heavily since fall 2025 to obfuscate malicious code and evade signature-based anti-virus detection. Dr.Web detects NP Manager-modified apps as Tool.NPMod and apps padded with its junk code as Tool.Obfuscator.TrashCode.
## Technical Details
- **Type:** Attack Tool / Framework (Android Modding Utility)
- **Platform:** Android
- **Capabilities:** Code obfuscation, junk code injection, digital signature bypass, app logic scrambling.
- **First Seen:** Use against Mamont bankers noted since fall 2025; in Q1 2026 Tool.Obfuscator.TrashCode accounted for 15.35% of all detections while Tool.NPMod fell 31.65% quarter on quarter.
## MITRE ATT&CK Mapping
- **[TA0005 - Defense Evasion]**
- **T1406 - Obfuscated Files or Information:** Junk ("trash") code injection and code-protection modules that scramble application logic and defeat signature-based detection.
- **Signature-verification bypass (no exact Mobile ATT&CK technique):** Disables the modified app's own signature self-check. Android only installs signed packages, so a modified build has to be re-signed with the modder's key; the bypass keeps the app from noticing the new signer.
## Functionality
### Core Capabilities
- **TrashCode Injection:** Adds large volumes of junk code that scrambles the app's logic, changes its hash and makes static analysis and signature matching harder. Dr.Web flags the result as Tool.Obfuscator.TrashCode.
- **Signature Bypassing:** Modules that neutralize the app's own signature verification so a modified, re-signed `.apk` runs as if it were the original build.
### Advanced Features
- **Protection Modules:** Code-protection and obfuscation modules that make the modified app harder for analysts and anti-virus engines to reverse.
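Because NP Manager's bypass works inside the modified app, the signer check has to be made outside it. The Python below is an added example for this page, not code from NP Manager, Dr.Web or any app: it walks the APK Signing Block (the structure defined by APK Signature Scheme v2), pulls each signer's certificate and compares its SHA-256 fingerprint with the vendor's pinned value, which is what an analyst or an MDM can do to spot a re-signed build. The APK and certificate are constructed in memory (`FAKE_CERT` stands in for a real DER certificate; digests and signatures are left empty because the example shows the layout and the fingerprint comparison, not cryptographic verification).

```python
import hashlib
import io
import struct
import zipfile

V2_ID = 0x7109871A            # APK Signature Scheme v2 block ID
V3_ID = 0xF05368C0            # APK Signature Scheme v3 block ID (listed for completeness)
MAGIC = b"APK Sig Block 42"   # 16-byte magic that closes the APK Signing Block

FAKE_CERT = b"CONSTRUCTED-FAKE-DER-CERT"              # stands in for the vendor's DER certificate
FAKE_CERT_SHA256 = hashlib.sha256(FAKE_CERT).hexdigest()


def _lp(b):
    """uint32 little-endian length prefix, used for every field in the v2 scheme."""
    return struct.pack("<I", len(b)) + b


def _seq(items):
    """Length-prefixed sequence of length-prefixed items."""
    return _lp(b"".join(_lp(i) for i in items))


def _items(body):
    """Iterate the length-prefixed items inside the body of a sequence."""
    pos = 0
    while pos < len(body):
        ln = struct.unpack_from("<I", body, pos)[0]
        yield body[pos + 4:pos + 4 + ln]
        pos += 4 + ln


def _eocd_and_cd(apk):
    """Offsets of the zip end-of-central-directory record and of the central directory."""
    eocd = apk.rfind(b"PK\x05\x06")
    return eocd, struct.unpack_from("<I", apk, eocd + 16)[0]


def build_fake_apk(cert_der=None):
    """Construct a tiny APK; with CERT_DER, splice in a structurally valid v2 block around it.
    Digests, signatures and the public key are left empty: this exercises the layout and the
    certificate extraction, not cryptographic verification."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
    data = buf.getvalue()
    if cert_der is None:
        return data
    eocd, cd_off = _eocd_and_cd(data)
    signed_data = _seq([]) + _seq([cert_der]) + _seq([])      # digests, certificates, attributes
    signer = _lp(signed_data) + _seq([]) + _lp(b"")           # signed data, signatures, public key
    value = _seq([signer])
    pair = struct.pack("<QI", 4 + len(value), V2_ID) + value  # uint64 pair length, uint32 ID, value
    size = len(pair) + 8 + 16                                  # pairs + trailing size + magic
    block = struct.pack("<Q", size) + pair + struct.pack("<Q", size) + MAGIC
    # The block sits between the last local file entry and the central directory, so only the
    # central-directory offset in the EOCD has to move; local header offsets stay valid.
    return (data[:cd_off] + block + data[cd_off:eocd + 16]
            + struct.pack("<I", cd_off + len(block)) + data[eocd + 20:])


def signing_block(apk):
    """Return {block_id: value} from the APK Signing Block, or {} if the APK has none (v1/JAR only)."""
    _eocd, cd_off = _eocd_and_cd(apk)
    if apk[cd_off - 16:cd_off] != MAGIC:
        return {}
    size = struct.unpack_from("<Q", apk, cd_off - 24)[0]
    pos, end = cd_off - size, cd_off - 24                      # first ID-value pair .. trailing size
    pairs = {}
    while pos < end:
        ln, block_id = struct.unpack_from("<QI", apk, pos)
        pairs[block_id] = apk[pos + 12:pos + 8 + ln]
        pos += 8 + ln
    return pairs


def v2_cert_fingerprints(v2_value):
    """SHA-256 of each signer's first certificate, i.e. the certificate Android treats as the signer."""
    fps = []
    for signer in _items(next(_items(v2_value))):
        signed_data = next(_items(signer))                     # first field of a signer
        _digests, certificates, _attrs = _items(signed_data)
        first = next(_items(certificates), None)
        if first is not None:
            fps.append(hashlib.sha256(first).hexdigest())
    return fps


def signer_status(apk, pinned_sha256):
    """Classify an APK against the vendor's pinned signing-certificate fingerprint."""
    pairs = signing_block(apk)
    if V2_ID not in pairs:
        return "no-v2-block"      # JAR-only or unsigned: not how a current vendor build ships
    return "pinned-signer" if pinned_sha256 in v2_cert_fingerprints(pairs[V2_ID]) else "re-signed"


def entry_names(apk):
    """Show the archive is still readable after the block was spliced in."""
    return zipfile.ZipFile(io.BytesIO(apk)).namelist()


if __name__ == "__main__":
    apk = build_fake_apk(FAKE_CERT)
    print(entry_names(apk), [hex(i) for i in signing_block(apk)])
    print(signer_status(apk, FAKE_CERT_SHA256), signer_status(apk, "00" * 32),
          signer_status(build_fake_apk(), FAKE_CERT_SHA256))
```

On a real APK, pass the file's bytes instead of `build_fake_apk(...)` and pin the fingerprint the vendor publishes (or the one `apksigner verify --print-certs` reports for a known-good build). A v1-only (JAR) signature on an app the vendor ships v2/v3-signed is itself a sign of re-packaging.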
---
# Tool/Technique: Android.Banker.Mamont
## Overview
The subfamily of Android.Banker banking trojans that users encountered most often in Q1 2026, the quarter in which Android.Banker as a whole became the most widespread Android threat. It steals money through credential harvesting, SMS interception and notification hijacking.
## Technical Details
- **Type:** Malware family (Banking Trojan)
- **Platform:** Android
- **Capabilities:** SMS interception, Phishing, Information Theft (PII), Anti-virus evasion.
- **First Seen:** Longstanding family; detections of Android.Banker trojans rose more than 2.5x in Q1 2026 against Q4 2025.
## MITRE ATT&CK Mapping
- **[TA0006 - Credential Access]**
- **T1417.002 - Input Capture: GUI Input Capture:** Displays phishing windows that imitate real banking software to harvest credentials.
- **[TA0009 - Collection]**
- **T1636.004 - Protected User Data: SMS Messages:** Intercepts SMS containing one-time transaction confirmation codes.
- **T1517 - Access Notifications:** Hijacks the contents of notifications.
- **T1636.002 - Protected User Data: Call Log:** Collects information about phone calls.
- **[TA0007 - Discovery]**
- **T1426 - System Information Discovery:** Collects technical data about the device and the SIM card.
- **T1418 - Software Discovery:** Collects the list of installed apps.
## Functionality
- **SMS Interception:** Steals one-time passwords (OTPs) and transaction confirmation codes that banks send via SMS.
- **Social Engineering:** Imitates the UI of real banking software and shows phishing windows so that victims enter their credentials.
- **Notification Hijacking:** Captures the contents of notifications, a second channel for the same confirmation codes and account alerts.
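The capabilities above map onto concrete Android manifest declarations, which is the fastest static triage an analyst can run on a suspected Mamont sample and the basis of the permission-hardening advice at the end of this page. The Python below is an added example for this page, not Dr.Web's detection logic: it reads a decoded `AndroidManifest.xml` (as produced by apktool; inside the APK the manifest is binary XML) and scores the combination of SMS access, a notification listener service, overlay permission, SIM/call data and app inventory against the app's declared purpose. The two manifests, the weights and the threshold are constructed assumptions.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"   # the android: XML namespace

# Capability -> (weight, why it matters for a Mamont-style banker). Weights are assumed for this example.
RULES = {
    "sms_interception":    (4, "RECEIVE_SMS / READ_SMS: can intercept one-time confirmation codes"),
    "notification_access": (3, "notification listener service: can hijack notification contents"),
    "overlay":             (3, "SYSTEM_ALERT_WINDOW: can draw phishing windows over banking apps"),
    "sim_and_calls":       (1, "READ_PHONE_STATE / READ_CALL_LOG: SIM and call information"),
    "app_inventory":       (1, "QUERY_ALL_PACKAGES: list of installed apps"),
}
# What an app of a given declared purpose may legitimately need; everything else is scored.
ALLOWED = {
    "sms":    {"sms_interception", "notification_access"},
    "dialer": {"sim_and_calls"},
}
BANKER_THRESHOLD = 7   # assumed: SMS access plus either overlay or notification access

# Constructed manifests (not real apps). The first mimics a "finance helper" with a Mamont-like
# permission set; the second is a camera app that asks only for the camera.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.financehelper">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <application>
    <service android:name=".Listener"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.camera">
  <uses-permission android:name="android.permission.CAMERA"/>
  <application/>
</manifest>"""


def capabilities(manifest_xml):
    """Derive the capability set from the manifest's uses-permission and service declarations."""
    root = ET.fromstring(manifest_xml)
    uses = {e.get(A + "name") for e in root.iter("uses-permission")}
    # A notification listener is not a uses-permission: it is a <service> guarded by
    # BIND_NOTIFICATION_LISTENER_SERVICE that the user is talked into enabling in Settings.
    guards = {e.get(A + "permission") for e in root.iter("service")}
    caps = set()
    if uses & {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}:
        caps.add("sms_interception")
    if "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE" in guards:
        caps.add("notification_access")
    if "android.permission.SYSTEM_ALERT_WINDOW" in uses:
        caps.add("overlay")
    if uses & {"android.permission.READ_PHONE_STATE", "android.permission.READ_CALL_LOG"}:
        caps.add("sim_and_calls")
    if "android.permission.QUERY_ALL_PACKAGES" in uses:
        caps.add("app_inventory")
    return caps


def score(manifest_xml, declared_purpose):
    """Return (score, findings) for the capabilities the declared purpose does not justify."""
    unjustified = capabilities(manifest_xml) - ALLOWED.get(declared_purpose, set())
    findings = [(cap, RULES[cap][1]) for cap in sorted(unjustified)]
    return sum(RULES[cap][0] for cap, _ in findings), findings


if __name__ == "__main__":
    for name, manifest, purpose in (("finance helper", SUSPECT_MANIFEST, "finance"),
                                    ("camera", BENIGN_MANIFEST, "camera")):
        total, findings = score(manifest, purpose)
        verdict = "banker-like" if total >= BANKER_THRESHOLD else "unremarkable"
        print(f"{name}: score {total} -> {verdict}")
        for cap, why in findings:
            print(f"  {cap}: {why}")
```

The declared purpose matters: the same SMS and notification-listener declarations are unremarkable in an SMS app and damning in a "finance helper", which is why the score is computed on the capabilities the stated purpose leaves unexplained.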
---
## Indicators of Compromise (General Q1 2026)
*Note: This page publishes no hashes or domains; the report links to a separate indicators-of-compromise list.*
- **File Names (Associated Apps):**
- `Private Chat Message` (Android.Joker.2511)
- `Magic Camera` (Android.Joker.2524)
- `Stream Hive` (Android.Subscription.23)
- `Prime Link` (Android.Subscription.24)
- **Network Indicators:** None are published on this page. Network behaviours worth hunting, taken from the report:
- A WebView fetching TensorFlow.js, supporting JavaScript and a behavioral model from a remote server, or opening WebRTC sessions from an app that is not a calling or conferencing app (Android.Phantom).
- Loads of WAP-billing subscription pages that ask for the user's phone number (Android.Subscription.23/.24).
- Mods of popular software obtained from Telegram channels, Discord servers, online software collections and malicious websites.
- **Behavioral Indicators:**
- WebView activity in apps that show no web content to the user, with JavaScript loaded from a remote server.
- Requests for high-risk permissions (SMS access, notification listener access, drawing over other apps) by apps whose stated purpose does not need them.
- Apps that Dr.Web flags as `Tool.NPMod` or `Tool.Obfuscator.TrashCode`, i.e. builds modified with NP Manager or padded with its junk code.
## Mitigation Strategies
- **Market Source Control:** Install apps only from official catalogs, but vet the developer even there: the report found Android.Phantom in games on Xiaomi's GetApps and Android.Joker and Android.Subscription trojans on Google Play.
- **Permission Hardening:** Deny SMS, notification listener and draw-over-apps permissions to apps that do not fundamentally require them (e.g., calculators, cameras, "finance" apps that only open websites).
- **Security Software:** Use a mobile anti-virus that detects NP Manager-modified and junk-code-padded builds (Tool.NPMod, Tool.Obfuscator.TrashCode) as well as the trojans themselves.