July 1, 2026 According to detection statistics collected by Dr.Web Security Space for mobile devices, Android.Banker banking trojans were less active in the second quarter (Q2) of 2026—by 31.83%, compared to the first quarter (Q1). At the same time, they remained the most widespread Android malware: this family accounted for 23.28% of all malware detections. These trojans steal various confidential data, such as SMS containing one-time codes from credit organizations and logins and passwords for accessing online bank accounts, and they can also display phishing windows. As in the previous quarter, users were more likely to encounter the Android.Banker.Mamont subfamily, which includes various malicious apps. Over the last three months, the ad-displaying trojans Android.MobiDash and Android.HiddenAds continued to be less active. However, they remain some of the most common malicious Android programs, and some of their modifications are still among the leaders in terms of the number of malware detections. With a share of over 66%, the most widespread potentially dangerous software was again programs to which junk code had been added to obfuscate their logic; these are detected as Tool.Obfuscator.TrashCode. Such modification is performed using the hacker modding tool NP Manager. Threat actors also use these tools to protect malicious apps like the Android.Banker.Mamont banking trojans from being detected by anti-viruses. In second place again were apps that had also been modified with the help of the NP Manager tool but by using its other functionality. For instance, this tool provides various modules for protecting and obfuscating the apps’ code as well as for bypassing digital signature verification once apps are modified. Malware creators use this functionality to protect malicious software from anti-viruses. Dr.Web anti-virus products detect programs modified in this way as Tool.NPMod. Programs modified using the Tool.LuckyPatcher utility were again among the most frequently detected potentially dangerous apps. To make modifications, this tool downloads specially crafted scripts from the Internet. The most active unwanted programs in Q2 were Program.FakeAntiVirus apps, which behave like anti-virus software. They supposedly detect various threats and then ask users to buy the full version of the software to “cure” the infection. Such programs accounted for over 44% of all unwanted apps detected on Android devices. The most widespread adware programs were Adware.AdPush modules, which can be built into Android apps. They display notifications containing misleading ads. These modules also collect various personal data. In addition, users encountered Adware.Bastion.1.origin. These are optimization apps that periodically create notifications with misleading messages about alleged system errors and low memory. The programs display ads during “optimization”. Once again Adware.Opensite.15 programs were highly active. Fraudsters promote them as apps offering cheats that can supposedly help users obtain various game resources. However, these apps only load websites with advertisements. At the beginning of June, Doctor Web’s experts informed users about Android.MagicAd.1, which can bypass Android OS security limitations and display background ads. To do this, Android.MagicAd.1 exploits third-party programs and also uses specific techniques, which it selects, based on the infected device’s manufacturer. Details about this trojan can be found in the corresponding news release on our website. Over the course of Q2, Doctor Web’s malware analysts discovered more malicious programs on Google Play that subscribe victims to paid services. Among them were members of the Android.Subscription and Android.Joker trojan families. PRINCIPAL TRENDS OF Q2 2026 Android.Banker banking trojans remain the most common malicious Android programs. Malware creators continued actively using Android software modding tools to protect banking trojans from being detected by anti-viruses. The activity of the ad-displaying trojans Android.MobiDash and Android.HiddenAds decreased again. The Android.MagicAd.1 trojan was discovered; it uses third-party programs to bypass Android OS restrictions for displaying background ads. New malicious programs emerged on Google Play. According to statistics collected by Dr.Web Security Space for mobile devices Android.Click.1812 The detection name for malicious WhatsApp messenger mods that can covertly load various websites in the background. Android.HiddenAds.675.origin Android.HiddenAds.4236 Trojan apps designed to display intrusive ads. Members of the Android.HiddenAds family are often distributed as popular and harmless applications. In some cases, other malware can install them in the system directory. When these infect Android devices, they typically conceal their presence from the user. For example, they “hide” their icons from the home screen menu. Android.Banker.Mamont.80.origin A banking trojan that intercepts SMS containing one-time codes from credit organizations, hijacks the contents of notifications, and collects other confidential information. This includes technical data about the infected device, the list of installed apps, and information about the SIM card, phone calls, and sent and received SMS. Android.FakeApp.1600 A trojan app that loads the website hardcoded into its settings. Known modifications of this malicious program load an online casino site. Program.FakeAntiVirus.1 Program.FakeAntiVirus.4 Program.FakeAntiVirus.4.origin Program.FakeAntiVirus.5 The detection name for adware programs that imitate anti-virus software. These apps inform users of nonexistent threats, mislead them, and demand that they purchase the software’s full version. Program.FakeMoney.11 The detection name for Android applications that allegedly allow users to earn money by completing different tasks. These apps make it look as if rewards are accruing for each one that is completed. At the same time, users are told that they have to accumulate a certain sum to withdraw their “earnings”. Typically, such apps have a list of popular payment systems and banks that supposedly could be used to withdraw the rewards. But even if users succeed in accumulating the needed amount, in reality they cannot get any real payments. This virus record is also used to detect other unwanted software based on the source code of such apps. Tool.Obfuscator.TrashCode.1 Tool.Obfuscator.TrashCode.2 The detection name for Android programs to which junk code has been added, using hacker tools for modifying Android apps. Such modification is performed to scramble the apps’ logic. This technique is often found in banking trojans and pirated software. Tool.NPMod.3 Tool.NPMod.1 The detection name for Android programs that have been modified using the NP Manager utility. This tool contains modules for obfuscating and protecting the apps’ code as well as for bypassing their digital signature verification after they have been modified. The obfuscation it adds is often used to make the malware more difficult to detect and analyze. Tool.LuckyPatcher.2.origin A tool that allows apps installed on Android devices to be modified (i.e., by creating patches for them) in order to change the logic of their work or to bypass certain restrictions. For instance, users can apply it to disable root-access verification in banking software or to obtain unlimited resources in games. To add patches, this utility downloads from the Internet specially prepared scripts, which can be crafted and added to a common database by any third party. The functionality of such scripts can prove to be malicious; thus, patches made with this tool can pose a potential threat. Adware.Bastion.1.origin The detection name for optimization programs that periodically create notifications containing misleading messages. They inform users about alleged low memory and system errors in order to display ads during “optimization”. Adware.Opensite.15 Apps passed off as cheat tools for obtaining resources in games. In fact, they are created to display ads. These programs receive a configuration from a remote server and use it to open a target website containing ads like banners, pop-up windows, video clips, etc. Adware.AdPush.3.origin An adware module that can be built into Android apps. It displays notifications containing ads that mislead users. For example, such notifications can look like messages from the operating system. In addition, this module collects a variety of confidential data and is able to download other apps and initiate their installation. Adware.Fictus.1.origin An adware module that malicious actors embed into cloned versions of popular Android games and applications. Its incorporation is facilitated by a specialized net2share packer. Copies of software created this way are then distributed through various software catalogs. When installed on Android devices, such apps and games display unwanted ads. Adware.Airpush.7.origin Adware modules that can be built into Android apps and display various ads. Depending on the modules’ version and modification, these can be notifications containing ads, pop-up windows or banners. Malicious actors often use these modules to distribute malware by offering their potential victims diverse software for installation. Moreover, such modules collect personal information and send it to a remote server. Threats on Google Play During Q2 2026, Doctor Web’s virus analysts discovered several new trojan apps from the Android.Subscription family, which subscribe users to premium services. They were distributed under the guise of various programs: the ShowLounge - TV & Dramas online cinema (Android.Subscription.25), the AIM: Crosshair Asist app for gamers (Android.Subscription.26), the True Cargo Drive game (Android.Subscription.27), the Battery 3D: Charge Effects tool (Android.Subscription.28), and the PixStudio - Photo Editor picture-editing software (Android.Subscription.29). In total, these were downloaded at least 2.6 million times. Examples of Android.Subscription trojan apps detected on Google Play in Q2 2026 Malicious programs of this type load websites that subscribe users to paid mobile services via the Wap Click technology. Potential victims are asked for their mobile phone number, and, once they provide it, an attempt is made to activate the corresponding services. Android.Joker trojan apps, which also subscribe victims to paid services, were again distributed via Google Play. Malicious actors passed them off as the messengers Chat Messages (Android.Joker.2625) and Easy Messages (Android.Joker.2632), and also as the system optimization tools Smart File Cleaner, Junk Clean Master, and Fast Cleaner (Android.Joker.2614, Android.Joker.2618, and Android.Joker.2626, respectively). One of the malicious programs in which Android.Joker trojans were concealed To protect your Android device from malware and unwanted programs, we recommend installing Dr.Web anti-virus products for Android. Indicators of compromise