Android Malware 101: Top Variants, How to Detect and Remove It

In a previous guide, we’ve covered the elusive topic of iPhone malware: if it exists or not and how to handle it if you’re among the few users to get infected with one of its versions. When it comes to Android malware, things are much simpler: everyone knows that numerous forms of Android malware exist, so there’s no need to establish its existence first.

But since there are so many forms of Android malware out there, both known and some still in the wild and undiscovered, how should Android users defend themselves? How serious are the known strains of Android malware? What are some wide-spread examples people should know about? How can someone tell if their Android phone is infected with malware? We’ll discuss all these topics and more below, in this dedicated guide on Android malware.


Origins of Android Malware


Although mobile malware dates from June 2000, when the ‘Timofonica’ virus was first observed in Spain, Android malware was first noticed much later. Officially, the first mobile virus capable of infecting the Android operating system was a trojan type of virus with a pretty self-explanatory name: Trojan-SMS.AndroidOS.FakePlayer.a. It was first spotted in 2010, and the source of the infection was an app in Google’s Play Store.

Back in that day, people still needed to pay a premium in order to send SMS messages to select numbers, and the trojan worked by sending lots of such messages and leading to a huge bill at the end of the month on the client’s account without their knowledge.


The Most Common Forms of Android Malware


Today, Android malware can take on many forms and serve different purposes, though the source of the infection is more or less constant: Google’s Play Store. Considering that’s how most malicious apps get into smartphone, tightening the controls and scans for the apps being hosted on the Play Store is really the best way to fight Android malware in the future. Focusing efforts in this direction could make a huge impact on the state of mobile security.

For now, let’s take a look at the most common forms of Android malware and see how each of them works. Most malicious apps which infect Android phones can be divided into one of these categories:


    • Worms – the type of malware which perpetuates itself continuously and then spreads to other devices;


    • Trojans – masquerading as something else, these will only activate their true purpose after the user interacts with them;


    • Spyware – data stealing and spreading without the user’s knowledge or consent;


    • Expanders – viruses created for the purpose of creating additional costs for the user’s mobile phone line;


  • Backdoors – Android malware which allows third parties (malicious hackers) a free entry into the user’s mobile phone; once they are able to enter the system untracked, they can install further damaging apps inside.


Top 5 Variants of Android Malware


Here are the most dangerous Android malware currently still threatening the landscape of mobile users.


#1. Andr/HiddnAd-AJ

This is an example of a malicious content which was distributed through the Google Play Store for a long time before being taken down. It was part of several apps which promised functionalities such as QR code scanning, compass simulator and so on. The Andr/HiddnAd-AJ virus is still in the wild so you could still get infected with it even if you don’t install one of the corresponding apps anymore.

Once an app infected with the Andr/HiddnAd-AJ Android malware gets installed and run, it will connect to the hackers’ C&C server. Then, the app will start spamming your phone with ads and pop-ups, causing to the phone becoming unusable and the hackers gaining fraudulent ad revenue.


#2. RedDrop

This is a very dangerous data stealer Android malware, which gets into your phone through image editors, adult themed apps or calculators and so on. Once the bogus app is installed on your phone, it begins its malicious activity by installing several more APK files, which run their own separate malicious function. It will then proceed to steal data from your phone, including messages, images, passwords etc.

The stolen data is hosted in the servers of the attackers and later used in ads which show up on your phone. If you click on them, you will be redirected to some malicious URLs from where you will unwittingly install even more malware. RedDrop is difficult to remove and can pose a serious threat, considering that it steals most sensitive data (just think about your credentials to internet banking). It’s best if you avoid installing any third-party software altogether.


#3. Geinimi

This is another spyware type of Android malware, which gathers sensitive data from your phone and passes them over to attackers, which can then use it to hack even more of your accounts or for blackmail. Geinimi acts like a Trojan virus and it usually enters your phone through Android game apps. The game Monkey Jump 2 is said to be the main source for this malware.


#4. Maikspy

This Android malware spying app gets onto phones through an adult-themed Android game called Virtual Girlfriend. Users usually find out about the game from Twitter fake accounts (bots) which promote it. Once installed, the Maikspy malware will scan your phone for all sensitive information, including credentials to email, internet banking, social platforms and everything else which requires a password to enter.

Once the attackers get hold of your data, they can use it to empty your bank accounts, blackmail you, for criminal impersonation and all manners of illegal actions. If the user realizes something is wrong and tries to uninstall the app, the following message will be displayed: ‘Error: 401. App is not compatible. Uninstalling..’

Unfortunately, this is just a ruse to get the user to think that they managed to successfully uninstall the Maikspy app; it doesn’t really go away unless you use a powerful anti-malware product.


#5. Godless

The Godless Android malware targets all devices which are running on the Android 5.1. or earlier versions of the operating system. Since this is true for more then 90% of all Android devices in the world, this makes Godless one of the most dangerous strains of Android malware currently active.

It is usually downloaded by users in third-party Google PlayStore apps and once run, it installs powerful spyware and changes system administrator settings on your phone. Furthermore, while hiding in the initial app that was downloaded, it gains access to the root and starts installing different other apps on your phone, leading to a complete take-over.


How to Detect Android Malware on a Phone


Theoretically, Google’s own AVG anti-virus software can detect threats on any Android system. Here is what you can do to check if your phone is infected with anything.


    • Go to Google’s Play Store and search for the AVG AntiVirus for Android


    • Download and install the app


    • Run the app and press the ‘Scan’ button


  • Wait for the results, you will find out if you’re infected in no time


If you are dealing with Android malware on your phone, the app should return the result so you can then take the next steps of removing the infection.

However, there are some things which are harder to detect for Google’s AVG AntiVirus for Android. If you still feel you have something weird happening with your phone, you need to use a different scan software.


Warning signs that you might have Android malware on your phone:


    • A sudden spike in data usage or phone call / texting limits


    • Sudden pop-ups, even if you are not browsing anything


    • Your battery is draining faster than usual


    • You notice text messages, emails or phone calls sent by your phone but which you don’t remember sending


    • You don’t notice any weird sent texts, but your friends or family complain or ask you about messages they received from you


    • Unfamiliar apps show up in your interface


    • The phone is working much slower than usual and even overheating more


  • If you don’t keep your internet connection on all the time (and that is the recommended path for your security), now you notice it connecting on its own


If you see any of these, it’s very likely that you got infected with a form of Android malware. If the scan from Google’s AVG AntiVirus app doesn’t return any results, it’s time to proceed differently.

For cases of over-usage of data or battery, go to your phone’s settings and select ‘Battery’ or ‘Data’. You can see there what apps are using the most resources. Identify the app that’s been causing the trouble and immediately unistall it.

If you’re not experiencing any signs of data or battery over-usage, you can go directly to the next step: get a scan from a different AV software. Some cybersecurity products can be better than others for detecting malicious apps, either because they are updating their database faster or because they are including more types of malicious apps into it.

Kaspersky Labs made the headlines by including spyware apps into their list of malicious apps on which they notify the user, at a time when none of the other AV apps reported on them.


How to Remove Android Malware from Phones


Once you manage to identify the Android malware your phone is infected with (by scanning it with an anti-virus tool, either from Google or a different cybersecurity product), you should be able to continue with the process of disinfecting the phone easily.

If you haven’t reached the phase of anti-virus scanning yet and you’re just in the recon phase of finding out why your phone is behaving in a weird way, pay attention to the apps in your system.

If you see anything suspicious, it’s time to get cleaning.


    • Restart your phone in safe mode (by pressing the power button and selecting safe mode from the list of options displayed)


    • Look for suspicious apps in Settings (any apps which you don’t recognize or which cause an upwards spike into your traffic usage, data or battery usage)


    • Immediately uninstall them or force close these apps; while this won’t get you rid of the Android malware completely it will still help with damage control


    • Follow up with installing an Android anti-malware solution (like Google’s own AVG or some different commercial product)


  • Make sure the anti-virus (anti malware) product you install is safe and vetted. Go for big names and install them directly from the company’s website. As much as two thirds of no-name anti-virus apps in the Play Store are useless or even viruses themselves. *


To prevent your phone from getting infected with Android malware in the future, or from getting re-infected, here are some precautions you need to take:


    • Get and maintain an active subscription to a good Android anti-malware product;


    • Install all the app and operating system updates as soon as they are available, don’t postpone;


    • If you receive suspicious messages from friends (saying nothing much but introducing a link or an attachment), don’t click those links or attachments;


    • Use strong passwords and good password hygiene (change each password every 6 months), and use a password manager to remember them;


    • Never use public wi-fi; invest in a VPN if you must and never connect to a new network without it;


    • Use similar protection methods for all your other devices which can connect to the internet – if your laptop gets infected your phone will probably get infected soon as well;


    • Never install apps from untrusted sources (outside the Google Play Store);


    • If an app is hosted in the official Google Store, it still doesn’t mean that it’s safe. Read reviews on it from a different source to make sure;


  • If an app you want to install seems to be asking for too many permissions, don’t install it- why would a simple game app need access to your microphone, anyway?


*According to data from the analysis of TomsGuide.


Final thoughts

If you’re dealing with a particularly weird form of Android malware or if you’re not sure how to proceed with removing it, or if this guide fails to answer all of your questions, please feel free to ask us in the comment section below. We’re happy to help.



Avatar photo
Amar Basic


No Comments

Post a Comment