Phishing evolves beyond email to become latest Android app threat

February 17, 2025

Phishing has always been a multifaceted threat, but in the public perception it is usually tied to email. The stereotyped process is clear: a fraudster sends an email with a bogus message that appears to come from a trusted company, which tricks the user into logging in to a fake web page and handing over their real credentials. It is a classic piece of con artistry, and after years of effort to promote cyber fraud education, most users are at least aware of the concept of email phishing. However, email is far from the only avenue a threat actor has to reach a target.

Android phones, unlike the tightly locked down iOS phones, can install apps from outside their native app store with relative ease (sideloading). There are advantages to this, but the major disadvantage is that it leaves them considerably more exposed to threat actors. Some threat actors exploit this access through phishing apps. The basic idea behind a phishing app is the same as a phishing email: trick the user into giving the threat actor their login information. Only the delivery method has changed.

These phishing apps take a few different forms. Some are copies of popular Android apps, such as TikTok, WhatsApp, or Spotify, which collect login information simply from users trying to log in to their favourite services. These copies are unlikely to be hosted on the Google Play Store and are typically served through some form of malvertising. Other phishing apps look more legitimate, taking the form of ordinary video games or utilities that present the user with bogus requests to connect a separate social media account in order to harvest the login information entered. A third kind, potentially more dangerous than the others, contains no credential-harvesting code at all. Instead, it simply redirects the user from the app to an attacker-controlled website, which does the harvesting. This is more dangerous because such applications look innocuous enough to pass review and be hosted on the Google Play Store.

These applications may seem simple, but they are quite dangerous. In 2024 alone, more than 22,800 phishing apps were detected on Android. Of these, 5,200 had functionality that could subvert multi-factor authentication by intercepting SMS messages, and another 4,800 could attempt the same by reading one-time codes from the notification bar. These capabilities make phishing apps extremely dangerous. To reduce risk, users are strongly advised to obtain apps only from the Google Play Store, which screens submissions for malware. Because the redirect-style apps described above can slip through that screening, it is also worth questioning any game or utility that asks for SMS access or notification access, since neither is needed for such apps to function.
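The two MFA-bypass capabilities described above leave visible traces in an app's manifest: SMS interception requires the RECEIVE_SMS or READ_SMS permission and usually a broadcast receiver for SMS_RECEIVED, and reading the notification bar requires a service guarded by the BIND_NOTIFICATION_LISTENER_SERVICE permission. The following triage script is an added example, not code from the article or from Blackwired; it parses a decoded AndroidManifest.xml and flags those capabilities. The two manifests it runs on are constructed for the example (the package names and class names are invented), and the mapping from manifest entries to capability labels is this script's own heuristic rather than a complete malware signature. Decoding the binary manifest out of a real APK is assumed to be done beforehand, for instance with apktool.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that let an app read incoming one-time codes from SMS.
SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
}
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"
# A notification listener is not requested with <uses-permission>; it is a
# <service> whose android:permission attribute names this system permission.
NOTIFICATION_LISTENER_PERMISSION = (
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
)


def android_attr(name):
    """Return the ElementTree key for an android:<name> attribute."""
    return "{%s}%s" % (ANDROID_NS, name)


def triage_manifest(manifest_xml):
    """Flag MFA-bypass capabilities in a decoded AndroidManifest.xml.

    Returns a dict with the package name, a sorted list of capability labels
    (this example's own labels: 'sms_intercept', 'notification_read') and the
    manifest evidence each label was derived from.
    """
    root = ET.fromstring(manifest_xml)
    capabilities = set()
    evidence = []

    # 1. Declared SMS permissions.
    for perm in root.iter("uses-permission"):
        name = perm.get(android_attr("name"))
        if name in SMS_PERMISSIONS:
            capabilities.add("sms_intercept")
            evidence.append("uses-permission %s" % name)

    # 2. A receiver registered for incoming SMS broadcasts. A high
    #    android:priority is a common sign the app wants to see the message
    #    before the default messaging app does.
    for receiver in root.iter("receiver"):
        for action in receiver.iter("action"):
            if action.get(android_attr("name")) == SMS_RECEIVED_ACTION:
                capabilities.add("sms_intercept")
                evidence.append(
                    "receiver %s listens for SMS_RECEIVED"
                    % receiver.get(android_attr("name"))
                )

    # 3. A NotificationListenerService, which can read every notification,
    #    including one-time codes shown by authenticator or banking apps.
    for service in root.iter("service"):
        if service.get(android_attr("permission")) == NOTIFICATION_LISTENER_PERMISSION:
            capabilities.add("notification_read")
            evidence.append(
                "service %s is a notification listener"
                % service.get(android_attr("name"))
            )

    return {
        "package": root.get("package"),
        "capabilities": sorted(capabilities),
        "evidence": evidence,
    }


# Constructed sample: a "puzzle game" that declares both MFA-bypass capabilities.
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.puzzlegame">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <application android:label="Puzzle Quest Deluxe">
        <activity android:name=".MainActivity"/>
        <receiver android:name=".SmsGrabber" android:exported="true">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
        <service android:name=".NotifySpy"
            android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
            <intent-filter>
                <action android:name="android.service.notification.NotificationListenerService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

# Constructed sample: a game that only needs network access.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.solitaire">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Solitaire">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""

if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        report = triage_manifest(manifest)
        print(report["package"], report["capabilities"])
        for line in report["evidence"]:
            print("  -", line)
```

On a real sample, decode the APK first (for example `apktool d app.apk`, which writes a plain-text AndroidManifest.xml into the output directory) and pass that file's contents to `triage_manifest`. A hit does not prove malice on its own: a genuine SMS client legitimately declares these entries, so the result is a triage signal to be weighed against what the app claims to be, which is exactly the mismatch (a game with SMS access) the article warns about.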
