Quick Heal Technologies Limited has highlighted the growing sophistication of Android malware that is increasingly able to evade app store security checks by exploiting trusted application marketplaces, according to findings from its India Cyber Threat Report 2026.
The company said the Android threat landscape continued to evolve in 2025, with attackers using fake applications, staged malware delivery techniques and permission abuse to target users while bypassing conventional review mechanisms.
According to the report, threat actors are increasingly distributing malware through applications that initially appear legitimate but later activate malicious functionality using WebView redirects, external payload downloads or behaviour triggered only under specific conditions such as geographical location or device profiles.
Attack techniques becoming more sophisticated
The report notes that attackers are moving beyond conventional malware distribution methods by combining social engineering, cloned brand identities and trusted app storefronts to increase the likelihood of downloads.
Several malware campaigns were found disguising themselves as financial, utility and service applications before redirecting users to external APK files or malicious content designed to steal credentials and sensitive information.
Quick Heal said such techniques allow malicious applications to remain within trusted ecosystems long enough to evade detection while building credibility among users.
Beyond nuisance malware
According to the findings, mobile threats are increasingly capable of accessing sensitive information stored on devices, including SMS messages, contact lists, banking credentials, device identifiers and location data.
The report also highlights that some malware campaigns extend beyond credential theft to include extortion, blackmail and the resale of stolen data.
The company observed that attackers are increasingly employing geo-targeting, conditional activation, hidden web content and staged payload downloads to minimise the chances of detection during application review processes.
As a result, an application may appear benign when downloaded but activate malicious behaviour only after installation or when executed under predefined conditions.
Mobile security remains critical
Quick Heal said the findings underscore the importance of treating mobile devices as a critical component of an organisation’s cybersecurity posture, particularly as smartphones are increasingly used for banking, enterprise applications and access to sensitive information.
The company advised users not to assume that applications available through trusted marketplaces are inherently safe. It recommended regularly updating devices, avoiding applications from unverified sources, carefully reviewing requested permissions and using trusted mobile security solutions to help detect suspicious activity.
The findings form part of the company’s broader assessment of India’s evolving cyber threat landscape, which indicates that mobile malware is becoming increasingly sophisticated in its use of layered attack techniques designed to bypass both platform security controls and user awareness.