Android malware is harmful or unwanted code that puts a phone, account, data, or payment method at risk. On Android it usually appears as an app, sideloaded APK, fake update, browser notification abuse, or a permission request that gives the app more control than it should have.
The fastest way to understand the risk is to look at behavior. A screen locker acts differently from banking malware, stalkerware, SMS fraud, adware, or a fake cleaner. If you already see pop-ups, unknown apps, suspicious permissions, or account abuse, use our Android malware removal guide for cleanup steps. This page explains the main types and how to recognize them.
Common types of Android malware
| Type | What to look for |
|---|---|
| Ransomware and screen lockers | Locks the phone, blocks removal, encrypts files, or shows a full-screen demand for payment. Android ransomware often abuses Device Admin, Accessibility, or overlay permissions. |
| Banking trojans | Targets banking, crypto, payment, or shopping apps. Watch for fake login overlays, Accessibility requests, SMS interception, and unexpected transaction prompts. |
| Spyware and stalkerware | Collects messages, call logs, location, photos, microphone data, browser history, or app activity. Risky signs include hidden tracking, persistent background access, and monitoring tools installed without clear consent. |
| SMS, call, and toll fraud | Sends premium SMS messages, makes paid calls, or signs the user up for carrier-billed subscriptions. The bill may change before the phone shows obvious malware symptoms. |
| Adware and notification spam | Shows aggressive ads, redirects searches, opens browser tabs, or pushes fake virus alerts. If the alert appears only inside Chrome, it may be a website permission problem rather than an installed infection. |
| Phishing apps and fake login pages | Pretends to be a bank, wallet, social network, game, delivery service, or security app, then asks for credentials, recovery codes, card data, or one-time passwords. |
| Trojans and fake apps | Looks like a normal game, cleaner, flashlight, VPN, video player, or update, but runs hidden harmful behavior after installation or first launch. |
| Backdoors and hostile downloaders | Lets attackers send commands, download more harmful apps, or use the phone as part of a larger operation. The first app may look small because the real payload arrives later. |
| Rooting and elevated privilege abuse | Attempts to break the Android app sandbox, gain root-like control, disable security settings, or make itself hard to remove. This is more dangerous on old or unpatched devices. |
| Riskware and uncommon apps | Uses obfuscation, cloaking, dynamic code loading, or unusual behavior. It may not be confirmed malware at first, but it deserves caution if the source, permissions, or behavior do not fit the app. |
How Android malware usually gets installed
- Sideloaded APKs: fake game mods, cracked apps, streaming tools, crypto apps, or “premium unlocked” installers from websites and chat groups.
- Fake updates: pages or messages that claim Chrome, Google Play, a video codec, or a security component must be updated manually.
- Malicious or compromised apps: apps that pass as useful tools but hide fraud, spyware, adware, or downloader behavior.
- SMS and messenger links: delivery notices, prize claims, bank warnings, job offers, or romance scams that push an APK or login page.
- Browser notification abuse: sites that persuade the user to allow notifications, then send fake virus alerts or scam prompts.
- Old Android versions: outdated devices are more exposed to known privilege-abuse and WebView-style issues, especially when they no longer receive security updates.
Where the old examples fit today
This article originally ran as a three-part 2017 series. The examples are still useful as history, but the practical advice needed an update.
- PowerOffHijack: a historical example of malware abusing the shutdown experience on older Android devices. Today, treat any app that fakes system screens, blocks shutdown, or resists removal as a high-risk permission and persistence problem.
- Old WebView attacks: a reminder that outdated Android versions can keep known browser-component vulnerabilities. Updating Android, Chrome, Android System WebView, and Google Play services matters as much as deleting bad apps.
- Godless-style fake apps: an example of a normal-looking app becoming harmful after launch. The modern lesson is to distrust apps that request Accessibility, SMS, Device Admin, notification access, or install-unknown-apps permission without a clear reason.
Which type matches your symptoms?
| Symptom | Likely category |
|---|---|
| Full-screen lock, removal blocked, payment demand | Ransomware, screen locker, Device Admin abuse |
| Banking prompts, stolen one-time codes, strange payment activity | Banking trojan, phishing app, SMS interception |
| Unknown tracking, microphone/location use, private data exposure | Spyware, stalkerware, monitoring abuse |
| Carrier bill changes, premium SMS, unwanted subscriptions | SMS fraud, call fraud, toll fraud |
| Pop-ups, redirects, fake virus warnings, notification spam | Adware, browser notification abuse, fake cleaner scam |
| Unknown apps return after removal or install more apps | Downloader, backdoor, privilege abuse |
| A security app flags a Google component after a vendor update | Possible false positive. Compare the alert with our Android:TrojanSMS-PA Google app warning notes before removing core services. |
What to check first
- Open Settings and review recently installed apps, especially APKs from outside Google Play.
- Run Google Play Protect and keep Android, Google Play services, Chrome, and Android System WebView updated.
- Check high-risk permissions: Accessibility, Device Admin, VPN, notification access, SMS, contacts, overlay, and install unknown apps.
- If the problem is a browser warning, remove notification permission for the suspicious site before installing anything it recommends.
- If an APK or app still looks suspicious, scan it with Gridinsoft Trojan Scanner for Android for a free second opinion.
- If the phone shows active symptoms, continue with the step-by-step Android malware cleanup guide.
FAQ
What is the most common type of Android malware?
For everyday users, the most common visible problems are fake apps, adware, notification spam, phishing, and trojanized APKs. Banking trojans, spyware, SMS fraud, and ransomware are less visible but more damaging when they succeed.
Can apps from Google Play still be harmful?
Google Play is safer than random APK sites, but it is not a promise that every app is harmless forever. Check the developer, reviews, permissions, recent behavior, and Play Protect warnings, especially for cleaners, VPNs, games, file managers, and finance tools.
Is a fake Android virus alert real malware?
Often it is a scam page or browser notification, not a real infection. Close the tab, remove the site’s notification permission, and do not install the suggested cleaner. If alerts appear outside the browser, check installed apps and permissions.
Can Android malware survive a factory reset?
Most ordinary malicious apps are removed by a reset. Problems can return if the same bad APK, account session, or backup is restored. Firmware-level or preinstalled malware is much rarer and usually needs vendor support or replacing the device.
References
- Google for Developers. “Malware.” Google Play Protect Potentially Harmful Applications, last updated August 12, 2025, accessed June 7, 2026. https://developers.google.com/android/play-protect/phacategories
- Google Play Help. “Use Google Play Protect to help keep your apps safe & your data private.” Google, accessed June 7, 2026. https://support.google.com/googleplay/answer/2812853
- Google Chrome Help. “Remove unwanted ads, pop-ups & malware – Android.” Google, accessed June 7, 2026. https://support.google.com/chrome/answer/2765944?co=GENIE.Platform%3DAndroid
