When it comes to malware, simplicity never goes out of fashion. In fact, years of trial and error by cybercriminals has surfaced a set of simple tools and tactics that are stubbornly resistant to detection or user education.

Chief among them is phishing—tricking people into giving up sensitive information, like passwords, using fake websites. The credentials harvested from phishing attacks can be used to log in to business computers remotely, or to access sensitive data held in Cloud applications like Microsoft 365.

Although we tend to associate phishing attacks with emails, on Android they often come from innocent-looking apps.

Phishing apps need minimal coding and often need fewer permissions than other types of malware, which makes slipping them onto app stores like Google Play an easier task for malicious developers. These apps can sit dormant for days after installation, delaying their attack to avoid any obvious association with a newly-installed app.

Phishing apps typically disguise themselves as legitimate utilities, such as games or weather apps, and phishing capabilities can also be added to pirated copies of popular applications like WhatsApp, TikTok, or Spotify, which are distributed through third-party app stores.

Some use phishing screens that are embedded in the apps themselves and relay the captured credentials to a server, and some use ad functionality to open phishing websites in a phone’s browser. Relaying users to phishing sites like this exposes victims to a wide variety of lures and ensures that the app does not contain any phishing code, making detection even harder.

Multi-factor authentication (MFA) is often touted as a technical solution to the phishing problem—sadly, it is not. While it’s true that one specific type of MFA—passkeys—is resistant to phishing, the much more commonly used one-time passcodes (OTPs) that come via authenticator apps or SMS messages are not.

Last year, we detected phishing-capable apps 22,800 times. Disturbingly, we also detected malicious apps equipped to read one-time passwords (OTPs) from SMS messages 5,200 times, and apps that could read OTPs from the notification bar 3,900 times.

In the end, protecting your organization from phishing comes down to vigilance and choosing security solutions capable of detecting the thinnest sliver of malicious code.

To learn more about how criminals are attacking the world’s most popular operating system, and what you can do to defend against it, read the 2025 ThreatDown State of Malware report.