Trojan Spyware, RiskTools, and Adware: Major Mobile Threats to Crypto Users

Trojan technologies, including trojan spyware, banking malware, and droppers, can lead to cryptocurrency loss if they manage to infect Android-based devices.

Cryptocurrency miners are often designed to utilize the resources provided by personal computers, but they also leverage the power of mobile devices

Coinbase, Robinhood, Kraken, OpenSea, CoinMarketCap, TradingView, MetaMask, and Coinbase Wallet are just a few tools and platforms highly popular among cryptocurrency users that can be accessed not only through an Internet browser but also through a standalone mobile application. More and more teams behind NFT marketplaces, cryptocurrency price trackers and charting tools, wallets, and crypto tax software are releasing dedicated mobile applications to make it easier for their users to leverage their services on the go.

While standalone mobile software streamlines work with cryptocurrency-related applications, it also brings real cybersecurity threats.

According to the 2023 mobile threat report from cybersecurity firm Kaspersky, based on detection statistics shared by users with the Kaspersky Security Network, the security solution blocked almost 33.8 million attacks last year. Among these, malware, adware, and riskware threats were dominant. While not all software designed by cybercriminals is intended to help threat actors capitalize on cryptocurrency users, the crypto community is definitely one of the most lucrative target groups.

To protect your digital assets, credentials, devices, data, and even your identity, understanding mobile threats is invaluable. This article provides a detailed overview of particularly common mobile threats, many of which can pose dangers to both Android and iOS-based devices.

Trojan spyware, trojan-banker, trojan dropper, and other trojan technologies

As per statistics provided by Kaspersky, various forms of trojan technologies accounted for nearly 46.19% of all mobile malware threats affecting mobile devices.

Another leading cybersecurity firm, Avast, explains that "Trojan horse malware is a file, program, or piece of code that appears to be legitimate and safe, but is actually malware."

Trojans do not fall under the category of viruses because they lack the distinct feature of computer viruses: they do not self-replicate. Instead, trojans require user intervention for installation. However, viruses, worms, and trojan horses are all examples of malware.


The extent of damage inflicted on a mobile device user depends on the specific design of a Trojan program. Disruption of the device’s performance, theft of personal information, installation of additional malware, file removal, and modification of stored data are just a few examples of activities Trojans can execute.

Trojan-banking and trojan spyware: mobile device risks for cryptocurrency users

The range of Trojan technologies posing potential harm to cryptocurrency users who own smartphones and tablets is extensive and continually evolving. For example, although Kaspersky reported a significant decrease in the activity of Trojan-SMS-type malware, dropping six positions from 2022, it also emphasized that "Many malware families that were not in 2022’s top 20 joined the list in 2023."

Among the newly emerged Trojan variants threatening Android users are WhatsApp malware programs such as Trojan.AndroidOS.Triada.et, Trojan.AndroidOS.Triada.ex, Trojan-Spy.AndroidOS.CanesSpy.a, and Trojan-Spy.AndroidOS.Agent.afq.

Banking trojans, traditionally focused on online banking, have recently adapted to target cryptocurrency users as well, aiming to access credentials to drain cryptocurrency wallets.

In 2022, the cybersecurity firm Dr.Web warned the cryptocurrency community about Trojan applications designed to "hijack secret seed phrases that provide access to crypto wallets," impacting not only Android device users but also owners of Apple tablets and smartphones.

Historically, a major distribution channel for such Trojan technologies was popular wallet software modified by malicious actors.

"Known modifications of uncovered threats are detected by Dr.Web as trojans from the Android.CoinSteal and IPhoneOS.CoinSteal families," the team reported. The Dr.Web cybersecurity specialists added that threats like Android.CoinSteal.7, Android.CoinSteal.8, Android.CoinSteal.10, IPhoneOS.CoinSteal.1, IPhoneOS.CoinSteal.2, and IPhoneOS.CoinSteal.3 were prevalent. Wallet applications like MetaMask, Bitpie, imToken, and TokenPocket were commonly abused by threat actors to function as trojan transfer programs.

These wallets were then distributed through malicious websites designed to mimic the appearance and functionality of legitimate crypto wallet platforms. Often, these sites had URLs strikingly similar to the authentic ones, making it challenging for users to spot the fake sites.

Kaspersky's Top 20 most frequently detected mobile malware programs
Source: SecureList by Kaspersky

Dr.Web noted a slight difference in the strategy for spreading trojans on Android and iOS devices. "Android-based versions of the trojans are most often downloaded directly from the malicious site," the team explained, "while iOS-based device owners are typically redirected to another site designed to resemble the official Apple app catalog."

Despite default security measures built into both Android and iOS devices, which restrict app installations from third-party sources, cybercriminals have found ways to bypass these restrictions. On Android devices, certain system settings can easily enable app installation from unofficial sources. On iOS, the attackers used a special installation mechanism based on provisioning profiles, which is sometimes employed for distributing internal applications within companies without involving the App Store.

"Importantly, the installation in such scenarios does not require a cracked (unlocked), jailbroken iOS device," Dr.Web emphasized.

These specific instances of mobile Trojan technologies targeting cryptocurrency users aimed to steal seed phrases, granting criminals easy access to victims' digital funds.

The functionalities of trojan spyware and banking trojan malware can sometimes overlap, especially when targeting cryptocurrency users.

Trojan-ransom

One of the mobile Trojan technologies that can potentially affect cryptocurrency users is a trojan-ransom program. As explained by Kaspersky, "If a computer or network is infected with ransomware, the ransomware blocks access to the system or encrypts its data." To regain access to their data, cybercriminals demand payment of a ransom, often in cryptocurrency.

Furthermore, as many cybersecurity articles point out, even if you pay a substantial ransom with money you worked hard to earn and the payment is accepted, the attacker may still refuse to decrypt your data.

Fortunately, this specific threat is not yet widespread on mobile devices, although its prevalence has slightly increased according to Kaspersky's statistics. While this threat accounted for 0.64% of mobile-related cybersecurity risks in 2022, it rose to only 0.85% last year.

Cryptojacking trojan technologies

Another prevalent threat stems from cryptojacking trojan programs, affecting both cryptocurrency users and those who have not yet adopted this technology.

Cryptojacking refers to the unauthorized use of a device's computing power to support cryptocurrency mining, which typically demands substantial resources and incurs significant costs for miners.

While many PC owners are aware that their machines can be valuable targets for malicious actors looking to minimize their mining expenses, not everyone realizes that smartphones, despite being perceived as less powerful than full-fledged computers, are also frequently hijacked for mining.

"While individual phones have relatively limited processing power, when attacks occur on a large scale, they collectively provide enough strength to justify the efforts of cryptojackers," Kaspersky claims. According to the team, mobile device infections can occur in ways similar to those affecting desktop computers and laptops.

Additionally, cybersecurity experts caution smartphone users about the risks of visiting suspicious websites. Some of these sites may be infected, leading to persistent pop-unders on your screen. Clicking on these can trigger the download and installation of cryptojacking trojan technology.

Although cryptojacking primarily aims to exploit the computing power of devices, it can severely impact their performance. The cybersecurity firm Palo Alto Networks identified smartphone malfunctions, overheating, battery depletion, and the potential for generating excessive data traffic, which can result in additional costs for users on mobile plans without unlimited data, as common problems affecting users of hijacked devices.

Reportedly, particularly resource-intensive cryptojacking trojan programs can cause irreparable damage to mobile devices within just two days of installation.


Perfect trojan transfer plan: trojan-dropper and trojan downloader

One more prevalent type of trojan technology affecting mobile users, according to Kaspersky, is the trojan dropper. This can be considered a trojan transfer program designed to deliver other types of malware to the device. To deceive potential victims into installing them, cybercriminals disguise trojan droppers as useful applications, which play a crucial role in the trojan transfer plan.

Kaspersky points out that trojan droppers already come with a payload, which is the malicious code or tools that can harm the infected device. "Upon launch, it extracts the payload and saves it to the device's memory," Kaspersky explains, adding that "A dropper can also initiate malware installers."

Attackers often use droppers as a part of the trojan transfer plan that allows them to spread malware that is already known to antivirus programs and the built-in cybersecurity mechanisms of operating systems. If these trojans are distributed directly to the device, they are likely to be detected and neutralized. However, spreading these trojans through a dropper helps bypass malware detection during the downloading stage.

Along with other trojans, droppers can also distribute other types of malware, including adware and risk tools, as discussed further in this article.

Although droppers may appear similar to another type of malware used in the trojan transfer plan known as downloaders, the latter is considered a separate group of malware as it requires contacting a server to receive its payload. In fact, without an Internet connection, trojan downloaders cannot download additional malicious programs and infect the device.

Another distinction between droppers and downloaders is their means of distribution. Downloaders often come as attachments to spam emails, which typically employ social engineering tactics to entice users into downloading these files.

Although downloaders are primarily used to fetch more malicious files, they can also be leveraged for more complex attacks or to steal confidential information.

According to Kaspersky's 2023 statistics, the popularity of trojan droppers decreased by almost 4%. In 2022, they accounted for 10.20% of all Android threats, while in 2023, this number declined to 6.63%. In contrast, downloaders, which remain less popular than droppers, were used more frequently by cybercriminals, accounting for 2.23% of all mobile threats in 2023 compared to only 0.63% in 2022.

Number of malicious programs blocked on mobile devices by Kaspersky
Source: SecureList by Kaspersky

Trojan spyware alert - trojan scams

While trojans pose a significant threat to cryptocurrency users, they have also inspired phishing scammers constantly looking for new ways to deplete victims' funds.

One notable example of such a fraud, prevalent in 2021 and 2022, was the "Threat Detected: Trojan Spyware" technical support scam. Although the trojan spyware alert fraud primarily targeted Windows users, it is crucial to highlight it, as similar tactics could easily be adapted by cybercriminals targeting Mac computers and mobile device users.

According to the report by Malwaretips, this scam "poses as a message from Microsoft, claiming your computer has crashed or a virus has been detected," accompanied by a persistent fake error message. Some victims even reported that the trojan spyware alert popped up as a video with loud audio.

The scam aimed to intimidate users into calling one of the provided numbers, promising technical support. Those who called were often persuaded by scammers to install a program, granting the criminals remote access to their computers.

To enhance their credibility and further deceive victims, scammers frequently utilized built-in Windows utilities like Event Viewer. Once they gain trust, they might pressure victims to contact specific "support" services and pay for their unnecessary assistance or attempt to steal sensitive information, such as credit card details.

In some instances, the trojan spyware alert scam would hijack the browser, forcing it into full-screen mode and bombarding users with persistent pop-up messages that seemed impossible to close, effectively locking the browser. However, control can be regained relatively easily by using the Windows Task Manager to close the browser, which stops the intrusive pop-ups.

Note that the fake alert described above is only one of the numerous forms of a tech support scam.

What is Android adware and why is it dangerous to crypto users?

Adware, malicious software designed to generate intrusive advertisements, especially in the form of pop-ups, forcefully redirects users to websites they otherwise would not visit intentionally and collects personal information for targeted advertising.

Certainly, users do not install adware on their Android devices purposefully. Typically, such malicious apps are promoted by their developers as legitimate software. While the primary sources of these programs are third-party app stores and platforms distributing pirated or free software, adware can even infiltrate Google Play.

Another common distribution method involves bundling adware with legitimate apps.

One significant threat of Android adware for cryptocurrency users is the distribution of phishing links embedded in deceptive ads. While phishing scams in the crypto community often come through social platforms, adware serves as another avenue to expose cryptocurrency users to deceptive ads that, similar to X or Discord phishing scams, often mimic legitimate Web3 projects.

Engaging with such ads can result in the theft of private keys and login credentials, the installation of malware for automated fund theft, or the downloading of additional adware apps.

Kaspersky reported a surge in adware distribution on mobile devices. In 2022, adware, already a major cybersecurity threat affecting mobile users, accounted for 24.33% of all threats. However, this figure rose even further, reaching 40.80% last year.

It is important to note that these statistics only refer to detected malware installation packages. Meanwhile, the percentage of adware installation packages among newly developed types of malware last year was even higher, comprising almost 66% of all threats.

How to identify adware on Android?

The process of detecting adware on both Android and iOS is quite similar. However, let’s focus on instructions for Android users, as they are often more vulnerable to malware due to the less stringent quality requirements for apps on Google Play.

Using antivirus or antimalware software for Android devices can help detect adware that may potentially compromise your cryptocurrency. However, even with dedicated Android security products, knowing how to manually scan your operating system is beneficial, as malware evolves faster than antivirus software.

One effective tactic is booting the device in safe mode, which prevents third-party applications from running. Then, navigate to "Apps" or "Application Manager" in the Settings menu to review the list of installed apps.

How to remove adware from Android?

After following the instructions above and reviewing your applications, you can remove any suspicious apps from "Apps" or "Application Manager."

How to prevent adware on mobile devices?

Downloading apps exclusively from Google Play significantly reduces the risk of malware infection. However, Google Play has occasionally failed to detect certain malicious software. Therefore, while it offers a safer environment, it is not entirely foolproof.

Using reputable antivirus applications and performing regular scans can further enhance your protection against adware.

An example of the installation process of IPhoneOS.CoinSteal.2 by Doctor Web’s classification on iOS
Source: Dr. Web

RiskTools

Kaspersky defines RiskTools as programs that interfere with device performance in undesirable ways, exhibiting "various functions, such as concealing files within the system, hiding active application windows, or terminating running processes." Kaspersky emphasizes that this category of software also encompasses cryptocurrency miners that utilize a device’s resources for coin generation. System monitors, keyloggers, and Remote Access Tools (RATs) are other examples of RiskTools.

Moreover, the defining characteristic of RiskTools is their ambiguous nature. In fact, many of these programs can serve legitimate purposes. For instance, the same cryptocurrency miners can be employed by legitimate miners who use their own resources for mining, while system monitors and RATs can be invaluable in technical support services.

For this reason, the cybersecurity firm stresses that such programs are not inherently malicious, despite their covert operations. A major challenge associated with RiskTools is their stealthy installation mode, which allows them to operate discreetly and evade detection.

However, these tools are undeniably linked to risks. Unauthorized access to system functionality and data theft are the two primary threats associated with RiskTools.

Additionally, RiskTools can introduce indirect risks to systems. For instance, they can establish backdoors for more sophisticated and targeted cyberattacks in the future. RiskTools can also facilitate Denial of Service (DoS) attacks by overwhelming a system with excessive traffic, compromising performance to the extent that the system becomes unresponsive or inoperable.

Unlike adware and various Trojan variants, the popularity of RiskTools slightly declined in 2023 compared to 2022. In the past, such programs accounted for 26.82% of malware threats affecting Android devices, whereas last year, this percentage decreased by almost 5%.

Detecting RiskTools

As previously mentioned, RiskTools can pose significant risks to cryptocurrency users and cause various issues for device owners.

How can you determine whether you have a keylogger? Is there a way to detect system monitor widgets that you did not intend to install? What about identifying the presence of a remote access tool (RAT)?

Often, after installing RiskTools on your device, they utilize resources, potentially leading to decreased device performance, overheating, and unexpected battery drain. This is particularly common with cryptocurrency miners, which require substantial resources to operate. However, even if you haven't noticed any of these symptoms, your device could still be infected by a RiskTool, especially if the phone or tablet is powerful and the RiskTool does not consume a significant amount of energy.

While many RiskTools specialize in collecting and transmitting data to malicious actors, many of them are actually downloaded from the internet by the user. For example, what appears to be a remotely installed keylogger is often a program bundled with a keyboard installation package. Therefore, you might discover downloaded files containing unwanted software on your device.

For a more precise assessment of the presence of a keylogger, system monitor, remote access tool, or other RiskTools on Android, you can utilize reputable antivirus software.

RAT remote access tool, remote system monitor software, and keylogger removal

As a rule, the success of removing RiskTools that have compromised your Android device depends on how effectively you have managed to detect them. If manual removal of malicious programs does not help, you can try using antivirus programs, which will handle the removal for you.

However, if for any reason you want to avoid using an antivirus program or find it ineffective, you can perform a factory reset of your device. This is usually an efficient way to remove any applications and files that were not originally on your device. Remember to make a thorough backup of all your data, as a factory reset will erase it.

Distribution of detected installation packages by type
Source: SecureList by Kaspersky

HackTools

In cybersecurity terms, a HackTool is an application that helps attackers exploit vulnerabilities present in an operating system. However, these same tools can also be valuable additions to penetration testing performed by cybersecurity professionals to identify vulnerabilities.

According to Kaspersky, HackTools have not gained significant popularity among cybercriminals targeting Android devices yet. Nevertheless, such software does exist in the industry, and some programs are developed specifically for mobile devices, posing potential risks to cryptocurrency users.

For instance, PhoneSploit-Pro is a robust open-source hacking tool written in the Python programming language, utilizing the Metasploit Framework and Android Debug Bridge (ADB).

"With just one click, this tool can fully hack an Android smartphone by automatically creating, installing, and running a payload on the target device using the Metasploit Framework and ADB," reports GeeksforGeeks. Although this tool was developed to assist penetration testers, there is always a risk of malicious use.

AIRAVAT is a multifunctional Android RAT (Remote Access Tool) used for gaining remote control of infected devices.

Ghost Framework is another tool that exploits ADB. It can be used by threat actors to perform tasks remotely after the initial exploit of the Android device.

Another tool that can compromise an Android device, although not limited to smartphones and tablets and also applicable to computers, is CamPhish. This tool can capture camera shots taken with the target’s phone.

Lockphish is another cross-platform tool with unique functionality that allows attackers to obtain Android PINs using an HTTPS link. Lockphish can be a potent addition to phishing attacks.

Backdoor malware

An even smaller fraction of all cybersecurity threats affecting users of mobile devices consists of backdoor malware, which can be quite powerful and enable attackers to gain unauthorized access to infected devices, potentially leading to cryptocurrency theft.

One such recent development was reported by the team behind the security solution McAfee on December 22, 2023.

"Dubbed Android/Xamalicious, it tries to gain accessibility privileges with social engineering and then, it communicates with the command-and-control server to evaluate whether or not to download a second-stage payload that is dynamically injected as an assembly DLL at runtime level to take full control of the device and potentially perform fraudulent actions such as clicking on ads, installing apps among other actions financially motivated without user consent," McAfee explained the functionality of the new threat.

The powerful accessibility services granted to Xamalicious during the first-stage payload enable the malware to gain complete control of the compromised device during the second-stage payload. These services also include functions that enable self-updates of the main Android package (APK). This provides the malware with the ability to perform virtually any task without needing to interact with the user, including enabling a banking trojan or spyware.

In the specific case of Xamalicious, experts from McAfee identified a connection between this malware and the ad-fraud app Cash Magnet, which is designed to "automatically click ads, install apps, and perform other actions to fraudulently generate revenue," while users, who install it, "may earn points that are supposed to be redeemable as a retail gift card."

According to McAfee, at least twenty-five malicious apps were used to distribute Xamalicious at the end of last year. The team emphasized that "Some variants have been distributed on Google Play since mid-2020."

Although the malicious apps carrying Xamalicious reported by McAfee were proactively removed by Google, there remains a threat that some newly released applications may still contain this malware.


Other mobile threats not related to cryptocurrency

All the common threats discussed above that pose severe risks to mobile users have the potential to steal cryptocurrency from victims in various ways or hijack compromised devices for cryptocurrency mining.

However, some of the types of threats mentioned by Kaspersky in its 2023 report include malware that is less likely to be used for the theft of digital assets or cryptojacking.

One such threat is trojan SMS malware, which appears to be gradually losing its popularity despite its long history as a tool to exploit mobile phone users. These trojans primarily have two major functions: intercepting incoming messages with the potential to compromise sensitive information and secretly sending messages that incur charges.

Security best practices for mobile users

Some of the mobile security best practices have already been discussed in this article. Let's recap those protective measures and delve into additional ones that have not been mentioned yet.

Beware of phishing attempts

Phishing is one of the most persistent threats in the cryptocurrency community. It is highly recommended to avoid interacting with any suspicious media, including messages sent through social platforms, emails, or SMS, as they can distribute malware aimed at gaining access to your digital funds or redirect you to a fraudulent page designed to persuade you to share your cryptocurrency wallet credentials.

Use the maximum authentication and verification capabilities of your device

Leverage your device's security features for maximum protection. Enable a password, pattern lock, or a strong PIN, and prioritize biometric authentication, such as face recognition or fingerprint scanning, whenever possible.

Update your device regularly

If the manufacturer of your device still provides active support for the model you use, you are likely to receive regular updates. It is highly recommended to install them, as they may contain security patches that can enhance the security of your phone or tablet by addressing known vulnerabilities.

Avoid using public Wi-Fi

Connections offered by public Wi-Fi networks can be insecure and carry potential threats. To be on the safe side, it is better to avoid using such networks altogether. However, in situations where this cannot be avoided, it is recommended to refrain from conducting transactions involving sensitive data while using public Wi-Fi.

If you must use public Wi-Fi, especially for interactions requiring your sensitive information, make sure to use a virtual private network (VPN) to encrypt your internet traffic. Ensure that the VPN you are using is functional and reliable, as some applications may only work with paid subscriptions. Additionally, be aware that VPN tools themselves can be abused by cybercriminals and may contain malware.

Regularly back up your data

Backing up the data stored on your device can be particularly useful in two threat scenarios.

The first scenario is a ransomware infection, which can encrypt your data and block access to it unless you pay a ransom for its decryption.

The second scenario involves your device being infected with other types of malware that are difficult to remove. As mentioned earlier, in many cases, you can get rid of unwanted and harmful software by performing a factory reset on your device, which will erase all data. Regularly backing up your data is a good risk mitigation practice that will help you recover any necessary information after a factory reset.

Choose the source of file downloads carefully

As mentioned throughout this article, malware is often spread through compromised or fake applications distributed via third-party platforms rather than official mobile app stores.

However, while Google Play is less likely to distribute malicious files, there is still a chance it could happen. Malicious apps may impersonate legitimate ones, making it more difficult to identify them. If you are downloading a popular app, consider navigating directly to its official website to download it from there. However, stay vigilant, as scammers also create fake websites.

If a tool is not available through Google Play or has not been downloaded by a significant number of users, it may be safer to avoid installing it if possible.

Remember the importance of checking app reviews and ratings, even for popular apps downloaded from Google Play. Additionally, always read reviews for business applications released by reputable companies for their customers, as they may still contain malicious payloads or exploit security vulnerabilities in the Android system.

Always review app permissions

During the installation of new applications, carefully review the permissions they request and select the minimum necessary configuration. While some permissions may seem logical based on the functionality of the installed app, particularly suspicious requests should be considered red flags. For instance, it is suspicious for a calculator app to request access to your contacts.

It is also recommended to regularly review the permissions you have granted to your applications and disable any unnecessary ones.
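As an added example (not code from the original article or from any of the vendors it cites), the following POSIX shell script applies three of the manual checks above to text captured from an Android device over ADB: third-party apps not installed by Google Play, sensitive permissions granted to an app, and accessibility services that are currently enabled. The output formats of `pm list packages -3 -i`, `dumpsys package` and `settings get secure enabled_accessibility_services` are assumed to match the constructed samples, and `com.android.vending` is assumed to be the installer name reported for the Google Play Store; all sample data is constructed.

```shell
#!/bin/sh
# Added example, not code from the original article or from any vendor it cites.
# Applies three of the manual checks from the article to text captured from an
# Android device over ADB. Assumptions: the constructed samples below match
# the output formats of
#   adb shell pm list packages -3 -i
#   adb shell dumpsys package <name>
#   adb shell settings get secure enabled_accessibility_services
# and "com.android.vending" is the installer name used by the Google Play Store.
set -f   # no pathname expansion while word-splitting device output below

# Installers treated as official. Anything else (a browser download handed to
# the package installer, or "null" for ADB installs) is reported as sideloaded.
OFFICIAL_INSTALLERS="com.android.vending"

# Permissions worth questioning on a device that holds a crypto wallet.
SENSITIVE_PERMS="android.permission.REQUEST_INSTALL_PACKAGES
android.permission.READ_SMS
android.permission.RECEIVE_SMS
android.permission.READ_CONTACTS
android.permission.SYSTEM_ALERT_WINDOW"

# Read "package:<name>  installer=<pkg>" lines on stdin and print
# "<name><TAB><installer>" for every package not installed by an official source.
sideloaded_packages() {
    while IFS= read -r line; do
        case "$line" in package:*) ;; *) continue ;; esac
        set -- $line
        pkg=${1#package:}
        inst=${2#installer=}
        if [ -z "$inst" ]; then inst=unknown; fi
        official=0
        for o in $OFFICIAL_INSTALLERS; do
            if [ "$inst" = "$o" ]; then official=1; fi
        done
        if [ "$official" -eq 0 ]; then
            printf '%s\t%s\n' "$pkg" "$inst"
        fi
    done
}

# Read "dumpsys package" output on stdin and print each sensitive permission
# that is currently granted (lines of the form "<permission>: granted=true...").
granted_sensitive_perms() {
    while IFS= read -r line; do
        case "$line" in *": granted=true"*) ;; *) continue ;; esac
        set -- $line
        perm=${1%:}
        for s in $SENSITIVE_PERMS; do
            if [ "$perm" = "$s" ]; then printf '%s\n' "$perm"; fi
        done
    done
}

# Split the colon-separated accessibility service list into one
# "<package>/<service>" entry per line; an empty or "null" list prints nothing.
enabled_accessibility_services() {
    if [ -z "$1" ] || [ "$1" = null ]; then
        return 0
    fi
    printf '%s\n' "$1" | tr ':' '\n'
}

# Constructed sample data standing in for real device output.
SAMPLE_PACKAGES='package:com.example.wallet  installer=com.android.vending
package:com.example.freevpn  installer=null
package:com.example.calc  installer=com.google.android.packageinstaller'

SAMPLE_DUMPSYS='  install permissions:
      android.permission.INTERNET: granted=true
      android.permission.REQUEST_INSTALL_PACKAGES: granted=true
  runtime permissions:
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
      android.permission.READ_SMS: granted=false, flags=[ USER_SET ]'

SAMPLE_A11Y='com.example.freevpn/com.example.freevpn.HelperService:com.android.talkback/.TalkBackService'

audit_report() {
    echo "Third-party apps not installed by Google Play (package, installer):"
    printf '%s\n' "$SAMPLE_PACKAGES" | sideloaded_packages
    echo "Sensitive permissions granted to the inspected app:"
    printf '%s\n' "$SAMPLE_DUMPSYS" | granted_sensitive_perms
    echo "Enabled accessibility services:"
    enabled_accessibility_services "$SAMPLE_A11Y"
}

# On a real device, pipe the live commands instead, for example:
#   adb shell pm list packages -3 -i | sideloaded_packages
audit_report
```

Any sideloaded entry, any granted permission from the sensitive list, or an accessibility service belonging to an app you do not recognise is a candidate for removal through "Apps" or "Application Manager" as described above.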

Do not forget to review your browser settings as well. Accepting cookies from every site and granting every request to send notifications can quickly flood the screen of your mobile device or PC with windows and pop-ups that you may not be able to close.

Bottom line

The ever-evolving landscape of mobile threats poses significant risks to Android users, especially those who use their smartphones and tablets for cryptocurrency transactions.

Kaspersky's 2023 mobile threat report highlights the dominance of malware, adware, and RiskTools, with trojan technologies accounting for a significant portion of mobile malware threats. These trojans, including banking trojans and spyware, continue to target cryptocurrency users by exploiting vulnerabilities in popular wallet applications and through deceptive distribution methods. Meanwhile, adware has the potential to be incorporated into sophisticated scamming tactics aimed at draining cryptocurrency wallets.

While mobile security best practices cannot completely eliminate mobile threats for cryptocurrency users, they are likely to significantly minimize risks. Regular antivirus scans can catch viruses and other malicious applications that have already been transferred to your device, whereas a constantly enabled antimalware program can immediately disrupt the process of transferring and installing malicious files.