Kaspersky SAS 2025 – Tatyana Shishkova highlights emerging Android malware and stalkerware threats
As Lead Malware Analyst at Kaspersky GReAT, Tatyana Shishkova specialises in reverse engineering Windows and Android malware, threat intelligence and network intrusion detection.

At the Kaspersky Security Analyst Summit 2025 in Phuket, Thailand, we caught up with Tatyana for her insights on emerging Android malware trends and the growing threat of stalkerware.
[Hitech Century] Many Malaysians with Android devices still download apps directly from websites or third-party stores especially for access to modded or region-locked content. What should everyday users look out for before installing apps outside of the official Google Play Store? What red flags or security checks should we keep in mind?
[Tatyana Shishkova] It’s important to note that malware is found not only in third-party stores but also in legitimate stores, including the Google Play Store and the Apple App Store. In every online app store, users should thoroughly check information about the developer and their reputation, the reputation of their app and its reviews before even downloading it.
You must also be aware that an application that looks legitimate may not necessarily be safe. For example, a banking app downloaded from a third-party store could be loaded with malware. Instead, users should check the official website of the app or company to see if there is an official, legitimate link to download the app. If the app is not available on the Google Play Store or Apple App Store, that raises a red flag.
Another potential red flag is if you receive a link to some third-party market from an unknown sender via social messaging apps. I advise not to follow these links even if you receive one from a known contact; you still need to check that this is a person you know and not someone faking their identity, and that this known contact’s social media account has not been compromised. Cybercriminals often hijack social media accounts to send malicious links to their contacts.
Ultimately, I advise not to install anything from any link you get on social media. You also still need to be wary of apps that start asking for too many permissions, such as access to your phone contacts, your camera, your location and more. Always consider whether the app needs these permissions.
Some permissions should be given intensive scrutiny, such as access to your contact list. Another suspicious permission an app shouldn’t request is ‘accessibility services’, which allows the app to gain access to the contents of the display. Accessibility services are originally intended for users with visual or physical disabilities who need assistance to see or use the display, hence the name. When used together with ‘device administrator permission’, malware can gain full access to a device and grant itself other permissions on its own.
If you download an application from an untrusted source, you definitely should not provide these permissions.
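The permission red flags above can be checked statically before an app is installed. The script below is an added example written for this article (not Kaspersky tooling or anything from the interview): it parses an AndroidManifest.xml, lists the requested runtime (“dangerous”) permissions, and flags a service bound with BIND_ACCESSIBILITY_SERVICE together with a receiver bound with BIND_DEVICE_ADMIN, the combination Tatyana describes as giving malware full control. The manifest and package name are constructed for illustration; in practice you would feed the manifest decoded from an APK with apktool or a similar tool.

```python
"""Static permission triage of an Android manifest (added example, constructed input)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ATTR_NAME = f"{{{ANDROID_NS}}}name"
ATTR_PERMISSION = f"{{{ANDROID_NS}}}permission"

# Runtime permissions that expose personal data; a subset chosen for illustration.
DANGEROUS = {
    "android.permission.READ_CONTACTS", "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS", "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO", "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_BACKGROUND_LOCATION", "android.permission.READ_CALL_LOG",
    "android.permission.READ_PHONE_STATE",
}
# A component bound with one of these is an accessibility service / device admin hook.
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"

# Constructed manifest of a hypothetical fake banking app (not a real sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application>
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
    <receiver android:name=".Admin" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""


def check_manifest(xml_text: str) -> dict:
    """Return the permission findings a reviewer would want before installing."""
    root = ET.fromstring(xml_text)
    requested = {el.get(ATTR_NAME) for el in root.iter("uses-permission")}
    # Components that protect themselves with a bind permission reveal what
    # privileged role the app intends to take on the device.
    bound = {el.get(ATTR_PERMISSION) for el in root.iter() if el.tag in ("service", "receiver")}
    findings = {
        "package": root.get("package"),
        "dangerous": sorted(requested & DANGEROUS),
        "accessibility_service": ACCESSIBILITY in bound,
        "device_admin": DEVICE_ADMIN in bound,
    }
    # Accessibility + device admin together lets malware grant itself further permissions.
    findings["full_control_combo"] = findings["accessibility_service"] and findings["device_admin"]
    return findings


def verdict(findings: dict) -> str:
    """Coarse risk label; thresholds are this example's own choice, not a standard."""
    if findings["full_control_combo"]:
        return "high"
    if findings["accessibility_service"] or findings["device_admin"] or len(findings["dangerous"]) >= 3:
        return "medium"
    return "low"


if __name__ == "__main__":
    f = check_manifest(SAMPLE_MANIFEST)
    print(f["package"], verdict(f), f)
```

On a device that is already set up, the same two conditions can be checked live with `adb shell settings get secure enabled_accessibility_services` (services a user has switched on) and `adb shell dpm list-owners` (active device or profile owners); anything listed there that is not a well-known accessibility tool or your organisation’s MDM deserves a closer look.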
[Hitech Century] There have been cases where fraudulent apps that mimic popular, legitimate apps have managed to slip onto the Google Play store. What red flags should everyday users watch out for before hitting the install button even in app stores?
[Tatyana Shishkova] You must check a developer’s reputation on the app store, the date when the company was founded and the app was created. If both the app and developer are too new without a solid track record, it’s a red flag. If the reviews are poor, mostly negative or other users complain about issues, that’s another red flag.
However, this isn’t definitive as there were instances when malware remained on the Google Play store for several years. Usually apps like this have a relatively low number of downloads – usually several thousand – rarely more than 100,000 installs.
Even if there are hundreds of reviews, they could be written by bots, a common tactic by malicious actors. The telltale sign that reviews are written by bots is that they all sound repetitive, monosyllabic and provide no specific feedback about the app.
A positive indicator that an application is authentic is a developer who has been active for several years, with applications that have millions of installs and unique, detailed user reviews that contain no reports of scams.
[Hitech Century] Is stalkerware a big issue in Malaysia or Southeast Asia? How do people unknowingly end up with it on their phones? Are there any indicators that stalkerware is hidden on a device?
[Tatyana Shishkova] Signs that stalkerware is present include people knowing information they logically shouldn’t have access to, or someone who seems to constantly know your location. These are the signs that there could be stalkerware installed on your device.
Another indicator is that your battery is draining faster than usual or if your phone is always hot because some processes are running constantly in the background. Another sign that stalkerware is around is that the phone camera can suddenly turn on or off without user interaction and that the device can swap between WiFi and data on its own. All these behaviours point to the existence of stalkerware on your device.
The most efficient way to check for it is to install a security application that will scan all of your installed apps and check if they are stalkerware. In our Kaspersky Mobile solution we have the means to detect and deal with stalkerware.
Sometimes, stalkers use parental control apps, which were originally developed as a legitimate means to help parents keep track of their children but these can be abused and installed on someone else’s phone without their knowledge.
Stalkerware requires the attacker to gain physical access to your device to install the application. Do not leave your phone unattended especially if you didn’t lock it. Always lock your phone and ensure that no one else has access to the devices. Statistics show that most stalkers are close to the victim so be cautious of who can access your phone.
[Hitech Century] You spend a lot of time researching Android malware, what are the sneakiest tricks used by attackers to spy on users and to steal valuable data?
[Tatyana Shishkova] One interesting example was discovered by my colleague earlier this year. We discovered the SparkCat app in both the Android and iOS official app stores; it masquerades as a legitimate app but is intended to steal crypto wallet data, and it can be repurposed to steal other valuable information.
To find crypto-wallet data, the SparkCat malware has a built-in optical character recognition module that attempts to upload all photos containing valuable text, like cryptocurrency pass phrases, to an attacker’s servers. The malware was also extremely selective of its targets and had minimal malicious activity, especially for users who were not targets, to minimise the risk of negative user reviews; the app itself has a number of checks to determine if a victim is of interest and worth the risk.
In some cases, it’s not so much a trick as amusing easter eggs hidden inside the malware by its creators. More often, they simply add junk strings to make the file bigger and to hinder detection. In one case, one of these junk strings was a poem about pool parties, which was amusing, and when we tried to find its origin it led nowhere and was likely an original piece of work by an AI or the cybercriminal. Another interesting example was a message hidden in the code of the malware sample that was addressed to our cybersecurity researcher and simply said, ‘stop reversing the binary’.
We also discovered a new version of trojan spyware called Mandrake on the Google Play Store that had a complicated chain with a final payload that was only sent to devices that were of interest to the attackers.
To minimise detection and the potential removal of their apps from current app stores, the main Mandrake application had several checks. Firstly, there was a check on how long the device had been running since the last reboot, to detect whether it was operating on a real device and not in an emulated environment. It also checked the country of the user, the mobile operator and then the list of apps installed on the phone. If the credentials and device looked legitimate, the final payload would then be loaded onto the device.
We have yet to determine if Mandrake is from an APT or was a targeted attack. From what we can determine, it was designed to steal financial data from users from a specific list of countries from certain mobile operators who were selected as targets.
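The device-profiling gates Tatyana describes for Mandrake (uptime since the last reboot, country and operator, installed apps) all go through a handful of Android framework calls, so a reverser can locate them quickly in decompiled code. The script below is an added example written for this article, not Kaspersky’s analysis tooling and not derived from the Mandrake sample: it scans smali output for those calls and reports which gate categories appear. The mapping of categories to framework methods is this example’s own assumption about how such checks are usually implemented, and the smali fragment is constructed for illustration.

```python
"""Locate environment-profiling API calls in smali (added example, constructed input)."""
import re
from collections import defaultdict

# Assumed mapping: gate category -> framework method references that implement it.
INDICATORS = {
    "uptime_since_boot": {
        "Landroid/os/SystemClock;->elapsedRealtime()J",
        "Landroid/os/SystemClock;->uptimeMillis()J",
    },
    "country_operator": {
        "Landroid/telephony/TelephonyManager;->getSimCountryIso()Ljava/lang/String;",
        "Landroid/telephony/TelephonyManager;->getNetworkCountryIso()Ljava/lang/String;",
        "Landroid/telephony/TelephonyManager;->getSimOperator()Ljava/lang/String;",
        "Landroid/telephony/TelephonyManager;->getNetworkOperator()Ljava/lang/String;",
    },
    "installed_apps": {
        "Landroid/content/pm/PackageManager;->getInstalledPackages(I)Ljava/util/List;",
        "Landroid/content/pm/PackageManager;->getInstalledApplications(I)Ljava/util/List;",
    },
    "emulator_props": {
        "Landroid/os/Build;->FINGERPRINT:Ljava/lang/String;",
        "Landroid/os/SystemProperties;->get(Ljava/lang/String;)Ljava/lang/String;",
    },
}

# Constructed smali fragment of a hypothetical dropper's "is this victim worth it" method.
# 0x36ee80 ms is one hour: uptime below that is treated as a fresh sandbox.
SMALI_SAMPLE = """\
.method private a()Z
    invoke-static {}, Landroid/os/SystemClock;->elapsedRealtime()J
    move-result-wide v0
    const-wide/32 v2, 0x36ee80
    cmp-long v4, v0, v2
    invoke-virtual {p1}, Landroid/telephony/TelephonyManager;->getSimCountryIso()Ljava/lang/String;
    invoke-virtual {p1}, Landroid/telephony/TelephonyManager;->getSimOperator()Ljava/lang/String;
    invoke-virtual {p2, v5}, Landroid/content/pm/PackageManager;->getInstalledPackages(I)Ljava/util/List;
.end method
"""

# Matches a smali method reference Lpkg/Class;->name(args)ret or a field reference Lpkg/Class;->name:type
REF_RE = re.compile(r"L[\w/$]+;->[\w<>$]+(?:\([^)]*\)[\w/;\[]+|:[\w/;\[]+)")


def scan(smali: str) -> dict:
    """Return {category: [(line_number, reference), ...]} for every indicator hit."""
    hits = defaultdict(list)
    for lineno, line in enumerate(smali.splitlines(), 1):
        for ref in REF_RE.findall(line):
            for category, refs in INDICATORS.items():
                if ref in refs:
                    hits[category].append((lineno, ref))
    return dict(hits)


def looks_like_payload_gate(hits: dict) -> bool:
    """Heuristic (this example's own threshold): two or more distinct profiling
    categories in one class is worth flagging for manual review."""
    return len(hits) >= 2


if __name__ == "__main__":
    found = scan(SMALI_SAMPLE)
    for category, refs in sorted(found.items()):
        print(category, [lineno for lineno, _ in refs])
    print("review:", looks_like_payload_gate(found))
```

Run over the output of apktool or baksmali, grouped per class, this points you at the method whose return value decides whether the second-stage payload is requested, which is exactly where a dynamic analysis environment needs to be patched (or the method hooked) before the real payload will ever show up.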
[Hitech Century] What are the best steps that Android users can take right now to protect themselves?
[Tatyana Shishkova] Install a trusted mobile security solution, do not click on links from unknown contacts, and if you receive one from a known contact, make sure that their account was not hacked and the contact is who they say they are. You must also check the permissions you give to apps that you have installed and scrutinise whether they are asking for more permissions than necessary. Ultimately, a bit of caution and cybersecurity awareness goes a long way. [End]

Tatyana Shishkova, Lead Malware Analyst at Kaspersky GReAT
You can also check out our other features at Kaspersky SAS 2025 about Dante spyware here, the BlueNoroff APT group here and critical cybersecurity flaws in connected vehicles here. You can also check out our prior interview with Sergey Lozhkin, Head of the Kaspersky Global Research and Analysis Team (GReAT) East at Kaspersky SAS 2025 here.
