The types of malware that most frequently attack Android phones in Latin America

  • Android devices in Latin America account for a high proportion of mobile malware detections, especially in Mexico and Brazil.
  • Old exploits like CVE-2012-6636 and the Lotoor family remain active thanks to outdated mobile phones and apps.
  • The Pandora Trojan, derived from Mirai, turns Android devices and TV Boxes into part of botnets to launch DDoS attacks.
  • The combination of insecure distribution channels and low update rates keeps the malware ecosystem alive in the region.


The Android malware ecosystem in Latin America is going through a particularly delicate moment. In 2025, the combination of outdated mobile devices, legacy applications and unreliable distribution channels has produced an environment in which old exploits and adapted Trojans still have plenty of room to operate.

In a region where the mobile phone is the main device for connecting to the Internet, recent handsets coexist with older models that stopped receiving security patches long ago. That mix, together with the ease of installing APKs from outside the official stores and SMS or messaging campaigns carrying malicious links, has placed Latin America among the regions with the highest levels of Android malware activity, with a particular impact on countries such as Mexico and Brazil.

An ideal environment for malware on Android in Latin America

Security analysts agree that the region shows high fragmentation of Android versions, with devices ranging from brand-new models to phones stuck on releases from years ago. This diversity, combined with the lack of updates from many brands and on low-end models, offers a very wide attack surface to malicious code that exploits old vulnerabilities.

According to recent research, the problem is not limited to the operating system: many applications still ship legacy components, especially misconfigured WebViews or libraries that have not been updated in a long time. In practice this means that even on a relatively modern phone, an outdated app can open the door to attacks that were thought to be a thing of the past.

Added to this is the weight of alternative distribution channels, which remain common in Latin America: SMS campaigns, instant messaging and social media posts that hand out direct links to download APKs. Apps promising "premium" features, free content or access to unofficial streaming services are also widespread, often without even a minimum of reviews or signs of legitimate activity in the stores where they are published. Large campaigns such as BadBox 2.0 have exploited these channels.

This scenario favors both the recirculation of known malware families and the constant appearance of new or unsophisticated variants that nevertheless reach a large number of users. Thus 2025 has consolidated a clear pattern: the malware that hurts Android phones most in the region is not always the most innovative, but the one that best exploits the ecosystem's structural weaknesses. In some cases these are campaigns similar to ToxicPanda, which combine phishing techniques with mass distribution.

Meanwhile, global cybersecurity reports point to a sustained increase in the number of malicious files detected daily, with growth in categories such as backdoors, password stealers and spyware. Latin America is among the regions with the most pronounced growth, reinforcing the picture of an environment increasingly exposed to cybercrime. Along these lines, information-stealing threats such as SpyLend stand out among the detections.

Exploit CVE-2012-6636: an old vulnerability that refuses to disappear

Among the malicious code that most affected Android in Latin America during 2025, Trojan.Android/Exploit.CVE-2012-6636 stands out. It exploits a vulnerability known for years: the insecure use of WebView's JavaScript bridge in applications that target Android versions prior to 4.2 (API level 17).

The flaw appears when an app exposes a Java object to a WebView through addJavascriptInterface with JavaScript enabled. Web content loaded in that component can then use Java reflection on the exposed object to reach arbitrary classes, including Runtime, and execute commands with the app's own permissions. In other words, a malicious or tampered web page displayed inside the app can perform actions it should never be able to. The attacker still needs to get their page into the WebView, which is why apps that load content over cleartext HTTP, or through third-party ad components, are the usual targets.

What is most striking is that this exploit remains relevant not so much because of older devices, but because of apps that are never updated. An app whose targetSdkVersion is below 17 keeps the unsafe behavior even on a recent smartphone, since the platform only restricts the bridge to methods annotated with @JavascriptInterface for apps that target 4.2 or later. This explains why CVE-2012-6636 keeps appearing in current campaigns, especially when it is distributed in APKs that circulate outside official channels.

Furthermore, the existence of public exploits and ready-to-use modules in attack frameworks such as Metasploit makes this vector very accessible to attackers with limited technical resources. Reports from previous years already placed this exploit among the most frequently used against Android, and 2025 data confirms that its impact in Latin America remains considerable.
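The practical question for anyone auditing an app is whether it is in the exposed group: does it call addJavascriptInterface, does it enable JavaScript, and what targetSdkVersion will the platform apply? The following Python triage is an added example written for this article, not code from any of the vendors or malware families it mentions. It takes the decoded AndroidManifest.xml and a list of method descriptors referenced by the app's dex (the kind of output apktool or a smali dump produces); both inputs here are constructed, and the package and class names in them are invented.

```python
"""Static triage for CVE-2012-6636 exposure (WebView addJavascriptInterface RCE).

The manifest rule comes from the Android <uses-sdk> documentation: when
targetSdkVersion is absent it defaults to minSdkVersion, and when <uses-sdk>
is missing entirely both default to 1. From API 17 onwards the runtime only
exposes @JavascriptInterface-annotated methods to web content, which blocks
the getClass()/Runtime reflection chain the public exploits rely on.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SAFE_TARGET_SDK = 17  # Android 4.2
ADD_JS_INTERFACE = "Landroid/webkit/WebView;->addJavascriptInterface"
JS_ENABLED = "Landroid/webkit/WebSettings;->setJavaScriptEnabled"


def effective_target_sdk(manifest_xml: str) -> int:
    """Return the targetSdkVersion the platform will actually apply."""
    root = ET.fromstring(manifest_xml)
    uses_sdk = root.find("uses-sdk")
    if uses_sdk is None:
        return 1
    target = uses_sdk.get(f"{{{ANDROID_NS}}}targetSdkVersion")
    minimum = uses_sdk.get(f"{{{ANDROID_NS}}}minSdkVersion", "1")
    return int(target if target is not None else minimum)


def triage(manifest_xml: str, dex_methods: list[str]) -> dict:
    """Classify an app as not_exposed / review / vulnerable with a reason."""
    target = effective_target_sdk(manifest_xml)
    uses_bridge = any(m.startswith(ADD_JS_INTERFACE) for m in dex_methods)
    enables_js = any(m.startswith(JS_ENABLED) for m in dex_methods)

    if not uses_bridge:
        verdict, reason = "not_exposed", "no addJavascriptInterface call: nothing reachable from web content"
    elif not enables_js:
        # JavaScript is off by default; without setJavaScriptEnabled(true) the
        # bridge is inert, but obfuscated apps can hide the call, so only downgrade.
        verdict, reason = "review", "bridge present but no setJavaScriptEnabled seen"
    elif target < SAFE_TARGET_SDK:
        verdict, reason = "vulnerable", (
            f"targetSdkVersion {target} < 17: every public method of the injected "
            "object, including getClass(), is callable from JavaScript on any device")
    else:
        verdict, reason = "review", (
            f"targetSdkVersion {target} >= 17 blocks reflection on Android 4.2+, but "
            "devices below 4.2 and any @JavascriptInterface method remain exposed")
    return {"target_sdk": target, "uses_bridge": uses_bridge,
            "javascript_enabled": enables_js, "verdict": verdict, "reason": reason}


# Constructed sample: a 2012-era "free player" manifest with no targetSdkVersion.
LEGACY_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.legacyplayer">
    <uses-sdk android:minSdkVersion="8" />
    <uses-permission android:name="android.permission.INTERNET" />
    <application android:label="Player"><activity android:name=".MainActivity" /></application>
</manifest>"""

# Constructed sample: method descriptors as a smali/dex dump would list them.
LEGACY_METHODS = [
    "Landroid/webkit/WebView;->getSettings()Landroid/webkit/WebSettings;",
    "Landroid/webkit/WebSettings;->setJavaScriptEnabled(Z)V",
    "Landroid/webkit/WebView;->addJavascriptInterface(Ljava/lang/Object;Ljava/lang/String;)V",
    "Landroid/webkit/WebView;->loadUrl(Ljava/lang/String;)V",
]

# Same app rebuilt with a modern target: the reflection path is closed on 4.2+.
MODERN_MANIFEST = LEGACY_MANIFEST.replace(
    'android:minSdkVersion="8"', 'android:minSdkVersion="24" android:targetSdkVersion="34"')

if __name__ == "__main__":
    for name, manifest in (("legacy", LEGACY_MANIFEST), ("modern", MODERN_MANIFEST)):
        print(name, triage(manifest, LEGACY_METHODS))
```

The "review" verdict for modern targets is deliberate: raising targetSdkVersion closes the reflection trick, but any method the developer marks with @JavascriptInterface is still callable by whatever page the WebView loads, so those methods need a manual look.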

In Europe, device and application update levels are generally higher, which reduces the prevalence of such old vulnerabilities. However, poorly maintained apps or unaudited in-house developments can reproduce the same pattern, so the lesson for users and organizations in Europe is clear: ignoring software updates keeps alive bugs that should have been fixed long ago.

Lotoor: the family of exploits that seeks total control of the device

Another threat that has hit the region hard is Trojan.Android/Exploit.Lotoor, a set of privilege escalation exploits designed to gain root access on Android devices. The name covers techniques that abuse various operating system vulnerabilities, mostly identified between 2010 and 2013.

These exploits target bugs in drivers, system services and memory management which, when properly chained, allow code to run with permissions far beyond those of a normal application. Although many of these bugs have been patched in later Android versions, the installed base of older devices and the lack of patches from some manufacturers keep them exploitable.

In practice, Lotoor still turns up embedded in malicious tools and rooting packages that are distributed as legitimate utilities but conceal additional functions. Once they gain root, these components can uninstall security solutions, alter internal settings, install more malware or even enroll the device in larger attack networks.

Research teams have been recording Lotoor in prominent positions in mobile threat statistics for years, and 2025 was no exception. Its persistence is explained by three factors: a large base of vulnerable devices, exploit code widely shared in forums and repositories, and constant demand for rooting tools from users who want to fully customize their devices.

For Europe and Spain, where devices are replaced more often and many brands offer longer support, the impact of these exploits is relatively smaller, but not nonexistent. Installing modified firmware, unofficial ROMs or rooting tools downloaded from unverified sources can reintroduce threats that, on paper, official system updates had already mitigated.
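Whether a given handset or TV box still sits in the exposure window for Lotoor-era kernel bugs, or for the WebView flaw above, can be read off the device's system properties. The following Python check is an added example for this article, not a tool from any vendor named here: it parses `adb shell getprop` output and flags an API level below 17, a missing or stale security patch level, test-keys signing and debug-type builds. The three property dumps are constructed; the property names themselves (ro.build.version.sdk, ro.build.version.security_patch, ro.build.tags, ro.build.type, ro.secure, ro.debuggable) are standard Android system properties.

```python
"""Patch-posture check over `adb shell getprop` output.

Feed it the raw text from one device (or a fleet export of the same format)
and get back a list of findings. An empty list means nothing notable.
"""
import re
from datetime import date

PROP_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<val>[^\]]*)\]$")
STALE_AFTER_DAYS = 180  # two missed quarterly patch cycles


def parse_getprop(text: str) -> dict:
    """Turn getprop's '[key]: [value]' lines into a dict; malformed lines are skipped."""
    props = {}
    for line in text.splitlines():
        m = PROP_LINE.match(line.strip())
        if m:
            props[m["key"]] = m["val"]
    return props


def assess(props: dict, today: date) -> list[str]:
    findings = []
    sdk = int(props.get("ro.build.version.sdk", "0") or "0")
    if sdk and sdk < 17:
        findings.append(f"API level {sdk} is below 17 (Android 4.2): WebView exposes Java reflection "
                        "to web content for every app, whatever its targetSdkVersion")

    patch = props.get("ro.build.version.security_patch")
    if not patch:
        # Property was introduced with Android 6.0; its absence alone dates the build.
        findings.append("no ro.build.version.security_patch: build predates Android 6.0 "
                        "or the OEM dropped the property")
    else:
        try:
            y, m, d = (int(x) for x in patch.split("-"))
            age = (today - date(y, m, d)).days
            if age > STALE_AFTER_DAYS:
                findings.append(f"security patch level {patch} is {age} days old")
        except ValueError:
            findings.append(f"unparseable security patch level {patch!r}")

    if "test-keys" in props.get("ro.build.tags", ""):
        findings.append("build signed with test-keys: custom ROM or vendor image signed with public AOSP keys")
    build_type = props.get("ro.build.type", "user")
    if build_type != "user":
        findings.append(f"ro.build.type={build_type}: engineering/debug build, not a production image")
    if props.get("ro.secure") == "0" or props.get("ro.debuggable") == "1":
        findings.append("ro.secure=0 or ro.debuggable=1: adb can run as root with no exploit at all")
    return findings


# Constructed: a 2012-era handset still in daily use.
OLD_PHONE = """[ro.build.version.release]: [4.1.2]
[ro.build.version.sdk]: [16]
[ro.build.tags]: [release-keys]
[ro.build.type]: [user]
[ro.secure]: [1]
[ro.debuggable]: [0]"""

# Constructed: a low-cost TV box shipped on a generic AOSP image.
TV_BOX = """[ro.build.version.release]: [9]
[ro.build.version.sdk]: [28]
[ro.build.version.security_patch]: [2019-04-05]
[ro.build.tags]: [test-keys]
[ro.build.type]: [userdebug]
[ro.secure]: [0]
[ro.debuggable]: [1]"""

# Constructed: a current, properly maintained phone.
CURRENT_PHONE = """[ro.build.version.release]: [15]
[ro.build.version.sdk]: [35]
[ro.build.version.security_patch]: [2025-10-05]
[ro.build.tags]: [release-keys]
[ro.build.type]: [user]
[ro.secure]: [1]
[ro.debuggable]: [0]"""

if __name__ == "__main__":
    for label, dump in (("old phone", OLD_PHONE), ("tv box", TV_BOX), ("current", CURRENT_PHONE)):
        print(label, assess(parse_getprop(dump), date.today()))
```

On a real device the input is simply `adb shell getprop > device.txt`; for a fleet the same function runs over whatever property export the MDM provides, as long as it is reshaped into the same key/value form.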

Pandora: the malware that turns Android into part of a botnet

The third major malware family that stood out in Latin America during 2025 is Trojan.Android/Pandora, malicious code associated with a Mirai variant adapted to the Android ecosystem. It has been detected especially on Android TV boxes and streaming sticks used to access streaming content, often outside official channels.

The usual infection method is applications that present themselves as functional streaming platforms: they look legitimate but contain a hidden component designed to enroll the device in a botnet. In some cases researchers have even found modified firmware that was already infected when it left the factory, significantly increasing the reach of this threat.

Once installed, Pandora establishes communication with a command and control server (C&C), from which it receives orders to execute various actions. Its main focus is on carrying out distributed denial-of-service (DDoS) attacks, using the processing power and connectivity of thousands of compromised devices.

This type of campaign is especially worrying because it affects devices that often go unnoticed by the user: TV boxes, sticks and other connected devices that are left on all the time, rarely updated and in many cases without any security solution installed. All of this makes them ideal candidates for recruitment into botnets.
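Because nothing runs on the TV box itself to raise an alarm, the place to notice a recruited device is the home or office router, where the flood traffic has to pass. The following Python heuristic is an added example for this article, not a Pandora signature or any vendor's detection: it works over per-flow records of the kind a router's conntrack or NetFlow export produces and flags sources that send many tiny packets at a high rate, either sprayed across many targets or aimed at one. The flow records and addresses are constructed, and the thresholds are starting points to tune for a given network, not published indicators.

```python
"""Flag LAN devices that behave like volumetric DDoS bots from per-flow records.

Each flow is (epoch_seconds, src_ip, dst_ip, dst_port, packets, bytes).
The heuristic is generic to SYN/UDP floods: within a fixed time bucket a
source is flagged when it emits a high packet rate of very small packets,
spread over many (dst, port) targets or concentrated on a single one.
"""
from collections import defaultdict


def flood_sources(flows, window=60, min_targets=100, min_pps=100, max_avg_bytes=120):
    """Return {src_ip: reason} for sources that look like they are flooding."""
    buckets = defaultdict(lambda: {"targets": defaultdict(int), "packets": 0, "bytes": 0})
    for ts, src, dst, dport, packets, nbytes in flows:
        b = buckets[(src, ts // window)]
        b["targets"][(dst, dport)] += packets
        b["packets"] += packets
        b["bytes"] += nbytes

    flagged = {}
    for (src, _), b in buckets.items():
        if src in flagged or b["packets"] == 0:
            continue
        pps = b["packets"] / window
        avg = b["bytes"] / b["packets"]
        if pps < min_pps or avg > max_avg_bytes:
            continue  # bulk downloads and video are high-rate but full-size packets
        hottest = max(b["targets"].values()) / window
        if len(b["targets"]) >= min_targets:
            flagged[src] = f"{len(b['targets'])} targets at {pps:.0f} pps, avg {avg:.0f} B/pkt (spray)"
        elif hottest >= min_pps:
            flagged[src] = f"single target at {hottest:.0f} pps, avg {avg:.0f} B/pkt (flood)"
    return flagged


BASE_TS = 1_700_000_040  # multiple of 60 so the sample sits in one bucket


def constructed_flows():
    """Constructed traffic: one laptop streaming video, one TV box spraying SYNs."""
    flows = []
    # Laptop: a few HTTPS sessions, full-size packets (~1100 B).
    for i in range(20):
        flows.append((BASE_TS + i * 3, "192.168.1.10", f"203.0.113.{i % 5}", 443, 400, 400 * 1100))
    # TV box: 60-byte packets to 200 distinct hosts, 60 packets each, all inside one minute.
    for i in range(200):
        flows.append((BASE_TS + i % 60, "192.168.1.42", f"198.51.100.{i}", 80 if i % 2 else 443, 60, 60 * 60))
    return flows


if __name__ == "__main__":
    for src, why in flood_sources(constructed_flows()).items():
        print(f"{src}: {why}")
```

The byte-per-packet filter is what separates a box flooding the Internet from one legitimately streaming video at a similar packet rate: floods are made of minimal packets, streams are not. A device that trips this check deserves to be pulled from the network and re-flashed from the manufacturer's image rather than simply rebooted.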

The Latin American experience also serves as a warning for the European market, where IoT and streaming devices are equally widespread. In Spain and other EU countries, the rise of smart TVs, set-top boxes and low-cost connected devices poses very similar challenges: many of these devices receive few patches, ship with weak factory passwords and allow apps to be installed from dubious sources.

A constantly evolving ecosystem of threats

A review of the malware families that most frequently attacked Android phones in Latin America during 2025 shows a clear pattern: it is not all about banking Trojans or the highest-profile campaigns. While code aimed at stealing financial credentials or pushing fraudulent loans remains active and hits users' finances directly, a large share of the detection volume is concentrated in exploits and Trojans that take advantage of missing updates.

Cybersecurity experts stress that mobile threats combine established vectors, such as vulnerabilities in older components or modified APKs, with increasingly sophisticated emerging techniques. Malware abusing technologies such as NFC to clone cards has been observed, as well as campaigns that bundle spying functionality or mass data theft.

This context is reinforced by global figures pointing to a sustained increase in the malicious files that security solutions detect every day, with significant percentage increases over the previous year. Backdoors, password stealers and spyware stand out in particular, placing regions such as Latin America among the hardest hit by these threats. In this sense, real-time scanning takes on special importance.


At the same time, organizations are not immune to this trend: exploitation of vulnerabilities in corporate software, use of stolen credentials and supply-chain attacks, including against open-source projects, have become common practice among cybercriminal groups. Although this reality is global, the patterns identified in Latin America serve as an early indicator of tactics that may spread to other markets, including Europe.

All of this paints a picture in which the line separating threats aimed at end users and those targeting businesses is becoming increasingly blurred. A single compromised Android phone, whether in Latin America or Spain, can become the entry point for broader attacks against corporate networks.

What can users do to reduce the risk?

Given this scenario, the recommendations for reducing the impact of malware on Android are quite clear and apply to both Latin America and Europe. The first step is to keep the device as up to date as possible and to avoid staying on older Android versions when a newer one can be installed. Ignoring security patches leaves exposed vulnerabilities that many attackers continue to exploit.

Another essential practice is to limit app installation to official stores and verified sources. While not infallible, regulated platforms typically apply stricter controls than alternative repositories or direct links circulating through messaging apps and social media. Being wary of APKs promising free "premium" features, illegal content or miraculous access remains a basic rule; threats such as SparkKitty, for example, often rely on exactly these lures.

It is also worth calmly reviewing the permissions each application requests, as well as the developer's actual activity and the volume of genuine reviews, before installing anything. Requests for SMS access, the Accessibility Service or permission to install other apps from an application that has no plausible need for them deserve particular attention. Apps with few reviews, suspiciously uniform ratings or no clear presence on other official channels are usually a red flag. A guide to Android permissions can help identify abuses.

In parallel, specialized mobile security solutions can detect exploits, Trojans and anomalous behavior that would go unnoticed by the average user. They do not replace good practices, but they add a layer of defense against mass campaigns or silent infections; Google and other vendors have introduced advanced detection features to improve these capabilities.

Finally, it is crucial not to disable built-in protections such as Google Play Protect or the restrictions on installing apps from unknown sources, except in well-justified cases and when you know exactly what you are doing. Likewise, be wary of messages, links or ads promising impossible discounts, quick access or special features, since these hooks remain a favorite tactic of cybercriminals; Steam-themed scam campaigns have used similar claims.

The picture painted by the most common malware attacks against Android phones in Latin America in 2025 is one where veteran threats coexist with increasingly sophisticated techniques, all fed by outdated devices and applications and by unreliable distribution channels. This reality, which particularly affects Latin American countries, should also serve as a warning to users and organizations in Spain and the rest of Europe: mobile security is no longer a secondary issue, but a central element of everyday digital protection.