Google recently published its June 2026 Fraud and Scams Advisory. It highlights numerous attacks targeting mobile devices, a favoured vector for attackers. Between techniques designed to evade controls and campaigns industrialised by AI, mobile threats keep evolving.
The report points to the rise of mobile extortion through fake banking and finance applications. Disguised as personal finance tools, they request permissions unrelated to their stated function: access to contacts, SMS history or photos. Applications of this kind have already reached more than eight million downloads.
This type of threat is not new. What is changing is the way these applications reach users. As Google Play tightens its controls, attackers increasingly turn to versioning. They first submit a legitimate-looking application that passes the app store review, then push an update containing the malicious code once the application is installed. It then exploits the device's accessibility services. To counter these tactics, Google's teams say they prioritise the detection of so-called dormant permissions.
Google's report also describes phishing in full mutation, multiplying techniques to bypass traditional protections. Among those mentioned, quishing, or QR code phishing, directly targets mobile. A booby-trapped QR code is scanned with a phone and immediately opens a fraudulent link on the device, without the user being able to check the destination and beyond the reach of email filters. These QR codes themselves rely on evasion techniques such as layering or fragmentation to defeat analysis tools.
Beyond these new techniques, these campaigns have above all become industrialised. They are now sold turnkey, as phishing-as-a-service, and generative AI multiplies their reach.
Google has actually filed a lawsuit last month against one of these networks, named Outsider Enterprise. For a subscription starting at 88 dollars per week, the kit gave access to more than 290 fake website templates and was used to send 2.5 million fraudulent SMS to Android devices over two weeks in May. To generate these fake sites at scale, the operators misused Gemini, Google's generative AI. It is precisely this misuse that prompted this first lawsuit targeting the malicious use of its own AI. The case illustrates the scale mobile phishing now reaches, where automation lowers the level of skill required to run large-scale campaigns.
Mobile devices are favoured attack vectors, yet still too poorly secured. The Pradeo Mobile Threat Defense solution protects enterprise mobile fleets by automatically detecting threats across all vectors (applications, network and system):