Nigeria’s cyber incident response authority has issued a high-risk warning alerting millions of mobile users to multiple Android malware threats capable of stealing sensitive data, hijacking smartphones, and enabling financial fraud.
In a statement seen by Technology Times, the Nigeria Computer Emergency Response Team (ngCERT), Nigeria’s national cyber incident response centre, issued the advisory after detecting several malware families actively targeting devices running the Android platform widely used across the country.
Nigeria, home to a booming mobile population, had over 182.2 million phone subscriptions and 151.5 million internet subscriptions as of January 2026, according to official telecoms market information from the Nigerian Communications Commission (NCC).

According to the ngCERT alert, the malware families involved include Android Backdoor, Prizmes (linked to BADBOX), Hummer (also known as HummingBad), Rootnik, Triada, and Uupay.
ngCERT warned that these malicious programs exploit known software vulnerabilities, including CVE-2012-6422 and CVE-2013-6282, which allow attackers to gain root-level access to infected devices. Once attackers obtain such privileges, they can maintain persistent control of the smartphone and manipulate core system processes.
Successful exploitation could expose sensitive information such as device identifiers, contact lists, SMS messages, and login credentials. The compromised devices may also be weaponised for cybercrime activities including distributed denial-of-service (DDoS) attacks, proxy abuse, botnet operations, and even disinformation campaigns.
“The combined impact of these malware variants is severe,” ngCERT warned, “with consequences including loss of sensitive data, financial fraud, device instability, large-scale botnet participation, and erosion of user trust in mobile ecosystems.”
ngCERT: Android malware spread through firmware and rogue apps
According to ngCERT, the malware typically spreads through pre-installed malicious firmware, repackaged mobile applications, and downloads from untrusted third-party app stores.
Once installed, the malicious software can escalate privileges, harvest confidential information, intercept communications, and enable remote control of the device.
Some of the variants, particularly Triada and Prizmes/BADBOX, embed themselves deep within system partitions, allowing them to remain active even after users attempt a factory reset.
The agency explained that once root access is obtained, attackers may inject malicious code into key Android system processes such as Zygote, enabling long-term persistence and additional cyber-criminal activities.
“Once root access is gained, injections into system processes like Zygote are carried out for persistence. This further enables activities such as data theft, credential interception, ad fraud, botnet integration, remote control, additional malware deployment, and evasion of security measures,” the advisory stated.
Given the widespread use of Android smartphones in Nigeria, ngCERT urged government agencies, businesses, and individual users to adopt stronger security measures to mitigate the risks posed by these threats.

Android malware: Recommended security measures
Keep Android OS and security patches up to date
Users are advised to ensure their devices are running the latest version of the Android operating system and security patches released by manufacturers. Security updates typically address newly discovered vulnerabilities that attackers could exploit to gain unauthorised access to devices. When users delay updates, their phones remain exposed to known exploits such as the vulnerabilities identified in the ngCERT advisory. Keeping systems patched significantly reduces the attack surface available to malware.
Download apps only from trusted sources like Google Play Store
Downloading applications from unofficial app marketplaces increases the likelihood of installing malware disguised as legitimate software. Trusted platforms such as the Google Play Store apply security screening processes that scan apps for malicious code before publication. While no system is perfect, official app stores significantly reduce the risk of malware distribution compared with third-party platforms that often lack strict security controls.
Enable Google Play Protect for real-time security scanning
Google Play Protect is a built-in Android security feature that continuously scans apps on a device to detect harmful behaviour. When enabled, the system checks installed applications for known malware signatures and suspicious activities, warning users or automatically removing malicious apps. Real-time monitoring adds an additional defensive layer by detecting threats even after they are installed.
Use reputable antivirus or Endpoint Detection and Response (EDR) tools
Security software designed for mobile devices can help detect malware that bypasses standard operating system protections. Advanced antivirus or EDR tools rely on behavioural analysis to identify suspicious activities such as privilege escalation, abnormal network traffic, or attempts to modify system files. These tools are particularly useful in enterprise environments where large numbers of devices require continuous monitoring and protection.
Inspect new devices for pre-installed malware
Some malware families, including variants linked to supply-chain compromises, can be embedded directly into a device’s firmware before it reaches the consumer. This means the malicious code may already be present when the smartphone is first activated. Users and organisations are therefore advised to inspect newly purchased devices, install updates immediately, and verify that the software environment is legitimate and secure.
Implement Multi-Factor Authentication (MFA)
Multi-Factor Authentication adds an additional security layer beyond passwords when accessing sensitive accounts such as banking, email, and corporate platforms. Even if malware manages to capture login credentials, MFA requires a second verification factor, such as a one-time code, authentication app, or biometric confirmation, before granting access. This significantly reduces the likelihood of account compromise following data theft.
Enforce Mobile Device Management (MDM) policies
For organisations managing large fleets of mobile devices, Mobile Device Management systems enable administrators to enforce security policies across all devices. MDM platforms can restrict unauthorised app installations, enforce encryption requirements, monitor device compliance, and remotely wipe compromised devices. These controls help organisations maintain consistent security standards across their workforce.
Educate users on risks of third-party app stores, phishing
Human behaviour remains one of the most common entry points for cyberattacks. Users who are unaware of the risks associated with downloading apps from unknown sources or clicking malicious links may inadvertently expose their devices to infection. Cybersecurity awareness training helps individuals recognise phishing attempts, fraudulent apps, and suspicious online activity, thereby reducing the likelihood of successful malware deployment.
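As an added illustration (not part of the ngCERT advisory or this report), the patching, trusted-source and device-inspection recommendations above can be checked on a handset connected over adb by parsing the output of `adb shell getprop` and `adb shell pm list packages -i -3`. The sample output, package names and 90-day patch threshold below are constructed assumptions. A "green" verified boot state does not rule out malware shipped inside the vendor's own signed firmware image.

```python
import re
from datetime import date

PLAY_STORE = "com.android.vending"  # package name of the Google Play Store

# Constructed sample output (not from a real device) of: adb shell getprop
GETPROP = """\
[ro.build.version.release]: [9]
[ro.build.version.security_patch]: [2019-03-05]
[ro.boot.verifiedbootstate]: [orange]
"""
# Constructed sample output of: adb shell pm list packages -i -3
PACKAGES = """\
package:com.example.bank  installer=com.android.vending
package:com.example.flashlight  installer=null
package:com.example.videoplayer  installer=com.example.altstore
"""

def parse_getprop(text):
    """Turn '[key]: [value]' lines into a dict."""
    return dict(re.findall(r"^\[(.+?)\]: \[(.*)\]$", text, re.M))

def parse_installers(text):
    """Map each third-party package to its recorded installer (None if absent)."""
    out = {}
    for m in re.finditer(r"^package:(\S+)\s+installer=(\S+)$", text, re.M):
        out[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return out

def audit(getprop_text, packages_text, today, max_patch_age_days=90):
    """Return findings; the 90-day default is an assumed policy value."""
    props = parse_getprop(getprop_text)
    findings = []
    patch = props.get("ro.build.version.security_patch")
    if patch is None:
        findings.append("security patch level not reported")
    else:
        age = (today - date.fromisoformat(patch)).days
        if age > max_patch_age_days:
            findings.append(f"security patch {patch} is {age} days old")
    state = props.get("ro.boot.verifiedbootstate", "unknown")
    if state != "green":  # anything else means the boot chain is not fully verified
        findings.append(f"verified boot state is {state}")
    for pkg, installer in sorted(parse_installers(packages_text).items()):
        if installer != PLAY_STORE:  # sideloaded or installed by another store
            findings.append(f"{pkg} installed by {installer or 'unknown source'}")
    return findings

if __name__ == "__main__":
    for finding in audit(GETPROP, PACKAGES, date(2026, 1, 31)):
        print("FLAG:", finding)
```
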
Android remains the world’s most widely used mobile operating system, powering billions of smartphones globally, and a large share of mobile devices in Nigeria.
Security experts warn that Android-focused malware has become increasingly sophisticated in recent years, with attackers deploying techniques such as privilege escalation, supply-chain attacks, and firmware-level infections to bypass traditional security defences.
Variants such as Triada-related malware, which embed themselves within core system partitions, are particularly difficult to remove and often require specialised remediation techniques.
ngCERT advised users and organisations across Nigeria to remain vigilant and adopt proactive security practices to reduce exposure to these evolving mobile threats.
















