
Infostealer Targeting Android Devices, (Thu, Oct 23rd)

Medium
Published: Thu Oct 23 2025 (10/23/2025, 12:09:38 UTC)
Source: SANS ISC Handlers Diary

Description

The infostealer landscape exploded in 2024 and they remain a top threat today. If Windows remains a nice target (read: attackers' favorite), I spotted an infostealer targeting Android devices. It sounds logical that attackers pay attention to our beloved mobile devices because our whole life is stored on them.

AI-Powered Analysis

Last updated: 10/23/2025, 12:23:07 UTC

Technical Analysis

In 2025, a novel Android infostealer was discovered that exploits the Termux terminal emulator environment to execute Python scripts on Android devices without requiring root access. Termux provides a Linux-like environment on Android, enabling the installation of packages such as Python. The malware sample, undetected by VirusTotal at the time of discovery, uses Termux command-line tools to collect extensive user data: contacts, SMS messages, call logs, and geolocation information. It also attempts to access data from popular apps like Facebook and WhatsApp by reading files from their storage directories, contingent on the user granting storage permissions via the Termux storage setup prompt. The infostealer searches for banking-related files by scanning storage for filenames containing bank-related keywords, indicating a focus on financial data theft. Data exfiltration is performed through Telegram bot APIs, sending stolen information to attacker-controlled channels. Additionally, the malware installs a persistent backdoor script within Termux that periodically collects location data every five minutes, maintaining ongoing surveillance. The infection vector remains unknown, raising questions about how Termux and the malware script are initially installed on victims’ devices. The presence of Vietnamese comments in the source code suggests possible origin or targeting. This threat exemplifies attackers’ increasing attention to mobile platforms, leveraging legitimate tools like Termux to bypass traditional Android security restrictions and evade detection. The malware’s reliance on user consent for storage access is a critical factor in its success, highlighting social engineering risks. Although no known exploits are reported in the wild beyond this sample, the potential for widespread impact exists given Termux’s popularity among advanced users and developers.

Potential Impact

For European organizations, this infostealer represents a significant risk to data confidentiality and privacy, particularly for employees using Android devices for corporate communication or storing sensitive information. The theft of contacts, call logs, SMS, and location data can facilitate targeted phishing, social engineering, and espionage campaigns. Access to app-specific data from Facebook and WhatsApp could expose personal and professional communications, undermining trust and compliance with data protection regulations such as GDPR. The exfiltration of banking-related files raises concerns about financial fraud and identity theft. The persistent backdoor enables continuous monitoring, increasing the window of exposure. Given the malware’s stealthy nature and low detection rates, organizations may remain unaware of compromises, complicating incident response. The requirement for user permission to access storage means that user awareness and behavior critically influence impact severity. Overall, the threat could lead to data breaches, reputational damage, regulatory penalties, and financial losses for European entities.

Mitigation Recommendations

European organizations should implement strict mobile device management (MDM) policies that restrict installation of unauthorized apps like Termux, especially on corporate devices. User education campaigns must emphasize the risks of granting storage and other sensitive permissions to unfamiliar apps, highlighting social engineering tactics. Monitoring network traffic for unusual connections to Telegram APIs or suspicious data exfiltration patterns can aid early detection. Endpoint protection solutions should be updated to detect and block Python-based malware and scripts running within Termux environments. Organizations should enforce application whitelisting and regularly audit installed apps on employee devices. Encouraging the use of secure communication apps with end-to-end encryption and limiting storage of sensitive data on mobile devices can reduce exposure. Incident response plans should include procedures for analyzing Termux usage and potential data leakage. Finally, collaboration with mobile OS vendors and security communities to improve detection and mitigation of Termux-based threats is recommended.
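The Telegram bot API exfiltration and the five-minute location beacon described in the analysis give defenders two concrete patterns to hunt for in egress or proxy logs. The following is an added example, not code from the SANS diary or from the malware, that parses constructed log lines and flags devices whose calls to the Bot API send methods recur at a roughly five-minute cadence; the log format, device names and the bot token are placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample egress log: timestamp, device, destination host, request path.
# The bot token below is a placeholder, not a real credential.
SAMPLE_LOG = """\
2025-10-23T10:00:02Z android-7f21 api.telegram.org /bot000000000:PLACEHOLDER_TOKEN/sendDocument
2025-10-23T10:00:05Z android-7f21 www.example.org /
2025-10-23T10:05:01Z android-7f21 api.telegram.org /bot000000000:PLACEHOLDER_TOKEN/sendMessage
2025-10-23T10:10:03Z android-7f21 api.telegram.org /bot000000000:PLACEHOLDER_TOKEN/sendMessage
2025-10-23T10:15:00Z android-7f21 api.telegram.org /bot000000000:PLACEHOLDER_TOKEN/sendMessage
2025-10-23T10:02:11Z android-9a10 api.telegram.org /bot000000000:PLACEHOLDER_TOKEN/getUpdates
2025-10-23T11:30:00Z android-9a10 api.telegram.org /bot000000000:PLACEHOLDER_TOKEN/sendMessage
"""

# Bot API requests look like /bot<token>/<method>; tokens are <digits>:<alphanumerics>.
BOT_PATH = re.compile(r"^/bot(\d+:[A-Za-z0-9_-]+)/(\w+)")
# Methods that push data out of the device (exfiltration direction).
SEND_METHODS = {"sendMessage", "sendDocument", "sendPhoto"}

def parse_log(text):
    """Return (timestamp, device, method) for every Bot API request in the log."""
    events = []
    for line in text.splitlines():
        ts, device, host, path = line.split()
        match = BOT_PATH.match(path) if host == "api.telegram.org" else None
        if match:
            stamp = datetime.fromisoformat(ts.replace("Z", "+00:00"))
            events.append((stamp, device, match.group(2)))
    return events

def find_beacons(events, period=300, tolerance=10, min_hits=3):
    """Map device -> number of sends, for devices that send about every `period` seconds."""
    by_device = defaultdict(list)
    for stamp, device, method in events:
        if method in SEND_METHODS:
            by_device[device].append(stamp)
    flagged = {}
    for device, stamps in by_device.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        periodic = [g for g in gaps if abs(g - period) <= tolerance]
        # Three or more sends spaced at the beacon interval is our alert threshold.
        if len(periodic) + 1 >= min_hits:
            flagged[device] = len(stamps)
    return flagged
```

A single device talking to the Bot API is not proof of compromise (legitimate bots exist), but a mobile device sending on a fixed cadence matches the backdoor behaviour this sample exhibits and is worth triage.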


Technical Details

Article Source: https://isc.sans.edu/diary/rss/32414 (fetched 2025-10-23T12:22:52Z, 683 words)

Threat ID: 68fa1e1cfd7c94938af099d6

Added to database: 10/23/2025, 12:22:52 PM

Last enriched: 10/23/2025, 12:23:07 PM

Last updated: 10/30/2025, 1:42:02 PM

