As of the end of February 2026, more than ten thousand Russian users lost control of their Android smartphones due to an updated version of the Falcon malware. Specialists at F6 company recorded that the program has learned to remove antiviruses, independently grant itself permissions, and steal data from three dozen popular services — from banking applications to VPN services and marketplaces.
The file with the malware is distributed through phishing links and messages in messengers. The user is prompted to install a fake "update" which, when launched, requests access to special accessibility features. After confirmation, the program activates the FalconRAT module and starts working in the background. Some built-in protection systems, including solutions on Xiaomi devices, do not recognize the threat.
Falcon tracks the launch of target applications and, at the right moment, replaces the interface with an exact copy of the login screen. Experts warn that any data entered on such a fake — login, password, or two-factor authentication code — instantly falls into the hands of attackers. Outwardly, the process may look like a normal technical failure, so the user often does not notice the attack.
Specialists at F6 company advise not to install applications and updates from unverified sources, to carefully check the requested permissions, and to use two-factor authentication. If infection is suspected, it is recommended to disconnect the internet, delete suspicious files, check the device with a reliable antivirus, and change passwords for important accounts.