Research from security company Trend Micro lists premium service abuse as the most common type of Android malware, where text messages are sent from infected phones to premium-rate telephone numbers without the consent or even knowledge of the user. Other malware displays unwanted and intrusive advertisements on the device, or sends personal information to unauthorised third parties. Security threats on Android are reportedly growing exponentially; however, Google engineers have argued that the malware and virus threat on Android is being exaggerated by security companies for commercial reasons, and have accused the security industry of playing on fears to sell virus protection software to users. Google maintains that dangerous malware is actually extremely rare, and a survey conducted by F-Secure showed that only 0.5% of Android malware reported had come from the Google Play store.

In 2021, journalists and researchers reported the discovery of spyware, called Pegasus, developed and distributed by a private company which can and has been used to infect both iOS and Android smartphones often – partly via use of 0-day exploits – without the need for any user-interaction or significant clues to the user and then be used to exfiltrate data, track user locations, capture film through its camera, and activate the microphone at any time. Analysis of data traffic by popular smartphones running variants of Android found substantial by-default data collection and sharing with no opt-out by this pre-installed software. Both of these issues are not addressed or cannot be addressed by security patches.
Extract from this article the most common Android security threats and simple descriptions of each threat, in a bullet pointed list.
The most common types of android security threats are: 
- Premium service abuse: where text messages are sent from infected phones to premium-rate telephone numbers without the consent or even knowledge of the user
- Malware: that displays unwanted and intrusive advertisements on the device, or sends personal information to unauthorized third parties
- Spyware: such as Pegasus, which can and has been used to infect both iOS and Android smartphones and can then be used to exfiltrate data, track user locations, capture film through its camera, and activate the microphone at any time.