Preparing for Android 17: What it Means for Mobile Trust

Android 17 is launching later this year, bringing with it new platform-level security expectations including mandatory Certificate Transparency enforcement for applications targeting the latest SDK.

While platform upgrades are routine, their implications are not. Each new Android release subtly reshapes the trust boundary between applications, devices, and the backend. And in an environment where mobile malware increasingly operates inside authenticated sessions, that boundary matters more than ever.

In this edition of the Layers Bulletin, we’ll explore:

  • What Android 17’s security changes mean in practice
  • Why runtime integrity remains foundational in a hostile device environment
  • And how evolving malware techniques are reinforcing the need for trusted signals

What's new with Licel's solutions?

Looking Forward to Android 17

Android 17 is an important upcoming release not only for Google and device vendors, but also for us. Since the DexProtector Runtime Engine operates very close to the system, especially for RASP and device attestation checks, new platform updates can sometimes require targeted changes to maintain full compatibility.

For this reason, we test very early in the Android release cycle and coordinate closely with Google to make sure DexProtector is ahead of the curve. Our testing of the latest versions of DexProtector with Android 17 Beta 1 and Beta 2 has been very positive: it confirms full compatibility with existing versions of DexProtector, and DexProtected apps are running smoothly and securely on Android 17.

Android 17 also brings a notable security enhancement: Certificate Transparency (CT) is enabled by default for HTTPS connections in apps targeting Android 17 (API level 37) or higher. This is a welcome development and closely aligns with the direction we have supported for years.

At Licel, we have long been strong proponents of CT-based verification and introduced this capability in DexProtector 12.0.11 back in 2021. Importantly, DexProtector’s CT checks are not limited to the latest Android releases or to a specific target SDK level: they can be applied across Android versions from 4.4 through to the latest releases, regardless of the app’s targetSdkVersion.

This provides both broad compatibility and meaningful security advantages. With DexProtector's custom CT verification mechanism, the app's certificate has greater resistance to reverse engineering, hooking, and tampering. As a result, attempts to interfere with certificate validation become significantly more difficult, strengthening the resilience of the protected app against man-in-the-middle attacks and data theft by malware.

And we are pleased to announce an enhancement to DexProtector’s Certificate Transparency capabilities: over-the-air (OTA) updates for CT log lists. This will allow protected apps to stay aligned with the latest trusted CT logs automatically, reducing maintenance effort, improving long-term compatibility, and ensuring that applications remain resilient as the CT ecosystem evolves.

We’re looking forward to the upcoming Android 17 release and will keep you updated here in the Layers Bulletin about DexProtector developments happening in parallel.


Attack trends

GhostSpy and the Shifting Malware Threat

In the last year or so there has been a structural shift in the nature of the mobile malware threat. These days banking trojans can operate inside trusted sessions; it isn’t always obvious to the server that a device’s environment has been compromised.

Take the banking trojan GhostSpy, for example. Our threat intelligence solution, Alice, has tracked it spreading rapidly in recent months. GhostSpy is capable of:

  • Stealing banking app credentials to commit financial fraud
  • Capturing screen content and automating clicks (even in screenshot-restricted apps)
  • Blocking and controlling the display by hiding the real UI, and fully covering the screen to prevent user interaction or detection
  • Using keyloggers to capture passwords, private chats from social media and messaging apps, credit card numbers, OTPs and other sensitive, personal info typed by the user
  • Reading 2FA codes from authenticator apps such as Google / Microsoft Authenticator by reconstructing their UI via Accessibility Services
  • Performing unauthorized financial transactions via Accessibility Services abuse
  • Spying on user activity via screen capture, even in protected apps (bypassing FLAG_SECURE via accessibility functions)
  • Sending malicious / phishing messages to trick victims and spread itself even further

GhostSpy provides evidence that accessibility abuse is now fully industrialized, session hijacking is operationally scalable, OTP interception is completely routine, the UI reconstruction of authenticator apps is achievable, and protected flags like FLAG_SECURE are no longer so secure.

This is the operational reality of malware in 2026. Enforcement cannot be blanket and blunt; it must be informed by visibility and trusted runtime data.


Mobile App Malware Protection for Banking and Payment Applications

GhostSpy is a good example of an evolving malware threat that requires a layered defense composed of runtime integrity, resistant execution, and trusted signals. Here at Licel, our solutions combine to mitigate the structural risk malware poses for our clients in banking, payments, and beyond.

Malware in 2026 is more automated, more modular, more commoditized, and integrated more fully into mobile fraud pipelines. It’s no longer just a detection and prevention problem, but also an operational risk management problem.

The threat of malware isn’t binary; it’s layered. And the threat landscape is scaling not only in sophistication but in accessibility. In this murky landscape, backend-based detection isn’t enough.

To see the malware threat more clearly, you need tamper-proof signals you can trust. Signals that allow you to properly categorize threat levels, track prevalence over time, adjust levels of enforcement dynamically, and prevent support teams from being completely overwhelmed.


Thanks for reading this edition of the Licel Layers Bulletin. We'll be back next month with more product improvement updates and threat intelligence insights.
