Mobile Banking Malware and Broader Mobile Threat Trends in 2025
Reporting on mobile threats in 2025 highlighted sustained, high-volume malicious activity against Android devices, with adware dominating detections and a large number of mobile banking Trojans observed in the wild. Kaspersky’s telemetry-based review cited 14,059,465 blocked attacks involving malware/adware/unwanted software during 2025, 62% of detections attributed to adware, and 815,000+ malicious installation packages identified, including 255,000 mobile banking Trojan packages; it also noted discovery of notable threats such as the Keenadu preinstalled backdoor, reportedly injected at the manufacturing stage by modifying libandroid_runtime.so to load into the address space of apps.
Separate analysis of the Android Massiv malware described an active mobile banking fraud campaign delivered via a trojanized IPTV app, emphasizing the risk from apps sourced outside official stores. Massiv was reported to request extensive permissions and use overlay techniques to capture credentials and manipulate banking sessions, including monitoring user interactions and enabling fraudulent transactions with limited user visibility—reinforcing that mobile banking threats remain a material subset of the broader mobile malware ecosystem described in 2025 trend reporting.
Timeline
Mar 4, 2026
Zimperium analyzes Massiv banking malware disguised as IPTV app
Zimperium published analysis of the Android malware Massiv, describing how it masquerades as an IPTV application, abuses extensive permissions, and uses overlay techniques to steal credentials and conduct fraudulent banking transactions on infected devices.
Dec 31, 2025
Kaspersky records 14 million blocked mobile attacks in 2025
For 2025, Kaspersky said its mobile security products blocked 14,059,465 attacks involving malware, adware, and other unwanted software, with adware accounting for 62% of detections. It also observed 815,735 new unique Android installation packages during the year, down nearly one-third from the prior year.
Dec 31, 2025
Mamont and Creduz lead Android banking Trojan prevalence
Kaspersky found that banking Trojan activity increased in 2025, with Mamont and Creduz emerging as the most prevalent families among observed Android banking threats.
Dec 31, 2025
Triada and Fakemoney dominate mobile malware activity in 2025
Kaspersky reported that the Triada family remained a leading Android threat in 2025, often spread through trojanized messaging apps and virtual-environment lures, while Fakemoney scam apps were also highly prevalent.
Dec 31, 2025
Regional Android malware campaigns intensify in 2025
Throughout 2025, Kaspersky observed regionally concentrated campaigns including Coper/Hqwar in Türkiye, Rewardsteal and Thamera in India, a residential-proxy campaign in Germany, and Pylcasa activity in Brazil.
Dec 31, 2025
LunaSpy spyware campaign discovered targeting Russia
In 2025, LunaSpy was observed masquerading as an antivirus app while functioning as spyware, with activity primarily aimed at users in Russia.
Dec 31, 2025
Kimwolf botnet targets Android TV boxes
In 2025, researchers documented the Kimwolf malware family infecting Android TV boxes and using them for DDoS activity and reverse-proxy operations.
Dec 31, 2025
Keenadu preinstalled Android backdoor identified
During 2025, researchers identified Keenadu, a backdoor embedded into Android devices at the firmware or manufacturing stage, highlighting supply-chain style mobile compromise.
Jul 1, 2025
Kaspersky updates KSN statistical methodology in Q3 2025
Kaspersky said it changed its Kaspersky Security Network-based statistical methodology starting in Q3 2025 and recalculated prior-year figures to keep year-over-year comparisons consistent.
Related Stories

Surge in Mobile Malware and Banking Trojan Threats in 2025
Threat intelligence reports from multiple security vendors highlight a significant escalation in mobile malware activity and the evolution of attack strategies targeting mobile devices in 2025. Kaspersky's Q3 2025 statistics reveal that over 47 million attacks involving malware, adware, or unwanted mobile software were prevented, with trojans being the most prevalent threat. The Zscaler Threatlabz report, corroborated by Zimperium's research, documents a 67% year-over-year increase in Android malware and a 50% rise in trojan deployments, with 18% of sampled mobile devices found to be infected. These reports emphasize the growing adoption of a mobile-first attack strategy by threat actors, exploiting the expanded enterprise attack surface as remote and hybrid workforces rely more heavily on mobile devices. A notable trend is the persistence and evolution of mobile banking malware. Zimperium's analysis details the emergence of the Android/BankBot-YNRK trojan, which masquerades as legitimate apps, abuses accessibility services, and automates fraudulent transactions, reinforcing the risk to mobile banking users. The convergence of phishing techniques—such as smishing, vishing, and quishing—under the term "Mishing" further illustrates the sophistication of mobile-targeted social engineering. Collectively, these findings underscore the urgent need for organizations to strengthen mobile security controls and user awareness as mobile devices become a primary vector for credential theft, financial fraud, and enterprise compromise.
1 month ago
Surge in Mobile Malware Activity and Targeted Threats in Q4 2025
A significant increase in mobile malware activity was observed in Q4 2025, with Doctor Web reporting that adware trojans such as Android.MobiDash and Android.HiddenAds remained the most prevalent threats, though their detection rates declined. Conversely, banking trojans, particularly from the Android.Banker family, saw a 65.52% rise in activity, targeting users by intercepting SMS one-time codes and mimicking legitimate banking apps. The review also highlighted the widespread use of unwanted software like CloudInject, which adds dangerous permissions and obfuscated code to apps, as well as riskware programs modified with NP Manager. Additionally, Doctor Web identified new threats such as the Android.Backdoor.Baohuo.1.origin, distributed via modified Telegram X apps to steal credentials, and the unique Trojan.ChimeraWire, which manipulates website popularity metrics. Globally, India experienced a 38% year-over-year increase in mobile malware attacks, accounting for 26% of all mobile malware traffic worldwide, according to Zscaler. Hundreds of malicious apps, many disguised as productivity tools, infiltrated trusted platforms like the Google Play Store, with over 42 million downloads. Attackers focused on high-value industries, with retail, hospitality, and manufacturing sectors being primary targets. The escalation in Android malware transactions and the strategic targeting of consumer-facing and operations-heavy environments underscore the evolving tactics of threat actors and the growing risks to mobile device users and organizations worldwide.
1 month ago
Android Banking Trojans and Financial Malware Targeting User Data and Payments
Multiple new Android malware campaigns have been identified targeting users' financial data and payment methods. Researchers uncovered advanced banking trojans such as BankBot-YNRK and DeliveryRAT, which harvest sensitive information from compromised devices and employ sophisticated evasion techniques, including emulator detection and device-specific targeting. These trojans often masquerade as legitimate apps, such as Indonesia's digital ID application, and can mute device notifications to avoid detection by victims. In addition, a next-generation Android banking trojan has been observed hiding within digital ID apps, automating the theft of cryptocurrency wallets and evading analysis environments. A separate large-scale scam involves over 760 malicious Android apps exploiting NFC and HCE technologies to steal payment card data globally. These apps facilitate unauthorized transactions by leveraging contactless payment features. The surge in Android-targeted financial malware highlights the growing risk to users' banking credentials, payment cards, and cryptocurrency assets, with attackers employing increasingly sophisticated methods to bypass security controls and evade user awareness.
1 month ago