In the second quarter of 2025, users of Android and iOS devices faced relentless cyberthreats, with Kaspersky Security Network reporting nearly 143,000 malicious installation packages detected across its mobile security products.
Although the overall number of mobile attacks—including malware, adware, and potentially unwanted software—dropped to 10.71 million in Q2, Trojans remained the predominant danger, accounting for 31.69 percent of all detected threats.
Between April and June 2025, Kaspersky solutions blocked 10.71 million mobile attacks. This represented a decline from Q1, largely driven by a significant reduction in campaigns related to RiskTool.AndroidOS.SpyLoan—loan apps embedded with frameworks that harvest borrower data such as contacts lists, sometimes found pre-installed on devices.
Within this period, Kaspersky identified 142,762 installation packages for Android malware and unwanted apps, including:
- 42,220 mobile banking Trojans
- 695 mobile ransomware Trojans
Banking Trojans held the top share among malware types, with the Mamont family dominating. Spy Trojans fell to fifth place as the surge of SMS-stealing Trojan-Spy.AndroidOS.Agent.akg subsided, and Agent.amw spyware disguised as casino apps also waned. RiskTool-type unwanted apps and adware followed in prevalence, while Triada family Trojans comprised most of the generic Trojan category.
Several new and unusual threats emerged in Q2:
A cross-platform stealer dubbed SparkKitty targeted both Android and iOS users by exfiltrating images from device galleries.
Analysis linked this campaign to the earlier SparkCat malware discovered on app stores, with malicious app pages mimicking legitimate installs.
SparkKitty’s chief objective is believed to be the theft of cryptocurrency wallet recovery codes saved as screenshots.
In a novel twist, attackers embedded a DDoS-capable SDK within adult content viewer apps. Once installed, these apps transform consenting mobile devices into bots capable of sending configurable traffic floods to attacker-designated addresses—underscoring cybercriminals’ creativity in exploiting unsuspecting users.
Another Trojan poses as a privacy-enhancing VPN client and uses Android’s Notification Listener service to intercept one-time passwords (OTPs) from messaging apps and social networks.
Instead of providing VPN coverage, it silently relays intercepted codes to attackers via Telegram bots, facilitating account takeovers.
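One way a defender can review which apps hold the notification access this Trojan abuses, added here as an example that is not from the Kaspersky report. The package names, both sample command outputs and the EXPECTED allow-list are constructed assumptions.

```python
# Constructed sample of `adb shell settings get secure enabled_notification_listeners`
# (colon-separated package/class components; all names are made up).
SAMPLE_SETTING = (
    "com.example.wearcompanion/com.example.wearcompanion.NotifyService:"
    "com.example.fastvpn/.core.SyncService:"
    "com.example.oemlauncher/com.example.oemlauncher.BadgeListener"
)

# Constructed sample of `adb shell pm list packages -3` (user-installed apps).
SAMPLE_THIRD_PARTY = """package:com.example.wearcompanion
package:com.example.fastvpn
package:com.example.notes
"""

# Assumption: apps the owner knowingly granted notification access.
EXPECTED = {"com.example.wearcompanion"}


def parse_listeners(setting_value):
    """Map each package to the listener classes it has enabled."""
    listeners = {}
    value = setting_value.strip()
    if not value or value == "null":  # `settings get` prints "null" when unset
        return listeners
    for component in value.split(":"):
        package, sep, cls = component.strip().partition("/")
        if not sep or not package:
            continue  # skip malformed entries
        if cls.startswith("."):  # short form: class relative to the package
            cls = package + cls
        listeners.setdefault(package, []).append(cls)
    return listeners


def parse_packages(pm_output):
    """Extract package names from `pm list packages` output."""
    return {line.split(":", 1)[1].strip()
            for line in pm_output.splitlines() if line.startswith("package:")}


def unexpected_listeners(setting_value, pm_output, expected):
    """Return user-installed packages with notification access not on the allow-list."""
    third_party = parse_packages(pm_output)
    return [(pkg, classes)
            for pkg, classes in sorted(parse_listeners(setting_value).items())
            if pkg in third_party and pkg not in expected]


if __name__ == "__main__":
    for pkg, classes in unexpected_listeners(SAMPLE_SETTING, SAMPLE_THIRD_PARTY, EXPECTED):
        print(f"REVIEW {pkg}: {', '.join(classes)}")
```

Preinstalled listeners are skipped by the third-party filter; remove that condition to review them as well.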
Geographic Hotspots
Region-specific malware trends highlighted local outbreaks:
- In Türkiye, Coper banking Trojans (variants .c and .a) struck over 97 percent of users targeted by these families.
- India saw Rewardsteal droppers and banking Trojans affecting 95 percent of their victimized user base.
- Uzbekistan grappled with Fakeapp.hy and Piom.bkzj Trojans masquerading as job search and utility apps, collecting personal data from 85–87 percent of their attacked users.
- Brazil encountered Pylcasa droppers disguised as simple tools like calculators, which then redirected victims to phishing or illicit casino webpages.
Mobile banking Trojans, although slightly lower in Q2 than Q1, remained alarmingly prevalent. Kaspersky detected 42,220 banking Trojan packages, with Mamont variants comprising 57.7 percent of this total.

Among the top 10 banking Trojan families, Mamont.da increased from 26.68 percent to 30.28 percent of attacked users, while newcomer Mamont.ev jumped to a 17 percent share.
Despite a modest decline in overall mobile attacks during Q2 2025, the mobile threat landscape continues to evolve with sophisticated Trojan campaigns, regional outbreaks, and cross-platform stealers.
Banking Trojans, led by the prolific Mamont family, along with novel DDoS-capable and OTP-stealing Trojans, underscore the persistent risks mobile users face. Vigilance, regular software updates, and robust mobile security solutions remain essential defenses against these ever-adaptable adversaries.