IT threat evolution in Q1 2025. Mobile statistics

IT threat evolution in Q1 2025. Mobile statistics
IT threat evolution in Q1 2025. Non-mobile statistics

Quarterly figures

According to Kaspersky Security Network, in the first quarter of 2025:

• A total of 12 million attacks on mobile devices involving malware, adware, or unwanted apps were blocked.
• Trojans, the most common mobile threat, accounted for 39.56% of total detected threats.
• More than 180,000 malicious and potentially unwanted installation packages were detected, which included:
  • 49,273 packages related to mobile bankers
  • 1520 mobile ransomware Trojans.

Quarterly highlights

Attacks on Android devices involving malware, adware, or potentially unwanted apps in the first quarter of 2025 increased to 12,184,351.

Attacks on users of Kaspersky mobile solutions, Q3 2023 – Q1 2025 (download)

This growth was largely due to the activity of Mamont banking Trojans and Fakemoney scam apps, along with the discovery of fake popular brand smartphones that came preloaded with the Triada backdoor, capable of dynamically downloading any modules from a server. Triada’s modules possess a variety of features. They can substitute URLs in the browser, block connections to specific servers, or steal login credentials for social media and instant messaging services like TikTok, WhatsApp, Line, or Telegram. A module that steals crypto from wallets is worth separate mention. We tracked down several of the scammers’ wallets, the balances suggesting that a total of at least $270,000 had been stolen. The stolen amount in TRON cryptocurrency alone was $182,000.

A profitability chart for the threat actor’s TRON wallets (download)

The first quarter saw the discovery of a new banker that attacks users in Turkey: Trojan-Banker.AndroidOS.Bankurt.c. It masquerades as an app for viewing pirated movies.

The Trojan uses DeviceAdmin permissions to gain a foothold in the system, obtains access to Accessibility features, and then helps its operators to control the device remotely via VNC and steal text messages.

Mobile threat statistics

The number of detected Android malware and unwanted app samples increased compared to the fourth quarter of 2024, totaling 180,405.

Detected malicious and potentially unwanted installation packages, Q1 2024 – Q1 2025 (download)

Looking at the distribution of detected installation packages by type, we see that the typical frontrunners, RiskTool and adware, dropped to the third and fourth spots, respectively, in the first quarter. Banking Trojans (27.31%) and spy Trojans (24.49%) ranked as the most common threats.

Distribution of detected mobile apps by type, Q4 2024* – Q1 2025 (download)

* Data for the previous quarter may differ slightly from previously published data due to certain verdicts being retrospectively revised.

The revision was prompted by a sharp increase in Mamont banker installation packages in the first quarter. Agent.akg, which steals text messages, accounted for the largest number of spy Trojan installation packages.

Share* of users attacked by the given type of malicious or potentially unwanted apps out of all targeted users of Kaspersky mobile products, Q4 2024 – Q1 2025 (download)

* The total may exceed 100% if the same users experienced multiple attack types.

The first quarter saw a sharp rise in the number of users attacked by Trojans. This was driven by a large number of detected devices preloaded with the Triada Trojan and the increased activity of Fakemoney scam apps, which tricked users into sharing their personal data by promising easy money. The increase in the number of users who encountered banking Trojans was, again, due to the activity of the Mamont family.

TOP 20 most frequently detected types of mobile malware

Note that the malware rankings below exclude riskware and potentially unwanted apps, such as adware and RiskTool.

* Unique users who encountered this malware as a percentage of all attacked users of Kaspersky mobile solutions.

Nearly the entire list was occupied by the aforementioned Fakemoney apps and various Mamont banking Trojan variants, along with preloaded Backdoor.AndroidOS.Triada.z, and Trojan.AndroidOS.Triada.hf malicious apps. Additionally, remaining among the most prevalent Android malware were modified messengers with the embedded Triada Trojan (Triada.fe, Triada.gn, Triada.ga, Triada.gs) and the preloaded Dwphon Trojan. What is interesting is the inclusion of the Trojan-Clicker.AndroidOS.Agent.bh sample on the list. This is a fake ad blocker that, conversely, inflates ad views.

Region-specific malware

This section describes malware families that mostly focused on specific countries.

* The country where the malware was most active.
** Unique users who encountered this Trojan variant in the indicated country as a percentage of all Kaspersky mobile security solution users attacked by the same variant.

The first quarter saw a somewhat smaller number of “selective” malicious apps than before. As usual, Turkey experienced a prevalence of banking Trojans: Coper, equipped with RAT capabilities enabling attackers to steal money through remote device management; BrowBot, which pilfers text messages; and the banking Trojan droppers Hqwar and Agent.sm. In India, users faced Rewardsteal banking Trojans which stole bank details by pretending to offer money. Additionally, the UdangaSteal Trojan, previously prevalent in Indonesia, and the SmForw.ko Trojan, which forwards incoming text messages to another number, also spread to India.

Mobile banking Trojans

Number of installation packages for mobile banking Trojans detected by Kaspersky, Q1 2024 – Q1 2025 (download)

The increase in the number of installation packages for banking Trojans was primarily driven by Mamont. Its creators apparently follow a MaaS model, enabling any scammer to get a custom variant generated for a fee. As a result, a large number of unrelated cybercriminals are spreading distinct versions of Mamont.

When it comes to the percentage of users targeted, various versions of Mamont are also mainly at the top.

Top 10 mobile bankers