Over 143,000 Malware Files Target Android and iOS Users in Q2 2025
In the second quarter of 2025, Android and iOS users faced significant cyber threats, with Kaspersky Security Network identifying approximately 143,000 malicious installation packages through its mobile security products.
The total number of mobile threats, including malware, adware, and potentially unwanted software, decreased to 10.71 million incidents. However, Trojans remained the most prevalent threat, accounting for 31.69% of all detections.
From April to June 2025, Kaspersky solutions blocked 10.71 million mobile attacks, down from the previous quarter. This decline was mainly due to a reduction in campaigns involving RiskTool.AndroidOS.SpyLoan, which includes loan apps embedded with data-harvesting frameworks. These apps sometimes come pre-installed on devices.
During this period, Kaspersky identified 142,762 installation packages related to Android malware and unwanted applications, including:
- 42,220 mobile banking Trojans
- 695 mobile ransomware Trojans
Banking Trojans were the most common type of malware, with the Mamont family being the most dominant. Spy Trojans fell to the fifth position as the surge of SMS-stealing Trojan-Spy.AndroidOS.Agent.akg decreased, and Agent.amw spyware disguised as casino apps also saw reduced activity. RiskTool-type unwanted apps and adware followed in prevalence, while Triada family Trojans made up most of the generic Trojan category.
Several new and unusual threats emerged in Q2:
A cross-platform stealer named SparkKitty targeted both Android and iOS users, exfiltrating images from device galleries. This campaign was linked to the earlier SparkCat malware found on app stores, with malicious app pages mimicking legitimate installations. SparkKitty’s primary objective is believed to be the theft of cryptocurrency wallet recovery codes saved as screenshots.
A novel threat involved embedding a DDoS-capable SDK within adult content viewer apps. Once installed, these apps could transform mobile devices into bots capable of sending configurable traffic floods to attacker-designated addresses.
Another Trojan posed as a privacy-enhancing VPN client, using Android’s Notification Listener service to intercept one-time passwords (OTPs) from messaging apps and social networks. Instead of providing VPN services, it silently transmitted intercepted codes to attackers via Telegram bots, facilitating account takeovers.
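A static triage check for the pattern described above, added here as an example and not taken from Kaspersky's report: it parses a decoded AndroidManifest.xml and flags an app presented as a VPN that declares a notification-listener service but no VpnService. The function name, the sample manifests and the escalation heuristic are assumptions; the permission strings are the standard Android ones.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
NLS_PERM = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
VPN_PERM = "android.permission.BIND_VPN_SERVICE"

def triage_manifest(manifest_xml, claims_vpn):
    """Triage a decoded AndroidManifest.xml for notification-listener abuse."""
    root = ET.fromstring(manifest_xml)
    uses = {p.get(A + "name") for p in root.iter("uses-permission")}
    # The system only binds listener/VPN services guarded by these permissions.
    by_perm = {NLS_PERM: [], VPN_PERM: []}
    for svc in root.iter("service"):
        perm = svc.get(A + "permission")
        if perm in by_perm:
            by_perm[perm].append(svc.get(A + "name"))
    listeners, vpn_services = by_perm[NLS_PERM], by_perm[VPN_PERM]
    findings = []
    if listeners:
        findings.append("can read notifications via " + ", ".join(listeners))
        if "android.permission.INTERNET" in uses:
            findings.append("notification access plus INTERNET")
    if claims_vpn and not vpn_services:
        findings.append("presented as a VPN but declares no VpnService")
    return {
        "package": root.get("package"),
        "findings": findings,
        # Heuristic (assumption): a "VPN" with notification access and no VPN service.
        "escalate": bool(listeners) and claims_vpn and not vpn_services,
    }

# Constructed sample manifests (not taken from any real app).
HEAD = '<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="%s">'
NET = '<uses-permission android:name="android.permission.INTERNET"/>'
FAKE_VPN = (HEAD % "com.example.fastvpn") + NET + """
  <application>
    <service android:name=".NotifyReader" android:permission="%s"/>
  </application></manifest>""" % NLS_PERM
REAL_VPN = (HEAD % "com.example.realvpn") + NET + """
  <application>
    <service android:name=".TunnelService" android:permission="%s"/>
  </application></manifest>""" % VPN_PERM

if __name__ == "__main__":
    for xml_text in (FAKE_VPN, REAL_VPN):
        print(triage_manifest(xml_text, claims_vpn=True))
```

A hit is a reason to review the app, not a verdict: legitimate apps also use notification access, and a malicious one could declare an unused VpnService.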
Geographic Hotspots
Region-specific malware trends highlighted local outbreaks:
- In Türkiye, Coper banking Trojans (variants .c and .a) affected over 97% of users targeted by these families.
- India experienced Rewardsteal droppers and banking Trojans impacting 95% of their targeted user base.
- Uzbekistan faced Fakeapp.hy and Piom.bkzj Trojans masquerading as job search and utility apps, affecting 85–87% of their targeted users.
- Brazil encountered Pylcasa droppers disguised as simple tools like calculators, redirecting victims to phishing or illicit casino webpages.
Mobile banking Trojans, although slightly reduced in Q2 compared to Q1, remained prevalent. Kaspersky detected 42,220 banking Trojan packages, with Mamont variants comprising 57.7% of this total.
Among the top 10 banking Trojan families, Mamont.da increased its share from 26.68% to 30.28% of attacked users, while newcomer Mamont.ev rose to a 17% share.
Despite a modest decline in overall mobile attacks during Q2 2025, the mobile threat landscape continues to evolve with sophisticated Trojan campaigns, regional outbreaks, and cross-platform stealers. Banking Trojans, particularly from the Mamont family, along with novel DDoS-capable and OTP-stealing Trojans, highlight the ongoing risks for mobile users. Regular software updates and robust mobile security solutions remain critical defenses against these threats.