{“lastseen”:”2025-09-05T10:05:12″,”description”:”\\n\\n**IT threat evolution in Q2 2025. Mobile statistics** \\nIT threat evolution in Q2 2025. Non-mobile statistics\\n\\nThe mobile section of our quarterly cyberthreat report includes statistics on malware, adware, and potentially unwanted software for Android, as well as descriptions of the most notable threats for Android and iOS discovered during the reporting period. The statistics in this report are based on detection alerts from Kaspersky products, collected from users who consented to provide anonymized data to Kaspersky Security Network.\\n\\n## Quarterly figures\\n\\nAccording to Kaspersky Security Network, in Q2 2025:\\n\\n * Our solutions blocked 10.71 million malware, adware, and unwanted mobile software attacks.\\n * Trojans, the most common mobile threat, accounted for 31.69% of total detected threats.\\n * Just under 143,000 malicious installation packages were detected, of which: \\n * 42,220 were mobile banking Trojans;\\n * 695 packages were mobile ransomware Trojans.\\n\\n\\n\\n## Quarterly highlights\\n\\nMobile attacks involving malware, adware, and unwanted software dropped to 10.71 million.\\n\\n_Attacks on users of Kaspersky mobile solutions, Q4 2023 \u2014 Q2 2025 (download)_\\n\\nThe trend is mainly due to a decrease in the activity of `RiskTool.AndroidOS.SpyLoan`. These are applications typically associated with microlenders and containing a potentially dangerous framework for monitoring borrowers and collecting their data, such as contacts lists. Curiously, such applications have been found pre-installed on some devices.\\n\\nIn Q2, we found a new malicious app for Android and iOS that was stealing images from the gallery. We were able to determine that this campaign was linked to the previously discovered SparkCat, so we dubbed it SparkKitty.\\n\\n\\n\\nFake app store page distributing SparkKitty\\n\\nLike its \\”big brother\\”, the new malware most likely targets recovery codes for crypto wallets saved as screenshots.\\n\\n`Trojan-DDoS.AndroidOS.Agent.a` was this past quarter’s unusual discovery. Malicious actors embedded an SDK for conducting dynamically configurable DDoS attacks into apps designed for viewing adult content. The Trojan allows for sending specific data to addresses designated by the attacker at a set frequency. Building a DDoS botnet from mobile devices with adult apps installed may seem like a questionable venture in terms of attack efficiency and power \u2013 but apparently, some cybercriminals have found a use for this approach.\\n\\nIn Q2, we also encountered `Trojan-Spy.AndroidOS.OtpSteal.a`, a fake VPN client that hijacks user accounts. Instead of the advertised features, it uses the Notification Listener service to intercept OTP codes from various messaging apps and social networks, and sends them to the attackers’ Telegram chat via a bot.\\n\\n## Mobile threat statistics\\n\\nThe number of Android malware and potentially unwanted app samples decreased from Q1, reaching a total of 142,762 installation packages.\\n\\n_Detected malware and potentially unwanted app installation packages, Q2 2024 \u2014 Q2 2025 (download)_\\n\\nThe distribution of detected installation packages by type in Q2 was as follows:\\n\\n_Detected mobile malware by type, Q1 \u2014 Q2 2025 (download)_\\n\\n_* Data for the previous quarter may differ slightly from previously published data due to some verdicts being retrospectively revised._\\n\\nBanking Trojans remained in first place, with their share increasing relative to Q1. The Mamont family continues to dominate this category. In contrast, spy Trojans dropped to fifth place as the surge in the number of APK files for the SMS-stealing `Trojan-Spy.AndroidOS.Agent.akg` subsided. The number of `Agent.amw` spyware files, which masquerade as casino apps, also decreased.\\n\\nRiskTool-type unwanted apps and adware ranked second and third, respectively, while Trojans \u2013 with most files belonging to the Triada family \u2013 occupied the fourth place.\\n\\n_Share* of users attacked by the given type of malicious or potentially unwanted apps out of all targeted users of Kaspersky mobile products, Q1 \u2014 Q2 2025 (download)_\\n\\n_* The total may exceed 100% if the same users experienced multiple attack types._\\n\\nThe distribution of attacked users remained close to that of the previous quarter. The increase in the share of backdoors is linked to the discovery of `Backdoor.Triada.z`, which came pre-installed on devices. As for adware, the proportion of users affected by the HiddenAd family has grown.\\n\\n## TOP 20 most frequently detected types of mobile malware\\n\\n_Note that the malware rankings below exclude riskware or potentially unwanted software, such as RiskTool or adware._\\n\\n**Verdict** | **%* Q1 2025** | **%* Q2 2025** | **Difference (p.p.)** | **Change in rank** \\n—|—|—|—|— \\nTrojan.AndroidOS.Fakemoney.v | 26.41 | 14.57 | -11.84 | 0 \\nTrojan-Banker.AndroidOS.Mamont.da | 11.21 | 12.42 | +1.20 | +2 \\nBackdoor.AndroidOS.Triada.z | 4.71 | 10.29 | +5.58 | +3 \\nTrojan.AndroidOS.Triada.fe | 3.48 | 7.16 | +3.69 | +4 \\nTrojan-Banker.AndroidOS.Mamont.ev | 0.00 | 6.97 | +6.97 | \\nTrojan.AndroidOS.Triada.gn | 2.68 | 6.54 | +3.86 | +3 \\nTrojan-Banker.AndroidOS.Mamont.db | 16.00 | 5.50 | -10.50 | -4 \\nTrojan-Banker.AndroidOS.Mamont.ek | 1.83 | 5.09 | +3.26 | +7 \\nDangerousObject.Multi.Generic. | 19.30 | 4.21 | -15.09 | -7 \\nTrojan-Banker.AndroidOS.Mamont.eb | 1.59 | 2.58 | +0.99 | +7 \\nTrojan.AndroidOS.Triada.hf | 3.81 | 2.41 | -1.40 | -4 \\nTrojan-Downloader.AndroidOS.Dwphon.a | 2.19 | 2.24 | +0.05 | 0 \\nTrojan-Banker.AndroidOS.Mamont.ef | 2.44 | 2.20 | -0.24 | -2 \\nTrojan-Banker.AndroidOS.Mamont.es | 0.05 | 2.13 | +2.08 | \\nTrojan-Banker.AndroidOS.Mamont.dn | 1.46 | 2.13 | +0.67 | +5 \\nTrojan-Downloader.AndroidOS.Agent.mm | 1.45 | 1.56 | +0.11 | +6 \\nTrojan-Banker.AndroidOS.Agent.rj | 1.86 | 1.45 | -0.42 | -3 \\nTrojan-Banker.AndroidOS.Mamont.ey | 0.00 | 1.42 | +1.42 | \\nTrojan-Banker.AndroidOS.Mamont.bc | 7.61 | 1.39 | -6.23 | -14 \\nTrojan.AndroidOS.Boogr.gsh | 1.41 | 1.36 | -0.06 | +3 \\n \\n_* Unique users who encountered this malware as a percentage of all attacked users of Kaspersky mobile solutions._\\n\\nThe activity of Fakemoney scam apps noticeably decreased in Q2, but they still held the top position. Almost all the other entries on the list are variants of the popular banking Trojan Mamont, pre-installed Trojans like Triada and Dwphon, and modified messaging apps with the Triada Trojan built in (`Triada.fe`, `Triada.gn`, `Triada.ga`, and `Triada.gs`).\\n\\n## Region-specific malware\\n\\nThis section describes malware types that mostly affected specific countries.\\n\\n**Verdict** | **Country*** | **%**** \\n—|—|— \\nTrojan-Banker.AndroidOS.Coper.c | T\u00fcrkiye | 98.65 \\nTrojan-Banker.AndroidOS.Coper.a | T\u00fcrkiye | 97.78 \\nTrojan-Dropper.AndroidOS.Rewardsteal.h | India | 95.62 \\nTrojan-Banker.AndroidOS.Rewardsteal.lv | India | 95.48 \\nTrojan-Dropper.AndroidOS.Agent.sm | T\u00fcrkiye | 94.52 \\nTrojan.AndroidOS.Fakeapp.hy | Uzbekistan | 86.51 \\nTrojan.AndroidOS.Piom.bkzj | Uzbekistan | 85.83 \\nTrojan-Dropper.AndroidOS.Pylcasa.c | Brazil | 83.06 \\n \\n_* The country where the malware was most active._ \\n_** Unique users who encountered this Trojan variant in the indicated country as a percentage of all Kaspersky mobile security solution users attacked by the same variant._\\n\\nIn addition to the typical banking Trojans for this category \u2013 Coper, which targets users in T\u00fcrkiye, and Rewatrdsteal, active in India \u2013 the list also includes the fake job search apps `Fakeapp.hy` and `Piom.bkzj`, which specifically target Uzbekistan. Both families collect the user’s personal data. Meanwhile, new droppers named \\”Pylcasa\\” operated in Brazil. They infiltrate Google Play by masquerading as simple apps, such as calculators, but once launched, they open a URL provided by malicious actors \u2013 similar to Trojans of the Fakemoney family. These URLs may lead to illegal casino websites or phishing pages.\\n\\n## Mobile banking Trojans\\n\\nThe number of banking Trojans detected in Q2 2025 was slightly lower than in Q1 but still significantly exceeded the figures for 2024. Kaspersky solutions detected a total of 42,220 installation packages of this type.\\n\\n_Number of installation packages for mobile banking Trojans detected by Kaspersky, Q2 2024 \u2014 Q2 2025 (download)_\\n\\nThe bulk of mobile banking Trojan installation packages still consists of various modifications of Mamont, which account for 57.7%. In terms of the share of affected users, Mamont also outpaced all its competitors, occupying nearly all the top spots on the list of the most widespread banking Trojans.\\n\\n### TOP 10 mobile bankers\\n\\n**Verdict** | **%* Q1 2025** | **%* Q2 2025** | **Difference (p.p.)** | **Change in rank** \\n—|—|—|—|— \\nTrojan-Banker.AndroidOS.Mamont.da | 26.68 | 30.28 | +3.59 | +1 \\nTrojan-Banker.AndroidOS.Mamont.ev | 0.00 | 17.00 | +17.00 | \\nTrojan-Banker.AndroidOS.Mamont.db | 38.07 | 13.41 | -24.66 | -2 \\nTrojan-Banker.AndroidOS.Mamont.ek | 4.37 | 12.42 | +8.05 | +2 \\nTrojan-Banker.AndroidOS.Mamont.eb | 3.80 | 6.29 | +2.50 | +2 \\nTrojan-Banker.AndroidOS.Mamont.ef | 5.80 | 5.36 | -0.45 | -2 \\nTrojan-Banker.AndroidOS.Mamont.es | 0.12 | 5.20 | +5.07 | +23 \\nTrojan-Banker.AndroidOS.Mamont.dn | 3.48 | 5.20 | +1.72 | +1 \\nTrojan-Banker.AndroidOS.Agent.rj | 4.43 | 3.53 | -0.90 | -4 \\nTrojan-Banker.AndroidOS.Mamont.ey | 0.00 | 3.47 | +3.47 | 9 \\n \\n## Conclusion\\n\\nIn Q2 2025, the number of attacks involving malware, adware, and unwanted software decreased compared to Q1. At the same time, Trojans and banking Trojans remained the most common threats, particularly the highly active Mamont family. Additionally, the quarter was marked by the discovery of the second spyware Trojan of 2025 to infiltrate the App Store, along with a fake VPN client stealing OTP codes and a DDoS bot concealed within porn-viewing apps.”,”published”:”2025-09-05T09:00:26″,”modified”:”2025-09-05T09:00:26″,”type”:”securelist”,”title”:”IT threat evolution in Q2 2025. Mobile statistics”,”source”:””,”references”:””,”id”:”SECURELIST:5C72D07627CF28F897F3A45D22946D7F”,”bulletinFamily”:”blog”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/securelist.com\/malware-report-q2-2025-mobile-statistics\/117349\/”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-09-05T10:05:12″,”description”:”\\n\\n**IT threat evolution in Q2 2025. Mobile statistics** \\nIT threat evolution in Q2 2025. Non-mobile statistics\\n\\nThe mobile section of our quarterly cyberthreat report includes statistics…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,13,33,136,7,11,5],"class_list":["post-15991","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-securelist","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n