{“lastseen”:”2025-11-19T10:05:10″,”description”:”\\n\\n**IT threat evolution in Q3 2025. Mobile statistics** \\nIT threat evolution in Q3 2025. Non-mobile statistics\\n\\n## The quarter at a glance\\n\\nIn the third quarter of 2025, we updated the methodology for calculating statistical indicators based on the Kaspersky Security Network. These changes affected all sections of the report except for the statistics on installation packages, which remained unchanged.\\n\\nTo illustrate the differences between the reporting periods, we have also recalculated data for the previous quarters. Consequently, these figures may significantly differ from the previously published ones. However, subsequent reports will employ this new methodology, enabling precise comparisons with the data presented in this post.\\n\\nThe Kaspersky Security Network (KSN) is a global network for analyzing anonymized threat information, voluntarily shared by users of Kaspersky solutions. The statistics in this report are based on KSN data unless explicitly stated otherwise.\\n\\n## The quarter in numbers\\n\\nAccording to Kaspersky Security Network, in Q3 2025:\\n\\n * 47 million attacks utilizing malware, adware, or unwanted mobile software were prevented.\\n\\n\\n * Trojans were the most widespread threat among mobile malware, encountered by 15.78% of all attacked users of Kaspersky solutions.\\n * More than 197,000 malicious installation packages were discovered, including: \\n * 52,723 associated with mobile banking Trojans.\\n * 1564 packages identified as mobile ransomware Trojans.\\n\\n\\n\\n## Quarterly highlights\\n\\nThe number of malware, adware, or unwanted software attacks on mobile devices, calculated according to the updated rules, totaled 3.47 million in the third quarter. This is slightly less than the 3.51 million attacks recorded in the previous reporting period.\\n\\n_Attacks on users of Kaspersky mobile solutions, Q2 2024 \u2014 Q3 2025 (download)_\\n\\nAt the start of the quarter, a user complained to us about ads appearing in every browser on their smartphone. We conducted an investigation, discovering a new version of the BADBOX backdoor, preloaded on the device. This backdoor is a multi-level loader embedded in a malicious native library, librescache.so, which was loaded by the system framework. As a result, a copy of the Trojan infiltrated every process running on the device.\\n\\nAnother interesting finding was Trojan-Downloader.AndroidOS.Agent.no, which was embedded in mods for messaging and other apps. It downloaded Trojan-Clicker.AndroidOS.Agent.bl onto the device. The clicker received a URL from its server where an ad was being displayed, opened it in an invisible WebView window, and used machine learning algorithms to find and click the close button. In this way, fraudsters exploited the user’s device to artificially inflate ad views.\\n\\n## Mobile threat statistics\\n\\nIn the third quarter, Kaspersky security solutions detected 197,738 samples of malicious and unwanted software for Android, which is 55,000 more than in the previous reporting period.\\n\\n_Detected malicious and potentially unwanted installation packages, Q3 2024 \u2014 Q3 2025 (download)_\\n\\nThe detected installation packages were distributed by type as follows:\\n\\n_Detected mobile apps by type, Q2* \u2014 Q3 2025 (download)_\\n\\n_* Changes in the statistical calculation methodology do not affect this metric. However, data for the previous quarter may differ slightly from previously published figures due to a retrospective review of certain verdicts._\\n\\nThe share of banking Trojans decreased somewhat, but this was due less to a reduction in their numbers and more to an increase in other malicious and unwanted packages. Nevertheless, banking Trojans, still dominated by Mamont packages, continue to hold the top spot. The rise in Trojan droppers is also linked to them: these droppers are primarily designed to deliver banking Trojans.\\n\\n_Share* of users attacked by the given type of malicious or potentially unwanted app out of all targeted users of Kaspersky mobile products, Q2 \u2014 Q3 2025 (download)_\\n\\n_* The total may exceed 100% if the same users experienced multiple attack types._\\n\\nAdware leads the pack in terms of the number of users attacked, with a significant margin. The most widespread types of adware are HiddenAd (56.3%) and MobiDash (27.4%). RiskTool-type unwanted apps occupy the second spot. Their growth is primarily due to the proliferation of the Revpn module, which monetizes user internet access by turning their device into a VPN exit point. The most popular Trojans predictably remain Triada (55.8%) and Fakemoney (24.6%). The percentage of users who encountered these did not undergo significant changes.\\n\\n## TOP 20 most frequently detected types of mobile malware\\n\\n_Note that the malware rankings below exclude riskware and potentially unwanted software, such as RiskTool or adware._\\n\\n**Verdict** | **%* Q2 2025** | **%* Q3 2025** | **Difference in p.p.** | **Change in ranking** \\n—|—|—|—|— \\nTrojan.AndroidOS.Triada.ii | 0.00 | 13.78 | +13.78 | \\nTrojan.AndroidOS.Triada.fe | 12.54 | 10.32 | \u20132.22 | \u20131 \\nTrojan.AndroidOS.Triada.gn | 9.49 | 8.56 | \u20130.93 | \u20131 \\nTrojan.AndroidOS.Fakemoney.v | 8.88 | 6.30 | \u20132.59 | \u20131 \\nBackdoor.AndroidOS.Triada.z | 3.75 | 4.53 | +0.77 | +1 \\nDangerousObject.Multi.Generic. | 4.39 | 4.52 | +0.13 | \u20131 \\nTrojan-Banker.AndroidOS.Coper.c | 3.20 | 2.86 | \u20130.35 | +1 \\nTrojan.AndroidOS.Triada.if | 0.00 | 2.82 | +2.82 | \\nTrojan-Dropper.Linux.Agent.gen | 3.07 | 2.64 | \u20130.43 | +1 \\nTrojan-Dropper.AndroidOS.Hqwar.cq | 0.37 | 2.52 | +2.15 | +60 \\nTrojan.AndroidOS.Triada.hf | 2.26 | 2.41 | +0.14 | +2 \\nTrojan.AndroidOS.Triada.ig | 0.00 | 2.19 | +2.19 | \\nBackdoor.AndroidOS.Triada.ab | 0.00 | 2.00 | +2.00 | \\nTrojan-Banker.AndroidOS.Mamont.da | 5.22 | 1.82 | \u20133.40 | \u201310 \\nTrojan-Banker.AndroidOS.Mamont.hi | 0.00 | 1.80 | +1.80 | \\nTrojan.AndroidOS.Triada.ga | 3.01 | 1.71 | \u20131.29 | \u20135 \\nTrojan.AndroidOS.Boogr.gsh | 1.60 | 1.68 | +0.08 | 0 \\nTrojan-Downloader.AndroidOS.Agent.nq | 0.00 | 1.63 | +1.63 | \\nTrojan.AndroidOS.Triada.hy | 3.29 | 1.62 | \u20131.67 | \u201312 \\nTrojan-Clicker.AndroidOS.Agent.bh | 1.32 | 1.56 | +0.24 | 0 \\n \\n_* Unique users who encountered this malware as a percentage of all attacked users of Kaspersky mobile solutions._\\n\\nThe top positions in the list of the most widespread malware are once again occupied by modified messaging apps Triada.ii, Triada.fe, Triada.gn, and others. The pre-installed backdoor Triada.z ranked fifth, immediately following Fakemoney \u2013 fake apps that collect users’ personal data under the guise of providing payments or financial services. The dropper that landed in ninth place, Agent.gen, is an obfuscated ELF file linked to the banking Trojan Coper.c, which sits immediately after DangerousObject.Multi.Generic.\\n\\n## Region-specific malware\\n\\nIn this section, we describe malware that primarily targets users in specific countries.\\n\\n**Verdict** | **Country*** | **%**** \\n—|—|— \\nTrojan-Dropper.AndroidOS.Hqwar.bj | Turkey | 97.22 \\nTrojan-Banker.AndroidOS.Coper.c | Turkey | 96.35 \\nTrojan-Dropper.AndroidOS.Agent.sm | Turkey | 95.10 \\nTrojan-Banker.AndroidOS.Coper.a | Turkey | 95.06 \\nTrojan-Dropper.AndroidOS.Agent.uq | India | 92.20 \\nTrojan-Banker.AndroidOS.Rewardsteal.qh | India | 91.56 \\nTrojan-Banker.AndroidOS.Agent.wb | India | 85.89 \\nTrojan-Dropper.AndroidOS.Rewardsteal.ab | India | 84.14 \\nTrojan-Dropper.AndroidOS.Banker.bd | India | 82.84 \\nBackdoor.AndroidOS.Teledoor.a | Iran | 81.40 \\nTrojan-Dropper.AndroidOS.Hqwar.gy | Turkey | 80.37 \\nTrojan-Dropper.AndroidOS.Banker.ac | India | 78.55 \\nTrojan-Ransom.AndroidOS.Rkor.ii | Germany | 76.90 \\nTrojan-Dropper.AndroidOS.Banker.bg | India | 75.12 \\nTrojan-Banker.AndroidOS.UdangaSteal.b | Indonesia | 75.00 \\nTrojan-Dropper.AndroidOS.Banker.bc | India | 74.73 \\nBackdoor.AndroidOS.Teledoor.c | Iran | 70.33 \\n \\n_* The country where the malware was most active._ \\n_** Unique users who encountered this Trojan modification in the indicated country as a percentage of all Kaspersky mobile security solution users attacked by the same modification._\\n\\nBanking Trojans, primarily Coper, continue to operate actively in Turkey. Indian users also attract threat actors distributing this type of software. Specifically, the banker Rewardsteal is active in the country. Teledoor backdoors, embedded in a fake Telegram client, have been deployed in Iran. \\nNotable is the surge in Rkor ransomware Trojan attacks in Germany. The activity was significantly lower in previous quarters. It appears the fraudsters have found a new channel for delivering malicious apps to users.\\n\\n## Mobile banking Trojans\\n\\nIn the third quarter of 2025, 52,723 installation packages for mobile banking Trojans were detected, 10,000 more than in the second quarter.\\n\\n_Installation packages for mobile banking Trojans detected by Kaspersky, Q3 2024 \u2014 Q3 2025 (download)_\\n\\nThe share of the Mamont Trojan among all bankers slightly increased again, reaching 61.85%. However, in terms of the share of attacked users, Coper moved into first place, with the same modification being used in most of its attacks. Variants of Mamont ranked second and lower, as different samples were used in different attacks. Nevertheless, the total number of users attacked by the Mamont family is greater than that of users attacked by Coper.\\n\\nTOP 10 mobile bankers\\n\\n**Verdict** | **%* Q2 2025** | **%* Q3 2025** | **Difference in p.p.** | **Change in ranking** \\n—|—|—|—|— \\nTrojan-Banker.AndroidOS.Coper.c | 13.42 | 13.48 | +0.07 | +1 \\nTrojan-Banker.AndroidOS.Mamont.da | 21.86 | 8.57 | \u201313.28 | \u20131 \\nTrojan-Banker.AndroidOS.Mamont.hi | 0.00 | 8.48 | +8.48 | \\nTrojan-Banker.AndroidOS.Mamont.gy | 0.00 | 6.90 | +6.90 | \\nTrojan-Banker.AndroidOS.Mamont.hl | 0.00 | 4.97 | +4.97 | \\nTrojan-Banker.AndroidOS.Agent.ws | 0.00 | 4.02 | +4.02 | \\nTrojan-Banker.AndroidOS.Mamont.gg | 0.40 | 3.41 | +3.01 | +35 \\nTrojan-Banker.AndroidOS.Mamont.cb | 3.03 | 3.31 | +0.29 | +5 \\nTrojan-Banker.AndroidOS.Creduz.z | 0.17 | 3.30 | +3.13 | +58 \\nTrojan-Banker.AndroidOS.Mamont.fz | 0.07 | 3.02 | +2.95 | +86 \\n \\n_* Unique users who encountered this malware as a percentage of all Kaspersky mobile security solution users who encountered banking threats._\\n\\n## Mobile ransomware Trojans\\n\\nDue to the increased activity of mobile ransomware Trojans in Germany, which we mentioned in the Region-specific malware section, we have decided to also present statistics on this type of threat. In the third quarter, the number of ransomware Trojan installation packages more than doubled, reaching 1564.\\n\\n**Verdict** | **%* Q2 2025** | **%* Q3 2025** | **Difference in p.p.** | **Change in ranking** \\n—|—|—|—|— \\nTrojan-Ransom.AndroidOS.Rkor.ii | 7.23 | 24.42 | +17.19 | +10 \\nTrojan-Ransom.AndroidOS.Rkor.pac | 0.27 | 16.72 | +16.45 | +68 \\nTrojan-Ransom.AndroidOS.Congur.aa | 30.89 | 16.46 | \u201314.44 | \u20131 \\nTrojan-Ransom.AndroidOS.Svpeng.ac | 30.98 | 16.39 | \u201314.59 | \u20133 \\nTrojan-Ransom.AndroidOS.Rkor.it | 0.00 | 10.09 | +10.09 | \\nTrojan-Ransom.AndroidOS.Congur.cw | 15.71 | 9.69 | \u20136.03 | \u20133 \\nTrojan-Ransom.AndroidOS.Congur.ap | 15.36 | 9.16 | \u20136.20 | \u20133 \\nTrojan-Ransom.AndroidOS.Small.cj | 14.91 | 8.49 | \u20136.42 | \u20133 \\nTrojan-Ransom.AndroidOS.Svpeng.snt | 13.04 | 8.10 | \u20134.94 | \u20132 \\nTrojan-Ransom.AndroidOS.Svpeng.ah | 13.13 | 7.63 | \u20135.49 | \u20134 \\n \\n_* Unique users who encountered the malware as a percentage of all Kaspersky mobile security solution users attacked by ransomware Trojans._”,”published”:”2025-11-19T10:00:34″,”modified”:”2025-11-19T10:00:34″,”type”:”securelist”,”title”:”IT threat evolution in Q3 2025. Mobile statistics”,”source”:””,”references”:””,”id”:”SECURELIST:E0B95A3D1FC0292D340764C5937CFC3E”,”bulletinFamily”:”blog”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/securelist.com\/malware-report-q3-2025-mobile-statistics\/118013\/”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-11-19T10:05:10″,”description”:”\\n\\n**IT threat evolution in Q3 2025. Mobile statistics** \\nIT threat evolution in Q3 2025. Non-mobile statistics\\n\\n## The quarter at a glance\\n\\nIn the third quarter of…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,13,33,136,7,11,5],"class_list":["post-26802","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-securelist","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n