Mobile threats continued to dominate the cyber landscape in the second quarter of 2025, as Kaspersky researchers uncovered nearly 143,000 malicious installation packages for Android, alongside new spyware variants that managed to infiltrate the iOS ecosystem.
While the overall number of mobile malware, adware, and unwanted software attacks decreased to 10.71 million compared to the previous quarter, Trojans and banking malware remained the most severe risks facing smartphone users.
According to telemetry from the Kaspersky Security Network, Trojans represented nearly one-third (31.69%) of all mobile threats detected in Q2. Out of the total 142,762 malicious installation files, 42,220 were banking Trojans, with the Mamont family accounting for the largest share of this category.
These malicious programs are engineered to steal credentials, intercept SMS codes, and enable account hijacking. Notably, several variants of Mamont surged in activity, especially Mamont.ev, which accounted for 17% of infections despite being absent in Q1.

Spyware activity presented a mixed picture. While earlier waves of APKs associated with Trojan-Spy.AndroidOS.Agent.akg subsided, Kaspersky documented a new threat dubbed SparkKitty.
Linked to the previously known SparkCat family, SparkKitty affected both Android and iOS platforms by harvesting images, often recovery codes for cryptocurrency wallets, from victims’ galleries.
The cross-platform presence raised concerns over increasingly sophisticated tactics employed by cybercriminals targeting digital assets.
One of the more alarming discoveries was Backdoor.Triada.z, which was detected pre-installed on specific Android devices, highlighting continued supply-chain risks in the handset manufacturing ecosystem.
In parallel, researchers identified Trojan-DDoS.AndroidOS.Agent.a, which embedded a malicious SDK for launching configurable distributed denial-of-service (DDoS) attacks.
What makes this strain unusual is its distribution through adult-content applications, effectively creating a botnet of compromised devices.
Another emerging trend was the use of fraudulent VPN services to conceal spyware functionality. Trojan-Spy.AndroidOS.OtpSteal masqueraded as a privacy tool but instead intercepted one-time passcodes from messaging and social networking apps via Android’s Notification Listener service, forwarding them directly to attackers over Telegram.
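A defender-side check for the notification-listener abuse described above, as an added example that is not taken from Kaspersky's report: it parses the value of Android's `enabled_notification_listeners` secure setting and lists apps holding notification access that are not on an allowlist. The package names, the allowlist and the "vpn" name hint are constructed assumptions.

```python
# Added example: audit which apps hold Android notification access.
# Input is the text printed by
#   adb shell settings get secure enabled_notification_listeners
# i.e. colon-separated "package/class" component names, or "null" if unset.

# Constructed sample value (hypothetical package names, one duplicate entry).
SAMPLE_SETTING = (
    "com.example.wearcompanion/com.example.wearcompanion.NotifService:"
    "com.example.fastvpn/.service.PushListener:"
    "com.example.notes/com.example.notes.SyncListener:"
    "com.example.fastvpn/com.example.fastvpn.service.PushListener"
)

# Assumption: packages the organisation expects to read notifications.
ALLOWED = {"com.example.wearcompanion"}


def parse_listeners(raw):
    """Return sorted, de-duplicated (package, full_class) pairs."""
    raw = (raw or "").strip()
    if raw in ("", "null"):
        return []
    found = set()
    for item in raw.split(":"):
        pkg, sep, cls = item.strip().partition("/")
        if not (sep and pkg and cls):
            continue  # malformed entry, ignore it
        if cls.startswith("."):
            cls = pkg + cls  # expand the short form "pkg/.Class"
        found.add((pkg, cls))
    return sorted(found)


def audit(raw, allowed_packages, name_hints=("vpn",)):
    """List listeners outside the allowlist; name hints only set triage order."""
    findings = []
    for pkg, cls in parse_listeners(raw):
        if pkg in allowed_packages:
            continue
        hinted = any(h in pkg.lower() for h in name_hints)
        findings.append({"package": pkg, "service": cls,
                         "priority": "high" if hinted else "review"})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SETTING, ALLOWED):
        print(finding)
```

A VPN client has no functional need to read other apps' notifications, which is why the name hint raises priority; it is a triage heuristic, not a verdict.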
Certain malware families displayed sharp geographic concentration. In Türkiye, the notorious Coper banking Trojan variants targeted more than 97% of victimized users, while in India, the Rewardsteal family claimed a similarly dominant share.
Uzbekistan was inundated with fake job-hunting apps (Fakeapp.hy and Piom.bkzj), which harvested personal data. At the same time, a new dropper family called Pylcasa spread across Brazil by disguising itself as utility apps on Google Play.
While the overall number of mobile malware incidents declined in Q2 2025, the quality and diversity of threats escalated, with pre-installed backdoors, stealthy cross-platform spyware, and banking Trojans continuing to evolve.
The threat landscape underscores the need for vigilance in app installation, supply chain integrity, and layered mobile security.