Surge in Mobile Malware and Banking Trojan Threats in 2025
Threat intelligence reports from multiple security vendors highlight a significant escalation in mobile malware activity and the evolution of attack strategies targeting mobile devices in 2025. Kaspersky's Q3 2025 statistics reveal that over 47 million attacks involving malware, adware, or unwanted mobile software were prevented, with trojans being the most prevalent threat. The Zscaler Threatlabz report, corroborated by Zimperium's research, documents a 67% year-over-year increase in Android malware and a 50% rise in trojan deployments, with 18% of sampled mobile devices found to be infected. These reports emphasize the growing adoption of a mobile-first attack strategy by threat actors, exploiting the expanded enterprise attack surface as remote and hybrid workforces rely more heavily on mobile devices.
A notable trend is the persistence and evolution of mobile banking malware. Zimperium's analysis details the emergence of the Android/BankBot-YNRK trojan, which masquerades as legitimate apps, abuses accessibility services, and automates fraudulent transactions, reinforcing the risk to mobile banking users. The convergence of phishing techniques—such as smishing, vishing, and quishing—under the term "Mishing" further illustrates the sophistication of mobile-targeted social engineering. Collectively, these findings underscore the urgent need for organizations to strengthen mobile security controls and user awareness as mobile devices become a primary vector for credential theft, financial fraud, and enterprise compromise.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Kaspersky publishes Q3 2025 mobile threat statistics
Securelist published Kaspersky's Q3 2025 mobile threat evolution report, providing updated mobile malware and threat telemetry for the quarter. The report represents a new disclosure of aggregate mobile threat trends and activity levels.
Zimperium reports threat actors are increasingly using mobile-first tactics
Zimperium published analysis citing a Zscaler report as validation that threat actors are adopting a mobile-first attack strategy. This marked a broader industry framing of mobile devices as a primary initial access and targeting vector.
BankBot-YNRK Android banking trojan is documented by Zimperium
Zimperium published research describing a new Android banking trojan tracked as BankBot-YNRK, highlighting it as a reinforcement of ongoing mobile banking malware threats. The report indicates the malware was active by the time of publication and adds technical visibility to the campaign.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Zscaler Report Validates Threat Actors’ Mobile First Attack Strategy
zimperium.com
Open sourceNew Android/BankBot-YNRK Trojan Reinforces Mobile Banking Threats
zimperium.com
Open sourceAndroid threat report for Q3 2025 | Securelist
securelist.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Mobile Banking Malware and Broader Mobile Threat Trends in 2025
Reporting on mobile threats in 2025 highlighted sustained, high-volume malicious activity against Android devices, with **adware** dominating detections and a large number of **mobile banking Trojans** observed in the wild. Kaspersky’s telemetry-based review cited **14,059,465** blocked attacks involving malware/adware/unwanted software during 2025, **62%** of detections attributed to adware, and **815,000+** malicious installation packages identified, including **255,000** mobile banking Trojan packages; it also noted discovery of notable threats such as the **Keenadu** preinstalled backdoor, reportedly injected at the manufacturing stage by modifying `libandroid_runtime.so` to load into the address space of apps. Separate analysis of the Android **Massiv** malware described an active **mobile banking fraud** campaign delivered via a trojanized **IPTV app**, emphasizing the risk from apps sourced outside official stores. Massiv was reported to request extensive permissions and use **overlay** techniques to capture credentials and manipulate banking sessions, including monitoring user interactions and enabling fraudulent transactions with limited user visibility—reinforcing that mobile banking threats remain a material subset of the broader mobile malware ecosystem described in 2025 trend reporting.
Mar 21, 2026
Surge in Mobile Malware Activity and Targeted Threats in Q4 2025
A significant increase in mobile malware activity was observed in Q4 2025, with Doctor Web reporting that adware trojans such as Android.MobiDash and Android.HiddenAds remained the most prevalent threats, though their detection rates declined. Conversely, banking trojans, particularly from the Android.Banker family, saw a 65.52% rise in activity, targeting users by intercepting SMS one-time codes and mimicking legitimate banking apps. The review also highlighted the widespread use of unwanted software like CloudInject, which adds dangerous permissions and obfuscated code to apps, as well as riskware programs modified with NP Manager. Additionally, Doctor Web identified new threats such as the Android.Backdoor.Baohuo.1.origin, distributed via modified Telegram X apps to steal credentials, and the unique Trojan.ChimeraWire, which manipulates website popularity metrics. Globally, India experienced a 38% year-over-year increase in mobile malware attacks, accounting for 26% of all mobile malware traffic worldwide, according to Zscaler. Hundreds of malicious apps, many disguised as productivity tools, infiltrated trusted platforms like the Google Play Store, with over 42 million downloads. Attackers focused on high-value industries, with retail, hospitality, and manufacturing sectors being primary targets. The escalation in Android malware transactions and the strategic targeting of consumer-facing and operations-heavy environments underscore the evolving tactics of threat actors and the growing risks to mobile device users and organizations worldwide.
Mar 21, 2026
Emerging Mobile Threats and Security Gaps in Banking and Endpoint Protection
A newly identified Android banking trojan is exploiting weaknesses in traditional antivirus defenses by using SMS-based distribution and overlay tactics to steal credentials, highlighting the limitations of signature-based detection and the need for behavior-based mobile security. This threat, along with a documented cyber-espionage campaign where attackers used stolen credentials to hijack cloud-based device management tools and remotely wipe Android devices, demonstrates how mobile endpoints are increasingly being weaponized for both financial theft and sabotage. The sophistication of these attacks underscores the necessity for organizations to treat mobile devices as critical assets, implementing continuous monitoring, strict OS patching, and robust incident response protocols. In response to the growing threat landscape, Google has expanded its Android in-call scam protection feature to major U.S. financial apps such as Cash App and JPMorgan Chase. This feature warns users when they may be targeted by social engineering scams during calls, aiming to disrupt attackers' manipulation tactics and prevent unauthorized access to banking information. As mobile devices become central to both personal and enterprise operations, the convergence of advanced malware, endpoint exploitation, and enhanced security features reflects the urgent need for comprehensive mobile security strategies.
Mar 21, 2026