Surge in Mobile Malware Activity and Targeted Threats in Q4 2025
A significant increase in mobile malware activity was observed in Q4 2025, with Doctor Web reporting that adware trojans such as Android.MobiDash and Android.HiddenAds remained the most prevalent threats, though their detection rates declined. Conversely, banking trojans, particularly from the Android.Banker family, saw a 65.52% rise in activity, targeting users by intercepting SMS one-time codes and mimicking legitimate banking apps. The review also highlighted the widespread use of unwanted software like CloudInject, which adds dangerous permissions and obfuscated code to apps, as well as riskware programs modified with NP Manager. Additionally, Doctor Web identified new threats such as Android.Backdoor.Baohuo.1.origin, distributed via modified Telegram X apps to steal credentials, and the unique Trojan.ChimeraWire, which manipulates website popularity metrics.
Globally, India experienced a 38% year-over-year increase in mobile malware attacks, accounting for 26% of all mobile malware traffic worldwide, according to Zscaler. Hundreds of malicious apps, many disguised as productivity tools, infiltrated trusted platforms like the Google Play Store, with over 42 million downloads. Attackers focused on high-value industries, with retail, hospitality, and manufacturing sectors being primary targets. The escalation in Android malware transactions and the strategic targeting of consumer-facing and operations-heavy environments underscore the evolving tactics of threat actors and the growing risks to mobile device users and organizations worldwide.

How this story unfolded
9 events from the most recent confirmed update back to the earliest known activity.
Dr.Web publishes Q4 2025 mobile threat review
On January 12, 2026, Dr.Web released a separate Q4 2025 review focused on mobile threats, stating that ad-displaying trojans remained the most prevalent Android threats while detections of some major adware families declined on protected devices.
Dr.Web publishes Q4 2025 virus activity review
On January 12, 2026, Dr.Web published its Q4 2025 virus activity review summarizing desktop, email, Android, fraud, and phishing trends observed during the quarter. The report also noted increased user requests for decryption help related to encoder trojans.
Zscaler reports India became top mobile malware target in 2025
Zscaler ThreatLabz's 2025 Mobile, IoT, and OT Threat Report said India saw a 38% year-over-year increase in mobile malware threats and accounted for 26% of global mobile malware traffic. The report also noted a 67% year-over-year increase in Android malware transactions and highlighted spyware and banking malware as major risks.
Dr.Web records higher overall threat volume in Q4 2025
Dr.Web's Q4 2025 virus activity review reported a 16.05% quarter-over-quarter increase in total detected threats, while unique threats decreased by 1.13%. The company said unwanted adware, malicious scripts, and downloader or ad-displaying trojans were the most prevalent threats during the quarter.
Trojan.ChimeraWire campaign documented in Q4 2025
In its Q4 2025 review, Dr.Web described Trojan.ChimeraWire as a click-fraud style trojan that uses DLL search order hijacking and anti-debugging techniques. The malware was listed among the quarter's notable threats.
Cavalry Werewolf targets a Russian state institution
Dr.Web highlighted a targeted intrusion in Q4 2025 by the Cavalry Werewolf group against a Russian state institution. The report presents this as one of the notable threat incidents observed during the quarter.
Malicious apps discovered on Google Play in Q4 2025
During Q4 2025, Dr.Web found more than 20 Android.Joker subscription trojans and Android.FakeApp fraud apps on Google Play, with at least 263,000 total downloads. The broader Zscaler 2025 report also said 239 malicious apps were found on Google Play with more than 42 million downloads.
Malicious Telegram X mods spread Baohuo Android backdoor
In Q4 2025, Dr.Web identified Android.Backdoor.Baohuo.1.origin embedded in unofficial Telegram X modifications distributed through malicious websites and third-party app catalogs. The backdoor enabled credential theft and covert account control, and Dr.Web said it infected about 58,000 devices.
Q4 2025 mobile banking trojan activity rises sharply
During Q4 2025, Dr.Web reported a strong increase in Android banking trojan activity, driven largely by Android.Banker malware capable of intercepting SMS one-time codes and displaying phishing overlays that mimic banking apps.
Sources
Doctor Web’s Q4 2025 review of virus activity on mobile devices (news.drweb.com)
Doctor Web’s Q4 2025 virus activity review (news.drweb.com)
India Continues to Be the Top Target for Mobile Attacks with 38% Increase in Threats (cybersecuritynews.com)


