According to Kaspersky data, there were 29% more attacks on Android smartphone users in the first half of 2025 compared to the first half of 2024, and 48% more compared to the second half of 2024.
In 2025 Kaspersky detected prominent mobile threats such as SparkCat, SparkKitty and Triada, but there were other active threats as well, including apps with adult content that could launch DDoS attacks and a VPN app that intercepted login codes sent through text messages. More detailed information is available in Kaspersky’s report IT threat evolution in Q2 2025: Mobile statistics.
Number of attacks on mobile users, globally, H1 2024 – H1 2025
In the second quarter of 2025, attackers embedded functionality for dynamically configured DDoS attacks into applications for viewing adult content. This trojan enables sending specific data from the infected device to the attackers at specified time intervals.
Kaspersky also recently detected a fake VPN client that hijacks different user accounts: instead of providing the declared functionality, it intercepts one-time password codes from various messengers and social networks by monitoring notifications and sends them to the attackers via a Telegram bot.
The most popular malicious apps
Malicious apps that mobile users most frequently encountered were Fakemoney scam applications, banking trojans and preinstalled malware.
Fakemoney scam apps on smartphones are fraudulent applications that deceive users into believing they can earn real money or rewards through tasks, games or investments, but then steal personal information, money or deliver no actual payouts.
Pre-installed trojans like Triada and Dwphon were also frequently detected. These are examples of malicious software embedded in the firmware of Android devices during manufacturing, enabling data theft, unauthorized actions and persistence even after factory resets.
Mobile banking trojans
The number of mobile banking trojans detected in the first half of 2025 is almost four times more than in the first half of 2024 and over two times more than in the second half of 2024.
Number of mobile banking trojan installs detected by
Kaspersky, globally, H1 2024 – H1 2025
Regional specifics
- In Turkiye, Kaspersky detected Coper trojan activity. Coper is designed to steal sensitive financial and personal information, often disguised as legitimate apps like banking or utility software.
- In India, a trojan dropper was detected designed to deliver financial or data-stealing malware, often disguised as legitimate reward or loyalty apps.
- Fake job search apps Fakeapp.hy and Piom.bkzj targeted Uzbekistan, collecting users' personal data.
- In Brazil, new trojan droppers called Pylcasa were active. They infiltrate Google Play, masquerading as simple apps like calculators, but upon launch, they open URLs provided by attackers. Such URLs may lead users to illegal casino sites or phishing pages.
“The first half of 2025 saw a surge in Android malware attacks compared to 2024. There are different attack vectors, and sideloading apps from outside app stores is one of them. Google’s recent initiative to verify developers even for sideloaded apps is an attempt to counter malware spread via APK files outside official app stores. However, this step is not a silver bullet. Malware continues to infiltrate even the Google Play Store, where developer verification has long been in effect. Malware infiltrates Apple’s AppStore as well. Attackers will likely find ways to bypass verification, underscoring the need for users to combine robust security solutions, cautious app sourcing and regular OS updates to stay ahead of evolving threats,” comments Anton Kivva, Malware Analyst Team Lead at Kaspersky.
To be protected from mobile threats, Kaspersky recommends:
- Download apps only from official app stores for smartphones, such as Apple App Store and Google Play, but remember that even downloading apps from official stores is not always risk-free.
- To stay safe, always check app reviews, use only links from official websites, and install reliable security software, like Kaspersky Premium, that can detect and block malicious activity if an app turns out to be fraudulent.
- Check the permissions of apps that you use and think carefully before permitting an app, especially when it comes to high-risk permissions such as Accessibility Services.
- Update your operating system and important apps as updates become available. Many safety issues can be solved by installing updated versions of software.
About Kaspersky Threat Research team
The Threat Research team is a leading authority in protecting against cyberthreats. By actively engaging in both threat analysis and technology creation, our TR experts ensure that Kaspersky’s cybersecurity solutions are deeply informed and exceptionally potent, providing critical threat intelligence and robust security to our clients and the broader community.
