Login
IT threat evolution in Q3 2025. Mobile statistics
IT threat evolution in Q3 2025. Mobile statistics
IT threat evolution in Q3 2025. Non-mobile statistics
The quarter at a glance
In the third quarter of 2025, we updated the methodology for calculating statistical indicators based on the Kaspersky Security Network. These changes affected all sections of the report except for the statistics on installation packages, which remained unchanged.
To illustrate the differences between the reporting periods, we have also recalculated data for the previous quarters. Consequently, these figures may significantly differ from the previously published ones. However, subsequent reports will employ this new methodology, enabling precise comparisons with the data presented in this post.
The Kaspersky Security Network (KSN) is a global network for analyzing anonymized threat information, voluntarily shared by users of Kaspersky solutions. The statistics in this report are based on KSN data unless explicitly stated otherwise.
The quarter in numbers
According to Kaspersky Security Network, in Q3Β 2025:
- 47 million attacks utilizing malware, adware, or unwanted mobile software were prevented.
- Trojans were the most widespread threat among mobile malware, encountered by 15.78% of all attacked users of Kaspersky solutions.
- More than 197,000 malicious installation packages were discovered, including:
- 52,723 associated with mobile banking Trojans.
- 1564 packages identified as mobile ransomware Trojans.
Quarterly highlights
The number of malware, adware, or unwanted software attacks on mobile devices, calculated according to the updated rules, totaled 3.47 million in the third quarter. This is slightly less than the 3.51 million attacks recorded in the previous reporting period.
Attacks on users of Kaspersky mobile solutions, Q2 2024Β β Q3 2025 (download)
At the start of the quarter, a user complained to us about ads appearing in every browser on their smartphone. We conducted an investigation, discovering a new version of the BADBOX backdoor, preloaded on the device. This backdoor is a multi-level loader embedded in a malicious native library, librescache.so, which was loaded by the system framework. As a result, a copy of the Trojan infiltrated every process running on the device.
Another interesting finding was Trojan-Downloader.AndroidOS.Agent.no, which was embedded in mods for messaging and other apps. It downloaded Trojan-Clicker.AndroidOS.Agent.bl onto the device. The clicker received a URL from its server where an ad was being displayed, opened it in an invisible WebView window, and used machine learning algorithms to find and click the close button. In this way, fraudsters exploited the userβs device to artificially inflate ad views.
Mobile threat statistics
In the third quarter, Kaspersky security solutions detected 197,738 samples of malicious and unwanted software for Android, which is 55,000 more than in the previous reporting period.
Detected malicious and potentially unwanted installation packages, Q3 2024Β β Q3 2025 (download)
The detected installation packages were distributed by type as follows:
Detected mobile apps by type, Q2*Β β Q3 2025 (download)
* Changes in the statistical calculation methodology do not affect this metric. However, data for the previous quarter may differ slightly from previously published figures due to a retrospective review of certain verdicts.
The share of banking Trojans decreased somewhat, but this was due less to a reduction in their numbers and more to an increase in other malicious and unwanted packages. Nevertheless, banking Trojans, still dominated by Mamont packages, continue to hold the top spot. The rise in Trojan droppers is also linked to them: these droppers are primarily designed to deliver banking Trojans.
Share* of users attacked by the given type of malicious or potentially unwanted app out of all targeted users of Kaspersky mobile products, Q2Β β Q3 2025 (download)
*Β The total may exceed 100% if the same users experienced multiple attack types.
Adware leads the pack in terms of the number of users attacked, with a significant margin. The most widespread types of adware are HiddenAd (56.3%) and MobiDash (27.4%). RiskTool-type unwanted apps occupy the second spot. Their growth is primarily due to the proliferation of the Revpn module, which monetizes user internet access by turning their device into a VPN exit point. The most popular Trojans predictably remain Triada (55.8%) and Fakemoney (24.6%). The percentage of users who encountered these did not undergo significant changes.
TOP 20 most frequently detected types of mobile malware
Note that the malware rankings below exclude riskware and potentially unwanted software, such as RiskTool or adware.
| Verdict | %* Q2 2025 | %* Q3 2025 | Difference in p.p. | Change in ranking |
| Trojan.AndroidOS.Triada.ii | 0.00 | 13.78 | +13.78 | |
| Trojan.AndroidOS.Triada.fe | 12.54 | 10.32 | β2.22 | β1 |
| Trojan.AndroidOS.Triada.gn | 9.49 | 8.56 | β0.93 | β1 |
| Trojan.AndroidOS.Fakemoney.v | 8.88 | 6.30 | β2.59 | β1 |
| Backdoor.AndroidOS.Triada.z | 3.75 | 4.53 | +0.77 | +1 |
| DangerousObject.Multi.Generic. | 4.39 | 4.52 | +0.13 | β1 |
| Trojan-Banker.AndroidOS.Coper.c | 3.20 | 2.86 | β0.35 | +1 |
| Trojan.AndroidOS.Triada.if | 0.00 | 2.82 | +2.82 | |
| Trojan-Dropper.Linux.Agent.gen | 3.07 | 2.64 | β0.43 | +1 |
| Trojan-Dropper.AndroidOS.Hqwar.cq | 0.37 | 2.52 | +2.15 | +60 |
| Trojan.AndroidOS.Triada.hf | 2.26 | 2.41 | +0.14 | +2 |
| Trojan.AndroidOS.Triada.ig | 0.00 | 2.19 | +2.19 | |
| Backdoor.AndroidOS.Triada.ab | 0.00 | 2.00 | +2.00 | |
| Trojan-Banker.AndroidOS.Mamont.da | 5.22 | 1.82 | β3.40 | β10 |
| Trojan-Banker.AndroidOS.Mamont.hi | 0.00 | 1.80 | +1.80 | |
| Trojan.AndroidOS.Triada.ga | 3.01 | 1.71 | β1.29 | β5 |
| Trojan.AndroidOS.Boogr.gsh | 1.60 | 1.68 | +0.08 | 0 |
| Trojan-Downloader.AndroidOS.Agent.nq | 0.00 | 1.63 | +1.63 | |
| Trojan.AndroidOS.Triada.hy | 3.29 | 1.62 | β1.67 | β12 |
| Trojan-Clicker.AndroidOS.Agent.bh | 1.32 | 1.56 | +0.24 | 0 |
* Unique users who encountered this malware as a percentage of all attacked users of Kaspersky mobile solutions.
The top positions in the list of the most widespread malware are once again occupied by modified messaging apps Triada.ii, Triada.fe, Triada.gn, and others. The pre-installed backdoor Triada.z ranked fifth, immediately following FakemoneyΒ β fake apps that collect usersβ personal data under the guise of providing payments or financial services. The dropper that landed in ninth place, Agent.gen, is an obfuscated ELF file linked to the banking Trojan Coper.c, which sits immediately after DangerousObject.Multi.Generic.
Region-specific malware
In this section, we describe malware that primarily targets users in specific countries.
| Verdict | Country* | %** |
| Trojan-Dropper.AndroidOS.Hqwar.bj | Turkey | 97.22 |
| Trojan-Banker.AndroidOS.Coper.c | Turkey | 96.35 |
| Trojan-Dropper.AndroidOS.Agent.sm | Turkey | 95.10 |
| Trojan-Banker.AndroidOS.Coper.a | Turkey | 95.06 |
| Trojan-Dropper.AndroidOS.Agent.uq | India | 92.20 |
| Trojan-Banker.AndroidOS.Rewardsteal.qh | India | 91.56 |
| Trojan-Banker.AndroidOS.Agent.wb | India | 85.89 |
| Trojan-Dropper.AndroidOS.Rewardsteal.ab | India | 84.14 |
| Trojan-Dropper.AndroidOS.Banker.bd | India | 82.84 |
| Backdoor.AndroidOS.Teledoor.a | Iran | 81.40 |
| Trojan-Dropper.AndroidOS.Hqwar.gy | Turkey | 80.37 |
| Trojan-Dropper.AndroidOS.Banker.ac | India | 78.55 |
| Trojan-Ransom.AndroidOS.Rkor.ii | Germany | 76.90 |
| Trojan-Dropper.AndroidOS.Banker.bg | India | 75.12 |
| Trojan-Banker.AndroidOS.UdangaSteal.b | Indonesia | 75.00 |
| Trojan-Dropper.AndroidOS.Banker.bc | India | 74.73 |
| Backdoor.AndroidOS.Teledoor.c | Iran | 70.33 |
* The country where the malware was most active.
** Unique users who encountered this Trojan modification in the indicated country as a percentage of all Kaspersky mobile security solution users attacked by the same modification.
Banking Trojans, primarily Coper, continue to operate actively in Turkey. Indian users also attract threat actors distributing this type of software. Specifically, the banker Rewardsteal is active in the country. Teledoor backdoors, embedded in a fake Telegram client, have been deployed in Iran.
Notable is the surge in Rkor ransomware Trojan attacks in Germany. The activity was significantly lower in previous quarters. It appears the fraudsters have found a new channel for delivering malicious apps to users.
Mobile banking Trojans
In the third quarter of 2025, 52,723 installation packages for mobile banking Trojans were detected, 10,000 more than in the second quarter.
Installation packages for mobile banking Trojans detected by Kaspersky, Q3Β 2024Β β Q3Β 2025 (download)
The share of the Mamont Trojan among all bankers slightly increased again, reaching 61.85%. However, in terms of the share of attacked users, Coper moved into first place, with the same modification being used in most of its attacks. Variants of Mamont ranked second and lower, as different samples were used in different attacks. Nevertheless, the total number of users attacked by the Mamont family is greater than that of users attacked by Coper.
TOP 10 mobile bankers
| Verdict | %* Q2 2025 | %* Q3 2025 | Difference in p.p. | Change in ranking |
| Trojan-Banker.AndroidOS.Coper.c | 13.42 | 13.48 | +0.07 | +1 |
| Trojan-Banker.AndroidOS.Mamont.da | 21.86 | 8.57 | β13.28 | β1 |
| Trojan-Banker.AndroidOS.Mamont.hi | 0.00 | 8.48 | +8.48 | |
| Trojan-Banker.AndroidOS.Mamont.gy | 0.00 | 6.90 | +6.90 | |
| Trojan-Banker.AndroidOS.Mamont.hl | 0.00 | 4.97 | +4.97 | |
| Trojan-Banker.AndroidOS.Agent.ws | 0.00 | 4.02 | +4.02 | |
| Trojan-Banker.AndroidOS.Mamont.gg | 0.40 | 3.41 | +3.01 | +35 |
| Trojan-Banker.AndroidOS.Mamont.cb | 3.03 | 3.31 | +0.29 | +5 |
| Trojan-Banker.AndroidOS.Creduz.z | 0.17 | 3.30 | +3.13 | +58 |
| Trojan-Banker.AndroidOS.Mamont.fz | 0.07 | 3.02 | +2.95 | +86 |
*Β Unique users who encountered this malware as a percentage of all Kaspersky mobile security solution users who encountered banking threats.
Mobile ransomware Trojans
Due to the increased activity of mobile ransomware Trojans in Germany, which we mentioned in the Region-specific malware section, we have decided to also present statistics on this type of threat. In the third quarter, the number of ransomware Trojan installation packages more than doubled, reaching 1564.
| Verdict | %* Q2 2025 | %* Q3 2025 | Difference in p.p. | Change in ranking |
| Trojan-Ransom.AndroidOS.Rkor.ii | 7.23 | 24.42 | +17.19 | +10 |
| Trojan-Ransom.AndroidOS.Rkor.pac | 0.27 | 16.72 | +16.45 | +68 |
| Trojan-Ransom.AndroidOS.Congur.aa | 30.89 | 16.46 | β14.44 | β1 |
| Trojan-Ransom.AndroidOS.Svpeng.ac | 30.98 | 16.39 | β14.59 | β3 |
| Trojan-Ransom.AndroidOS.Rkor.it | 0.00 | 10.09 | +10.09 | |
| Trojan-Ransom.AndroidOS.Congur.cw | 15.71 | 9.69 | β6.03 | β3 |
| Trojan-Ransom.AndroidOS.Congur.ap | 15.36 | 9.16 | β6.20 | β3 |
| Trojan-Ransom.AndroidOS.Small.cj | 14.91 | 8.49 | β6.42 | β3 |
| Trojan-Ransom.AndroidOS.Svpeng.snt | 13.04 | 8.10 | β4.94 | β2 |
| Trojan-Ransom.AndroidOS.Svpeng.ah | 13.13 | 7.63 | β5.49 | β4 |
*Β Unique users who encountered the malware as a percentage of all Kaspersky mobile security solution users attacked by ransomware Trojans.
