Google is expanding its real-time scam-detection and screen-sharing fraud warnings in India.

IT threat evolution in Q2 2025. Mobile statistics
IT threat evolution in Q2 2025. Non-mobile statistics

The mobile section of our quarterly cyberthreat report includes statistics on malware, adware, and potentially unwanted software for Android, as well as descriptions of the most notable threats for Android and iOS discovered during the reporting period. The statistics in this report are based on detection alerts from Kaspersky products, collected from users who consented to provide anonymized data to Kaspersky Security Network.

Quarterly figures

According to Kaspersky Security Network, in Q2 2025:

• Our solutions blocked 10.71 million malware, adware, and unwanted mobile software attacks.
• Trojans, the most common mobile threat, affected 31.69% of Kaspersky users who encountered mobile threats during the reporting period.
• Just under 143,000 malicious installation packages were detected, of which:
  • 42,220 were mobile banking Trojans;
  • 695 packages were mobile ransomware Trojans.

Quarterly highlights

Mobile attacks involving malware, adware, and unwanted software dropped to 10.71 million.

Attacks on users of Kaspersky mobile solutions, Q4 2023 — Q2 2025 (download)

The trend is mainly due to a decrease in the activity of RiskTool.AndroidOS.SpyLoan. These are applications typically associated with microlenders and containing a potentially dangerous framework for monitoring borrowers and collecting their data, such as contacts lists. Curiously, such applications have been found pre-installed on some devices.

In Q2, we found a new malicious app for Android and iOS that was stealing images from the gallery. We were able to determine that this campaign was linked to the previously discovered SparkCat, so we dubbed it SparkKitty.

Like its “big brother”, the new malware most likely targets recovery codes for crypto wallets saved as screenshots.

Trojan-DDoS.AndroidOS.Agent.a was this past quarter’s unusual discovery. Malicious actors embedded an SDK for conducting dynamically configurable DDoS attacks into apps designed for viewing adult content. The Trojan allows for sending specific data to addresses designated by the attacker at a set frequency. Building a DDoS botnet from mobile devices with adult apps installed may seem like a questionable venture in terms of attack efficiency and power – but apparently, some cybercriminals have found a use for this approach.

In Q2, we also encountered Trojan-Spy.AndroidOS.OtpSteal.a, a fake VPN client that hijacks user accounts. Instead of the advertised features, it uses the Notification Listener service to intercept OTP codes from various messaging apps and social networks, and sends them to the attackers’ Telegram chat via a bot.

Mobile threat statistics

The number of Android malware and potentially unwanted app samples decreased from Q1, reaching a total of 142,762 installation packages.

Detected malware and potentially unwanted app installation packages, Q2 2024 — Q2 2025 (download)

The distribution of detected installation packages by type in Q2 was as follows:

Detected mobile malware by type, Q1 — Q2 2025 (download)

* Data for the previous quarter may differ slightly from previously published data due to some verdicts being retrospectively revised.

Banking Trojans remained in first place, with their share increasing relative to Q1. The Mamont family continues to dominate this category. In contrast, spy Trojans dropped to fifth place as the surge in the number of APK files for the SMS-stealing Trojan-Spy.AndroidOS.Agent.akg subsided. The number of Agent.amw spyware files, which masquerade as casino apps, also decreased.

RiskTool-type unwanted apps and adware ranked second and third, respectively, while Trojans – with most files belonging to the Triada family – occupied the fourth place.

Share* of users attacked by the given type of malicious or potentially unwanted apps out of all targeted users of Kaspersky mobile products, Q1 — Q2 2025 (download)

* The total may exceed 100% if the same users experienced multiple attack types.

The distribution of attacked users remained close to that of the previous quarter. The increase in the share of backdoors is linked to the discovery of Backdoor.Triada.z, which came pre-installed on devices. As for adware, the proportion of users affected by the HiddenAd family has grown.

TOP 20 most frequently detected types of mobile malware

Note that the malware rankings below exclude riskware or potentially unwanted software, such as RiskTool or adware.

Verdict	%* Q1 2025	%* Q2 2025	Difference (p.p.)	Change in rank
Trojan.AndroidOS.Fakemoney.v	26.41	14.57	-11.84	0
Trojan-Banker.AndroidOS.Mamont.da	11.21	12.42	+1.20	+2
Backdoor.AndroidOS.Triada.z	4.71	10.29	+5.58	+3
Trojan.AndroidOS.Triada.fe	3.48	7.16	+3.69	+4
Trojan-Banker.AndroidOS.Mamont.ev	0.00	6.97	+6.97
Trojan.AndroidOS.Triada.gn	2.68	6.54	+3.86	+3
Trojan-Banker.AndroidOS.Mamont.db	16.00	5.50	-10.50	-4
Trojan-Banker.AndroidOS.Mamont.ek	1.83	5.09	+3.26	+7
DangerousObject.Multi.Generic.	19.30	4.21	-15.09	-7
Trojan-Banker.AndroidOS.Mamont.eb	1.59	2.58	+0.99	+7
Trojan.AndroidOS.Triada.hf	3.81	2.41	-1.40	-4
Trojan-Downloader.AndroidOS.Dwphon.a	2.19	2.24	+0.05	0
Trojan-Banker.AndroidOS.Mamont.ef	2.44	2.20	-0.24	-2
Trojan-Banker.AndroidOS.Mamont.es	0.05	2.13	+2.08
Trojan-Banker.AndroidOS.Mamont.dn	1.46	2.13	+0.67	+5
Trojan-Downloader.AndroidOS.Agent.mm	1.45	1.56	+0.11	+6
Trojan-Banker.AndroidOS.Agent.rj	1.86	1.45	-0.42	-3
Trojan-Banker.AndroidOS.Mamont.ey	0.00	1.42	+1.42
Trojan-Banker.AndroidOS.Mamont.bc	7.61	1.39	-6.23	-14
Trojan.AndroidOS.Boogr.gsh	1.41	1.36	-0.06	+3

* Unique users who encountered this malware as a percentage of all attacked users of Kaspersky mobile solutions.

The activity of Fakemoney scam apps noticeably decreased in Q2, but they still held the top position. Almost all the other entries on the list are variants of the popular banking Trojan Mamont, pre-installed Trojans like Triada and Dwphon, and modified messaging apps with the Triada Trojan built in (Triada.fe, Triada.gn, Triada.ga, and Triada.gs).

Region-specific malware

This section describes malware types that mostly affected specific countries.

Verdict	Country*	%**
Trojan-Banker.AndroidOS.Coper.c	Türkiye	98.65
Trojan-Banker.AndroidOS.Coper.a	Türkiye	97.78
Trojan-Dropper.AndroidOS.Rewardsteal.h	India	95.62
Trojan-Banker.AndroidOS.Rewardsteal.lv	India	95.48
Trojan-Dropper.AndroidOS.Agent.sm	Türkiye	94.52
Trojan.AndroidOS.Fakeapp.hy	Uzbekistan	86.51
Trojan.AndroidOS.Piom.bkzj	Uzbekistan	85.83
Trojan-Dropper.AndroidOS.Pylcasa.c	Brazil	83.06

* The country where the malware was most active.
** Unique users who encountered this Trojan variant in the indicated country as a percentage of all Kaspersky mobile security solution users attacked by the same variant.

In addition to the typical banking Trojans for this category – Coper, which targets users in Türkiye, and Rewatrdsteal, active in India – the list also includes the fake job search apps Fakeapp.hy and Piom.bkzj, which specifically target Uzbekistan. Both families collect the user’s personal data. Meanwhile, new droppers named “Pylcasa” operated in Brazil. They infiltrate Google Play by masquerading as simple apps, such as calculators, but once launched, they open a URL provided by malicious actors – similar to Trojans of the Fakemoney family. These URLs may lead to illegal casino websites or phishing pages.

Mobile banking Trojans

The number of banking Trojans detected in Q2 2025 was slightly lower than in Q1 but still significantly exceeded the figures for 2024. Kaspersky solutions detected a total of 42,220 installation packages of this type.

Number of installation packages for mobile banking Trojans detected by Kaspersky, Q2 2024 — Q2 2025 (download)

The bulk of mobile banking Trojan installation packages still consists of various modifications of Mamont, which account for 57.7%. In terms of the share of affected users, Mamont also outpaced all its competitors, occupying nearly all the top spots on the list of the most widespread banking Trojans.

TOP 10 mobile bankers

Verdict	%* Q1 2025	%* Q2 2025	Difference (p.p.)	Change in rank
Trojan-Banker.AndroidOS.Mamont.da	26.68	30.28	+3.59	+1
Trojan-Banker.AndroidOS.Mamont.ev	0.00	17.00	+17.00
Trojan-Banker.AndroidOS.Mamont.db	38.07	13.41	-24.66	-2
Trojan-Banker.AndroidOS.Mamont.ek	4.37	12.42	+8.05	+2
Trojan-Banker.AndroidOS.Mamont.eb	3.80	6.29	+2.50	+2
Trojan-Banker.AndroidOS.Mamont.ef	5.80	5.36	-0.45	-2
Trojan-Banker.AndroidOS.Mamont.es	0.12	5.20	+5.07	+23
Trojan-Banker.AndroidOS.Mamont.dn	3.48	5.20	+1.72	+1
Trojan-Banker.AndroidOS.Agent.rj	4.43	3.53	-0.90	-4
Trojan-Banker.AndroidOS.Mamont.ey	0.00	3.47	+3.47	9

Conclusion

In Q2 2025, the number of attacks involving malware, adware, and unwanted software decreased compared to Q1. At the same time, Trojans and banking Trojans remained the most common threats, particularly the highly active Mamont family. Additionally, the quarter was marked by the discovery of the second spyware Trojan of 2025 to infiltrate the App Store, along with a fake VPN client stealing OTP codes and a DDoS bot concealed within porn-viewing apps.

Posted by Bethel Otuteye and Khawaja Shams (Android Security and Privacy Team), and Ron Aquino (Play Trust and Safety)

Android and Google Play comprise a vibrant ecosystem with billions of users around the globe and millions of helpful apps. Keeping this ecosystem safe for users and developers remains our top priority. However, like any flourishing ecosystem, it also attracts its share of bad actors. That’s why every year, we continue to invest in more ways to protect our community and fight bad actors, so users can trust the apps they download from Google Play and developers can build thriving businesses.

Last year, those investments included AI-powered threat detection, stronger privacy policies, supercharged developer tools, new industry-wide alliances, and more. As a result, we prevented 2.36 million policy-violating apps from being published on Google Play and banned more than 158,000 bad developer accounts that attempted to publish harmful apps.

But that was just the start. For more, take a look at our recent highlights from 2024:

Google’s advanced AI: helping make Google Play a safer place

To keep out bad actors, we have always used a combination of human security experts and the latest threat-detection technology. In 2024, we used Google’s advanced AI to improve our systems’ ability to proactively identify malware, enabling us to detect and block bad apps more effectively. It also helps us streamline review processes for developers with a proven track record of policy compliance. Today, over 92% of our human reviews for harmful apps are AI-assisted, allowing us to take quicker and more accurate action to help prevent harmful apps from becoming available on Google Play.

That’s enabled us to stop more bad apps than ever from reaching users through the Play Store, protecting users from harmful or malicious apps before they can cause any damage.

Working with developers to enhance security and privacy on Google Play

To protect user privacy, we’re working with developers to reduce unnecessary access to sensitive data. In 2024, we prevented 1.3 million apps from getting excessive or unnecessary access to sensitive user data. We also required apps to be more transparent about how they handle user information by launching new developer requirements and a new “Data deletion” option for apps that support user accounts and data collection. This helps users manage their app data and understand the app’s deletion practices, making it easier for Play users to delete data collected from third-party apps.

We also worked to ensure that apps use the strongest and most up-to-date privacy and security capabilities Android has to offer. Every new version of Android introduces new security and privacy features, and we encourage developers to embrace these advancements as soon as possible. As a result of partnering closely with developers, over 91% of app installs on the Google Play Store now use the latest protections of Android 13 or newer.

Safeguarding apps from scams and fraud is an ongoing battle for developers. The Play Integrity API allows developers to check if their apps have been tampered with or are running in potentially compromised environments, helping them to prevent abuse like fraud, bots, cheating, and data theft. Play Integrity API and Play’s automatic protection helps developers ensure that users are using the official Play version of their app with the latest security updates. Apps using Play integrity features are seeing 80% lower usage from unverified and untrusted sources on average.

We’re also constantly working to improve the safety of apps on Play at scale, such as with the Google Play SDK Index. This tool offers insights and data to help developers make more informed decisions about the safety of an SDK. Last year, in addition to adding 80 SDKs to the index, we also worked closely with SDK and app developers to address potential SDK security and privacy issues, helping to build safer and more secure apps for Google Play.

Google Play’s multi-layered protections against bad apps

To create a trusted experience for everyone on Google Play, we use our SAFE principles as a guide, incorporating multi-layered protections that are always evolving to help keep Google Play safe. These protections start with the developers themselves, who play a crucial role in building secure apps. We provide developers with best-in-class tools, best practices, and on-demand training resources for building safe, high-quality apps. Every app undergoes rigorous review and testing, with only approved apps allowed to appear in the Play Store. Before a user downloads an app from Play, users can explore its user reviews, ratings, and Data safety section on Google Play to help them make an informed decision. And once installed, Google Play Protect, Android’s built-in security protection, helps to shield their Android device by continuously scanning for malicious app behavior.

Enhancing Google Play Protect to help keep users safe on Android

While the Play Store offers best-in-class security, we know it’s not the only place users download Android apps – so it’s important that we also defend Android users from more generalized mobile threats. To do this in an open ecosystem, we’ve invested in sophisticated, real-time defenses that protect against scams, malware, and abusive apps. These intelligent security measures help to keep users, user data, and devices safe, even if apps are installed from various sources with varying levels of security.

Google Play Protect automatically scans every app on Android devices with Google Play Services, no matter the download source. This built-in protection, enabled by default, provides crucial security against malware and unwanted software. Google Play Protect scans more than 200 billion apps daily and performs real-time scanning at the code-level on novel apps to combat emerging and hidden threats, like polymorphic malware. In 2024, Google Play Protect’s real-time scanning identified more than 13 million new malicious apps from outside Google Play¹.

Google Play Protect is always evolving to combat new threats and protect users from harmful apps that can lead to scams and fraud. Here are some of the new improvements that are now available globally on Android devices with Google Play Services:

• Reminder notifications in Chrome on Android to re-enable Google Play Protect: According to our research, more than 95 percent of app installations from major malware families that exploit sensitive permissions highly correlated to financial fraud came from Internet-sideloading sources like web browsers, messaging apps, or file managers. To help users stay protected when browsing the web, Chrome will now display a reminder notification to re-enable Google Play Protect if it has been turned off.
• Additional protection against social engineering attacks: Scammers may manipulate users into disabling Play Protect during calls to download malicious Internet-sideloaded apps. To prevent this, the Play Protect app scanning toggle is now temporarily disabled during phone or video calls. This safeguard is enabled by default during traditional phone calls as well as during voice and video calls in popular third-party apps.
• Automatically revoking app permissions for potentially dangerous apps: Since Android 11, we’ve taken a proactive approach to data privacy by automatically resetting permissions for apps that users haven't used in a while. This ensures apps can only access the data they truly need, and users can always grant permissions back if necessary. To further enhance security, Play Protect now automatically revokes permissions for potentially harmful apps, limiting their access to sensitive data like storage, photos, and camera. Users can restore app permissions at any time, with a confirmation step for added security.

Google Play Protect’s enhanced fraud protection pilot analyzes and automatically blocks the installation of apps that may use sensitive permissions frequently abused for financial fraud when the user attempts to install the app from an Internet-sideloading source (web browsers, messaging apps, or file managers).

Building on the success of our initial pilot in partnership with the Cyber Security Agency of Singapore (CSA), additional enhanced fraud protection pilots are now active in nine regions – Brazil, Hong Kong, India, Kenya, Nigeria, Philippines, South Africa, Thailand, and Vietnam.

In 2024, Google Play Protect’s enhanced fraud protection pilots have shielded 10 million devices from over 36 million risky installation attempts, encompassing over 200,000 unique apps.

By piloting these new protections, we can proactively combat emerging threats and refine our solutions to thwart scammers and their increasingly sophisticated fraud attempts. We look forward to continuing to partner with governments, ecosystem partners, and other stakeholders to improve user protections.

App badging to help users find apps they can trust at a glance on Google Play

In 2024, we introduced a new badge for government developers to help users around the world identify official government apps. Government apps are often targets of impersonation due to the highly sensitive nature of the data users provide, giving bad actors the ability to steal identities and commit financial fraud. Badging verified government apps is an important step in helping connect people with safe, high-quality, useful, and relevant experiences. We partner closely with global governments and are already exploring ways to build on this work.

We also recently introduced a new badge to help Google Play users discover VPN apps that take extra steps to demonstrate their strong commitment to security. We allow developers who adhere to Play safety and security guidelines and have passed an additional independent Mobile Application Security Assessment (MASA) to display a dedicated badge in the Play Store to highlight their increased commitment to safety.

Collaborating to advance app security standards

In addition to our partnerships with governments, developers, and other stakeholders, we also worked with our industry peers to protect the entire app ecosystem for everyone. The App Defense Alliance, in partnership with fellow steering committee members Microsoft and Meta, recently launched the ADA Application Security Assessment (ASA) v1.0, a new standard to help developers build more secure mobile, web, and cloud applications. This standard provides clear guidance on protecting sensitive data, defending against cyberattacks, and ultimately, strengthening user trust. This marks a significant step forward in establishing industry-wide security best practices for application development.

All developers are encouraged to review and comply with the new mobile security standard. You’ll see this standard in action for all carrier apps pre-installed on future Pixel phone models.

Looking ahead

This year, we’ll continue to protect the Android and Google Play ecosystem, building on these tools and resources in response to user and developer feedback and the changing landscape. As always, we’ll keep empowering developers to build safer apps more easily, streamline their policy experience, and protect their businesses and users from bad actors.

---

¹ Based on Google Play Protect 2024 internal data.