Mobile devices face unseen war as banking trojans, ransomware, and adware surge in Q3 2025

Beyond banking threats, attackers are turning everyday devices into covert revenue engines, exploiting adware and Trojan droppers to expand their reach.

by Ogbonda Chivumnovu
Key takeaways:
• Mobile devices experienced a surge in attacks, with 47 million attempts blocked globally.
• Trojans were the most prevalent threat, impacting nearly 16% of attacked users.
• Over 197,000 malicious installation packages were discovered, including 52,723 mobile banking Trojans and 1,564 ransomware Trojans.

This quarter, mobile devices became arenas for silent invasions, as malware evolved in complexity and reach. Across the world, attacks exploiting vulnerabilities in Android devices surged. Kaspersky Security Network (KSN), which aggregates anonymized threat data from millions of devices globally, recorded a remarkable 47 million attempts to compromise mobile devices through malware, adware, or unwanted software.

Trojans emerged as the dominant threat, impacting nearly 16% of all attacked users. Over 197,000 malicious installation packages were discovered in this period, including more than 52,000 mobile banking Trojans and 1,564 ransomware Trojans.

These numbers illustrate a growing pattern of sophistication in cybercriminal tactics, as attackers increasingly embed malware in apps, exploit pre-installed system components, and leverage artificial intelligence to manipulate user activity.

New Methodology, New Insights

Kaspersky also introduced an updated methodology for calculating mobile threat statistics this quarter. Every major metric except installation package counts was recalculated, allowing more accurate comparisons across reporting periods. Using this revised methodology, we identified slight shifts in trends. While total attacks dropped marginally from 3.51 million to 3.47 million, the nature of threats revealed deeper changes in how malware operates and spreads. New strategies emerged, demonstrating that attackers are no longer relying solely on volume; they are leveraging sophistication and stealth.

One incident early in the quarter highlighted the evolving sophistication of threats. A user reported persistent ads across every browser on their smartphone. Investigation revealed a new variant of the BADBOX backdoor, preloaded in the system’s native library librescache.so. This multi-level loader embeds copies of a Trojan into every running process, effectively turning the device into a covert malware host.

In another case, Trojan-Downloader.AndroidOS.Agent.no, hidden in app mods, installed a clicker that invisibly opened ads and interacted with them using AI algorithms. These examples demonstrate how attackers are blending automation, AI, and system-level access to maximize impact.

Malware Evolution in Threat Patterns

Kaspersky detected 197,738 Android malware samples in Q3, an increase of 55,000 from the previous quarter. The rise is largely driven by adware and Trojan droppers rather than banking Trojans alone, highlighting that attackers are expanding their tactics beyond traditional financial theft.

Adware continued to dominate in terms of reach. HiddenAd affected 56% of attacked users, while MobiDash impacted 27%. Meanwhile, RiskTool apps, particularly those using the Revan module, grew in prevalence by converting devices into VPN exit points, monetizing internet access and illustrating a shift from direct theft to infrastructure exploitation.

Trojan droppers rose in prevalence as well, delivering banking malware in ways designed to evade detection. Legacy Trojans such as Triada (55%) and Fakemoney (25%) continued to dominate, while new threats like Trojan-Downloader.AndroidOS.Hqwar.cq surged 60 ranks, signalling rapid adaptation by attackers to bypass security measures. The combination of old and new malware reflects a layered strategy: attackers exploit familiar vulnerabilities while experimenting with novel delivery methods.

Banking Trojans Remain Dominant

Within this evolving malware landscape, banking Trojans continued to hold a central role. Mobile banking Trojans reached 52,723 installation packages, 10,000 more than in Q2 2025.

While Mamont variants increased their overall share to nearly 62%, Coper modifications emerged as the most encountered among individual users. This pattern arises from attackers diversifying Mamont variants across devices, spreading risk, while concentrating Coper for maximum impact in targeted attacks.

The top 10 mobile banking threats also reveal rapid shifts. Mamont.da fell by over 13 percentage points due to targeted removal and detection, while newer Mamont variants filled the gap. Emerging Trojans like Mamont.fz rose 86 percentage points, signaling that attackers continually refresh malware to bypass security updates. These changes underscore the need for adaptive threat detection strategies.

Ransomware’s Growing Reach

Ransomware activity also escalated in Q3. The number of installation packages doubled to 1,564. Rkor.ii and Rkor.pac led the surge, increasing by 17 and 16 percentage points, respectively.

Older strains, such as Congur and Svpeng, declined, suggesting attackers are retiring legacy malware in favour of strains exploiting recent vulnerabilities or leveraging new distribution channels. This shift indicates that ransomware campaigns are becoming high-impact, targeted operations rather than broad, opportunistic attacks.

Regional Differences in Malware Activity

As threats evolved, so too did their geographic focus. In Turkey, Trojans like Hqwar.bj and Coper.c impacted over 95% of attacked users, reflecting focused targeting of popular banking apps. India faced Rewardsteal and multiple Coper variants in over 80% of attacks, while Iran saw Teledoor backdoors distributed through fake Telegram clients, affecting over 70% of users.

Germany experienced a spike in ransomware, exploiting new delivery channels. These variations reveal that attackers tailor their campaigns based on local device usage, app popularity, and regulatory environments, highlighting an increasingly strategic and analytical approach.

Threat Complexity Demands Adaptation

Q3 2025 demonstrates that mobile threats are evolving faster than ever. Malware is becoming more sophisticated, combining automation, AI, and system-level access. Banking Trojans, adware, droppers, and ransomware illustrate a diversity of objectives, from financial theft to infrastructure exploitation. Regional patterns show attackers are precise, adapting campaigns to exploit local vulnerabilities.

But the underlying story is clear: attackers are increasingly professional, strategic, and agile. Mobile security can no longer rely on reactive measures alone. Organizations and users must anticipate threats that operate deeper within devices and adapt quickly, or risk falling behind in this escalating cyber battle.
