Mobile Malware’s New Tricks in Q2 2025

Fewer attacks were logged this quarter, yet the tricks behind them reveal just how creative cybercriminals are becoming.

by Ogbonda Chivumnovu

We’ve reached a stage where mobile cyber threats are no longer about cheap scams or annoying pop-ups. They’re evolving, taking on stranger, more invasive forms. In just three months, researchers saw banking Trojans spreading faster than before, spyware slipping into iOS apps, and even DDoS bots hiding inside adult content apps. It feels less like random attacks and more like cybercriminals experimenting with new business models.

In Q2 2025, Kaspersky reports 10.71 million mobile malware, adware, and unwanted software attacks, a noticeable dip from the previous quarter. But while the overall volume dropped, the complexity and variety of attacks rose. Trojans still led the pack, making up 31.69% of all detected threats, with banking Trojans alone accounting for 42,220 installation packages. In other words, fewer attacks didn’t mean a safer quarter, just a smarter, sneakier one.

Why the Numbers Dropped, and Why That Doesn’t Mean Safety

On the surface, the quarter looked calmer. The fall in total attacks was largely tied to the decline of SpyLoan apps, those micro-lending tools that silently siphon borrower data. But a decrease in numbers doesn’t always equal relief. The threats that stuck around proved to be sharper, more targeted, and harder to catch.

View it less as fewer raindrops falling and more as hailstones replacing a drizzle. The storm feels different, but it’s just as dangerous.

That storm set the stage for a wave of niche but nasty threats. For example, one new malware family, SparkKitty, was caught stealing gallery images, a trick designed to scoop up crypto wallet recovery codes often saved as screenshots.

Another surprise came in the form of a Trojan-DDoS hidden in adult apps. By embedding a DDoS toolkit inside, attackers could order phones to blast targeted servers with traffic. It’s a strange pivot, because phones aren’t exactly powerhouses for botnets, but it shows how creative cybercriminals are becoming in squeezing value out of every device.

And then there was the fake VPN client, Trojan-Spy.OtpSteal, which turned the trust people place in security apps against them. Instead of protecting, it intercepted one-time passwords (OTPs) from messaging apps and sent them straight to attackers. This is a reminder that attackers aren’t after everything; they’re after the things that matter most.

Despite these unusual cases, the old names still did the heavy lifting. Trojans remained the most common threat, making up nearly a third of all detections. Banking Trojans in particular tightened their grip. The Mamont family dominated, with more than 42,000 installation packages detected, over half of all banking Trojan activity.

Meanwhile, Triada, a long-running backdoor family, reappeared pre-installed on some devices. That discovery underscored one of the hardest truths in mobile security: sometimes the danger isn’t what you download, but what ships with the phone itself.

How Different Regions Felt the Heat

Zooming in on regions made the picture even clearer. In Türkiye, the Coper family of banking Trojans was everywhere, with some variants hitting more than 98% of affected users.

In India, Rewardsteal variants dominated. Rewardsteal.h targeted 95.62% of affected users, and Rewardsteal.lv reached 95.48%.

Uzbekistan faced fake job search apps like Fakeapp.hy (86.51%) and Piom.bkzj (85.83%), both harvesting personal data under the guise of employment tools.

And in Brazil, the Pylcasa family masqueraded as simple calculator apps, but once opened, they redirected users to malicious URLs, ranging from phishing sites to illegal casino portals.

Look at all these stories together and a pattern emerges. Cybercriminals aren’t interested in casting wide nets anymore. They’re sharpening their focus, tailoring attacks to regions, behaviours, and even individual apps people trust the most.

What the Quarter Really Shows

So while the total number of attacks fell this quarter, the diversity of threats grew sharper. The malware scene is shifting from blanket attacks to more specialised operations. Whether it’s chasing banking logins, crypto recovery codes, or exploiting user trust in VPNs, the game is precision now.

And that’s the unsettling part. Fewer attacks don’t necessarily mean fewer risks. Instead, the risks are getting smarter, sneakier, and closer to the everyday tools people rely on.
