IT threat evolution in Q1 2026. Mobile statistics

This report contains mobile threat statistics for Q1 2026, along with noteworthy discoveries and quarterly trends: new versions of SparkCat and Triada.

IT threat evolution in Q1 2026. Mobile statistics IT threat evolution in Q1 2026. Non-mobile statistics In the third quarter of 2025, we updated the methodology for calculating statistical indicators based on the Kaspersky Security Network. These changes affected all sections of the report except for the statistics on installation packages, which remained unchanged. To illustrate the differences between the reporting periods, we have also recalculated data for the previous quarters. Consequently, these figures may significantly differ from the previously published ones.

However, subsequent reports will employ this new methodology, enabling precise comparisons with the data presented in this post. The Kaspersky Security Network (KSN) is a global network for analyzing anonymized threat information, voluntarily shared by users of Kaspersky solutions. The statistics in this report are based on KSN data unless explicitly stated otherwise. The quarter in numbers According to Kaspersky Security Network, in Q1 2026: More than 2. 67 million attacks utilizing malware, adware, or unwanted mobile software were prevented. The Trojan-Banker category was the prevalent mobile malware threat with a 10.

86% share of total detections. More than 306,000 malicious installation packages were discovered, including: 162,275 packages related to mobile banking Trojans; 439 packages related to mobile ransomware Trojans. Quarterly highlights The number of malware, adware, or unwanted software attacks on mobile devices decreased to 2,676,328 in Q1, down from 3,239,244 in the previous quarter. Attacks on users of Kaspersky mobile solutions, Q3 2024 — Q1 2026 ( download ) The overall drop in attack volume stems primarily from a reduction in adware and RiskTool detections. Nonetheless, this trend does not equate to a lower risk for mobile users.

As shown later in this report, the number of unique users targeted by these threats remained relatively stable. In Q1, Synthient researchers identified a link between the notorious Kimwolf botnet and the IPIDEA proxy network. This network was later taken down in cooperation with GTIG. In early 2026, we discovered several apps on Google Play and the App Store that contained a new version of the SparkCat crypto stealer. The Trojan code, meticulously concealed, was embedded into the infected Android apps. The obfuscated malicious Rust library was decrypted using a Dalvik-like virtual machine custom-built by the attackers.

The iOS version of the malware also underwent several changes; specifically, the attackers began leveraging Apple’s proprietary Vision framework for optical character recognition (OCR). Mobile threat statistics The number of Android malware samples saw a slight increase compared to Q4 2025, reaching a total of 306,070.