Intel Node

Mobile malware evolution in 2025

low | malware | 2026-03-04T10:00:46+00:00

Statistics on Android malware and the most notable mobile threats of 2025: preinstalled backdoors Keenadu and Triada, spyware Trojans, the Kimwolf IoT botnet, and Mamont banking Trojans.

Starting from the third quarter of 2025, we have updated our statistical methodology based on the Kaspersky Security Network. These changes affect all sections of the report except for the installation package statistics, which remain unchanged. To illustrate trends between reporting periods, we have recalculated the previous year’s data; consequently, these figures may differ significantly from previously published numbers. All subsequent reports will be generated using this new methodology, ensuring accurate data comparisons with the findings presented in this article.

Kaspersky Security Network (KSN) is a global network for analyzing anonymized threat intelligence, voluntarily shared by Kaspersky users. The statistics in this report are based on KSN data unless explicitly stated otherwise.

The year in figures

According to Kaspersky Security Network, in 2025:

- Over 14 million attacks involving malware, adware or unwanted mobile software were blocked.
- Adware remained the most prevalent mobile threat, accounting for 62% of all detections.
- Over 815 thousand malicious installation packages were detected, including 255 thousand mobile banking Trojans.

The year’s highlights

In 2025, cybercriminals launched an average of approximately 1.17 million attacks per month against mobile devices using malicious, advertising, or unwanted software. In total, Kaspersky solutions blocked 14,059,465 attacks throughout the year.

[Figure: Attacks on Kaspersky mobile users in 2025]

Beyond the malware mentioned in previous quarterly reports, 2025 saw the discovery of several other notable Trojans. Among these, in Q4 we uncovered the Keenadu preinstalled backdoor. This malware is integrated into device firmware during the manufacturing stage.

The malicious code is injected into libandroid_runtime.so – a core library for the Android Java runtime environment – allowing a copy of the backdoor to enter the address space of every app running on the device.
