Could pre-installed mobile malware have been prevented?

Stronger device supply chain validation, real-time anomaly detection, and egress policy enforcement could have mitigated pre-installed threats like BADBOX.

Why are regions like Turkey, India, and Germany heavily targeted?

Localized malware variants and targeted campaigns exploit region-specific app usage and financial services, making users in those regions prime targets for mobile banking Trojans and ransomware.

Mobile Malware Soars in Q3 2025: Key Insights from Kaspersky's Global Report

Mobile cyber threats spiked in Q3 2025 as Trojans, ransomware, and banking malware targeted Android users worldwide. Find out which techniques are trending and how businesses can respond.

Published: January 10, 2026

Share this on:

Executive Summary

In Q3 2025, Kaspersky reported a significant surge in mobile malware activity, with 47 million attacks prevented globally targeting Android devices with Trojans, adware, banking malware, and ransomware. Threat actors exploited new variants—including BADBOX and sophisticated Trojans like Triada and Fakemoney—utilizing methods such as pre-installed backdoors and malicious app mods. Mobile banking Trojans (especially Mamont and Coper) and region-targeted malware attacks in Turkey, India, Iran, and Germany impacted financial data security and user privacy, highlighting expanding attacker sophistication and supply chain compromise.

This incident is critical as it illustrates the rising prevalence and complexity of mobile threats, coinciding with increased ransomware attacks and evolving delivery channels. The continued targeting of financial apps and global user bases signals an urgent need for organizations to strengthen mobile security, visibility, and compliance with privacy mandates.

Why This Matters Now

Mobile malware campaigns are evolving rapidly, with attackers leveraging preinstallation, supply chain vulnerabilities, and increasingly advanced Trojans to bypass user protections. Organizations face heightened risks as threat actors shift focus to mobile-first exploits, ransomware, and financial fraud, making proactive defense and regulatory compliance more urgent than ever.

Attack Path Analysis

Attackers initially compromised mobile devices through supply-chain attacks (such as preloaded backdoors or malicious app modifications). They escalated privileges by exploiting dropped payloads and loaders embedded within system processes. Once established, the threat actors performed lateral movement by leveraging interconnected services, abusing process injection and cross-app communication. Command and control was maintained using covert outbound connections, often encrypted or leveraging VPN-like modules. Exfiltration of sensitive data or monetization was conducted via malicious modules that manipulated internet access, clicked ads, or siphoned financial information. The impact included data theft, financial fraud, artificial ad inflation, and ransomware deployment leading to device disruption.

Kill Chain Progression

Initial Compromise

High

Privilege Escalation

Mediuminferred

Lateral Movement

Mediuminferred

Command & Control

High

Exfiltration

Medium

Impact

High

Initial Compromise

Description

Attackers delivered malware via preloaded system backdoors or via sideloaded malicious apps (e.g., infected messaging app mods, repacked APKs), enabling code execution on mobile endpoints.

Confidence:

High

Related CVEs

Included CVEs with severity scores, affected products, exploit status, and reference links.

CVE-2025-40991
CVSS 5.1
Stored Cross Site Scripting vulnerability in Ekushey CRM v5.0 allows remote attackers to steal session details via the 'description' parameter.
Affected Products:
Creativeitem Ekushey CRM – 5.0
Exploit Status:
no public exploit
References:
https://nvd.nist.gov/vuln/detail/CVE-2025-40991

MITRE ATT&CK® Techniques

Initial Access

T1476

Deliver Malicious App via Authorized App Store

Initial Access

T1478

Supply Chain Compromise

Privilege Escalation

T1404

Exploitation for Privilege Escalation

Credential Access

T1406

Credential Access

Collection

T1412

Data from Local System

Collection

T1411

Input Capture

Collection

T1409

Access Sensitive Data in Device Logs

Impact

T1499

Endpoint Denial of Service

Potential Compliance Exposure

Mapping incident impact across multiple compliance frameworks.

PCI DSS 4.0 – Malicious Software Prevention Mechanisms

Control ID: 6.2.2

The use of mobile Trojans, ransomware, and banking malware demonstrates inadequate malware defenses on mobile endpoints that could process cardholder data, violating requirements for anti-malware controls.

NYDFS 23 NYCRR 500 – Cybersecurity Policy

Control ID: 500.03

The incident reveals weaknesses in mobile device security policies, particularly around preventing pre-installed or sideloaded malicious apps, indicating gaps in the cybersecurity program and mobile coverage.

DORA (Digital Operational Resilience Act) – Information and Communication Technology (ICT) Risk Management

Control ID: Article 9

Mobile malware infiltration, dropper operations, and region-specific attacks point to weaknesses in ICT risk identification and control, especially for financial services handling banking Trojans.

CISA Zero Trust Maturity Model 2.0 – Device Security Monitoring and Enforcement

Control ID: Pillar: Device, Capability: Inventory and Security Posture

The propagation of malware through pre-loaded apps and unauthorized app stores highlights the lack of continuous device security posture assessment required for zero trust best practices.

NIS2 Directive – Cybersecurity Risk Management and Reporting

Control ID: Article 21

The widespread impact and cross-border targeting of mobile malware demonstrate insufficient measures for risk management and incident reporting, as required for essential service and digital infrastructure entities.

Sector Implications

Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.

Banking/Mortgage

Mobile banking Trojans like Mamont and Coper directly target financial institutions with 52,723 malicious packages detected, requiring enhanced mobile security frameworks.

Financial Services

Widespread banking malware attacks across Turkey, India, and Germany threaten payment systems and customer data, demanding zero trust segmentation implementation.

Telecommunications

Mobile network infrastructure faces threats from BADBOX backdoors and Triada variants affecting device-level security, requiring encrypted traffic monitoring capabilities.

Information Technology/IT

IT organizations must address 47 million mobile malware attacks including ransomware and adware campaigns targeting enterprise mobility management systems.

Sources

IT threat evolution in Q3 2025. Mobile statisticshttps://securelist.com/malware-report-q3-2025-mobile-statistics/118013/
Verified

NVD - CVE-2025-40991https://nvd.nist.gov/vuln/detail/CVE-2025-40991

Verified

Mobile threat report for Q1 2025 | Securelisthttps://securelist.com/malware-report-q1-2025-mobile-statistics/116676/

Verified

Frequently Asked Questions

The surge revealed gaps in encrypted traffic controls, east-west network segmentation, and monitoring, emphasizing the need for improved alignment with ZTMM, HIPAA, NIST, and PCI DSS standards.

Cloud Native Security Fabric Mitigations and ControlsCNSF

Cloud Network Security Framework (CNSF) controls, especially those enabling zero trust segmentation, east-west monitoring, egress filtering, and encrypted traffic enforcement, could have restricted the spread and communication of mobile malware—limiting compromise impact, containing threats, and aiding rapid detection.

Initial Compromise

Control: Zero Trust Segmentation

Mitigation: Lateral malware introduction paths are blocked or tightly controlled.

Privilege Escalation

Control: Multicloud Visibility & Control

Mitigation: Detection of privilege escalation behaviors and system policy violations.

Lateral Movement

Control: East-West Traffic Security

Mitigation: Lateral traffic is monitored and segmented, detecting and preventing unauthorized moves.

Command & Control

Control: Egress Security & Policy Enforcement

Mitigation: Outbound malicious traffic is filtered or blocked.

Exfiltration

Control: Encrypted Traffic (HPE)

Mitigation: Sensitive data is protected and monitored in transit, restricting unauthorized exfiltration.

Impact (Mitigations)

Rapid detection and alerting on ransomware-like or anomalous behaviors minimize impact.

Impact at a Glance

Affected Business Functions

Customer Relationship Management

Operational Disruption

Estimated downtime: 3 days

Financial Impact

Estimated loss: $50,000

Data Exposure

Potential exposure of customer data, including contact information and communication history.

Recommended Actions

• Enforce zero trust segmentation and microsegmentation to isolate potentially compromised mobile devices and minimize the blast radius.
• Deploy egress filtering and domain-based controls to prevent malicious C2 traffic and unauthorized data exfiltration from endpoints and service environments.
• Implement east-west traffic inspection to detect and disrupt lateral movement and process injection by mobile malware within apps and workloads.
• Increase centralized visibility and adopt anomaly detection to rapidly identify privilege escalation, ad fraud modules, or ransomware behavior in cloud-connected devices.
• Ensure all sensitive outbound traffic is encrypted at line rate and monitored for unexpected transmissions to mitigate data theft and financial fraud.

Secure the Paths Between Cloud Workloads

A cloud-native security fabric that enforces Zero Trust across workload communication—reducing attack paths, compliance risk, and operational complexity.

Stop Advanced Threats Get a Free Workload Attack Path Assessment Under Active Attack?

Mobile Malware Soars in Q3 2025: Key Insights from Kaspersky's Global Report

Executive Summary

Why This Matters Now

Attack Path Analysis

Kill Chain Progression

Initial Compromise

Description

Related CVEs

CVE-2025-40991

Affected Products:

Exploit Status:

References:

MITRE ATT&CK® Techniques

Deliver Malicious App via Authorized App Store

Supply Chain Compromise

Exploitation for Privilege Escalation

Credential Access

Data from Local System

Input Capture

Access Sensitive Data in Device Logs

Endpoint Denial of Service

Potential Compliance Exposure

PCI DSS 4.0 – Malicious Software Prevention Mechanisms

NYDFS 23 NYCRR 500 – Cybersecurity Policy

DORA (Digital Operational Resilience Act) – Information and Communication Technology (ICT) Risk Management

CISA Zero Trust Maturity Model 2.0 – Device Security Monitoring and Enforcement

NIS2 Directive – Cybersecurity Risk Management and Reporting

Sector Implications

Banking/Mortgage

Financial Services

Telecommunications

Information Technology/IT

Sources

Frequently Asked Questions

Cloud Native Security Fabric Mitigations and ControlsCNSF

Impact at a Glance

Affected Business Functions

Recommended Actions

Key Takeaways & Next Steps

Secure the Paths Between Cloud Workloads