This type of malware is designed to steal user credentials for online banking, e-payment services and credit card systems. Cybercriminals commonly distribute Trojan bankers through messaging apps, as well as through malicious webpages.
According to a Kaspersky report “Mobile malware evolution,” the number of Trojan banker attacks on Android smartphones increased by 56% in 2025 compared to the previous year. This type of malware is designed to steal user credentials for online banking, e-payment services and credit card systems. Cybercriminals commonly distribute Trojan bankers through messaging apps, as well as through malicious webpages.
The number of new Trojan banker installation packages for Android (unique APK files) also increased sharply, reaching 255,090 packages – a 271% increase over 2024. This may indicate that these tools generate substantial profit for cybercriminals. Kaspersky experts believe threat actors will continue both to expand delivery channels and develop new Trojan variants trying to evade detection by security solutions. Among all detected Trojan bankers, the leading families were Mamont and Creduz.
“Although Trojan bankers for smartphones are the fastest-growing type of malware, we also observed another important trend: preinstalled backdoors such as Triada and Keenadu appeared more frequently compared to previous years.”
– Anton Kivva, malware analyst team lead at Kaspersky.
“Although Trojan bankers for smartphones are the fastest-growing type of malware, we also observed another important trend: preinstalled backdoors such as Triada and Keenadu appeared more frequently compared to previous years. People purchase a completely new, but infected, Android devices and may be unaware of the threat. Once integrated into the firmware fully functional preinstalled backdoors provide attackers with unlimited control over the victims’ smartphones and tablets. As a result, all information on infected devices can be compromised. It’s quite difficult to remove such malware. If the device is infected, we recommend users check for firmware updates. After the update, run a scan of the device with a security solution again to make sure newly installed firmware is not infected,” comments Anton Kivva, malware analyst team lead at Kaspersky.
Let’s see how this malware was detected in different regions and countries around the world:
- In Germany, Trojan-Proxy.AndroidOS.Agent.q activity was detected. The malware was embedded in an unofficial application, mimicking a service for viewing discounts at a local supermarket chain.
- In Türkiye, users encountered Coper Trojan banker and its Hqwar Trojan dropper. Coper is designed to steal sensitive financial and personal information.
- In India, Rewardsteal Trojans were spreading designed to steal financial data. The activity of Thamera Trojan also resumed last year after a short break.
- In Brazil, Trojan droppers called Pylcasa were active. Upon launch, such malware opens URLs provided by attackers and may lead users to illegal casino sites or phishing pages.
To stay protected from mobile threats, Kaspersky recommends the following
- Download apps only from official app stores for smartphones, such as Apple App Store and Google Play, but remember that even downloading apps from official stores is not always risk-free.
- Always check app reviews, only use links from official websites and install reliable security software, like Kaspersky Premium, that can detect and block malicious activity if an app turns out to be fraudulent.
- Check the permissions of apps that you use and think carefully before permitting an app, especially when it comes to high-risk permissions such as Accessibility Services.
- Update your operating system and important apps as updates become available. Many safety issues can be solved by installing updated versions of software.
These statistics are based on detection alerts from Kaspersky products for Android. Previously published statistics for previous years may differ from earlier publications due to a data and methodology revision. These changes affected all sections of the Kaspersky mobile reports except for the statistics on installation packages, which remained unchanged.
