Cybersecurity researchers have reported a significant increase in banking malware targeting Android devices, highlighting growing risks for smartphone users worldwide. According to cybersecurity firm Kaspersky, attacks involving Trojan banker malware aimed at Android smartphones increased by 56 percent in 2025 compared with the previous year. The findings indicate that cybercriminal groups continue to focus heavily on mobile platforms as more people rely on smartphones for financial services, digital payments, and online banking activities.
Trojan banker malware is designed specifically to steal sensitive financial information, including login credentials used for online banking accounts, payment platforms, and credit card services. Once installed on a device, the malware can capture user input, intercept authentication data, or redirect victims to fake interfaces that imitate legitimate financial applications. Kaspersky researchers explained that these malicious programs are commonly distributed through messaging platforms or through links that direct users to compromised or fake websites. Victims are often tricked into downloading and installing infected Android application packages, commonly known as APK files, which appear to be legitimate apps or updates. After installation, the malware silently operates in the background, gathering financial data and transmitting it to attackers.
The scale of the problem increased sharply during 2025 as the number of unique Android Trojan banker installation packages rose dramatically. Kaspersky reported that the total number of identified malicious APK files reached 255,090 during the year. This represents a 271 percent increase compared with the previous year, demonstrating how quickly cybercriminals are expanding their malware distribution campaigns. Security researchers believe that this surge reflects the continued profitability of banking malware operations, as criminals attempt to exploit users who conduct financial transactions through mobile devices. The growing variety of malware packages also makes it more difficult for traditional detection systems to identify and block every new variant before it reaches potential victims.
Researchers also identified several Trojan banker families that were responsible for a large portion of the detected attacks. Among the most frequently observed malware families were Mamont and Creduz, both of which are known for targeting mobile banking users and attempting to capture sensitive financial credentials. These malware families use various techniques to deceive users and bypass mobile security defenses. Their continued presence in threat monitoring data suggests that cybercriminal groups are actively updating and distributing these malicious tools to expand their reach across different regions and device types.
In addition to the rapid spread of Trojan banker malware, Kaspersky researchers observed another concerning trend involving malware embedded directly into smartphone firmware. Firmware is the core software that controls device hardware, and malware embedded at this level can provide attackers with extensive access to the system. Security analysts reported a rise in preinstalled backdoors such as Triada and Keenadu appearing on certain Android devices. According to Anton Kivva, malware analyst team lead at Kaspersky, these backdoors have been detected more frequently compared with previous years. Devices infected at the firmware level may allow attackers to gain deep access to stored information, including personal files, credentials, and other sensitive data, and infections at this level are more difficult to detect and remove.
Kivva warned that in some cases Android smartphones may be sold with malicious software already embedded in the firmware before reaching consumers. Such infections could give attackers full control over affected smartphones or tablets and access to all stored data. To reduce potential risks, Kaspersky advises users to regularly install firmware updates provided by device manufacturers and to scan their devices with reliable security software if they suspect unusual behavior or possible infection.