Android Trojan Bankers Rise 56% in 2025: Kaspersky Report

Kaspersky's Mobile Malware Evolution report for 2025 documents a 56% year-on-year increase in Trojan banker attacks targeting Android smartphones, with 255,090 unique installation packages detected, a 271% rise from 2024, underscoring the profitability driving cybercriminal investment in credential theft against banking, e-payment and credit systems. These malware variants, spread primarily via messaging apps and malicious webpages, prioritise evasion techniques designed to bypass security solutions, with the Mamont and Creduz families leading detections.

For financial institutions and digital payment platforms, particularly in high-mobile-penetration markets like India, this escalation signals elevated fraud risk to transaction volumes and consumer trust, as attackers expand delivery channels and refine variants to exploit UPI-style real-time payment systems and the growth of embedded finance. Enterprises that rely on mobile-first customer acquisition must now factor sustained threat actor investment into their cybersecurity posture, anticipating persistent pressure on authentication layers and session hijacking defences.

Preinstalled Backdoors Amplify Supply Chain Risks in New Devices

Beyond banker Trojans, Kaspersky observed a rise in preinstalled backdoors such as Triada and Keenadu in Android firmware, granting attackers persistent, elevated control over devices for data exfiltration, ad fraud and payload deployment without the user's awareness. These firmware-level threats, often delivered via OTA updates or embedded in system apps such as face unlock or the home screen launcher, evade standard app-based protections and complicate remediation, since full removal requires reflashing the firmware.

The strategic implications for OEMs, retailers and enterprises include supply chain due diligence: compromised firmware introduces persistence that standard tooling does not detect, enabling long-term compromise of corporate fleets or consumer bases, with the risk amplified in emerging markets where grey-market devices proliferate. Anton Kivva, Kaspersky Malware Analyst Team Lead, recommends applying firmware updates immediately and following them with a full scan, while highlighting the difficulty of distinguishing legitimate OTA pushes from infected ones in resource-constrained environments.

India Emerges as Hotspot for Rewardsteal and Thamera Amid Regional Variants

India faced heightened exposure from Rewardsteal Trojans, which masquerade as financial giveaways to harvest payment data, alongside a resurgence of Thamera, which hijacks devices to register illicit social media accounts. Regionally, Türkiye contended with Coper and Hqwar variants, Germany with Agent.q hidden in fake discount apps, and Brazil with Pylcasa droppers funnelling users to phishing casinos, illustrating adaptive tactics tailored to local behaviours and app ecosystems.

For Indian enterprises and regulators, these trends demand layered defences: restricting high-risk permissions such as Accessibility Services, enforcing installation from official app stores combined with behavioural monitoring, and mandating OS and app updates to counter evasion-heavy payloads. Kaspersky's recommendations (install only from Google Play or the Apple App Store, scrutinise requested permissions, and deploy endpoint security) offer an operational baseline, but sustained investment in mobile threat intelligence is essential to protect the 900 million+ digital users underpinning India's payment economy from evolving financial cyber risks.
