143,000 Malware Files Attacked Android and iOS Device Users in Q2 2025


During the second quarter of 2025, approximately 143,000 malicious installation packages targeting Android and iOS devices were identified. This represents a significant increase in mobile cyber threats, with attack vectors designed to compromise sensitive data and financial information, as well as establish persistent backdoors on affected devices.

The malware landscape during this period exhibited considerable diversity in attack methodologies and target demographics.

Banking Trojans accounted for 42,220 malicious packages, and mobile ransomware Trojans added 695 packages to the threat landscape.

Attack strategies frequently utilized social engineering tactics, fake application stores, and compromised legitimate applications to infiltrate user devices, demonstrating increased sophistication in bypassing contemporary security measures.

Data from Kaspersky Security Network recorded 10.71 million blocked attacks involving malware, adware, and unwanted mobile software, with Trojans being the most common threat type, comprising 31.69% of all detected activities.

Securelist researchers noted several trends, including pre-installed malware on certain device models and the evolution of threat families to include new evasion techniques.

One notable discovery was the SparkKitty malware, targeting both Android and iOS platforms with the capability to steal images, specifically targeting cryptocurrency wallet recovery codes stored as screenshots.

Advanced Persistence and Evasion Mechanisms

In Q2 2025, mobile malware demonstrated advanced levels of technical sophistication, particularly in persistence and detection evasion strategies.

The Trojan-Spy.AndroidOS.OtpSteal.a malware exemplified this by masquerading as a Virtual Private Network client and using the Notification Listener service to intercept one-time password codes from messaging applications and social networks. This allowed attackers to bypass two-factor authentication by automatically forwarding intercepted codes to Telegram channels.
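One defender-side check for the Notification Listener abuse described above, as an added example that is not code from the article or from Kaspersky/Securelist: it parses the device's `enabled_notification_listeners` secure setting (read over `adb`) and reports every package not on an expected allowlist, since any such app can read one-time passwords arriving as notifications. The sample setting value, the package names and the allowlist are constructed for the demo.

```python
"""Audit which apps hold notification-listener access on an Android device.

Added example (not from the article). An app with notification-listener
access reads every notification, including OTP codes from messaging apps,
which is the channel the article's OtpSteal Trojan abused. The raw value
comes from:  adb shell settings get secure enabled_notification_listeners
It is a colon-separated list of flattened ComponentNames ("package/service").
"""
from dataclasses import dataclass

# Constructed sample output; the VPN-looking package name is hypothetical.
SAMPLE_SETTING = (
    "com.android.messaging/com.android.messaging.NotifListener:"
    "com.google.android.wearable.app/com.google.android.clockwork.NotificationListener:"
    "com.example.freevpn/.svc.Listener"
)

# Packages an organisation expects to hold this access (assumed allowlist).
ALLOWLIST = {"com.android.messaging", "com.google.android.wearable.app"}


@dataclass(frozen=True)
class Listener:
    package: str
    service: str


def parse_listeners(setting: str) -> list[Listener]:
    """Split the secure setting into (package, service) pairs; handles empty/null."""
    if not setting or setting.strip() == "null":
        return []
    listeners = []
    for item in setting.strip().split(":"):
        if not item:
            continue
        pkg, _, svc = item.partition("/")
        # A flattened ComponentName may abbreviate the class as ".Foo" when it
        # lives inside the package; expand it so reports show the full name.
        if svc.startswith("."):
            svc = pkg + svc
        listeners.append(Listener(pkg, svc))
    return listeners


def unexpected_listeners(setting: str, allowlist: set[str]) -> list[Listener]:
    """Return listeners whose package is not on the allowlist."""
    return [l for l in parse_listeners(setting) if l.package not in allowlist]


if __name__ == "__main__":
    for l in unexpected_listeners(SAMPLE_SETTING, ALLOWLIST):
        print(f"REVIEW: {l.package} ({l.service}) can read all notifications")
```

Run the same parser over the real `adb` output for a fleet of devices to spot newly granted listeners after an app install.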

Persistence mechanisms involved deep system integration, with examples like Trojan-DDoS.AndroidOS.Agent.a embedding malicious Software Development Kits in applications. This enabled the creation of distributed denial-of-service botnets from compromised devices, showcasing the adaptation of traditional attack methods for mobile platforms.

The embedded SDK allowed for dynamic configuration of attack parameters, including target addresses and transmission frequencies, providing attackers with flexible command and control capabilities.
