IT threat evolution in Q1 2026. Mobile statistics
IT threat evolution in Q1 2026. Non-mobile statistics
In the third quarter of 2025, we updated the methodology for calculating statistical indicators based on the Kaspersky Security Network. These changes affected all sections of the report except for the statistics on installation packages, which remained unchanged.
To illustrate the differences between the reporting periods, we have also recalculated data for the previous quarters. Consequently, these figures may significantly differ from the previously published ones. However, subsequent reports will employ this new methodology, enabling precise comparisons with the data presented in this post.
The Kaspersky Security Network (KSN) is a global network for analyzing anonymized threat information, voluntarily shared by users of Kaspersky solutions. The statistics in this report are based on KSN data unless explicitly stated otherwise.
The quarter in numbers
According to Kaspersky Security Network, in Q1 2026:
- More than 2.67 million attacks utilizing malware, adware, or unwanted mobile software were prevented.
- The Trojan-Banker category was the prevalent mobile malware threat with a 10.86% share of total detections.
- More than 306,000 malicious installation packages were discovered, including:
- 162,275 packages related to mobile banking Trojans;
- 439 packages related to mobile ransomware Trojans.
Quarterly highlights
The number of malware, adware, or unwanted software attacks on mobile devices decreased to 2,676,328 in Q1, down from 3,239,244 in the previous quarter.
Attacks on users of Kaspersky mobile solutions, Q3 2024 — Q1 2026 (download)
The overall drop in attack volume stems primarily from a reduction in adware and RiskTool detections. Nonetheless, this trend does not equate to a lower risk for mobile users. As shown later in this report, the number of unique users targeted by these threats remained relatively stable.
In Q1, Synthient researchers identified a link between the notorious Kimwolf botnet and the IPIDEA proxy network. This network was later taken down in cooperation with GTIG.
In early 2026, we discovered several apps on Google Play and the App Store that contained a new version of the SparkCat crypto stealer.
The Trojan code, meticulously concealed, was embedded into the infected Android apps. The obfuscated malicious Rust library was decrypted using a Dalvik-like virtual machine custom-built by the attackers. The iOS version of the malware also underwent several changes; specifically, the attackers began leveraging Apple’s proprietary Vision framework for optical character recognition (OCR).
Mobile threat statistics
The number of Android malware samples saw a slight increase compared to Q4 2025, reaching a total of 306,070.
Detected malicious and potentially unwanted installation packages, Q1 2025 — Q1 2026 (download)
The detected installation packages were distributed by type as follows:
Detected mobile apps by type, Q4 2025* — Q1 2026 (download)
* Data for the previous quarter may differ slightly from previously published figures due to certain verdicts being retrospectively revised.
Threat actors once again ramped up the production of new banking Trojans; as a result, this category overtook all others in volume, accounting for more than half of all installation packages.
Share* of users attacked by the given type of malicious or potentially unwanted app out of all targeted users of Kaspersky mobile products, Q4 2025 — Q1 2026 (download)
* The total percentage may exceed 100% if the same users encountered multiple attack types.
Following the surge in banking Trojan installation packages, the number of associated attacks also rose, causing Trojan-Banker apps to climb one spot in terms of their share of targeted users. Mamont variants emerged as the most prevalent banking Trojans, accounting for 73.5% of detections, with the rest of the users encountering Faketoken, Rewardsteal, Creduz, and other families.
Yet banking Trojans were still outpaced by adware and RiskTool-type unwanted apps when measured by the total number of affected users. Despite a decrease in their share of installation packages, these two app types retained their positions as the top two threats by attack volume. The most common adware detections involved HiddenAd (44.9%) and MobiDash (38.1%), while most frequently seen RiskTool apps were Revpn (67%) and SpyLoan (20.5%).
TOP 20 most frequently detected types of mobile malware
Note that the malware rankings below exclude riskware or potentially unwanted software, such as RiskTool or adware.
| Verdict | %* Q4 2025 | %* Q1 2026 | Difference in p.p. | Change in ranking |
| Backdoor.AndroidOS.Triada.ag | 2.62 | 7.09 | +4.48 | +10 |
| DangerousObject.Multi.Generic. | 6.75 | 5.84 | -0.92 | -1 |
| DangerousObject.AndroidOS.GenericML. | 3.52 | 5.51 | +1.99 | +6 |
| Trojan-Banker.AndroidOS.Mamont.jo | 0.00 | 5.28 | +5.28 | |
| Trojan.AndroidOS.Fakemoney.v | 5.40 | 3.44 | -1.96 | -1 |
| Trojan-Downloader.AndroidOS.Keenadu.l | 0.00 | 3.35 | +3.35 | |
| Trojan-Banker.AndroidOS.Mamont.jx | 0.00 | 3.09 | +3.09 | |
| Backdoor.AndroidOS.Triada.z | 4.87 | 3.08 | -1.79 | -2 |
| Trojan.AndroidOS.Triada.fe | 5.01 | 2.98 | -2.02 | -4 |
| Backdoor.AndroidOS.Keenadu.a | 2.07 | 2.73 | +0.66 | +6 |
| Trojan-Banker.AndroidOS.Mamont.jg | 0.34 | 2.37 | +2.03 | |
| Trojan.AndroidOS.Triada.hf | 2.15 | 2.23 | +0.07 | +3 |
| Trojan.AndroidOS.Boogr.gsh | 2.35 | 2.15 | -0.20 | 0 |
| Trojan.AndroidOS.Triada.ii | 5.68 | 2.07 | -3.60 | -11 |
| Backdoor.AndroidOS.Triada.ae | 1.91 | 1.76 | -0.16 | +3 |
| Backdoor.AndroidOS.Triada.ab | 1.79 | 1.72 | -0.08 | +3 |
| Trojan.AndroidOS.Triada.gn | 2.38 | 1.58 | -0.80 | -5 |
| Trojan-Banker.AndroidOS.Mamont.gg | 1.56 | 1.50 | -0.06 | +2 |
| Trojan.AndroidOS.Triada.ga | 1.48 | 1.50 | +0.01 | +4 |
| Backdoor.AndroidOS.Triada.ad | 0.53 | 1.40 | +0.87 | +44 |
* Unique users who encountered this malware as a percentage of all attacked users of Kaspersky mobile solutions.
The pre-installed Triada.ag backdoor rose to the top spot; it is similar to the older Triada.z version we documented previously. Because the same variant was pre-installed across a wide range of devices, the total number of affected users is aggregated. Consequently, Triada outpaced even Mamont, as users encountered a variety of Mamont variants, causing the share of that banking Trojan to spread across multiple rows. Other pre-installed Triada variants (Triada.z, Triada.ae, Triada.ab, and Triada.ad) also made the rankings. Furthermore, we observed increasing activity from the Keenadu.a backdoor, while diverse variants of the embedded Triada Trojan remained in the rankings.
Mobile banking Trojans
Q1 2026 saw a characteristic rise in mobile banking Trojan activity, with the number of packages totaling 162,275, a 50% increase compared to the prior quarter.
Number of installation packages for mobile banking Trojans detected by Kaspersky, Q1 2025 — Q1 2026 (download)
We saw a similar growth in the previous quarter, with banking Trojan volumes rising by 50% during that period as well. Various Mamont variants accounted for the absolute majority of packages and represented nearly every entry in the rankings of most frequent banking Trojans by affected user count.
TOP 10 mobile bankers
| Verdict | %* Q4 2025 | %* Q1 2026 | Difference in p.p. | Change in ranking |
| Trojan-Banker.AndroidOS.Mamont.jo | 0.00 | 15.75 | +15.75 | |
| Trojan-Banker.AndroidOS.Mamont.jx | 0.00 | 9.22 | +9.22 | |
| Trojan-Banker.AndroidOS.Mamont.jg | 1.47 | 7.08 | +5.61 | +24 |
| Trojan-Banker.AndroidOS.Mamont.gg | 6.79 | 4.48 | -2.32 | -3 |
| Trojan-Banker.AndroidOS.Mamont.ks | 0.00 | 3.98 | +3.98 | |
| Trojan-Banker.AndroidOS.Agent.ws | 6.03 | 3.78 | -2.25 | -2 |
| Trojan-Banker.AndroidOS.Mamont.hl | 4.30 | 3.27 | -1.03 | +1 |
| Trojan-Banker.AndroidOS.Mamont.iv | 6.00 | 3.08 | -2.92 | -3 |
| Trojan-Banker.AndroidOS.Mamont.jb | 3.93 | 3.07 | -0.86 | +1 |
| Trojan-Banker.AndroidOS.Mamont.jv | 0.00 | 2.79 | +2.79 |
* Unique users who encountered this malware as a percentage of all users of Kaspersky mobile security solutions who encountered banking threats.
