What Is Malware On A Phone

Mobile malware is one of the most pressing security challenges facing smartphone users in 2025. It is malicious software built specifically for smartphones and tablets: it exploits vulnerabilities in mobile operating systems and applications, and the permissions users grant, to steal personal and financial information, disrupt the device, or gain a persistent foothold on it. Its growth tracks smartphone adoption and the practice of using personal devices for work, which puts personal and corporate data on the same endpoint. With more than six billion smartphone users worldwide and business increasingly conducted from phones, understanding what mobile malware is, how it spreads and what it does has become essential for individual users and for organizations with bring-your-own-device policies. This article examines what mobile malware is, how it functions, the main types, the distribution mechanisms criminals use, the observable signs of infection, and the prevention and remediation measures that work against it.

The Landscape and Evolution of Mobile Malware

Defining Mobile Malware and Its Significance

Mobile malware encompasses any malicious software deliberately created to damage, disrupt, or gain unauthorized access to mobile devices. Where traditional malware targets desktop and server operating systems, mobile malware is engineered to exploit the vulnerabilities and permission models of Android and iOS, and the ways users interact with handheld devices: touch interfaces that hide full URLs, always-on messaging, and app stores as the primary source of software. The term is a blanket classification covering trojans, spyware, ransomware, adware, worms, viruses and other harmful programs. Most of it exists to generate revenue for criminals through fraud, extortion, ad abuse or resale of stolen data; a smaller but far more capable class, commercial and state-sponsored spyware, exists for surveillance rather than profit.

The significance of mobile malware in the contemporary threat landscape is hard to overstate, although the commonly quoted figures come from different vendor reports and measure different things. One report puts the year-over-year rise in attacks targeting mobile devices at 50 percent, reflecting both the expanding installed base and the profitability of mobile-based crime. Another records a 13 percent rise in unique mobile malware samples over a year, which indicates not just more attacks but continuous production of new variants to evade detection. The money at stake is enormous: Cybersecurity Ventures forecasts global cybercrime costs of $10.5 trillion annually by 2025, and fraud, extortion and data theft carried out through mobile malware are a growing share of that total.

Historical Context and Evolution

Mobile malware is not a recent phenomenon; it is the natural movement of criminal effort toward the most prevalent and data-rich targets. Two often-quoted figures illustrate how exposed the Android installed base has been. A 2015 University of Cambridge study found that 87 percent of Android smartphones were exposed to at least one critical vulnerability, and in the same year Zimperium's disclosure of the Stagefright media-parsing bugs showed that roughly 95 percent of Android devices then in use could be compromised by a crafted multimedia (MMS) message, with no user interaction beyond receiving it. Both figures are a decade old and prompted changes such as Android's monthly security bulletins, but the underlying problem, patches that reach many devices slowly or never, persists even as manufacturers and platform vendors add protective measures.

Mobile malware has progressed through several distinct phases. Early samples were unsophisticated, often proof-of-concept demonstrations rather than profitable criminal tools. As phones became repositories of financial data, authentication credentials, personal communications and payment instruments, criminals escalated accordingly. The shift from desktop to mobile banking made banking apps the top targets: the more people transact from their phones, the more adversary attention and attack volume those apps draw. The result is visible in the rise of sophisticated banking trojans and in the finding that trojans are the most prominent mobile threat, constituting over 95 percent of mobile malware.

The Comprehensive Taxonomy of Mobile Malware Types

Trojans and Remote Access Tools

Trojans are the most prevalent category of mobile malware, constituting over 95 percent of observed samples. A trojan is disguised as a legitimate application or file but performs malicious actions once installed: stealing personal data, opening a backdoor for the attacker, or taking control of the device. Unlike viruses and worms, trojans do not self-replicate; they rely on the user to install them, which is why social engineering (fake app listings, phishing links, cracked-app sites) is central to their distribution, and why the permissions a trojan requests at install or first run are often the attacker's real objective.

A particularly dangerous variant is the Remote Access Tool (RAT). A RAT gives its operator extensive access to data on the infected device and is often used for intelligence collection: installed applications, call history, contacts, browsing history and SMS content can typically be read, and many RATs can also send SMS messages, enable the camera or microphone, and log GPS position. Triada is a concrete example of what such device-level access is used for in practice. Triada is a rooting trojan that entered the supply chain, with millions of Android devices shipped with it pre-installed. It gains access to sensitive areas of the operating system and installs spam apps that display ads, sometimes replacing legitimate ones; when a user clicks an unauthorized ad, the revenue goes to Triada's developers.

Banking Trojans and Financial Malware

Banking trojans are a sophisticated and damaging category of mobile malware, engineered to steal financial credentials and commit fraud. Banking-focused mobile malware is rising as criminals follow users who now do everything, including money transfers and bill payments, from their phones. The number of observed mobile banking trojans doubled in one recent year; Kaspersky reported a 196 percent increase in trojan-banker attacks on smartphones in 2024 over the previous year, and in Q2 2025 alone its products detected 42,220 installation packages of banking-trojan variants.

The Xenomorph trojan illustrates the capabilities and reach of modern banking malware. Xenomorph is actively maintained, targets Android users through fake apps on the Google Play Store and through spoofed websites, and once deployed lets the attacker take over the victim's bank accounts and even transfer bank or cryptocurrency funds automatically from the compromised device. Thousands of Android users in the US were targeted in recent months. Anatsa shows the same pattern: as of March 2023 it had already infected more than 30,000 devices, and its most recent campaigns deliver it through malicious Google Play apps aimed mainly at the US, UK and Europe. Once installed, Anatsa steals login credentials, card numbers and other financial data through overlay attacks (drawing a fake login screen on top of the genuine banking app, typically by abusing the accessibility service or the window-overlay permission) and keylogging. It also supports Device-Takeover Fraud (DTO), in which the attacker drives the victim's own device to perform transactions, so the activity originates from a known device and network address and is hard for the bank's anti-fraud systems to distinguish from legitimate use.

More recent campaigns in Southeast Asia and Latin America show the continuing evolution of banking trojans. Fluhorse, discovered in May 2023, used email phishing to trick victims in Asia into installing a fake banking app that captured credentials and card data and could intercept 2FA codes delivered by SMS. Zanubis, found by Kaspersky's Global Research and Analysis Team (GReAT), shows how the social-engineering lure adapts over time: when it emerged in 2022 it mimicked PDF readers or Peruvian government apps, and a 2025 version targeting users in Peru poses instead as apps from a local energy company and a local bank.

Viruses and Worms

Although less common on mobile platforms than trojans, viruses and worms are still part of the threat model. A virus is malicious code that attaches itself to a legitimate program and runs, and replicates, only when that infected program runs; it therefore needs a host application, unlike a trojan, which needs the user to install it, and unlike a worm, which needs neither. A worm is malware that spreads from device to device by copying itself, usually over a network or through a vulnerability in an exposed service, without a host file and without user action.

Mobile worms spread through exploitation of operating system vulnerabilities and network connections rather than requiring user interaction to activate. Because worms can self-replicate and spread across networks without requiring a host file or user action, they represent a particularly dangerous threat in networked environments where multiple connected devices can be compromised in rapid succession. The structural differences between viruses, worms, and trojans are significant from a defense perspective, as they require different detection and prevention strategies.

Ransomware and Data Encryption Threats

Ransomware has emerged as one of the most costly and disruptive categories of malware across all platforms, with mobile ransomware representing an increasingly prevalent threat. Ransomware is software that uses encryption to disable a target’s access to its data until a ransom is paid. The victim organization is rendered partially or totally unable to operate until it pays, but there is no guarantee that payment will result in the necessary decryption key or that the decryption key provided will function properly. Mobile ransomware represents a particular threat because mobile devices often contain irreplaceable personal data, communications, and photographs that users may be willing to pay to recover.

Ransomware first became widespread on PCs. It locks the user out of important data such as documents, photos and videos by encrypting it, then demands payment, usually in cryptocurrency, within a deadline; if the victim does not pay, the files stay encrypted or are deleted. Much Android ransomware has historically been simpler than its desktop counterpart: "locker" families cover the screen with an immovable overlay and demand payment to remove it without encrypting anything, which is why booting into safe mode and uninstalling the offending app can often recover such a device. International Data Group (IDG) reported that 74 percent of companies experienced a security breach in 2015, with ransomware among the most prevalent threats; mobile ransomware authors have exploited both improved smartphone performance and the anonymity of the Tor network to infect devices and encrypt stored data.

Spyware and Surveillance Software

Spyware is an especially invasive category of malware that runs silently, monitors the user, and exfiltrates sensitive information such as passwords, banking details, session cookies, location and browsing habits without consent. It is often bundled with seemingly benign software and collects data in the background; the user may notice nothing until performance degrades or an anti-malware scan finds it. Even basic mobile spyware can monitor activity, record location, and lift credentials for email, banking or e-commerce accounts, and the most capable implementations go far beyond simple data capture.

The most sophisticated spyware gives its operator comprehensive surveillance of the device. LANDFALL, a commercial-grade Android spyware built against Samsung Galaxy devices and used in targeted intrusions in the Middle East, could record the microphone, track location, and collect photos, contacts and call logs. Pegasus, developed by the Israeli cyber-arms company NSO Group, is designed to be installed covertly and remotely on phones running iOS and Android; it can read text messages, snoop on calls, collect passwords, track location, activate the microphone and camera, and harvest data from installed apps.

Adware and Click Fraud Malware

Adware monetizes a device through intrusive advertising and fraudulent clicks. It displays unwanted ads, redirects users to unwanted websites, and prompts them to install further malicious applications. Often dismissed as merely annoying, adware degrades the user experience, consumes system resources, and has moved well beyond pop-ups and data collection: because its makers are paid per click and per download, some have built "malvertising" code that, according to ZDNet, can infect and root a device, force it to download specific adware, and let attackers steal personal information.

A specific example of click fraud malware can be found in the ChoiceClick malware family. This malware is capable of automatically clicking on ads. This can lead to a disrupted user experience and increased network usage. The monetization mechanisms underlying adware have become increasingly sophisticated, with attackers developing techniques to automate click generation in ways that maximize their revenue while remaining difficult for users to detect.

Cryptojacking and Cryptocurrency Mining Malware

Cryptojacking is a more recent category of mobile malware: the unauthorized use of a device's processing power to mine cryptocurrency without the owner's knowledge or consent, and a form of cybercrime. The motivation is simple. Mining can be lucrative (Bitcoin reached a peak above $66,000 in 2021), but it consumes large amounts of computation and electricity, so cryptojackers steal computing and energy resources from victims to cut their own costs and keep the proceeds.

A device running a miner shows continuous CPU load: the battery drains rapidly and the phone overheats, which can permanently damage the hardware. Mining is only one way to monetize a captured device's resources. WAPDropper, by contrast, is a toll-fraud application that downloads and executes code from a remote server and performs WAP billing fraud, producing unexpected charges on the victim's phone bill rather than a hot battery. Both families exploit the device without consent, but they leave different traces, so a triage should look at billing and subscriptions as well as at CPU and battery use.

Distribution and Infection Mechanisms

Malicious Application Downloads and Compromised App Stores

The most common distribution vector for mobile malware is still the installation of a malicious application disguised as legitimate software. Infected apps can closely mimic genuine ones, so users cannot reliably tell them apart by name, icon or description; at install or first run the app then asks for permissions (accessibility services, SMS, overlay drawing, device administration) that let the attacker act on the device, for example to capture banking credentials. The official app stores are the first line of defense against this, but they are not impenetrable.

The challenge of distinguishing legitimate from malicious applications persists despite the review processes of the official stores, and recent discoveries show that approved apps can carry malware. SparkKitty, a cryptocurrency-stealing trojan, is one example. Kaspersky researchers found this trojan spy targeting both iOS and Android; it sends images from the infected phone, together with information about the device, to the attackers. It was embedded in apps related to crypto and gambling and in a trojanized TikTok app, and was distributed through the App Store and Google Play as well as through scam websites. On the App Store the trojan posed as a cryptocurrency app, 币coin; on phishing pages mimicking the official iPhone App Store it was distributed under the guise of TikTok and gambling applications.

Sideloading, installing an application from a source other than the platform's official app store, is another significant distribution mechanism and sharply increases malware risk. Research indicates that users who sideload are 80 percent more likely to have malware running on their devices than those who do not, and that in 38.5 percent of cases where malware was detected the source could be traced to a sideloaded application. Google's own 2018 Year in Review reported that Android devices installing apps from sources other than Google Play were 8 times more likely to have a Potentially Harmful App (PHA).

Phishing and Social Engineering Attacks

Phishing attacks represent a critical infection vector that exploits human psychology rather than technical vulnerabilities. Phishing attacks are also prevalent in the mobile ecosystem, and it’s been reported that 82% of phishing sites now target mobile users. Cybercriminals may use social engineering techniques like sending fraudulent messages or emails to deceive users into revealing sensitive information, clicking on a malicious link, or downloading a malicious app. The mobile-specific variant of phishing, known as smishing, has become particularly prevalent. Smishing, or SMS phishing, is a type of malicious attack delivered via text messages aiming to deceive recipients into revealing personal information, such as passwords or credit card numbers.

Phishing is substantially more effective on mobile than on desktop. While phishing traditionally acquired credentials through email, SMS (smishing) and messaging apps have become far more common carriers; 57 percent of organizations have experienced a mobile phishing attack, and people are reported to be 18 times more likely to click a suspicious link on a mobile device than on a desktop, partly because small screens truncate URLs and sender details. 2024 data shows that the human-risk element persists across platforms: Lookout found iPhones received twice as many phishing attempts as Android devices, since phishing works on any phone.
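The reason small screens help smishing is that the part of a link the victim sees (a familiar brand name at the start of the hostname) is not the part that determines where it goes (the registrable domain at the end). The following added example, written for this article and not taken from any vendor tool it cites, shows the check a message filter or security-awareness tool applies: extract each URL, compute its registrable domain against a public-suffix table, and flag links whose hostname contains a protected brand but resolves to some other owner. The brand list, the tiny suffix table and the sample messages are all constructed for the example; a real deployment would load the full Public Suffix List.

```python
import re
from urllib.parse import urlsplit

# Constructed, deliberately tiny public-suffix table (assumption for the
# example). A real deployment loads the full Public Suffix List.
PUBLIC_SUFFIXES = {"com", "net", "org", "info", "xyz", "top", "co.uk", "com.au"}

# Brands the organisation wants to protect (assumed list for the example).
BRAND_DOMAINS = {"paypal.com", "usps.com", "bankofexample.com"}
BRAND_TOKENS = {d.split(".")[0] for d in BRAND_DOMAINS}

URL_RE = re.compile(r"(?i)\b(?:https?://|www\.)[^\s<>\"']+")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def registrable_domain(host: str):
    """Return the eTLD+1 for host, e.g. 'verify-account.xyz' for
    'paypal.com.verify-account.xyz', or None if the suffix is unknown."""
    labels = host.lower().rstrip(".").split(".")
    best = 0
    for i in range(1, len(labels)):          # leave at least one label for the owner
        if ".".join(labels[-i:]) in PUBLIC_SUFFIXES:
            best = i                         # keep the longest matching suffix
    if best == 0:
        return None
    return ".".join(labels[-(best + 1):])


def analyse_sms(text: str):
    """Return (url, reason) pairs for every suspicious link in one message."""
    findings = []
    for m in URL_RE.finditer(text):
        url = m.group(0)
        target = url if url.lower().startswith("http") else "http://" + url
        host = urlsplit(target).hostname or ""
        if IPV4_RE.fullmatch(host):
            findings.append((url, "link goes to a raw IP address"))
            continue
        reg = registrable_domain(host)
        if reg in BRAND_DOMAINS:
            continue                         # genuine brand site, any subdomain is fine
        # Split on dots and hyphens so 'paypal.com.verify-account.xyz' and
        # 'usps-redelivery.top' both expose the brand token.
        tokens = set(re.split(r"[.-]", host.lower()))
        if tokens & BRAND_TOKENS:
            findings.append((url, f"brand name in hostname but registrable domain is {reg!r}"))
        elif reg is None:
            findings.append((url, "unrecognised top-level domain"))
    return findings


def triage(messages):
    """Run analyse_sms over a batch; returns (message_index, url, reason) triples."""
    return [(i, url, why) for i, msg in enumerate(messages) for url, why in analyse_sms(msg)]


# Constructed sample messages (not real traffic).
SAMPLE_SMS = [
    "PayPal: your account is limited. Verify now: https://paypal.com.verify-account.xyz/login",
    "USPS: package held, pay the $1.99 redelivery fee at http://usps-redelivery.top/track",
    "Your PayPal statement is ready: https://www.paypal.com/myaccount/statements",
    "Lunch menu is up: http://192.168.4.20/menu",
]

if __name__ == "__main__":
    for i, url, why in triage(SAMPLE_SMS):
        print(f"msg {i}: {url} -> {why}")
```

The check deliberately does not try to catch homoglyph or digit-substitution lookalikes such as "paypa1.com"; those need a separate edit-distance or confusables comparison against the brand list. The point here is the structural one: whatever appears before the registrable domain is attacker-controlled text.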

Supply Chain and Pre-Installation Attacks

A particularly insidious distribution mechanism is compromise of the supply chain so that malware is already present when the device is first switched on. The Badbox and PeachPit trojans are recent examples: some knock-off Android devices are sold with the malware pre-installed, capitalizing on consumers looking for a cheap phone. Triada, discussed above, is the same pattern at larger scale, with millions of Android devices shipped carrying the rooting trojan.

SMS Trojans and Toll Fraud

SMS trojans use a phone's messaging capability to generate fraudulent charges and to intercept messages, usually without the user noticing. They send texts to premium-rate numbers or short codes, each of which incurs a high charge that appears on the victim's bill. They also intercept incoming messages: in 2015 some Android users were infected with a banking trojan that read texts containing financial information, including one-time codes, and forwarded copies by email, giving criminals what they needed to access the accounts. On current Android versions Google Play policy restricts SMS and call-log permissions to apps that are the device's default handler, which pushes this behavior toward sideloaded apps and toward abuse of notification access as an alternative way to read codes.

Zero-Click and Advanced Exploit Chains

The most sophisticated delivery mechanisms are zero-click exploits: the payload arrives in a message that the phone processes automatically, so the victim does not need to open a link or install anything. LANDFALL worked this way. It was embedded in malicious image files in the DNG format (a TIFF-based raw photo format) that appear to have been sent via WhatsApp, so that simply receiving and decoding the image was enough; the method closely resembles an exploit chain involving Apple and WhatsApp that drew attention in August 2025 and similar image-parser chains seen on iOS and Samsung Galaxy devices. Image and media decoders are attractive targets because they run on untrusted input automatically and must handle complex formats with many length and offset fields, every one of which has to be validated.
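To make the last point concrete, here is an added example (written for this article, not code from the LANDFALL report or from any vendor's image library) of the directory-level validation a DNG parser has to perform. DNG files begin with a TIFF header and a chain of Image File Directories (IFDs), each a table of 12-byte entries carrying a tag, a field type, a count and either an inline value or an offset to the data. Every count and offset comes from the attacker, so the parser checks that each entry's data lies inside the file, that field types are known, and that the IFD chain neither loops nor runs away. The sample files are constructed inline: one well-formed, one whose StripOffsets entry claims 4 GiB of data at offset 8, and one whose next-IFD pointer loops back on itself. The parser stops at the directory structure and does not decode pixel data.

```python
import struct

# Byte size of each TIFF field type (TIFF 6.0, types 1-12).
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8, 11: 4, 12: 8}
MAX_IFDS = 16          # sanity limits chosen for the example
MAX_ENTRIES = 4096


class MalformedImage(ValueError):
    """Raised for any structural problem; callers treat the file as hostile."""


def parse_tiff_ifds(data: bytes):
    """Walk the IFD chain of a TIFF/DNG file with full bounds checking.

    Returns a list of IFDs, each a dict {tag: (type, count, raw_bytes)}.
    """
    if len(data) < 8:
        raise MalformedImage("header truncated")
    endian = {b"II": "<", b"MM": ">"}.get(data[:2])
    if endian is None:
        raise MalformedImage("bad byte-order mark")
    magic, offset = struct.unpack(endian + "HI", data[2:8])
    if magic != 42:
        raise MalformedImage("bad TIFF magic")

    ifds, seen = [], set()
    while offset != 0:
        if offset in seen or len(ifds) >= MAX_IFDS:
            raise MalformedImage("IFD chain loops or is too long")
        seen.add(offset)
        if offset < 8 or offset + 2 > len(data):
            raise MalformedImage(f"IFD offset {offset} outside file")
        (count,) = struct.unpack_from(endian + "H", data, offset)
        if count == 0 or count > MAX_ENTRIES:
            raise MalformedImage(f"implausible entry count {count}")
        table_end = offset + 2 + count * 12 + 4        # entries plus next-IFD pointer
        if table_end > len(data):
            raise MalformedImage("IFD table truncated")

        entries = {}
        for i in range(count):
            pos = offset + 2 + i * 12
            tag, typ, n = struct.unpack_from(endian + "HHI", data, pos)
            size = TYPE_SIZES.get(typ)
            if size is None:
                raise MalformedImage(f"unknown field type {typ} in tag {tag}")
            total = n * size                            # Python ints: no overflow here,
            if total <= 4:                              # but C parsers must check n*size too
                raw = data[pos + 8:pos + 8 + total]     # value stored inline
            else:
                (val_off,) = struct.unpack_from(endian + "I", data, pos + 8)
                if val_off + total > len(data):
                    raise MalformedImage(
                        f"tag {tag} data [{val_off}, {val_off + total}) outside file")
                raw = data[val_off:val_off + total]
            entries[tag] = (typ, n, raw)
        ifds.append(entries)
        (offset,) = struct.unpack_from(endian + "I", data, offset + 2 + count * 12)
    return ifds


def validate(data: bytes):
    """Convenience wrapper: (True, ifd_count) or (False, reason)."""
    try:
        return True, len(parse_tiff_ifds(data))
    except MalformedImage as exc:
        return False, str(exc)


def build_sample(entries, next_ifd=0):
    """Constructed little-endian TIFF/DNG with one IFD at offset 8.
    entries: (tag, type, count, 4-byte inline value-or-offset field)."""
    buf = bytearray(b"II" + struct.pack("<HI", 42, 8))
    buf += struct.pack("<H", len(entries))
    for tag, typ, n, field in entries:
        buf += struct.pack("<HHI", tag, typ, n) + field.ljust(4, b"\0")
    buf += struct.pack("<I", next_ifd)
    return bytes(buf)


GOOD_DNG = build_sample([
    (256, 3, 1, struct.pack("<H", 8)),        # ImageWidth = 8
    (257, 3, 1, struct.pack("<H", 8)),        # ImageLength = 8
    (50706, 1, 4, bytes([1, 4, 0, 0])),       # DNGVersion 1.4.0.0, stored inline
])
OOB_DNG = build_sample([
    (256, 3, 1, struct.pack("<H", 8)),
    (273, 4, 0x40000000, struct.pack("<I", 8)),   # StripOffsets: 2^30 LONGs (4 GiB) at offset 8
])
LOOP_DNG = build_sample([(256, 3, 1, struct.pack("<H", 8))], next_ifd=8)  # IFD points to itself

if __name__ == "__main__":
    for name, blob in [("good", GOOD_DNG), ("out-of-bounds", OOB_DNG), ("loop", LOOP_DNG)]:
        print(name, validate(blob))
```

A real decoder has to apply the same discipline one layer down, to strip byte counts, tile offsets, sub-IFD pointers and the per-tag semantics of every field it honours; the directory walk above is the minimum, not the whole job.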

Detectable Signs and Symptoms of Mobile Malware Infection

Device Performance Indicators

Infection often shows up first as degraded performance. Malware runs processes in the background, where it tries to stay hidden, and those processes compete with the user's apps for CPU, memory and network; a device that has slowed down markedly without an apparent reason, or whose apps take much longer to load than they used to, deserves investigation.

Battery drain is the second indicator. Spyware in particular runs constantly, collecting and transmitting data, and the battery has to meet that demand for as long as the malware is present, so an unusually fast drain that persists across charges is suspicious. Check the per-app battery statistics in the device settings: legitimate apps that are heavy users of power will be listed there, and an unfamiliar app near the top of that list is worth removing.

Overheating is related. A phone working hard while idle or on standby is a classic sign of a malicious app running in the background, and sustained heat can permanently damage the battery and other hardware. None of these symptoms is specific to malware: an aging battery, a recent OS update re-indexing storage, a poorly written legitimate app, or a weak cellular signal produce the same effects, so treat them as a reason to look, not as proof of infection.

Communication and Data Anomalies

Unauthorized communication from the device is a stronger indicator. If contacts report receiving unsolicited messages, emails or social-media posts from your account, especially ones containing links, malware has probably read the contact list and is using the device to spread. Warn the recipients promptly so they do not open the links or forward them to others.

Unexplained data usage points to exfiltration. Malware that harvests messages, photos, credentials or call recordings has to upload them to the attacker's server, and that traffic shows up in the device's data counters and on the bill. A sudden rise in data usage, particularly mobile data consumed while the phone is idle, or a flood of pop-up ads, should prompt a per-app review in the data-usage settings; in a managed fleet, unusually high cellular usage on one employee's device is a reasonable trigger for examining that phone.

Application and System Anomalies

Unexpected applications and odd system behavior also indicate infection. Malware frequently installs additional apps to extend its capabilities or monetize the device, and some malicious apps hide among legitimate ones with similar names and icons. Review the installed-app list regularly, including apps with no launcher icon, and remove anything you do not recognize; on Android, the installer source of each app (official store versus manually installed APK) and the list of enabled accessibility services are useful discriminators, because banking trojans rely on the accessibility service for their overlay and keylogging behavior.
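The following added example (written for this article, not part of any vendor product it mentions) turns that review into a repeatable triage over two pieces of Android evidence that an analyst collects with adb: the third-party package list with installer attribution from `adb shell pm list packages -i -3`, and the enabled accessibility services from `adb shell settings get secure enabled_accessibility_services`. The output formats are as the author recalls them and the sample outputs are constructed, as is the set of trusted installer package names and the assumption that a manually installed APK shows `installer=null` or the system package installer. Packages that are both sideloaded and registered as accessibility services get the highest severity, because that combination is the signature of the overlay and keylogging trojans described above.

```python
import re

# Store front-ends whose installs are considered vetted (assumption for the example).
TRUSTED_INSTALLERS = {
    "com.android.vending",              # Google Play
    "com.sec.android.app.samsungapps",  # Galaxy Store
    "com.amazon.venezia",               # Amazon Appstore
}
SEVERITY_RANK = {"high": 0, "medium": 1, "info": 2}


def parse_pm_list(output: str):
    """Parse `adb shell pm list packages -i -3` into {package: installer or None}.
    Lines look like 'package:com.example.app  installer=com.android.vending'."""
    pkgs = {}
    for line in output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            pkg, installer = m.groups()
            pkgs[pkg] = None if installer == "null" else installer
    return pkgs


def parse_accessibility(setting: str):
    """Parse `settings get secure enabled_accessibility_services`, a colon-separated
    list of package/ServiceClass entries, into {package: [service, ...]}."""
    services = {}
    if not setting or setting.strip() == "null":
        return services
    for entry in setting.strip().split(":"):
        pkg, _, svc = entry.partition("/")
        services.setdefault(pkg, []).append(svc)
    return services


def triage(pm_output: str, a11y_setting: str):
    """Return (severity, package, reason) findings, highest severity first."""
    pkgs = parse_pm_list(pm_output)
    a11y = parse_accessibility(a11y_setting)
    findings = []
    for pkg, installer in pkgs.items():
        sideloaded = installer not in TRUSTED_INSTALLERS
        if sideloaded and pkg in a11y:
            findings.append(("high", pkg,
                             f"sideloaded (installer={installer}) and has an enabled "
                             f"accessibility service {a11y[pkg]}: overlay/keylogging capable"))
        elif sideloaded:
            findings.append(("medium", pkg, f"sideloaded (installer={installer})"))
    for pkg in a11y:
        if pkg not in pkgs:
            findings.append(("info", pkg,
                             "accessibility service enabled for a package outside the "
                             "third-party list (system app, or app already removed)"))
    findings.sort(key=lambda f: (SEVERITY_RANK[f[0]], f[1]))
    return findings


# Constructed sample output (not captured from a real device).
PM_LIST_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:com.bank.example  installer=com.android.vending
package:com.cleaner.boost  installer=com.sec.android.app.samsungapps
package:com.free.vpn.fast  installer=com.google.android.packageinstaller
package:com.pdf.reader.pro  installer=null
package:org.free.flashlight  installer=null
"""
ENABLED_ACCESSIBILITY = (
    "com.pdf.reader.pro/com.pdf.reader.pro.HelperService:"
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
)

if __name__ == "__main__":
    for severity, pkg, reason in triage(PM_LIST_OUTPUT, ENABLED_ACCESSIBILITY):
        print(f"[{severity:6}] {pkg}: {reason}")
```

In a real investigation the same pass would also pull device-admin receivers (`dpm list-owners`, `dumpsys device_policy`), apps holding the overlay permission, enabled notification listeners, and the Play Protect verdict for each flagged package; the point of the two inputs used here is that they are cheap to collect and already separate most banking trojans from legitimate sideloaded software.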

System-level anomalies add further evidence. Spontaneous reboots and crashes can mean malware is fighting for persistence, conflicting with legitimate code, or being driven remotely by someone with administrator-level access. Update the device and remove any malfunctioning apps first; if the random reboots continue, spyware is a plausible cause. A phone that takes unusually long to shut down may be closing hidden processes that were transmitting data in the background.

Suspicious Communications and Audio Artifacts

Unusual audio during calls is the traditional sign of call interception. Clicks, beeps or echoes on the line were once a recognizable artifact of tapping, and noises or screen activity from a phone that is supposedly idle, with no notification to explain them, should prompt a check for a malfunctioning legitimate app or a restart. Treat these as weak indicators: modern spyware such as Pegasus records calls and activates the microphone without producing audible artifacts, so their absence proves nothing, and their presence is more often a network or handset fault than surveillance.

Platform-Specific Vulnerabilities: Android versus iOS

Android’s Open Architecture and Enhanced Vulnerability

Android's open architecture gives users considerable customization flexibility but also a substantially larger attack surface. Android is particularly susceptible to malware when users install apps from unofficial sources; one study found mobile malware on 1 in 20 Android devices in 2022. Several design choices contribute: an open-source platform, many manufacturers shipping their own builds, and built-in support for installing apps from outside the official store. As a result, most mobile malware is written for Android.

Fragmentation across manufacturers and device models also slows the distribution of security patches, leaving devices exposed to known vulnerabilities long after fixes exist. The 2015 figures cited earlier, 87 percent of Android smartphones exposed to at least one critical vulnerability and about 95 percent exploitable through the Stagefright bugs, were direct consequences of that patch gap. Installing apps from unofficial sources compounds the risk: Google reported that devices installing apps from outside Google Play were 8 times more likely to have a Potentially Harmful App (PHA).

Recent data indicates that Android devices remain disproportionately targeted; some reports put Android malware infections at 50 times the iOS rate. Slower security patch adoption and the availability of unverified third-party app stores, together with the open-source nature of the platform, make it the preferred target for cybercriminals. Specific malware families predominantly target Android: over 98 percent of mobile banking attacks hit Android devices, which is unsurprising given that Android holds over 80 percent of the global smartphone market and is the only popular mobile platform that lets users sideload software as a matter of course (outside the EU, where regulation now obliges Apple to permit alternative app marketplaces).

iOS Security Model and Remaining Vulnerabilities

Apple’s iOS implements a fundamentally different security model: a closed ecosystem with strict app review, which reduces the risk of malware-infected apps reaching users. Apple tightly controls both the operating system and the apps available in the App Store, so Apple devices offer good security “out of the box” at the price of some user restrictions. Nonetheless, SpyCloud observes near-consistent infections of iOS devices, commonly including the exfiltration of financial information such as credit card numbers and bank account details.

The uniformity of Apple’s hardware and software platform also allows quicker and more consistent distribution of security patches. However, iOS devices remain vulnerable to targeted attacks. While traditional phishing focused on harvesting credentials through email, phishing via SMS (smishing) and messaging apps has become far more prevalent, and it works on any platform because it targets the user rather than the operating system. Sophisticated spyware like Pegasus demonstrates that iOS vulnerabilities, while fewer, are no less serious than Android’s. As of September 2023, Pegasus operators were able to remotely install the spyware on iOS versions through 16.6 using a zero-click exploit, with no interaction from the victim required.

Recent discoveries show that even iOS’s rigorous app review can be bypassed: Kaspersky researchers discovered SparkKitty, a cryptocurrency-stealing malware distributed through apps on both the App Store and Google Play that targets iOS and Android smartphones. More seriously, spyware can be deployed through exploit chains against the operating system itself rather than through any app. In August 2025, Apple issued security updates across its products for CVE-2025-43300, a zero-day vulnerability in DNG image parsing that attackers had reportedly exploited in the wild in sophisticated targeted attacks; a malicious image file is enough to reach such a bug, which is why image-parsing flaws recur in zero-click chains.

Jailbreaking and Rooting as Vulnerability Multipliers

Jailbreaking or rooting a device substantially increases malware exposure by removing built-in protections. Rooting (Android) or jailbreaking (iOS) means bypassing the platform’s internal protections to gain unrestricted control of the operating system, and malware that runs on such a device inherits that control. A modified (rooted) Android build loses some of the protection Google provides, and jailbroken phones tend to lack the default protections of their original operating system, which is why mobile malware is a particular problem for them.

Recent Mobile Malware Threats and Contemporary Examples

The Mamont Banking Trojan Family

The Mamont trojan family is currently the most prolific mobile banking threat in circulation. Various modifications of Mamont make up the bulk of mobile banking Trojan installation packages, accounting for 57.7 percent, and by share of affected users Mamont also outpaces all competitors, occupying nearly all the top spots among the most widespread banking Trojans. Kaspersky’s Q2 2025 telemetry shows the persistence of the family: Trojan-Banker.AndroidOS.Mamont.da accounts for 30.28 percent of mobile banking trojan infections, followed by Trojan-Banker.AndroidOS.Mamont.ev at 17.00 percent and Trojan-Banker.AndroidOS.Mamont.db at 13.41 percent.

The LANDFALL Spyware Campaign

LANDFALL is a sophisticated surveillance tool targeting Samsung Galaxy devices. Unit 42 researchers uncovered the previously unknown Android spyware family and named it LANDFALL. To deliver it, attackers exploited a zero-day vulnerability (CVE-2025-21042) in Samsung’s Android image-processing library; the bug was actively exploited in the wild before Samsung patched it in April 2025, following reports of in-the-wild attacks. The technical sophistication of LANDFALL and its operational history demonstrate the advanced capabilities of contemporary mobile spyware. Targeting data suggests a regional focus: potential targets of the activity, tracked as CL-UNK-1054, are located in Iraq, Iran, Turkey, and Morocco based on VirusTotal submission data.

The Triada Rooting Trojan

Triada exemplifies how supply chain compromise can distribute malware at scale to millions of devices. Triada secretly controls the device and exfiltrates sensitive user data, including text messages, call logs, and contacts, to a third party. Its pre-installation on devices represents a particularly dangerous distribution model: Triada is a rooting Trojan that was injected into the supply chain, and millions of Android devices shipped with the malware already present in the firmware, where a factory reset cannot reach it.

Additional Notable Malware Families

Additional malware families present significant threats to mobile users. MoneytiseSDK is an Android Trojan embedded into applications that turns a victim’s phone into a proxy, letting the malware developers earn money by routing unvetted network traffic through the device’s connection. WAPDropper can download and execute code from a remote server, which can lead to malicious behaviour and unexpected charges on the device’s bill. KoSpy is a novel threat attributed to North Korean actors: Lookout Threat Lab researchers discovered the Android surveillance tool, which appears to target Korean- and English-speaking users. The spyware, attributed with medium confidence to the North Korean APT group ScarCruft (also known as APT37), is a relatively new family with early samples going back to March 2022.

Removal and Remediation Strategies

Immediate Containment Actions

Users suspecting infection should contain it immediately, starting with isolation: switching the device to airplane mode (or turning off Wi-Fi and mobile data) cuts any command-and-control channel and halts data exfiltration while the device is examined. Clearing browser cache and data then removes potentially malicious scripts and cookies; note that this only addresses browser-hosted threats such as scareware pages and redirect scripts, not an installed malicious app. To clear the cache on an Android device, open ‘Settings’, search for ‘Apps’, find ‘Chrome’, open ‘Storage’, and select ‘Clear Cache’. On an iOS device, go to the ‘Settings’ app, select ‘Safari’, tap ‘Clear History and Website Data’, and confirm that you want to clear history, cookies, and other browsing data.

Identification and Removal of Malicious Applications

Identifying and uninstalling suspicious applications is the next critical step. The source of malware is often an app the user installed, so try removing, one by one, the apps installed shortly before the symptoms appeared. If an app refuses to uninstall, it usually holds Device Administrator rights or an Accessibility Service; revoke those in Settings first, or boot into Safe Mode (which disables third-party apps) and remove it from there. For Android, Google Play Protect provides automated protection: when activated, it runs a safety check on apps from the Google Play Store before you download them and checks your device for potentially harmful apps downloaded from other sources.

Users should systematically review installed applications and remove any that are unrecognized, unnecessary, untrusted, or from sources outside the Google Play Store. On an Android phone or tablet, open the Settings app, tap Apps & notifications, then See all apps, tap the app you want to remove, tap Uninstall, and follow the on-screen instructions.

Operating System and Security Updates

Ensuring devices run the latest available security patches is critical, so update the device software and applications as soon as possible. On Android this involves two separate channels: system updates from the manufacturer and Google Play system updates, which Google ships independently of the manufacturer. The menu path varies by Android version. On older builds, open the Settings app, tap System, then Software updates, and tap Google Play system update for the Play channel. On newer builds, open Settings, tap Security & privacy, then System & updates, and tap Security update and Google Play system update in turn. Most system updates and security patches install automatically, but the device’s security patch level, shown on the same screen, is worth checking against the current month: a level many months old means known vulnerabilities remain unpatched.

Factory Reset as Last Resort

If infection persists despite targeted remediation, a factory reset is the most comprehensive option available to a user. Simply restarting the phone will not remove malware, but restoring the device to factory settings removes any app installed after purchase. Because a reset wipes all data (contacts, photos, and files included), the targeted steps above (isolating the device, clearing browser data, removing suspicious apps, applying updates) should be tried first, and users should back up critical content beforehand. Be selective when restoring: a full app backup can reinstall the malicious app, so restore photos, contacts and documents rather than apps. Two caveats apply. Malware pre-installed in the firmware, as in the Triada supply-chain case, lives in the system partition that a reset restores from, so it survives; such devices need a manufacturer firmware reflash or replacement. And where targeted spyware is suspected, a reset destroys the evidence an investigator would need, so take a device backup for analysis before wiping.

The reset process varies by platform but achieves the same outcome of removing all potentially compromised user data and software. On Android it is typically under Settings, System, Reset options, Erase all data (factory reset), though the exact path differs by manufacturer; on iOS it is under Settings, General, Transfer or Reset iPhone, Erase All Content and Settings. To learn more about removing harmful software from a specific device, contact the device manufacturer.

Prevention and Protection Strategies

Application Installation Best Practices

Users should install applications exclusively from official app stores: only download apps from the Google Play Store (Android) or the App Store (iOS), or directly from the official provider, since applications vetted through these platforms pass security screening and are on the whole safer. This single practice substantially reduces malware risk. Be especially careful with VPNs and streaming apps, which are favourite lures, and never install something because a link in a forum or message promises a shortcut.

When considering app permissions, users should think critically about whether each requested permission fits the app’s stated function. If an app asks for control over the device, its settings, Accessibility Services, or the ability to install other apps, stop and ask why: does it really need those permissions to do what you expect? Accessibility Services deserve particular scrutiny, because an app granted them can read the screen and inject taps, which is exactly how banking trojans overlay login forms and defeat on-screen confirmations.

Utilization of Security Software

Installing mobile security software adds a further protection layer, alongside keeping the number of installed applications small and sourcing them only from official stores. Reputable antivirus and anti-malware solutions provide real-time protection against known and, through behavioural detection, some unknown threats; a good mobile antivirus protects the smartphone from malware and hacking attempts. Kaspersky for Android provides 24/7 protection and includes a ‘Where is my device’ feature as well as spy app detection. Use layered, up-to-date protection: install real-time anti-malware protection on your Android that scans new downloads and suspicious activity, and keep both the security software and the device system updated, since patches fix the vulnerabilities attackers exploit. On iOS, third-party apps cannot scan other apps, so the equivalent layer is keeping the OS current and, for high-risk users, enabling Lockdown Mode.

Network Security Measures

Users should never rely on unsecured public networks for sensitive activities, and should not join public Wi-Fi without protection. A virtual private network (VPN) encrypts traffic between the device and the VPN server, so data, documents, and activity cannot be read or tampered with by whoever controls the network at an airport, cafe or hotel. The caveat is that a VPN protects the network path only: it does nothing against malware already on the device, and a VPN app from an untrusted source is itself a common malware lure, so choose one from the official store of a provider you trust.

Device Authentication and Access Control

Strong authentication substantially reduces the impact of device loss or theft. Locking the phone with facial recognition, a fingerprint, a pattern, or a PIN is the most basic protection (options vary by device, operating system, and manufacturer). Go a step further by securing the accounts on the phone with strong passwords and two-factor authentication on the apps that offer it. Use a strong lock-screen PIN or password: a 6-digit PIN is sufficient if the device wipes itself after 10 incorrect attempts, which both platforms can be configured to do, and set the device to lock automatically after 5 minutes at most.

Advanced Device Configuration

Users should disable wireless technologies when not in active use: turn off Bluetooth and near-field communication (NFC) when they are not needed, because leaving them active creates attack vectors. When Wi-Fi and Bluetooth stay on, an attacker nearby can see which networks the phone has connected to before, spoof them, and trick the phone into connecting to Wi-Fi and Bluetooth devices the attacker carries. Once connected, the attacker can push malware, steal data, or spy on the user without the user necessarily noticing. Turning Bluetooth off when it is not in use removes that exposure.

Similarly, location services should be disabled when not required, and the device should not be brought into sensitive locations. Users should also review and restrict app permissions to those necessary for functionality. Revoke unnecessary app permissions: many apps request access to contacts, location, camera, and microphone even when they do not need them, which is a common method of data harvesting. Periodically open the phone’s privacy settings and review which apps have access to what; if a photo-editing app does not need your location, revoke that permission.
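The removal steps earlier on this page (find recently installed or sideloaded apps, check the security patch level) and the permission review just described are easier to repeat, and to apply across a fleet, as a script. The following is an added example written for this page, not a tool from the article or from any vendor it names. It parses the text printed by four real adb commands, `adb shell pm list packages -3 -i`, `adb shell settings get secure enabled_accessibility_services`, `adb shell dumpsys package <package>` and `adb shell getprop ro.build.version.security_patch`, and flags sideloaded apps, apps with an enabled Accessibility Service, apps granted an assumed shortlist of high-risk permissions, and a stale patch level. The sample outputs, package names and the 90-day threshold are constructed for the example; dumpsys wording varies a little between Android versions, so the parser relies only on the stable `name: granted=true` form.

```python
import re
from dataclasses import dataclass
from datetime import date

PLAY_STORE = "com.android.vending"

# Assumed shortlist of permissions worth questioning on an unrecognised app.
HIGH_RISK_PERMS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.RECORD_AUDIO",
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.REQUEST_INSTALL_PACKAGES",
}


@dataclass(frozen=True)
class Finding:
    package: str  # empty string for device-wide findings
    reason: str


def parse_installers(pm_output: str) -> dict[str, str]:
    """'pm list packages -3 -i' lines -> {package: installer}; 'null' if unknown."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"^package:(\S+)\s+installer=(\S+)", pm_output, re.M)}


def parse_accessibility(setting: str) -> set[str]:
    """The setting is 'pkg/Service:pkg2/Service2' or 'null'; return the packages."""
    setting = setting.strip()
    if setting in ("", "null"):
        return set()
    return {entry.split("/", 1)[0] for entry in setting.split(":") if entry}


def parse_granted(dumpsys_output: str) -> set[str]:
    """Permissions that 'dumpsys package' reports as granted=true."""
    return set(re.findall(r"(android\.permission\.[A-Z_]+): granted=true", dumpsys_output))


def triage(pm_output: str, a11y_setting: str, dumpsys_by_pkg: dict[str, str],
           patch_level: str, today: date, max_patch_age_days: int = 90) -> list[Finding]:
    """Return the risk signals an analyst should look at first, in a stable order."""
    findings: list[Finding] = []
    installers = parse_installers(pm_output)
    a11y = parse_accessibility(a11y_setting)
    # Third-party packages in pm order, then accessibility services owned by
    # packages pm did not list (e.g. a preloaded app that is not Play-installed).
    for pkg in list(installers) + sorted(a11y - set(installers)):
        installer = installers.get(pkg)
        if installer is not None and installer != PLAY_STORE:
            findings.append(Finding(pkg, f"sideloaded (installer={installer})"))
        if pkg in a11y:
            findings.append(Finding(pkg, "accessibility service enabled"))
        for perm in sorted(parse_granted(dumpsys_by_pkg.get(pkg, "")) & HIGH_RISK_PERMS):
            findings.append(Finding(pkg, f"granted {perm.rsplit('.', 1)[1]}"))
    try:
        patched = date.fromisoformat(patch_level.strip())
    except ValueError:
        findings.append(Finding("", f"unparseable security patch level {patch_level!r}"))
    else:
        age = (today - patched).days
        if age > max_patch_age_days:
            findings.append(Finding("", f"security patch level {patched} is {age} days old"))
    return findings


# Constructed sample output: a Play-installed bank app, a sideloaded "free VPN"
# holding an accessibility service, SMS access and overlay rights, and a photo app.
SAMPLE_PM = """\
package:com.example.bank  installer=com.android.vending
package:com.cheapvpn.free  installer=null
package:com.example.photos  installer=com.android.vending
"""
SAMPLE_A11Y = "com.cheapvpn.free/com.cheapvpn.free.OverlayService"
SAMPLE_DUMPSYS = {
    "com.cheapvpn.free": """\
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.SYSTEM_ALERT_WINDOW: granted=true
    runtime permissions:
      android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
""",
    "com.example.photos": """\
    runtime permissions:
      android.permission.ACCESS_FINE_LOCATION: granted=true
""",
}
SAMPLE_PATCH = "2025-03-01"


def run_sample(today: date = date(2025, 9, 1)) -> list[Finding]:
    """Run the triage over the constructed sample with a fixed reference date."""
    return triage(SAMPLE_PM, SAMPLE_A11Y, SAMPLE_DUMPSYS, SAMPLE_PATCH, today)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.package or '<device>'}: {f.reason}")
```

On the sample, only the sideloaded VPN and the device-wide patch level produce findings; the Play-installed apps are silent even though the photo app holds a location permission, because the shortlist deliberately targets permissions that enable fraud and surveillance rather than every sensitive grant. Against a real device, feed the script the output of the four commands above, and treat an installer other than `com.android.vending` as a prompt to look, not a verdict, since enterprise and OEM stores legitimately appear there too.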

User Awareness and Behavioral Practices

User education is one of the most effective long-term defences. Educate employees at every level: organizations should train staff about phishing, smishing, and social engineering attacks, because recognizing the patterns (urgent requests, offers too good to be true, a link that does not go to the brand the message claims to be from) is an effective defence against SMS-based deception. Users should be sceptical of unsolicited messages, especially those that press for immediate action, and should verify any message by contacting the purported sender through official channels rather than the phone numbers or links in the message itself.
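The two tells named above, urgency language and a link that does not belong to the brand the message invokes, can be checked mechanically, which is useful both for training material and for a first-pass filter on reported messages. The following is an added example written for this page, not code from the article or from any product it mentions. The brand-to-domain allowlist, the urgency phrase list, the shortener list and the sample messages are all constructed for the example, and the registrable-domain logic is a deliberate simplification (last two labels) that a real deployment should replace with the Public Suffix List.

```python
import re
from urllib.parse import urlsplit

# Assumed allowlist: brand keyword -> registrable domains the brand really uses.
BRAND_DOMAINS = {
    "usps": {"usps.com"},
    "fedex": {"fedex.com"},
    "paypal": {"paypal.com"},
    "netflix": {"netflix.com"},
}
# Assumed phrase list; the article's "urgent request" pattern.
URGENCY_PHRASES = ("immediately", "within 24 hours", "suspended", "locked",
                   "final notice", "act now", "verify now")
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "cutt.ly"}
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Last two labels of the host: 'usps.com.evil.xyz' -> 'evil.xyz'.
    Simplification; 'example.co.uk' needs the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def extract_hosts(text: str) -> list[str]:
    """Hostnames of every URL in the message, including bare 'www.' links."""
    hosts = []
    for m in URL_RE.finditer(text):
        url = m.group(0).rstrip(".,;:!?)")  # trailing sentence punctuation
        if not url.lower().startswith("http"):
            url = "http://" + url
        host = urlsplit(url).hostname
        if host:
            hosts.append(host)
    return hosts


def score_sms(text: str) -> tuple[int, list[str]]:
    """Return (score, reasons); a score of 2 or more deserves a closer look."""
    low = text.lower()
    brands = [b for b in BRAND_DOMAINS if b in low]
    reasons: list[str] = []
    for host in extract_hosts(text):
        rd = registrable_domain(host)
        if any(label.startswith("xn--") for label in host.split(".")):
            reasons.append(f"punycode (IDN) host {host}")
        if rd in SHORTENERS:
            reasons.append(f"link shortener {rd}")
        for brand in brands:
            # Catches 'usps.com.redelivery-info.xyz' and 'usps-track.com' alike:
            # the brand is named in the text but the registrable domain is not theirs.
            if rd not in BRAND_DOMAINS[brand]:
                reasons.append(f"claims {brand} but links to {rd}")
    hits = [p for p in URGENCY_PHRASES if p in low]
    if hits:
        reasons.append("urgency: " + ", ".join(hits))
    return len(reasons), reasons


# Constructed sample messages (no real campaign data).
SAMPLES = [
    "USPS: your package could not be delivered. Confirm your address within 24 hours: "
    "https://usps.com.redelivery-info.xyz/track",
    "Your Netflix account is suspended. Verify now at http://bit.ly/3abcdef",
    "FedEx: your shipment 1234 is out for delivery. Track at "
    "https://www.fedex.com/fedextrack/?trknbr=1234",
    "Hey, are we still on for lunch?",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        score, reasons = score_sms(msg)
        print(score, reasons)
```

The first two samples score 2 and 3 respectively, the genuine FedEx message and the personal one score 0. The brand check is the one that matters: urgency wording alone also appears in legitimate fraud alerts, but a message that names a brand and links anywhere other than that brand's own domain is almost never legitimate, which is the same check the text recommends doing by hand through official channels.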

Organizational Implications and BYOD Security

Enterprise Mobile Threats

Organizations implementing bring-your-own-device policies face amplified risk, because the personal devices employees use for work become unguarded endpoints in the corporate environment. Employees using their own devices can lower costs and improve efficiency and effectiveness, but this also creates security concerns for the company network and the data stored on it. The consequences of device compromise can be severe: one breach through a personal device can lead to widespread infection and large-scale data loss.

Enterprise Mobile Device Management

Organizations should implement mobile device management (MDM) solutions to monitor and enforce security policies. MDM tools help enforce security rules and offer centralized management over all devices at once, particularly in a corporate environment. MDM programs that provide remote device monitoring and control let enterprises enforce measures such as encryption, prompt software updates, safe app use, and remote wipe of a lost or compromised device.

Threat Intelligence and Incident Response

Organizations should establish incident response procedures for mobile device compromises. Strengthen security layers: deploy security infrastructure that addresses known mobile attack vectors. Incident response planning: develop and test procedures for rapid response to suspected mobile device compromises, including isolating the device from corporate resources and revoking its sessions and credentials. Employee training: provide comprehensive security awareness training addressing mobile-specific threats. Monitor and adapt continuously: track emerging threats and adjust defenses accordingly.

Unveiling Phone Malware: A Recap

Mobile malware represents a serious and growing threat to both individual users and organizations, with attacks rising 50 percent in the last year and unique malware samples increasing 13 percent annually. The threat landscape encompasses trojans constituting over 95 percent of mobile malware, banking trojans with capabilities enabling financial fraud and device takeover, advanced spyware supporting comprehensive device surveillance, ransomware enabling data extortion, and cryptojacking malware silently consuming device resources for criminal profit. Distribution mechanisms have become increasingly sophisticated, ranging from malicious applications on official app stores to supply chain injection, zero-click exploits, and SMS-based phishing attacks that exploit the mobile-first behavior of modern users.

Android devices face particularly acute exposure due to platform fragmentation, delayed security updates, and the ability to sideload applications; reported infection rates run up to 50 times those of iOS, and devices that sideload are 8 times more likely to carry a potentially harmful app than those that stick to Google Play. iOS, while implementing a more restrictive security model, remains vulnerable to sophisticated targeted attacks including zero-click exploits and spyware like Pegasus. Recent campaigns including Mamont banking trojans, LANDFALL spyware, SparkKitty cryptocurrency stealers, and KoSpy surveillance tools demonstrate the continuing evolution of mobile threats.

Protection requires a multi-faceted approach combining technical controls, user education, and organizational policies. Users must restrict application installation to official app stores, maintain current security patches, utilize comprehensive antivirus software, employ strong authentication mechanisms, use virtual private networks on public networks, regularly review application permissions, and remain skeptical of unsolicited communications. Organizations must implement mobile device management, enforce security policies on personal devices, provide continuous employee training, establish incident response procedures, and maintain threat intelligence monitoring. As mobile devices continue to become more central to both personal and professional activities, comprehensive mobile malware protection has transitioned from optional security luxury to essential organizational and individual necessity. The stakes are substantial, with mobile malware capable of compromising personal financial accounts, enabling identity theft, disrupting business operations, and facilitating broader supply chain attacks affecting entire organizational ecosystems. Vigilance, continuing education, and proactive security implementation remain the most effective defenses against the evolving mobile malware threat landscape.