Back

Surge in Android Banking Trojans Threatens Mobile Financial Security

Severity: High (Score: 69.5)

Sources: Biz.Chosun, Technadu

Published: 2026-05-21 · Updated: 2026-05-21

Keywords: banking, android, surge, trojans, threat, attacks, mobile

Severity indicators: trojan, banking

Summary

In Q1 2026, Kaspersky reported over 2.67 million mobile attacks, with a significant rise in banking Trojans. The number of unique users targeted remained stable despite a drop in total attacks. Banking Trojan packages increased by 50% quarter over quarter, with Mamont variants dominating detections. In 2025, banking Trojan attacks surged by 56%, with 255,090 new APKs identified, marking a 271% increase. Attackers are utilizing messenger apps and malicious web pages to distribute malware. Preinstalled backdoors like Triada and Qinadue are becoming more common, posing serious risks to mobile payment security. Users are advised to enhance security awareness and regularly update their devices. Key Points: • Kaspersky detected over 2.67 million mobile attacks in Q1 2026, with banking Trojans rising 50%. • In 2025, Android banking Trojan attacks surged by 56%, with 255,090 new APKs identified. • Preinstalled backdoors like Triada are increasingly common, threatening mobile financial security.

Detailed Analysis

**Impact** Over 2.67 million mobile attacks were prevented in Q1 2026, with banking Trojans accounting for 10.86% of total malicious detections. Android banking Trojan installation packages increased 50% quarter-over-quarter in early 2026 and surged 56% during 2025, targeting users globally. Preinstalled backdoors like Triada.ag and Qinadue affected a significant number of devices, enabling persistent control over smartphones and tablets. Financial data, including online banking credentials and payment information, is at risk, impacting mobile users relying on banking and electronic payment services. **Technical Details** Banking Trojans primarily spread through messenger apps, malicious web pages, and preinstalled firmware backdoors such as Triada.ag and Qinadue. The Mamont Trojan variant accounted for 73.5% of banking Trojan detections, with other families including Faketoken, Rewardsteal, and Creduz also active. Additional malware includes the SparkCat crypto stealer found on official app stores and Perseus malware targeting smartphone notes. No specific CVEs or infrastructure details were provided. **Recommended Response** Users should apply firmware updates promptly and rescan devices with professional security solutions after updates to detect preinstalled backdoors. Organizations must deploy detections for Mamont, Triada.ag, and other prevalent banking Trojan families, and block known malicious APKs and domains associated with these threats. Security awareness training on safe downloading habits and cautious use of messenger apps and web links is essential. Monitoring for unusual device behavior and unauthorized access attempts is advised.

Source articles (2)

  • Kaspersky reports 56% surge in Android banking Trojans in 2025 — Biz.Chosun · 2026-05-21
    Banking Trojan attacks targeting Android smartphones surged last year. As malware aimed at online banking and card information spread quickly, analysts said mobile financial security threats are growi…
  • Q1 2026 Android Threat Landscape: Banking Trojans, Triada.ag Backdoor Surge — Technadu · 2026-05-18
    While aggregate mobile attacks fell from almost 3,240,000 in the quarter to a little over 2,676,000 in Q1, threat intelligence indicates that the number of unique users targeted by these campaigns rem…

Timeline

  • 2025-01-01 — Banking Trojan attacks surged in 2025: Kaspersky reported a 56% increase in banking Trojan attacks targeting Android smartphones throughout 2025.
  • 2025-01-01 — New APKs identified: Kaspersky found 255,090 new Android banking Trojan installation packages in 2025, a 271% increase from the previous year.
  • 2026-05-18 — Q1 2026 mobile attacks reported: Kaspersky reported over 2.67 million mobile attacks in Q1 2026, with banking Trojans making up 10.86% of total detections.
  • 2026-05-18 — Rise of Mamont variants: Mamont variants accounted for 73.5% of all banking Trojan detections in Q1 2026, highlighting a shift in threat architecture.
  • 2026-05-21 — Kaspersky issues security advice: Kaspersky emphasized the need for users to enhance security awareness and regularly update devices to mitigate risks from banking Trojans.

Related entities

  • Malware (Attack Type)
  • Ransomware (Attack Type)
  • Trojan (Attack Type)
  • triada.ag (Domain)
  • Financial (Industry)
  • Cerberus (Malware)
  • Creduz (Malware)
  • DarkSword (Malware)
  • Faketoken (Malware)
  • Mamont (Malware)
  • Perseus (Malware)
  • Qinadue (Malware)
  • Rewardsteal (Malware)
  • SparkCat (Malware)
  • SparkKitty (Malware)
  • Triada (Malware)
  • Phoenix (Company)
  • Android (Platform)
  • Apple App Store (Platform)
  • Google Play (Platform)
Loading threat details...

Threat Not Found

The threat cluster you're looking for doesn't exist or has been removed.

Return to Feed