Q1 2026 Android Threat Landscape: Banking Trojans, Triada.ag Backdoor Surge
Published
Key Takeaways
- Attack volume drops: Total mobile attacks decreased, but unique user targeting remained stable.
- Banking Trojans surge: Malicious installation packages increased by half quarter-over-quarter.
- Emerging mobile threats: SparkCat infiltrated official app stores, while Triada.ag topped malware detections.
While aggregate mobile attacks fell from almost 3,240,000 in the previous quarter to a little over 2,676,000 in Q1, threat intelligence indicates that the number of unique users targeted by these campaigns remained relatively stable.
During the first quarter of 2026, the Kaspersky Security Network prevented more than 2.67 million mobile attacks. Security analysts discovered more than 306,000 malicious installation packages during the reporting period.
Malicious Installation Packages and Banking Trojans
This Kaspersky raw telemetry included 162,275 mobile banking Trojan packages and 439 mobile ransomware Trojan packages. Driven by this aggressive deployment, the Trojan-Banker category held a 10.86% share of total malicious detections.
Furthermore, mobile banking Trojan packages increased 50% quarter over quarter, demonstrating a sustained operational focus on financial data exfiltration by threat actors.
Within this specific category, Mamont variants emerged as the dominant threat architecture, accounting for 73.5% of all banking Trojan detections, with the “rest of the users encountering Faketoken, Rewardsteal, Creduz, and other families.”
Pre-Installed Malware and App Store Infiltrations
Analyzing specific malware families, the pre-installed Triada.ag backdoor rose to the top spot among the most frequently detected mobile malware in Q1 2026. Additionally, security researchers identified several applications containing the SparkCat crypto stealer (also known as SparkKitty) that were successfully listed on both Google Play and the Apple App Store.
Malicious operators continued to deploy high volumes of adware and unwanted software frameworks. Adware detections and most frequently seen RiskTool apps include:
- HiddenAd (44.9%)
- MobiDash (38.1%)
- Revpn (67%)
- SpyLoan (20.5%).
Reports in March indicated that the Perseus malware, based on Phoenix and Cerberus predecessors, targeted victims’ personal smartphone notes, while the Darksword exploit kit that deploys iOS spyware on iPhones was adopted by multiple threat actors.
Related
Get expert insights on threats, breaches, scams, and security trends — delivered every Monday.
Most Popular
Get expert insights on threats, breaches, scams, and security trends — delivered every Monday.
Most Popular