"More than 2.67 million attacks utilizing malware, adware, or unwanted mobile software were prevented," according to the Kaspersky Security Network (KSN).
Kaspersky Security Network: Q1 2026 at a glance
KSN recorded 2,676,328 blocked mobile attacks in Q1 2026, down from 3,239,244 in the previous quarter. That decline primarily reflected fewer adware and RiskTool detections, but Kaspersky notes the number of unique users targeted remained “relatively stable.” The report also documents more than 306,000 malicious installation packages discovered in the quarter, including 162,275 packages linked to mobile banking Trojans and 439 linked to mobile ransomware Trojans. The set of Android malware samples monitored edged up slightly to 306,070.
Banking Trojans: a two-quarter sprint and Mamont’s dominance
Mobile banking Trojans accelerated sharply in Q1. Kaspersky says banking-Trojan installation packages totaled 162,275 — a 50% increase versus the prior quarter, matching a 50% rise seen in the previous quarter. Banking Trojans overtook other categories by package volume and represented more than half of all installation packages in the dataset. Within that surge, Mamont family variants accounted for the lion’s share of activity: Mamont variants represented 73.5% of banking-Trojan detections. In Kaspersky’s top-10 banking-Trojan breakdown, Trojan-Banker.AndroidOS.Mamont.jo alone was encountered by 15.75% of users who faced banking threats; other Mamont variants (e.g., .jx, .jg) also rose sharply.
Pre-installed backdoors and Triada’s top position
Despite the Mamont surge, the single most frequently encountered malware verdict in Q1 was Backdoor.AndroidOS.Triada.ag, seen by 7.09% of attacked Kaspersky mobile users — a rise from 2.62% in Q4 2025. Kaspersky attributes Triada.ag’s lead in part to variants being pre-installed across a wide range of devices; multiple Triada variants (Triada.z, Triada.ae, Triada.ab, Triada.ad) appear elsewhere in the rankings. The report also documents increased activity from Backdoor.AndroidOS.Keenadu.a, and a continuing presence of diverse embedded Triada variants across the top detections.
Techniques and takedowns: Kimwolf, IPIDEA, SparkCat and novel obfuscation
KSN highlights specific operational developments in early 2026. Researchers at Synthient identified a link between the Kimwolf botnet and the IPIDEA proxy network; that proxy network was later taken down in cooperation with GTIG. Separately, Kaspersky found multiple apps on Google Play and the App Store that contained a new version of the SparkCat crypto stealer. The attackers embedded obfuscated Trojan code into infected Android apps using an obfuscated Rust library that the attackers decrypted with a custom Dalvik-like virtual machine. On iOS, Kaspersky observed the malware’s authors begin to leverage Apple’s Vision framework for optical character recognition (OCR).
What this means for technologists, regulators, and mobile users
- Technologists and security teams: expect continued pressure from banking-Trojan package production (two consecutive 50% quarter-to-quarter increases) and the spread of Mamont variants. Pay particular attention to artifacts Kaspersky highlights — pre-installed Triada variants, growing Keenadu activity, obfuscated Rust libraries unpacked by custom Dalvik-like VMs, and iOS samples using Apple’s Vision framework for OCR.
- Policymakers and takedown teams: the IPIDEA takedown coordinated with GTIG underscores the operational value of disrupting supporting proxy infrastructure; Kaspersky’s linkage of Kimwolf to IPIDEA illustrates how botnets and proxy networks can be interconnected targets for enforcement activity.
- Mobile users and enterprises procuring devices: total attack counts fell but the number of unique users targeted held steady, and adware plus RiskTool apps remain the top attack-volume drivers. The presence of pre-installed backdoors in device populations — a key factor in Triada.ag’s prominence — is a concrete procurement and inventory concern for organizations presenting risk beyond downloaded apps.
Two trends stand out from Kaspersky’s Q1 2026 telemetry: broad declines in recorded attack volume driven by adware and RiskTool reductions, and simultaneous, sharp growth in banking-Trojan package production led by Mamont variants — plus an outsized presence of pre-installed Triada backdoors that aggregate large user counts. After two consecutive quarters of 50% growth in banking-Trojan packages, the central question the data poses is concrete: will the supply-side surge in banking-Trojan installation packages continue to outpace reductions in other threat categories?




