According to the report ‘IT threat evolution in Q2 2025. Mobile statistics’, carried out by the multinational Kaspersky, in the first half of 2025 there was a 29% increase in cyber attacks on Android smartphones compared to the same period in 2024, and 48% more compared to the second half of 2024. Behind this increase not only As the volume of attacks grows, the variety of techniques used by cybercriminals also evolves. Cyberattacks on Android smartphones in 2025 include SparkCat, SparkKitty and Triada, along with new variants camouflaged in adult content apps used to launch DDoS attacks or in a fake VPN application that intercepted access codes by SMS.
In the second quarter of 2025, cybercriminals refined their techniques, adding the ability to dynamically configure DDoS attacks from infected devices. This Trojan allows specific data to be sent from the compromised device to attackers at specified time intervals. Likewise, Kaspersky detected a fraudulent VPN app that hijacked accounts by intercepting one-time passwords sent by SMS, redirecting them to cybercriminals using a Telegram bot.
Most popular malicious apps in cyberattacks on Android smartphones
During the semester, the most common cyberattacks on Android smartphones were grouped into three broad categories: Fakemoney-type scams, banking Trojans and malware pre-installed on Android devices.
Fakemoney fraudulent apps seek to lure users with the promise of earning real money or rewards through tasks, games, or supposed investments. In reality, they steal personal data or money, or offer no benefits at all.
At another level, pre-installed Trojans such as Triada and Dwphon represent a persistent threat in cyberattacks on Android smartphones: they are embedded in the firmware of some Android devices during manufacturing, allowing them to execute unauthorized actions, steal information, and resist even after restoring the phone to factory settings.
Finally, mobile banking Trojans have experienced explosive growth: their number almost quadrupled compared to the first half of 2024 and was more than double compared to the second half of that same year. Impersonating legitimate banking or financial services applications, its main objective is to steal credentials and sensitive data from victims.
Europe and Spain as origins of cyber attacks
Although Europe is not among the regions with the most users affected by mobile malware, it does play a key role as a base of operations for cybercriminals. During the first half of 2025, the continent hosted a significant part of the infrastructure that makes cyberattacks on Android smartphones possible: the Netherlands concentrated no less than 33.9% of global malware command and control (C2) servers in the first half of 2025, which places it as the epicenter of criminal infrastructure in Europe. Spain also appears in the TOP 10, with 1.6% of the total.
Europe hosted a significant part of the infrastructure that makes cyberattacks on Android smartphones possible
“The first half of 2025 saw a large increase in cyberattacks on Android smartphones compared to 2024. There are different attack vectors, and the installation of apps from unofficial stores is one of them. Google’s recent initiative to verify developers even on applications installed through external APK files seeks to curb the spread of malware. However, this measure is not final. Malware continues even infiltrating Google Play, where developer verification has been in effect for years. It also comes to the Apple App Store. “Cybercriminals are likely to find ways to bypass verification, underscoring the need for users to combine strong security solutions, caution when installing applications, and regular operating system updates to stay ahead of evolving threats,” says Anton Kivva, head of the malware analyst team at Kaspersky.
