Android Malware Statistics 2026: Threat Landscape, iOS Comparison, and Detection Trends
Android malware attacks surged 29% in the first half of 2025, with over 14 million attacks blocked and 255,090 banking trojan packages detected across the full year. The platform now faces 34 active banking malware families targeting 1,243 financial institutions in 90 countries, 90 exploited zero-day vulnerabilities, and NFC relay attacks that combine contactless payment theft with automated bank transfers. Android accounts for the overwhelming majority of mobile malware volume, though iOS faces twice the phishing exposure rate. This article breaks down every major data point from the 2025-2026 threat landscape — growth rates, regional hotspots, detection gaps, and what it means for organizations building Android applications. For a comprehensive guide to mobile app security testing practices, see our Mobile App Security Testing in 2026 guide.
What You'll Learn
The latest Android malware statistics from Kaspersky, Zimperium, Google, and Lookout covering 2025 and early 2026
How Android malware threats compare to iOS across phishing, malware, and zero-day vectors
Which banking trojans, spyware families, and NFC relay attacks pose the greatest risk in 2026
What detection and prevention methods organizations should implement to protect Android app ecosystems
| Metric | Value | Source |
|---|---|---|
| Total Android attacks blocked in 2025 | 14,059,465 | Kaspersky Securelist, 2026 |
| Banking trojan packages detected in 2025 | 255,090 | Kaspersky Securelist, 2026 |
| Apps scanned daily by Google Play Protect | 350 billion | Google Security Blog, 2026 |
| Malicious sideloaded apps identified in 2025 | 27 million | Google Security Blog, 2026 |
| Financial institutions targeted by banking malware | 1,243 across 90 countries | Zimperium, 2026 |
| Zero-day vulnerabilities exploited in 2025 | 90 | The Record / Google GTIG, 2026 |
| Android vulnerabilities patched in March 2026 | 129 | CyberScoop, 2026 |
How Fast Is Android Malware Growing in 2025-2026?
The Android malware growth rate in 2025 accelerated significantly compared to prior years. According to Kaspersky's H1 2025 report, Android smartphone attacks increased 29% in the first half of 2025 versus H1 2024, and 48% compared to H2 2024. Banking trojan detections grew nearly four times compared to H1 2024 and more than two times compared to H2 2024, making financial malware the fastest-growing Android threat category.
Kaspersky's full-year 2025 mobile threat report documented 14,059,465 total Android malware and adware attacks blocked throughout the year, with 815,735 new malicious installation packages detected. While the total number of new malicious packages decreased by nearly one-third from 2024, this decline is attributed to deterrence effects rather than reduced attacker sophistication. The threat actors shifted toward higher-quality, more targeted payloads rather than mass-volume distribution.
Key Finding: "Banking Trojan packages surged to 255,090 in 2025, while Q3 2025 alone saw 47 million Android attacks blocked" -- Kaspersky Securelist, 2026 and Kaspersky Q3 2025
The quarterly trajectory reveals an accelerating trend. In Q1 2025, Kaspersky blocked 12,184,351 Android attacks and detected 180,405 malicious installation packages. By Q3 2025, the attack volume had exploded to 47 million blocked attacks with 197,738 malicious packages detected. This quarterly escalation suggests the annual 2026 figures will substantially exceed 2025 totals. Separately, a gHacks analysis found that Android malware increased approximately 67% year-over-year in the June 2024 to May 2025 period, corroborating the Kaspersky trend data.
Adware accounted for 62% of all Android malware detections in 2025 according to Kaspersky's full-year report, making it the most prevalent malware category by volume. Meanwhile, Malwarebytes reported that Android adware detections grew 90% in H2 2025 versus H1 2025, with non-adware malware detections also rising approximately 20% in the same period. The MobiDash adware family alone grew monthly detection volume by more than 100% between early and late 2025.
What Do the Latest Research Reports and Industry Data Reveal?
Multiple independent security research organizations published Android threat intelligence reports throughout 2025 and early 2026, creating a comprehensive picture of the mobile threat landscape. The convergence of findings across these reports strengthens confidence in the data.
Kaspersky Securelist published the most extensive full-year Android threat analysis in March 2026, covering all of 2025. The report identified Triada family variants (Triada.fe, Triada.gn, Triada.ii) as the dominant malware families in the overall rankings. In Q3 2025 specifically, Triada.ii led detection rates at 13.78% of affected users according to Kaspersky's Q3 report.
Zimperium's 2026 Banking Heist Report, published March 19, 2026, tracked 34 active Android banking malware families throughout 2025 targeting 1,243 financial institutions across 90 countries. The report found a 67% year-over-year increase in Android malware-driven financial transactions and a 50% year-over-year increase in the use of Trojans in attacks.
The Lookout Q3 2025 Mobile Threat Landscape Report, published March 2026, found that nearly 13% of enterprise mobile devices encountered phishing or malicious content each quarter. Over 71,000 malicious apps were detected on enterprise devices in Q3 2025 alone. Lookout concluded that "mobile phishing and identity-centric attacks are no longer seasonal, opportunistic, or peripheral, and have become a predictable and reliable entry point for attackers."
Google's own security blog, published February 2026, reported that 1.75 million policy-violating apps were prevented from publication on Google Play in 2025, with 80,000 bad developer accounts banned. Google also revealed that 255,000 apps were prevented from obtaining excessive access to sensitive user data, and 160 million spam ratings and reviews were blocked.
What Are the Most Common Android Malware Types in 2026?
Android malware in 2025-2026 spans multiple categories, each with distinct infection mechanisms and objectives. Understanding these malware types is essential for organizations developing mobile application testing strategies.
Banking Trojans represent the fastest-growing category. Kaspersky detected 255,090 banking trojan installation packages in 2025 according to the Securelist full-year report. The Mamont banking trojan family dominated, accounting for 49.8% of all banking trojan installation packages in the full year and 61.85% in Q3 2025 according to the Q3 report. The Creduz family accounted for 22.5% of banking trojan packages. New banker trojan families emerging in 2025 include Vultur, DroidBot, Errorfather, and BlankBot per Zimperium. TsarBot, CopyBara, and Hook collectively target over 60% of analyzed global banking and fintech applications.
Trojan Droppers are the delivery mechanism for banking and data-stealing malware. In Q1 2025, Trojans represented 39.56% of all detected Android threats, with banking trojans at 27.31% and spy trojans at 24.49% according to Kaspersky Q1 data. The Mamont.db variant surged from 0.41% market share in Q4 2024 to 38.07% in Q1 2025, illustrating how quickly new trojan variants can dominate the landscape.
Adware and PUPs remain the highest-volume category, with Kaspersky attributing 62% of all Android detections to adware. Malwarebytes reported that PUP detections increased roughly two-thirds in H2 2025 versus H1 2025, indicating the adware ecosystem continues expanding.
Ransomware trojans continue to target Android devices. Kaspersky detected 1,520 mobile ransomware trojan samples in Q1 2025 and 1,564 in Q3 2025. The Rkor ransomware family surged particularly in Germany, with Rkor.ii growing from 7.23% to 24.42% quarter-over-quarter in Q3 2025, affecting 76.90% of attacked German users according to the Q3 report. Zimperium found that nearly 50% of analyzed banking malware families now possess ransomware or financial extortion capabilities.
Organizations in the BFSI sector face particularly acute exposure to banking trojans and overlay attacks. Vervali's experience with financial services platforms, including Motilal Oswal's award-winning investment platform, provides deep domain knowledge of the security requirements for banking and fintech applications operating in high-threat environments.
Watch Out: Banking trojans like Mamont, Hook, and Anatsa no longer just steal credentials. They now combine overlay attacks, keylogging, device takeover fraud, and NFC relay capabilities in a single payload. Testing your banking app only against credential theft scenarios leaves critical attack vectors unexamined.
How Do Android and iOS Malware Threats Compare?
The Android versus iOS malware comparison reveals a nuanced threat landscape where each platform faces distinct attack profiles rather than a simple "one is safer" narrative.
Android dominates in malware volume due to its open architecture and sideloading capabilities. According to Google's 2026 security blog, Google Play Protect identified 27 million malicious sideloaded apps in 2025, up from 13 million in 2024. Sideloaded sources contain 50 times more malware than Google Play per gHacks reporting on Google's data. Android's permission model, while improved in recent versions, still allows malware to exploit accessibility services for overlay attacks and device takeover.
iOS devices face a different threat profile centered on phishing. According to Lookout's annual threat landscape report, 26% of iOS devices were targeted with phishing attacks versus 12% of Android devices in 2024. The Lookout Q3 2025 report confirmed this pattern, recording an iOS phishing encounter rate of 16.07%. Lookout observed that threat actors deliberately target iOS users with phishing pages and Android users with malware in the same campaigns, reflecting the structural differences between platforms.
| Threat Vector | Android | iOS |
|---|---|---|
| Malware volume | Dominant target (14M+ attacks blocked in 2025) | Minimal native malware due to App Store controls |
| Phishing exposure | 12% encounter rate (2024) | 26% encounter rate (2024) -- 2x higher |
| Sideloading risk | 27 million malicious sideloaded apps identified | Restricted sideloading (EU DMA changes emerging) |
| Zero-day exploits | Primary target for mobile zero-days (15 in 2025) | Targeted by commercial spyware vendors |
| Banking trojans | 255,090 packages detected in 2025 | Minimal -- attackers use phishing instead |
| Enterprise malware apps | 71,000+ detected in Q3 2025 | Focus on credential theft, not malware |
The comparison demonstrates that comprehensive security testing and VAPT services must account for platform-specific threat profiles rather than applying identical test strategies across Android and iOS.
How Are Banking Trojans and SMS Malware Targeting Financial Services?
Banking trojans represent the most financially damaging category of Android malware in 2025-2026. According to Zimperium's 2026 Banking Heist Report, malware-driven fraudulent financial transactions increased 67% year-over-year in 2025. The report tracked 34 active banking malware families targeting 1,243 financial institutions across 90 countries. In the United States alone, 162 banking applications were under active targeting, up from 109 in 2023.
The Anatsa banking trojan demonstrated how effectively malware bypasses Google Play review processes. According to The Hacker News, a fake "Document Viewer - File Reader" app carrying Anatsa accumulated 90,000 downloads on Google Play before removal. The app was first published May 7, 2025, and reached the number 4 position in the "Top Free - Tools" category on June 29, 2025, before activating its malicious payload approximately six weeks after publication. The campaign targeted North American banking users using credential theft via overlay attacks and keylogging, combined with Device-Takeover Fraud for executing fraudulent transactions.
The ToxicPanda banking trojan expanded from Southeast Asian targets to European financial institutions in 2025. According to Bitsight TRACE, ToxicPanda peaked at 4,500 infected devices across Europe, with approximately 3,000 compromised devices in Portugal and approximately 1,000 in Spain. Portugal and Spain represented over 85% of all global ToxicPanda infections. Samsung, Xiaomi, and Oppo devices accounted for the majority of infections, reflecting the prevalence of these manufacturers in targeted markets.
Regional targeting is a defining characteristic of 2025 Android banking malware. According to Kaspersky reports, Turkey experienced concentrated Coper banking trojan activity affecting 96.35% of attacked users in Q3 2025. India faced unique threats from Rewardsteal trojans posing as reward and loyalty apps, with 88-94% prevalence among attacked Indian users. Brazil was targeted by the Pylcasa trojan, which infiltrated Google Play disguised as calculator apps with 88.25% prevalence among attacked Brazilian users.
Pro Tip: If your organization develops banking or fintech applications for Android, test specifically against overlay attack scenarios, accessibility service abuse, and keylogging capabilities. These are the primary techniques used by Mamont, Hook, Anatsa, and ToxicPanda. Frida instrumentation can simulate these attacks during security testing to identify app-layer weaknesses before attackers exploit them.
For organizations in the financial services sector, understanding these specific attack vectors is critical. Review our guide to security compliance requirements for mobile apps covering HIPAA, PCI-DSS, and SOC 2 frameworks that govern mobile banking app security.
What Role Do Spyware and Zero-Day Exploits Play in the Android Threat Landscape?
Commercial surveillance vendors overtook traditional nation-state actors in zero-day exploitation for the first time in 2025. According to The Record's coverage of Google's Threat Intelligence Group findings, 90 zero-day vulnerabilities were exploited in 2025, up from 78 in 2024. Of the 42 zero-days directly attributed by GTIG, 18 were used by commercial surveillance vendors such as Intellexa. Mobile devices were the primary target, with 15 mobile device zero-days in 2025, up from 9 in 2024.
The March 2026 Android security bulletin underscored the vulnerability exposure facing Android devices. According to CyberScoop, Google patched 129 Android vulnerabilities in a single month, the highest count since April 2018. Among them, CVE-2026-21385 is an actively exploited zero-day in Qualcomm's display component, a memory-corruption flaw affecting 234 Qualcomm chipsets. The vulnerability was reported by Google to Qualcomm on December 18, 2025, but Qualcomm did not notify customers until February 2, 2026, creating a roughly 10-week exposure window.
The vulnerability patch cycle creates a structural security gap for Android devices. Google releases monthly security bulletins, but device manufacturers must then create device-specific builds. This process introduces delays that leave devices exposed to known vulnerabilities. The March 2026 patch alone included 63 framework and system vulnerabilities plus 66 kernel and chipset-level vulnerabilities from Arm, Imagination Technologies, Unisoc, and Qualcomm.
Spy trojans accounted for 24.49% of all Android threat categories in Q1 2025 according to Kaspersky's Q1 report. This makes spyware the third-largest category behind trojans and banking trojans. The convergence of commercial spyware vendors and traditional malware families means that surveillance-grade capabilities are increasingly available to lower-tier threat actors through Malware-as-a-Service platforms.
Organizations deploying Android devices for enterprise use should consider Vervali's penetration testing services to assess exposure to zero-day exploitation and spyware vectors, particularly in regulated industries where data exfiltration carries compliance consequences.
How Do Third-Party App Stores and Sideloading Drive Android Infections?
Third-party app stores and sideloading remain the dominant infection vectors for Android malware. According to Google's 2026 security blog, Google Play Protect identified 27 million new malicious sideloaded apps through real-time scanning in 2025, more than doubling the 13 million identified in 2024. The system blocked 266 million risky installation attempts and neutralized 872,000 unique high-risk applications.
Even Google Play itself is not immune. Between June 2024 and May 2025, 239 malicious apps were identified on the Google Play Store with over 42 million combined downloads. Sideloaded sources contain 50 times more malware than Google Play per Google's own data cited in the same analysis. These figures highlight that while Google Play review processes catch the majority of malicious submissions (1.75 million apps blocked in 2025), sophisticated threat actors continue finding ways through.
Supply chain compromise represents an emerging category of Android infection. According to The Hacker News reporting on Kaspersky research, the Triada malware was found preloaded on counterfeit versions of popular smartphone brands sold online at discounted prices. Between March 13 and April 25, 2025, over 4,500 devices worldwide were confirmed infected. The malware authors stole approximately $270,000 in cryptocurrencies between June 2024 and March 2025. Kaspersky researcher Dmitry Kalinin noted: "Probably, at one of the stages, the supply chain is compromised, so stores may not even suspect that they are selling smartphones with Triada."
Key Finding: "Google Play Protect identified 27 million malicious sideloaded apps in 2025, up from 13 million in 2024, and blocked 266 million risky installation attempts" -- Google Security Blog, 2026
The Keenadu backdoor, identified in Kaspersky's full-year 2025 report, represents a particularly dangerous variant: malware injected directly into device firmware during the manufacturing process. This supply chain attack vector bypasses all app-level security controls, including Google Play Protect, and persists even after factory reset. Organizations with BYOD policies face heightened risk from devices purchased through unofficial channels.
How Effective Is Google Play Protect at Detecting Android Malware?
Google Play Protect is the default security layer for the Android ecosystem, and Google has significantly scaled its capabilities. According to Google's 2026 security blog, Play Protect scans 350 billion apps daily, up from 200 billion in 2024. The system's enhanced fraud protection now covers 2.8 billion Android devices across 185 markets. Google integrated generative AI models into app review processes in 2025 to detect complex malicious patterns.
Despite these improvements, Google Play Protect has documented detection gaps. The system prevented 1.75 million policy-violating apps from publication in 2025, down from 2.36 million in 2024. While this reduction could indicate fewer submission attempts, the simultaneous discovery of 239 malicious apps with 42 million downloads on the store demonstrates that significant threats continue evading detection.
| Google Play Protect Metric | 2024 | 2025 | Change |
|---|---|---|---|
| Apps scanned daily | 200 billion | 350 billion | +75% |
| Policy-violating apps blocked | 2.36 million | 1.75 million | -26% |
| Malicious sideloaded apps identified | 13 million | 27 million | +108% |
| Markets covered by fraud protection | Not reported | 185 | -- |
| Devices protected | Not reported | 2.8 billion | -- |
| Bad developer accounts banned | Not reported | 80,000 | -- |
The detection time lag is particularly concerning for banking trojans. The Anatsa campaign documented by The Hacker News showed that a malicious app reached 90,000 downloads and climbed to number 4 in the Tools category before its malicious payload was activated approximately six weeks after publication. This delayed activation strategy is specifically designed to bypass Play Protect's initial review and behavioral analysis windows.
Anton Kivva, Malware Analyst Team Lead at Kaspersky, assessed the situation directly: "Attackers will likely find ways to bypass verification, underscoring the need for users to combine robust security solutions, cautious app sourcing and regular OS updates." This quote, confirmed in both the Kaspersky press release and the Securelist full-year report, encapsulates the industry consensus: Play Protect is a necessary but insufficient layer of mobile security.
How Are NFC Relay Attacks and Emerging Vectors Reshaping Android Threats?
NFC relay attacks emerged as one of the most technically sophisticated Android attack vectors in 2025. ESET Research first documented the NGate malware, which introduced a novel NFC relay technique not previously seen in Android malware. Built on the NFCGate tool from the Technical University of Darmstadt, NGate can relay EMV APDUs and PIN codes to an attacker-controlled device, enabling ATM cash withdrawals from the victim's account. ESET Research reported a dramatic increase in NFC relay attack activity in H1 2025 compared to H2 2024.
The RatOn malware, documented by The Hacker News and ThreatFabric, represents the evolution of NFC relay attacks into a comprehensive banking fraud toolkit. First detected July 5, 2025, RatOn combines NFC relay attacks with full Automated Transfer System capabilities. The malware can automatically initiate bank transfers by navigating UI elements with stolen PINs. RatOn also deploys ransomware-style overlay screens demanding $200 in cryptocurrency. ThreatFabric noted it was built from scratch with no code similarities to other known Android banking malware, marking it as a next-generation threat.
| NFC Relay Malware | First Detected | Key Capability | Primary Targets |
|---|---|---|---|
| NGate | 2024 | NFC traffic relay for ATM withdrawals | Czech banking users |
| RatOn | July 2025 | NFC relay + ATS + ransomware | Czech and Slovak banking |
| Ghost Tap | 2025 | Scaled NFC relay deployment | Global |
NFC-enabled payment applications represent a growing attack surface for financial services organizations. Vervali's wireless security testing capabilities include NFC and Bluetooth-based attack surface assessment, enabling identification of relay attack vulnerabilities in HCE payment flows before deployment.
Malwarebytes characterized the shift in their 2025 Android threat analysis: "2025 is when one-off scams were replaced on the score charts by coordinated, well-structured, attack frameworks." This evolution from opportunistic to industrial-scale Android threats affects every organization with a mobile footprint.
What Does Android Malware Prevalence Look Like in Developing Markets?
India has become a primary global target for Android malware, driven by rapid smartphone adoption and expanding digital payment infrastructure. According to Kaspersky's H1 2025 report, India faces concentrated attacks from trojan droppers targeting financial and data-stealing malware disguised as reward and loyalty apps. The Kaspersky Q1 2025 mobile statistics documented Rewardsteal and UdangaSteal banking families as dominant threats in the Indian market, with UdangaSteal originally spreading from Indonesia before targeting Indian users.
The Kaspersky Q3 2025 report confirmed the sustained India targeting, with Trojan-Dropper.AndroidOS.Agent.uq affecting 92.20% of attacked users in the country. The full-year 2025 report showed this trojan dropper reaching 94.71% prevalence among attacked Indian users, indicating that a single malware family dominates the India threat landscape.
Regional threat specialization extends beyond India. Turkey experienced concentrated Coper banking trojan activity affecting 96.35% of attacked users in Q3 2025. Germany faced notable ransomware pressure from Rkor variants, with Rkor.ii affecting 76.90% of attacked German users. Brazil was targeted by the Pylcasa trojan dropper, with campaigns infiltrating Google Play disguised as calculator apps. Uzbekistan saw fake job search apps collecting personal data through Fakeapp.hy and Piom.bkzj variants.
The developing market malware landscape presents unique challenges for enterprises deploying Android applications in these regions. The combination of device fragmentation, delayed security patch adoption, and reliance on third-party app stores creates compounding risk factors that demand region-specific security testing strategies.
How Should Organizations Detect and Prevent Android Malware?
Effective Android malware detection requires a layered approach combining static analysis, dynamic analysis, and runtime behavior monitoring. The tooling ecosystem for Android security assessment has matured significantly, with frameworks that address the full spectrum of malware detection from pre-deployment scanning to production monitoring.
Static Analysis involves examining APK binaries without executing them. Tools like MobSF (Mobile Security Framework), at version 4.4.6 as of March 2026, provide automated static analysis of APK files, including detection of hardcoded credentials, insecure data storage, weak cryptography, dangerous permissions, exported components, and SSL/TLS misconfigurations. MobSF, with over 20,700 GitHub stars and featured at Black Hat Arsenal, supports REST API and CLI integration into DevSecOps and CI/CD pipelines.
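To make the "dangerous permissions" and "exported components" checks concrete, the following added example (not MobSF's code or rule set, and not from the reports cited here) triages a decoded AndroidManifest.xml for the capability combinations this article associates with banking trojans. The rule table, finding names, risk thresholds and the sample manifest are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # namespace of android: attributes
P = "android.permission."

# Constructed sample: decoded manifest of a hypothetical app (not a real sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sampleapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".HelperService" android:exported="true"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".CardService" android:exported="true"
             android:permission="android.permission.BIND_NFC_SERVICE">
      <intent-filter>
        <action android:name="android.nfc.cardemulation.action.HOST_APDU_SERVICE"/>
      </intent-filter>
    </service>
    <receiver android:name=".SmsReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <provider android:name=".FilesProvider" android:exported="false"
              android:authorities="com.example.sampleapp.files"/>
  </application>
</manifest>"""

# Illustrative rules (assumption): requested permission -> (finding id, reason).
PERMISSION_RULES = {
    P + "SYSTEM_ALERT_WINDOW": ("OVERLAY", "can draw over other apps (overlay attacks)"),
    P + "REQUEST_INSTALL_PACKAGES": ("INSTALLER", "can install further packages (dropper behaviour)"),
    P + "RECEIVE_SMS": ("SMS", "can read incoming SMS (one-time passwords)"),
    P + "READ_SMS": ("SMS", "can read stored SMS (one-time passwords)"),
}
# Illustrative rules (assumption): android:permission on a <service> -> finding.
SERVICE_RULES = {
    P + "BIND_ACCESSIBILITY_SERVICE": ("ACCESSIBILITY", "accessibility service (UI reading, input automation)"),
    P + "BIND_NFC_SERVICE": ("HCE", "card emulation service (NFC payment flow)"),
}

def is_exported(component):
    """Explicit android:exported wins; otherwise an intent-filter implies exported
    (the pre-Android 12 default, so older builds are still judged correctly)."""
    flag = component.get(A + "exported")
    if flag is not None:
        return flag == "true"
    return component.find("intent-filter") is not None

def is_launcher(component):
    cats = {c.get(A + "name") for c in component.iter("category")}
    return "android.intent.category.LAUNCHER" in cats

def triage_manifest(xml_text):
    """Return a sorted list of (finding_id, subject, reason) tuples."""
    # For untrusted APKs, parse with a hardened XML parser such as defusedxml.
    root = ET.fromstring(xml_text)
    findings = []
    for perm in root.iter("uses-permission"):
        rule = PERMISSION_RULES.get(perm.get(A + "name"))
        if rule:
            findings.append((rule[0], perm.get(A + "name"), rule[1]))
    app = root.find("application")
    for tag in ("activity", "service", "receiver", "provider"):
        for comp in (app.findall(tag) if app is not None else []):
            name, guard = comp.get(A + "name", "?"), comp.get(A + "permission")
            if tag == "service" and guard in SERVICE_RULES:
                findings.append((SERVICE_RULES[guard][0], name, SERVICE_RULES[guard][1]))
            # Exported without a guarding permission: any app on the device can reach it.
            if is_exported(comp) and guard is None and not is_launcher(comp):
                findings.append(("EXPORTED_UNPROTECTED", name,
                                 "exported %s with no android:permission" % tag))
    return sorted(findings)

def risk_level(findings):
    """Accessibility combined with overlay, SMS or installer capability is rated high."""
    ids = {f[0] for f in findings}
    if "ACCESSIBILITY" in ids and ids & {"OVERLAY", "SMS", "INSTALLER"}:
        return "high"
    return "medium" if ids else "low"

if __name__ == "__main__":
    results = triage_manifest(SAMPLE_MANIFEST)
    for fid, subject, reason in results:
        print("%-21s %-45s %s" % (fid, subject, reason))
    print("risk:", risk_level(results))
```

A manifest-only check like this cannot see payloads fetched after install, which is why the dynamic analysis layer described next is still needed.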
Dynamic Analysis monitors application behavior at runtime. This approach is critical for detecting malware that uses delayed payload activation, polymorphic code, or environment-aware execution. Dynamic analysis tools monitor network traffic, system calls, file system modifications, and inter-process communication during app execution. MobSF also supports dynamic analysis for runtime behavior monitoring and network traffic analysis.
Runtime Instrumentation using tools like Frida enables deep inspection of Android application behavior. Frida can bypass SSL pinning, test root detection implementations, and instrument application memory to detect overlay attacks, keylogging, and accessibility service abuse. This is particularly valuable for testing banking and fintech applications against the trojan techniques documented throughout this article.
Vervali's mobile security testing practice combines static and dynamic code analysis with testing against the OWASP Mobile Top 10, CWE/SANS, and NIST guidelines. The approach covers insecure data storage, broken authentication, weak encryption, insecure APIs, reverse engineering threats, and malicious code injections across native, hybrid, and cross-platform applications built with Swift, Kotlin, React Native, and Flutter.
Vervali's hybrid-skilled engineers bridge the gap between QA automation and security instrumentation. The team combines Appium for cross-platform mobile automation, MobSF for static and dynamic APK analysis, and Frida for runtime instrumentation, delivering security testing capabilities that require both QA automation and security expertise simultaneously. This hybrid talent approach has contributed to Vervali's track record of 85% defect reduction and 3.5x faster go-to-market across 100+ device and OS combinations tested. For deeper coverage on how malware exploits insecure APIs, see our guide to API security testing.
How Do Enterprise MDM Policies and Android Compliance Address Lateral Movement?
Enterprise Android security extends beyond individual app testing to encompass device management, compliance frameworks, and lateral movement prevention. The Lookout Q3 2025 report documented over 1.2 million enterprise-focused phishing and malicious web attacks in a single quarter, with nearly 13% of enterprise mobile devices encountering phishing or malicious content each quarter.
The lateral movement risk from infected Android devices to enterprise networks is a growing concern for security teams. Android devices connected to corporate Wi-Fi, VPNs, and cloud services create potential pivot points for attackers. Banking trojans like Hook and RatOn include remote access capabilities that can be repurposed for enterprise espionage. The convergence of personal device malware and enterprise network access in BYOD environments creates attack paths that traditional perimeter security cannot address.
MDM solutions provide policy enforcement for managed devices, including sideloading restrictions, app allowlisting, and patch level enforcement. However, MDM alone cannot detect advanced mobile threats operating at the application layer. The Kaspersky H1 2025 data documented DDoS-capable apps disguised as VPN clients intercepting one-time passwords via Telegram, a threat that operates within the boundaries of standard app permissions and evades MDM behavioral rules.
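The three MDM controls named above (sideloading restrictions, app allowlisting, patch level enforcement) can be audited from a device inventory export. This is an added example, not code from any MDM product or from the reports cited here. The field names, policy values, package names and inventory rows are constructed assumptions; the one real identifier is `com.android.vending`, the Google Play package name.

```python
from datetime import date

ASSESSMENT_DATE = date(2026, 3, 20)  # constructed "today" so results are reproducible

# Hypothetical policy values; set them to match your own standard.
POLICY = {
    "max_patch_age_days": 90,
    "allow_unknown_sources": False,
    "trusted_installers": {"com.android.vending"},  # Google Play
    "app_allowlist": {"com.example.mail", "com.example.vpn", "com.example.bank"},
}

# Constructed inventory rows shaped like a generic MDM export (field names are assumptions).
INVENTORY = [
    {"device_id": "dev-001", "security_patch": "2026-03-01", "unknown_sources": False,
     "apps": [{"package": "com.example.mail", "installer": "com.android.vending"}]},
    {"device_id": "dev-002", "security_patch": "2025-09-05", "unknown_sources": True,
     "apps": [{"package": "com.example.vpn", "installer": None},
              {"package": "com.example.rewards", "installer": "com.android.vending"}]},
    {"device_id": "dev-003", "security_patch": "unknown", "unknown_sources": False,
     "apps": []},
]

def patch_age_days(patch_level, today):
    """Days since the reported security patch level (YYYY-MM-DD), or None if unparseable."""
    try:
        return (today - date.fromisoformat(patch_level)).days
    except (TypeError, ValueError):
        return None

def evaluate_device(device, policy, today):
    """Return the list of policy violations for one inventory row."""
    violations = []
    age = patch_age_days(device.get("security_patch"), today)
    if age is None:
        violations.append("PATCH_UNKNOWN")  # fail closed: no data is not compliance
    elif age > policy["max_patch_age_days"]:
        violations.append("PATCH_STALE:%dd" % age)
    if device.get("unknown_sources") and not policy["allow_unknown_sources"]:
        violations.append("SIDELOADING_ENABLED")
    for app in device.get("apps", []):
        pkg = app["package"]
        if pkg not in policy["app_allowlist"]:
            violations.append("APP_NOT_ALLOWLISTED:" + pkg)
        # An allowlisted package name installed from an untrusted source is still
        # flagged: the name alone does not prove the binary is the approved one.
        if app.get("installer") not in policy["trusted_installers"]:
            violations.append("SIDELOADED_APP:" + pkg)
    return violations

def evaluate_fleet(inventory, policy, today):
    """Map device_id -> list of violations (empty list means compliant)."""
    return {d["device_id"]: evaluate_device(d, policy, today) for d in inventory}

if __name__ == "__main__":
    for device_id, violations in evaluate_fleet(INVENTORY, POLICY, ASSESSMENT_DATE).items():
        print(device_id, "OK" if not violations else ", ".join(violations))
```

A compliant row here only confirms device posture; it says nothing about what an allowlisted, Play-installed app does at runtime.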
Organizations should layer MDM with Mobile Threat Defense solutions and regular penetration testing that includes lateral movement scenarios from infected mobile endpoints. Vervali's VAPT services can assess enterprise MDM configurations for sideloading policy enforcement gaps, identify unmanaged device risks, and test lateral movement paths from compromised Android devices to corporate network segments. Vervali's security testing practice has demonstrated results including 70% reduced audit preparation time, 90% reduction in cloud data exposure risks, and 80% improved API breach detection rates.
TL;DR:
Android malware attacks surged 29% in H1 2025, with 14 million attacks blocked for the full year
Banking trojans grew to 255,090 packages, targeting 1,243 financial institutions across 90 countries
Google Play Protect scans 350 billion apps daily but 239 malicious apps with 42 million downloads still bypassed it
NFC relay attacks and supply chain firmware compromises represent emerging high-impact vectors
90 zero-days were exploited in 2025, with commercial spyware vendors surpassing nation-state actors in attribution
India, Turkey, Brazil, and Germany face region-specific Android malware families at 76-96% prevalence rates
Layered defense combining static analysis, dynamic testing, runtime instrumentation, and MDM is the recommended approach
Ready to Strengthen Your Android App Security?
Vervali's mobile security testing team combines battle-tested frameworks with hybrid-skilled engineers who deliver QA automation and security instrumentation in a single engagement. With experience across BFSI, healthcare, and e-commerce verticals, Vervali's Appium + MobSF + Frida testing stack identifies the exact malware attack vectors documented in this article -- overlay attacks, keylogging, NFC relay vulnerabilities, and insecure API exposure. Explore our mobile application testing services or schedule a security testing consultation to discuss your Android app security challenges.
Sources
Kaspersky Securelist (2026). "The Mobile Threat Landscape in 2025." https://securelist.com/mobile-threat-report-2025/119076/
Kaspersky Securelist (2025). "IT Threat Evolution in Q1 2025: Mobile Statistics." https://securelist.com/malware-report-q1-2025-mobile-statistics/116676/
Kaspersky Securelist (2025). "IT Threat Evolution in Q3 2025: Mobile Statistics." https://securelist.com/malware-report-q3-2025-mobile-statistics/118013/
Google Security Blog (2026). "Keeping Google Play and Android App Ecosystems Safe in 2025." https://security.googleblog.com/2026/02/keeping-google-play-android-app-ecosystem-safe-2025.html
Zimperium (2026). "New Zimperium Report Finds Banking Malware Expands Global Reach, Targeting 1,200+ Financial Apps." https://zimperium.com/resources/new-zimperium-report-finds-banking-malware-expands-global-reach-targeting-1200-financial-apps
Zimperium / PR Newswire (2026). "Banking Malware Expands Global Reach." https://www.prnewswire.com/news-releases/new-zimperium-report-finds-banking-malware-expands-global-reach-targeting-1-200-financial-apps-302718279.html
Kaspersky (2025). "Attacks on Smartphones Increased in the First Half of 2025." https://www.kaspersky.com/about/press-releases/kaspersky-report-attacks-on-smartphones-increased-in-the-first-half-of-2025
Lookout (2026). "Q3 2025 Mobile Threat Landscape Report." https://www.lookout.com/threat-intelligence/report/2025-q3-mobile-threat-landscape-report
Lookout / Business Wire (2025). "iOS Devices Are Exposed to Twice as Many Phishing Attacks Compared to Android." https://www.businesswire.com/news/home/20250409443739/en/Lookouts-Annual-Threat-Landscape-Report-Reveals-iOS-Devices-Are-Exposed-to-Twice-as-Many-Phishing-Attacks-Compared-to-Android
The Hacker News (2025). "Anatsa Android Banking Trojan Hits 90,000 Users with Fake PDF App on Google Play." https://thehackernews.com/2025/07/anatsa-android-banking-trojan-hits.html
Bitsight TRACE (2025). "ToxicPanda: The Android Banking Trojan Targeting Europe." https://www.bitsight.com/blog/toxicpanda-android-banking-malware-2025-study
The Hacker News / ThreatFabric (2025). "RatOn Android Malware Detected With NFC Relay and ATS Banking Fraud Capabilities." https://thehackernews.com/2025/09/raton-android-malware-detected-with-nfc.html
ESET Research (2024). "NGate Android Malware Relays NFC Traffic to Steal Cash." https://www.welivesecurity.com/en/eset-research/ngate-android-malware-relays-nfc-traffic-to-steal-cash/
The Record / Google GTIG (2026). "Google Says 90 Zero-Days Exploited in 2025." https://therecord.media/google-says-90-zero-days-exploited-apt-spyware-vendors
CyberScoop (2026). "Google Addresses Actively Exploited Qualcomm Zero-Day in 129 Android Vulnerabilities." https://cyberscoop.com/android-security-update-march-2026/
The Hacker News / Kaspersky (2025). "Triada Malware Preloaded on Counterfeit Android Phones Infects 2,600+ Devices." https://thehackernews.com/2025/04/triada-malware-preloaded-on-counterfeit.html
gHacks Tech News (2025). "Google Play Store Hosted 239 Malicious Apps Downloaded 42 Million Times." https://www.ghacks.net/2025/11/07/google-play-store-hosted-239-malicious-apps-that-were-downloaded-40-million-times/
Malwarebytes (2025). "New Android Malware Lets Criminals Control Your Phone and Drain Your Bank Account." https://www.malwarebytes.com/blog/news/2025/12/new-android-malware-lets-criminals-control-your-phone-and-drain-your-bank-account
MobSF Project (2026). "Mobile Security Framework - GitHub Repository." https://github.com/MobSF/Mobile-Security-Framework-MobSF