The Most Common Android Malware in Russia is Named the Mamont Banker

Kaspersky Lab has identified the Mamont banking Trojan as the most common malware targeting Russian Android users in 2025. From January to August, Mamont ranked as the top mobile threat, according to data presented at the Kaspersky CyberSecurity Weekend 2025 conference in Minsk.

Explosive Growth

Researchers reported that the number of users attacked by Mamont has grown 36-fold compared to the same period in 2024. Nearly one million people have already been targeted this year.

Mamont primarily requests access to SMS messages and push notifications on infected devices, enabling attackers to steal funds through SMS banking. Some variants are also capable of intercepting one-time codes used for messenger account takeovers.

“The number of users attacked by this Trojan in 2025, according to our data, is already approaching one million. There are many ways Mamont is distributed. Among the most popular methods are mass messages in messengers disguised as photos or videos. Importantly, the file names contain ‘.apk,’ which means the user is being sent an installation package—not an actual image or video. We have also seen cases where the malware posed as a remote work application, an order-tracking tool, or even educational content,” said Dmitry Kalinin, cybersecurity expert at Kaspersky Lab.
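The disguise described above, an installation package sent under a photo or video name, can be checked on the receiving side from the file name and the file's own contents. The following Python check is an added example, not code from Kaspersky or from the original article; the media-name pattern, the verdict names and the sample files are assumptions constructed for illustration.

```python
import io
import re
import zipfile

# Media-sounding tokens in the name: assumed lure heuristics, not a Kaspersky rule set.
MEDIA_HINT = re.compile(r"(photo|foto|video|img|pic|\.(jpe?g|png|gif|mp4|mov))", re.I)

def looks_like_apk(data: bytes) -> bool:
    """True when the bytes are a ZIP archive carrying the entries every APK has."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return False
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
    return "AndroidManifest.xml" in names and any(n.endswith(".dex") for n in names)

def classify_attachment(filename: str, data: bytes) -> str:
    """Return 'block', 'warn' or 'allow' for a messenger attachment."""
    is_apk_name = filename.lower().rstrip(". ").endswith(".apk")
    is_apk_body = looks_like_apk(data)
    if is_apk_body and not is_apk_name:
        return "block"   # installer hidden behind a non-APK name
    if (is_apk_name or is_apk_body) and MEDIA_HINT.search(filename):
        return "block"   # installer presented as a photo or video
    if is_apk_name or is_apk_body:
        return "warn"    # plain installer: still not an image or a video
    return "allow"

def _fake_apk() -> bytes:
    """Constructed sample: a minimal ZIP with APK-like entry names, no real code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"constructed")
        zf.writestr("classes.dex", b"constructed")
    return buf.getvalue()

if __name__ == "__main__":
    apk = _fake_apk()
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 32   # constructed JPEG-like header
    for name, body in [("Photo_2025.jpg.apk", apk), ("video.mp4", apk),
                       ("tracker.apk", apk), ("holiday.jpg", jpeg)]:
        print(f"{name:22} -> {classify_attachment(name, body)}")
```

Checking the archive contents as well as the name catches an installer that has been renamed to drop the ".apk" suffix, which a name-only filter would pass.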

Other Threats on the Rise

Alongside Mamont, Kaspersky highlighted Triada, a powerful backdoor with wide-ranging capabilities that grant attackers near-total control of infected devices.

Some variants of Triada have been discovered pre-installed in the firmware of counterfeit Android devices designed to mimic popular smartphone models.

“Besides Mamont, we see significant activity from other malicious programs. Among them is Triada. The number of users attacked by this malware in Russia in 2025 has increased fivefold compared to 2024, reaching hundreds of thousands. This spike is partly due to a new Triada version that can steal messenger and social media accounts, spoof numbers during calls, control SMS, monitor browser activity, and stealthily send or delete messages in messengers to cover its tracks,” said Dmitry Galov, Head of Kaspersky GReAT in Russia.

Outlook

With Mamont and Triada both showing massive growth in activity, researchers warn that Android users in Russia face an expanding mobile threat landscape, where even new devices may come preloaded with malicious software.