Kaspersky warns of a resurgence of backdoors preinstalled in firmware on new Android devices, including Keenadu and multiple variants of Triada. Kaspersky’s solutions blocked a total of 14,059,465 mobile attacks during 2025, an average of 1.17 million per month.
The data comes from the Kaspersky Security Network (KSN), a global threat intelligence network that collects anonymized information from users. Kaspersky notes that its statistical methodology was updated in Q3 2025, which may make current figures not directly comparable with earlier publications—except for statistics on installation packages, which are still calculated using the original method. Marketing materials from the vendor may therefore report different progress figures than those in the primary report.
The primary purpose of mobile banking trojans is to steal credentials: logins for online banking services, electronic payment systems and credit card data. Although adware remains the most common threat by volume—accounting for 62% of all detections in 2025—banking trojans and spyware experienced the most significant growth. For IT leaders managing fleets of mobile devices in enterprise environments, the combination of a rising number of variants and expanded distribution vectors measurably increases the attack surface.
Mamont dominates the rankings, Coper shows strong gains
The Mamont and Creduz families account for the majority of volume: Mamont represents 49.8% of newly discovered banking trojan packages and Creduz 22.5%. In the ranking of banking attacks, Mamont variants occupy six of the top ten positions, with dramatic year-over-year increases for the .da (+14.79 percentage points) and .db (+13.29 points) variants. Coper.c also recorded notable growth, rising from 7.19% to 9.65% of attacked users, and appears in regional data as the dominant strain in Turkey—distributed via the Hqwar dropper.
The rise to 255,090 unique detected banking installation packages confirms a distribution strategy based on producing many variants. Generating a large volume of distinct APKs allows cybercriminals to overwhelm signature-based detection engines and extend the exposure window before neutralization. Anton Kivva, head of the malware analysis team at Kaspersky, draws a direct economic conclusion: “Given the increase in unique malicious packages, we can infer that these attacks generate significant profits for cybercriminals.”
Regional data also shows that strains adapt to local contexts. In India, Rewardsteal variants dominate with over 90% geographical concentration, targeting payment data under the guise of fake rewards programs. In Germany, a proxy trojan was hidden inside an app impersonating a national supermarket chain’s discount service. In Brazil, Pylcasa attackers redirect victims to phishing pages or illegal gambling sites.
Keenadu and Triada: firmware backdoors
The most difficult threat to neutralize, documented by Kaspersky in 2025, is not delivered via app vectors but is integrated into Android device firmware before devices reach end users. The Triada family and the Keenadu backdoor, discovered in Q4 2025, are the most active examples. Triada appears three times among the 20 most common mobile malware by number of attacked users, including a variant (.fe) that rose from 0.04% to 9.84% between 2024 and 2025—the largest jump in the rankings.
Keenadu features a particularly aggressive architecture. The malicious code is injected into libandroid_runtime.so, the core library of the Android Java runtime environment, allowing it to access the address space of every application running on the device. Its malicious modules are downloaded dynamically and can be updated remotely, enabling the backdoor to evolve after infection without user interaction. Observed behaviors include manipulating ad views, displaying banners for other apps, and hijacking search queries—but its functional scope is theoretically unlimited.
Mitigation is structurally constrained. A standard factory reset is insufficient to remove a backdoor preinstalled in device firmware. The only documented remediation is to locate an official firmware update from the manufacturer and then comprehensively analyze the new firmware to ensure it is not itself compromised—a process that presumes a device lifecycle management policy that few organizations enforce for personal devices under BYOD.
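The remediation described above comes down to an integrity comparison: hash the core system libraries on a device and compare them with a manifest taken from the vendor's verified firmware image, so that a modified libandroid_runtime.so, a missing binary or an unlisted library stands out. The script below is an added illustration and is not Kaspersky's tooling; the file paths, file contents and the "official image" are constructed stand-ins for the example, and in practice the baseline would be built from a firmware image whose authenticity has already been checked.

```python
"""Compare core system files pulled from a device against a known-good manifest
derived from the vendor's official firmware image.

Added illustration (not vendor code). File contents below are constructed;
real libraries are ELF binaries, but only their digests matter here."""
from __future__ import annotations

import hashlib


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of a byte string."""
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: dict[str, bytes]) -> dict[str, str]:
    """Map each path in an already verified firmware image to its digest."""
    return {path: sha256_hex(content) for path, content in files.items()}


def compare_to_baseline(baseline: dict[str, str],
                        device_files: dict[str, bytes]) -> dict[str, list[str]]:
    """Classify device files as matching, modified, missing or unexpected.

    'modified' is the case the article describes: a core library such as
    libandroid_runtime.so whose content differs from the vendor build."""
    report: dict[str, list[str]] = {"matching": [], "modified": [],
                                    "missing": [], "unexpected": []}
    for path, expected in baseline.items():
        if path not in device_files:
            report["missing"].append(path)
        elif sha256_hex(device_files[path]) == expected:
            report["matching"].append(path)
        else:
            report["modified"].append(path)
    for path in device_files:
        if path not in baseline:
            report["unexpected"].append(path)
    for key in report:
        report[key].sort()
    return report


# Constructed stand-in for the vendor's firmware image (path -> content).
OFFICIAL_IMAGE = {
    "/system/lib64/libandroid_runtime.so": b"ELF\x02 vendor build of libandroid_runtime",
    "/system/framework/framework.jar": b"PK vendor framework classes",
    "/system/bin/app_process64": b"ELF\x02 vendor app_process64",
}

# Constructed device capture: the runtime library carries extra bytes,
# framework.jar is untouched, app_process64 is absent and an unlisted library appears.
DEVICE_CAPTURE = {
    "/system/lib64/libandroid_runtime.so": b"ELF\x02 vendor build of libandroid_runtime"
                                           + b" + tampered bytes",
    "/system/framework/framework.jar": b"PK vendor framework classes",
    "/system/lib64/libhelper_unknown.so": b"ELF\x02 not in vendor manifest",
}


def audit_device() -> dict[str, list[str]]:
    """Run the comparison on the constructed data and return the report."""
    return compare_to_baseline(build_baseline(OFFICIAL_IMAGE), DEVICE_CAPTURE)


if __name__ == "__main__":
    for category, paths in audit_device().items():
        print(f"{category}: {paths}")
```

The comparison only answers "does this device match the image I trust"; it says nothing about whether that image itself is clean, which is why the article stresses analyzing the new firmware before treating it as a baseline.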
For IT teams, the convergence of two distinct vectors—download-distributed trojans and preinstalled backdoors—complicates defense strategies. Traditional MDM policies that focus on controlling app installations and managing OS updates are effective against the first vector but ineffective against the second. In this context, supply chain traceability for hardware becomes an important element of endpoint security policy.
The growing volume of unique APKs associated with banking trojans also indicates that detection solutions relying solely on static signatures will become less effective. For CISOs, the ability of mobile EDR solutions to detect anomalous runtime behavior—access to payment data, interception of OTP codes, communication with command-and-control servers—regardless of a variant’s signature, is the most important differentiator when evaluating mobile security tools.
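The signature-independent detection the paragraph above calls for can be sketched as a scoring rule over per-app runtime events: which app read SMS (the OTP channel), which one touched stored payment data, which one drew over other apps, and which one connected to a host outside the expected set. The script below is an added example, not a vendor product or Kaspersky's detection logic; the telemetry line format, the event names, the allowlist, the weights and the sample log are all assumptions constructed for the illustration.

```python
"""Score per-app runtime behaviour from a device telemetry log, independent of
any file signature.

Added example (not vendor code). The log format, event names, allowlist,
weights and sample lines are constructed for the illustration."""
from __future__ import annotations

import re
from collections import defaultdict

# Assumed telemetry line: "<timestamp> pkg=<package> event=<EVENT> [host=<host>]".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) pkg=(?P<pkg>\S+) event=(?P<event>\S+)(?: host=(?P<host>\S+))?$"
)

# Constructed allowlist: destinations a legitimate banking app is expected to reach.
KNOWN_HOSTS = {"api.example-bank.test", "cdn.example-bank.test"}

# Behaviours the article names, weighted independently of the app's signature.
WEIGHTS = {
    "SMS_READ": 3,             # reading SMS can expose OTP codes
    "PAYMENT_DATA_ACCESS": 4,  # reading stored card or wallet data
    "UNKNOWN_HOST": 2,         # network contact outside the allowlist (possible C2)
    "OVERLAY_DRAW": 2,         # drawing over other apps (overlay credential theft)
}
ALERT_THRESHOLD = 5


def parse_line(line: str) -> dict[str, str | None] | None:
    """Parse one telemetry line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def score_packages(lines: list[str]) -> dict[str, tuple[int, list[str]]]:
    """Aggregate distinct findings per package and sum their weights."""
    findings: dict[str, set[str]] = defaultdict(set)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["event"] == "NET_CONNECT":
            if ev["host"] not in KNOWN_HOSTS:
                findings[ev["pkg"]].add("UNKNOWN_HOST")
        elif ev["event"] in WEIGHTS:
            findings[ev["pkg"]].add(ev["event"])
    return {pkg: (sum(WEIGHTS[f] for f in fs), sorted(fs))
            for pkg, fs in findings.items()}


def flagged_packages(lines: list[str]) -> list[str]:
    """Packages whose combined behaviour score reaches the alert threshold."""
    return sorted(pkg for pkg, (score, _) in score_packages(lines).items()
                  if score >= ALERT_THRESHOLD)


# Constructed sample telemetry. 203.0.113.0/24 is a documentation range.
SAMPLE_LOG = """
2025-11-03T10:12:01Z pkg=com.example.bank event=NET_CONNECT host=api.example-bank.test
2025-11-03T10:12:02Z pkg=com.example.bank event=PAYMENT_DATA_ACCESS
2025-11-03T10:12:05Z pkg=com.flashlight.free event=SMS_READ
2025-11-03T10:12:06Z pkg=com.flashlight.free event=NET_CONNECT host=203.0.113.7
2025-11-03T10:12:09Z pkg=com.games.puzzle event=OVERLAY_DRAW
not a telemetry line
""".strip().splitlines()


if __name__ == "__main__":
    for pkg, (score, reasons) in score_packages(SAMPLE_LOG).items():
        print(f"{pkg}: score={score} reasons={reasons}")
    print("flagged:", flagged_packages(SAMPLE_LOG))
```

In the sample, the banking app reaches only an allowlisted host and legitimately reads payment data, so it stays below the threshold, while the flashlight app combines SMS reading with contact to an unlisted host and is flagged. The point is that the rule never looks at the APK's hash, so a freshly repackaged variant of the same trojan is caught on the same behaviour.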