Mobile Malware Landscape: Key Threats and Trends in Q1 2026

Last updated: 2026-05-20 18:28:35 · Cybersecurity

Introduction

The first quarter of 2026 witnessed significant shifts in the mobile threat landscape, as revealed by Kaspersky Security Network (KSN) data. This report provides an in-depth analysis of the latest mobile malware statistics, notable attack vectors, and emerging threats. Please note that Kaspersky updated its methodology for calculating statistical indicators in Q3 2025, which may cause differences when comparing figures with earlier reports. The data presented here has been recalculated for consistency, and all future reports will follow the same approach for accurate comparisons.

Mobile Malware Landscape: Key Threats and Trends in Q1 2026
Source: securelist.com

Key Numbers at a Glance

According to KSN telemetry, during Q1 2026:

  • Over 2.67 million attacks involving malware, adware, or unwanted mobile software were prevented.
  • The most prevalent mobile malware category was Trojan-Banker, accounting for 10.86% of all detections.
  • More than 306,000 malicious installation packages were identified, including 162,275 mobile banking Trojans and 439 mobile ransomware Trojans.

The total number of attacks on mobile devices decreased to 2,676,328 in Q1 2026, down from 3,239,244 in the previous quarter. This decline is primarily attributed to a reduction in adware and RiskTool detections. However, this does not imply a lower risk for mobile users; the number of unique users targeted by these threats remained relatively stable throughout the period.

Notable Threats: Kimwolf Botnet and SparkCat Crypto Stealer

Kimwolf Botnet Linked to IPIDEA Proxy Network

In Q1, researchers at Synthient uncovered a connection between the notorious Kimwolf botnet and the IPIDEA proxy network. This discovery led to a coordinated takedown of the IPIDEA infrastructure in cooperation with the Global Threat Intelligence Group (GTIG).

SparkCat Crypto Stealer Evolves

Early in 2026, Kaspersky experts identified several apps on Google Play and the App Store that contained a new variant of the SparkCat crypto stealer. The Android version featured deeply concealed Trojan code embedded inside a malicious Rust library that was decrypted using a custom Dalvik-like virtual machine created by the attackers. On iOS, the malware used Apple's proprietary Vision framework for optical character recognition (OCR), allowing it to extract sensitive data from images.

Mobile Malware Landscape

Sample Count and Distribution

The number of detected Android malware samples saw a slight increase in Q1 2026 compared to Q4 2025, totaling 306,070 malicious installation packages.

Breakdown by Type

These packages were categorized as follows:

  • Banking Trojans: 162,275 packages
  • Ransomware Trojans: 439 packages
  • Other Malicious Apps: Remaining packages (including adware, RiskTool, and other malware)

This distribution highlights the continued dominance of financial threats, with banking Trojans representing over half of all mobile malware packages.

Conclusion

While the overall attack volume dipped in Q1 2026, the mobile threat landscape remains dynamic and dangerous. The emergence of sophisticated malware like SparkCat and the takedown of the IPIDEA proxy network demonstrate the ongoing cat-and-mouse game between cybercriminals and security vendors. Users are advised to remain vigilant, keep devices updated, and rely on reputable security solutions to mitigate risks.