Mobile Malware Surge: Trojan‑Banker Leads Q1 2026 Threat Landscape, 2.67 M Attacks Blocked
What Happened — Kaspersky’s Q1 2026 mobile threat report shows >2.67 million malware, adware or unwanted‑software attacks on mobile devices were blocked, with Trojan‑Banker families accounting for 10.86 % of detections. Over 306 k malicious installation packages were identified, including 162 k banking‑trojan packages and 439 k ransomware‑trojan packages.
Why It Matters for TPRM —
- Mobile‑first workforces increase exposure to banking trojans that can harvest credentials and financial data.
- The persistence of botnet‑linked proxy networks (e.g., Kimwolf ↔ IPIDEA) highlights supply‑chain risk for third‑party mobile apps.
- New variants (SparkCat crypto‑stealer, Vision‑framework OCR abuse) demonstrate rapid weaponisation of legitimate SDKs, raising the bar for detection.
Who Is Affected — Financial services (mobile banking users), SaaS providers with mobile clients, telecom operators, and any enterprise that permits BYOD or issues corporate mobile devices.
Recommended Actions —
- Review mobile device management (MDM) policies and enforce strict app‑allow lists.
- Validate that third‑party mobile apps undergo independent malware scanning before deployment.
- Ensure endpoint security solutions on mobile devices are updated to detect emerging trojan families.
Technical Notes —
- Attack vector: malicious Android/iOS apps distributed via official stores, leveraging obfuscated Rust libraries and custom Dalvik‑like VMs.
- Notable CVE‑free techniques: use of Apple Vision framework for OCR‑based credential harvesting.
- Botnet activity: Kimwolf botnet leveraged IPIDEA proxy network, now takedown confirmed.
Source: SecureList – IT threat evolution in Q1 2026. Mobile statistics