VYPR
Trend · Published May 18, 2026 · 1 source

Kaspersky Q1 2026 Report: 2.67 Million Mobile Attacks Blocked, SparkCat Stealer Hits App Stores

Kaspersky's Q1 2026 mobile threat report reveals over 2.67 million attacks blocked, a surge in banking Trojans, and the discovery of the SparkCat crypto stealer on both Google Play and the App Store.

Kaspersky's Q1 2026 mobile threat report, released today, reveals that its security solutions blocked over 2.67 million mobile malware, adware, and unwanted software attacks during the quarter. While this represents a decline from the 3.24 million attacks blocked in Q4 2025, the report warns that the threat landscape remains dangerous, with a surge in sophisticated banking Trojans and the discovery of a new crypto stealer on official app stores.

The quarter saw the discovery of more than 306,000 malicious installation packages, including 162,275 mobile banking Trojans and 439 ransomware packages. The Trojan-Banker category became the most prevalent mobile malware threat, accounting for 10.86% of all detections. Mamont variants dominated the banking Trojan landscape, responsible for 73.5% of such detections, followed by Faketoken, Rewardsteal, and Creduz. The rise in banking Trojan installation packages led to a corresponding increase in attacks, pushing Trojan-Banker apps up the rankings in terms of share of targeted users.

In a significant development, Kaspersky researchers discovered several apps on both Google Play and the Apple App Store containing a new version of the SparkCat crypto stealer. The malware is meticulously concealed within infected Android apps: its obfuscated malicious Rust library is decrypted using a custom Dalvik-like virtual machine. On iOS, the attackers have adapted the malware to leverage Apple's proprietary Vision framework for optical character recognition (OCR), allowing it to steal cryptocurrency wallet recovery phrases and other sensitive text from screenshots and images.

The report also highlights a link between the notorious Kimwolf botnet and the IPIDEA proxy network, identified by Synthient researchers. This proxy network was subsequently taken down in cooperation with GTIG, disrupting the botnet's command-and-control infrastructure. The takedown represents a significant blow to the botnet's operations, which had been used for various malicious activities.

Despite the overall decline in attack volume, the number of unique users targeted by mobile threats remained relatively stable. Adware and RiskTool-type unwanted apps continued to be the top two threats by attack volume, with HiddenAd (44.9%) and MobiDash (38.1%) being the most common adware families, while Revpn (67%) and SpyLoan (20.5%) led the RiskTool category. The pre-installed Triada.ag backdoor rose to the top spot in the malware rankings, affecting a wide range of devices.

Kaspersky urges mobile users to remain vigilant, download apps only from official stores, carefully review app permissions, and keep their devices and security software updated. The discovery of SparkCat on official app stores underscores the evolving sophistication of mobile threats and the need for continuous monitoring and defense.

Synthesized by Vypr AI