IT threat evolution in Q1 2026. Mobile statistics
In Q1 2026, mobile banking Trojans saw a significant surge, with Mamont variants driving a 50% increase in malicious installation packages. Additionally, a sophisticated new variant of the SparkCat crypto stealer was identified in official app stores, employing custom virtual machines and OCR techniques to compromise both Android and iOS users.
Authors: Anton Kivva
Source: Kaspersky
Detection / Hunter
What Happened
In the first quarter of 2026, researchers observed a sharp rise in mobile banking malware, driven largely by the Mamont family. Attackers also got a new variant of the SparkCat cryptocurrency stealer into official app stores (Google Play and the Apple App Store) by embedding it in apps posing as legitimate enterprise communication tools, such as 'SafeX'. This matters because everyday users installing seemingly safe apps from trusted stores can have banking credentials or cryptocurrency stolen. Users should stay cautious about what they install, even from official stores, and keep mobile security software active.
Key Takeaways
- Mobile banking Trojans surged in Q1 2026, with Mamont variants driving a 50% increase in malicious installation packages.
- A new version of the SparkCat crypto stealer was discovered in official app stores (Google Play and App Store), utilizing a custom Dalvik-like VM on Android and Apple's Vision framework for OCR on iOS.
- The pre-installed Triada.ag backdoor emerged as the most frequently detected mobile malware, affecting a wide range of devices.
- The Kimwolf botnet was linked to the IPIDEA proxy network, leading to a coordinated takedown.
Affected Systems
- Android
- iOS
Attack Chain
Threat actors distribute mobile malware through several channels, including backdoors such as Triada that ship pre-installed on devices and malicious apps uploaded to official stores such as Google Play and the App Store. The SparkCat crypto stealer was embedded in seemingly legitimate apps, such as an enterprise communication app named 'SafeX'. On Android, SparkCat runs a custom Dalvik-like virtual machine that decrypts its obfuscated Rust library at runtime, keeping the real payload out of reach of static inspection of the package. On iOS, the malware uses Apple's Vision framework to run optical character recognition (OCR) over images on the device and exfiltrate any sensitive text it finds. In parallel, banking Trojans such as Mamont are spread as malicious installation packages that harvest financial credentials.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
No specific detection rules or queries are provided in the article.
Detection Engineering Assessment
- EDR Visibility: Low. Traditional EDR solutions typically do not cover mobile operating systems (Android/iOS); visibility requires specialized Mobile Threat Defense (MTD) or Mobile Device Management (MDM) solutions.
- Network Visibility: Medium. Traffic from mobile devices can be monitored if the devices are on corporate Wi-Fi or routed through a corporate VPN, potentially revealing C2 communications.
- Detection Difficulty: Hard. The malware is heavily obfuscated, executes inside a custom virtual machine, and is distributed via trusted official app stores, making both static and behavioral detection challenging.
Required Log Sources
- Mobile Device Management (MDM) application inventory logs
- Mobile Threat Defense (MTD) alerts
- Network traffic logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| If you have visibility into mobile application inventories via MDM, consider hunting for the presence of the 'SafeX' app by developer 'CarterBo', which may be associated with the SparkCat crypto stealer. | MDM application inventory logs | Installation | Low |
| Consider hunting for unusual network connections originating from mobile devices to known proxy networks or suspicious infrastructure, which may indicate botnet activity like Kimwolf. | Network traffic logs | Command and Control | Medium |
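The first hypothesis in the table, run as code. This is an added example, not part of the Kaspersky report or of this page's detection content: the app name 'SafeX' and developer 'CarterBo' come from the hypothesis above, while the export layout (one JSON object per line with device_id, platform, package, app_name, developer and permissions), the field names and the permission-based review heuristic are assumptions of this example. The sample export is constructed.

```python
"""Hunt an MDM application-inventory export for the SparkCat-linked 'SafeX' app.

The app name 'SafeX' and developer 'CarterBo' come from the hunting hypothesis;
the export layout, field names and permission heuristics are assumptions of this
example, not the report's.
"""
import json
from typing import Iterable, Optional

# High-confidence IOC from the hunting hypothesis (case-insensitive match).
IOC_APP_NAME = "safex"
IOC_DEVELOPER = "carterbo"

# Low-confidence review triggers: access to on-device images or accessibility
# services is what an OCR-based stealer needs, but many benign apps ask for them
# too, so these only produce "review" findings. The permission strings and
# Info.plist keys are real platform identifiers.
ANDROID_REVIEW_PERMS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
    "android.permission.READ_MEDIA_IMAGES",
    "android.permission.READ_EXTERNAL_STORAGE",
}
IOS_REVIEW_KEYS = {
    "NSPhotoLibraryUsageDescription",
    "NSCameraUsageDescription",
}

# Constructed sample export (not real telemetry).
SAMPLE_INVENTORY = """\
{"device_id":"dev-001","platform":"android","package":"com.example.mail","app_name":"Mail","developer":"Example Corp","permissions":["android.permission.INTERNET"]}
{"device_id":"dev-002","platform":"android","package":"com.unknown.safex","app_name":"SafeX","developer":"CarterBo","permissions":["android.permission.INTERNET","android.permission.READ_MEDIA_IMAGES"]}
{"device_id":"dev-003","platform":"ios","package":"com.unknown.safex","app_name":"SafeX - Secure Messenger","developer":"CarterBo","permissions":["NSPhotoLibraryUsageDescription"]}
{"device_id":"dev-004","platform":"android","package":"com.example.scanner","app_name":"Receipt Scanner","developer":"Example Corp","permissions":["android.permission.CAMERA","android.permission.READ_MEDIA_IMAGES"]}
"""


def classify(rec: dict) -> Optional[dict]:
    """Return a finding for one inventory record, or None if there is nothing to flag."""
    name = str(rec.get("app_name", "")).lower()
    developer = str(rec.get("developer", "")).lower()
    perms = set(rec.get("permissions", []))
    review_set = ANDROID_REVIEW_PERMS if rec.get("platform") == "android" else IOS_REVIEW_KEYS

    reasons = []
    # IOC match: name contains 'safex' AND developer is exactly 'carterbo'.
    if IOC_APP_NAME in name and developer == IOC_DEVELOPER:
        reasons.append("ioc:safex/carterbo")
    hits = sorted(perms & review_set)
    if hits:
        reasons.append("perms:" + ",".join(hits))
    if not reasons:
        return None
    # An IOC hit outranks a permission hit; permissions alone are only a review lead.
    severity = "high" if reasons[0].startswith("ioc:") else "review"
    return {
        "device_id": rec.get("device_id"),
        "platform": rec.get("platform"),
        "app_name": rec.get("app_name"),
        "developer": rec.get("developer"),
        "severity": severity,
        "reasons": reasons,
    }


def hunt(lines: Iterable[str]) -> list:
    """Classify every JSON-lines record; malformed lines are skipped, not fatal."""
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue
        finding = classify(rec)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_INVENTORY.splitlines()):
        print(f["severity"].upper(), f["device_id"], f["app_name"], f["reasons"])
```

Matching on name plus developer keeps the false-positive rate of the IOC rule low, as the table states; the permission rule is deliberately separated into a "review" tier because a legitimate document scanner trips it as well.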
Control Gaps
- Lack of Mobile Threat Defense (MTD) coverage on BYOD devices
- Implicit trust in applications downloaded from official app stores (Google Play, App Store)
Key Behavioral Indicators
- Presence of custom Dalvik-like VMs in Android app packages
- Unexpected use of Apple's Vision framework for OCR by non-utility iOS apps
- Apps requesting unusual permissions related to screen reading or accessibility
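A static check for the first indicator above (a native payload that only a custom VM decrypts at runtime), as an added example that is not part of the Kaspersky analysis or this page. The heuristic is the editor's: a library stored encrypted inside the APK has near-maximal byte entropy and does not start with the ELF magic, so the script opens the APK as a zip, scores every entry under lib/, and flags entries that are either not ELF objects or close to random. The threshold, the sample APK and the library names are constructed assumptions; legitimately packed or compressed libraries trip the same check, so a hit is a triage lead, not a verdict.

```python
"""Static triage of an APK for a native library stored encrypted (editor's heuristic).

The APK built in build_sample_apk() is a constructed stand-in, not a real sample.
"""
import io
import math
import os
import zipfile
from collections import Counter

ELF_MAGIC = b"\x7fELF"
# Assumption: compiled code sits well below this, encrypted/random data near 8.0.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 0.0 for empty or constant input, 8.0 for uniform random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_apk(apk_bytes: bytes) -> list:
    """One record per file under lib/: entropy, ELF validity, and a suspicious flag."""
    records = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for info in z.infolist():
            if info.is_dir() or not info.filename.startswith("lib/"):
                continue
            data = z.read(info.filename)
            entropy = shannon_entropy(data)
            is_elf = data.startswith(ELF_MAGIC)
            records.append({
                "name": info.filename,
                "size": len(data),
                "entropy": round(entropy, 3),
                "is_elf": is_elf,
                # Either condition alone is enough: a .so that is not ELF cannot be
                # loaded directly and must be transformed first; near-random bytes
                # indicate encryption or packing.
                "suspicious": (not is_elf) or entropy > ENTROPY_THRESHOLD,
            })
    return records


def build_sample_apk() -> bytes:
    """Constructed APK-shaped zip: one plain library, one 'encrypted' one."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", b"dex\n035\x00" + bytes(4096))
        # Plausible benign library: ELF header followed by low-entropy padding.
        z.writestr("lib/arm64-v8a/libnative.so", ELF_MAGIC + b"\x02\x01\x01" + bytes(8192))
        # Stand-in for an encrypted Rust payload: no ELF magic, uniform random bytes.
        z.writestr("lib/arm64-v8a/libcore_rs.so", os.urandom(65536))
    return buf.getvalue()


if __name__ == "__main__":
    for rec in triage_apk(build_sample_apk()):
        flag = "SUSPICIOUS" if rec["suspicious"] else "ok"
        print(f"{flag:10} {rec['name']} elf={rec['is_elf']} entropy={rec['entropy']}")
```

Run it against a real package with `triage_apk(open("app.apk", "rb").read())`; the manifest permission check that would pair with the third indicator is omitted here because AndroidManifest.xml inside an APK is binary XML and needs a dedicated decoder.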
False Positive Assessment
- Low for the 'SafeX'/'CarterBo' app-inventory hunt, which keys on a specific app name and developer.
- Medium for the network-based hunt, since legitimate apps and VPN clients also connect to commercial proxy infrastructure.
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- If your MDM supports it, consider blocking or removing the 'SafeX' app by developer 'CarterBo' from managed mobile devices.
Infrastructure Hardening
- Evaluate whether corporate network policies restrict access to known malicious proxy networks and botnet C2 infrastructure.
- Consider enforcing strict app allowlisting on corporate-owned mobile devices to prevent the installation of unapproved software.
User Protection
- If applicable, deploy Mobile Threat Defense (MTD) solutions to both corporate and BYOD devices to detect malicious apps and banking Trojans.
- Consider restricting the installation of unapproved applications, even from official stores, on devices with access to sensitive corporate data.
Security Awareness
- Consider educating users about the risks of downloading unverified apps from official app stores, highlighting that malware can sometimes bypass store reviews.
- Evaluate whether to include training on identifying suspicious app permissions and the dangers of mobile banking Trojans in your security awareness program.
MITRE ATT&CK Mapping
- T1406 - Obfuscated Files or Information
- T1636 - Protected User Data
- T1513 - Screen Capture
- T1406.002 - Obfuscated Files or Information: Software Packing