The Android banking trojan Mamont has rapidly become one of the main instruments of mobile cybercrime against Russian users. According to analytics from F6, this malware accounts for 47% of all compromised Android devices in Russia, and fraud linked to Mamont exceeded 150 million rubles in November 2025 alone. Against the backdrop of NFCGate's declining activity, Mamont is steadily taking the lead among mobile banking trojans.
Mamont as a dominant Android banking trojan in Russia
F6 estimates that about 1.5% of Android smartphones in Russia show traces of malicious software. With an assumed installed base of 100 million devices, this is roughly 1.5 million compromised smartphones. Nearly 700,000 of them are infected specifically with Mamont, which makes it one of the most widespread mobile cyberthreats in the country.
In the third quarter of 2025, the number of infected devices grew by around 60 new cases per day. The average loss per successfully attacked victim is approximately 30,000 rubles. Based on these figures, experts estimate that the damage from operations involving Mamont in November 2025 alone could have surpassed 150 million rubles.
Data from Russia’s Ministry of Internal Affairs aligns with the F6 statistics: in the second half of 2025, Mamont accounted for almost 39% of detected mobile infections, while the “reverse” modification of NFCGate accounted for 52.4%. Analysts predict that in 2026 Mamont will likely consolidate its position as the primary Android threat for Russian users.
The first attacks associated with Mamont were recorded in September 2023, when the trojan was distributed through a fake Google Play page disguised as a delivery service app. In just ten days, attackers managed to steal nearly 3 million rubles. Since then, the malware has been actively developed, extended and hardened against detection.
Infection chain: APK phishing in messengers and social engineering
Disguised as “sensitive content” in chats and groups
Current versions of the Mamont Android trojan no longer rely on app stores. The primary attack vector has shifted to direct phishing distribution of APK files through popular messengers. Targets include open and semi‑closed chats, neighbourhood and local community groups, and other high-trust communication channels.
Malicious APKs are presented as photos, videos, lists of casualties or missing persons, “security tools” and other emotionally charged lures. Typical filenames include “Spiski_200-300”, “Spisok_propavshih”, “Foto_strashnoy_avarii”, “FOTO”, “MoeVideo”. To increase the open rate, messages often contain provocative text such as “Terrible… he died in a crash”. This is a classic example of social engineering — the abuse of human curiosity and empathy rather than technical vulnerabilities.
SMS privileges and stealthy background operation
After installation, the application requests permission to become the default SMS handler on the device. This is a critical privilege: it allows the trojan to read, intercept and send text messages, including one‑time passwords (OTPs) and notifications from banks, microfinance organizations and online services.
Once granted these rights, Mamont hides its interface, but pins a non-removable “updates” notification in the status bar. The user cannot easily dismiss it using standard tools. This background service allows Mamont to maintain persistent presence on the device, communicate with its operators and execute commands without drawing attention.
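As an added illustration (not code from the article or from F6), here is a small static-triage script for a decoded AndroidManifest.xml that flags the combination this section describes: a non-messaging app declaring the components Android requires of a default SMS handler, together with SMS, contacts and call permissions. The sample manifest, package name and verdict thresholds are constructed for the example.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # Android XML namespace
# Permissions giving the reach described above: SMS read/send (OTP theft),
# contact harvesting (mass phishing), USSD dialling, a pinned foreground service.
SUSPECT_PERMISSIONS = {
    "android.permission.RECEIVE_SMS": "intercept incoming SMS and OTPs",
    "android.permission.READ_SMS": "read the SMS archive",
    "android.permission.SEND_SMS": "send SMS from the victim's number",
    "android.permission.READ_CONTACTS": "harvest contacts for mass phishing",
    "android.permission.CALL_PHONE": "dial USSD service codes",
    "android.permission.FOREGROUND_SERVICE": "pin a persistent notification",
}
# Intent actions an app must handle to be eligible as the default SMS app;
# a "photo viewer" declaring all of them is asking for the SMS role.
SMS_ROLE_ACTIONS = {
    "android.provider.Telephony.SMS_DELIVER",
    "android.provider.Telephony.WAP_PUSH_DELIVER",
    "android.intent.action.RESPOND_VIA_MESSAGE",
    "android.intent.action.SENDTO",
}

def triage_manifest(manifest_xml: str) -> dict:
    # Collect requested permissions and every intent action the app handles.
    root = ET.fromstring(manifest_xml)
    perms = {p.get(A + "name") for p in root.iter("uses-permission")}
    actions = {a.get(A + "name") for a in root.iter("action")}
    found = {p: why for p, why in SUSPECT_PERMISSIONS.items() if p in perms}
    wants_sms_role = SMS_ROLE_ACTIONS <= actions
    if wants_sms_role and len(found) >= 4:
        verdict = "HIGH"      # SMS role plus broad reach: treat as a banker
    elif wants_sms_role or found:
        verdict = "REVIEW"
    else:
        verdict = "LOW"
    return {"package": root.get("package"), "suspect_permissions": found,
            "wants_default_sms_role": wants_sms_role, "verdict": verdict}

# Constructed sample (not a real Mamont artefact): an APK posing as a photo
# viewer that nevertheless declares the complete default-SMS-app role.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
 package="com.example.foto.viewer">
 <uses-permission android:name="android.permission.RECEIVE_SMS"/>
 <uses-permission android:name="android.permission.READ_SMS"/>
 <uses-permission android:name="android.permission.SEND_SMS"/>
 <uses-permission android:name="android.permission.READ_CONTACTS"/>
 <application>
  <receiver android:name=".SmsRx"><intent-filter><action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter></receiver>
  <receiver android:name=".MmsRx"><intent-filter><action android:name="android.provider.Telephony.WAP_PUSH_DELIVER"/></intent-filter></receiver>
  <activity android:name=".Send"><intent-filter><action android:name="android.intent.action.SENDTO"/><data android:scheme="smsto"/></intent-filter></activity>
  <service android:name=".Reply"><intent-filter><action android:name="android.intent.action.RESPOND_VIA_MESSAGE"/></intent-filter></service>
 </application></manifest>"""
```

Run `triage_manifest(SAMPLE_MANIFEST)` on the decoded manifest of a suspicious APK (for example one extracted with apktool) to get the indicator summary; the thresholds are a starting point, not a signature.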
Mamont’s capabilities and Telegram-bot command-and-control
Mamont offers a full toolkit for theft of funds and further propagation. It intercepts and uploads SMS to a remote server, sends messages on behalf of the victim, performs USSD requests (service commands used by mobile operators), and mass‑sends phishing links to all contacts in the address book, thereby expanding the infection chain.
The command-and-control (C2) infrastructure is built around a Telegram bot. Immediately after launch, the malware sends an initialization message containing the device ID, Android version, list of installed apps and SIM card numbers. The background service then periodically polls the bot via the Telegram Bot API for new instructions.
Available commands enable operators to almost fully control the compromised smartphone: view active bots, start and stop SMS interception, exfiltrate SMS archives, execute USSD queries, launch mass messaging to all contacts, send targeted SMS, check device “status” and force the malware session to end if needed.
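An added detection example, not part of the article: given proxy or gateway logs in which the URL path is visible, this script flags a client that calls the Telegram Bot API (api.telegram.org/bot<token>/...) at a near-constant interval, which is how the polling described above would appear from the network side. The log lines, client addresses and bot token are constructed; the call-count and jitter thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines (not real telemetry): "<time> <client> <verb> <host><path>".
# A handset hitting the Bot API every ~30 s does not look like a person using Telegram:
# the messenger app speaks MTProto to Telegram data centres, not to api.telegram.org.
SAMPLE_LOG = """\
2025-11-03T10:00:02Z 10.20.1.17 POST api.telegram.org/bot123456:AAfakeTOKENxx/sendMessage
2025-11-03T10:00:32Z 10.20.1.17 GET api.telegram.org/bot123456:AAfakeTOKENxx/getUpdates
2025-11-03T10:01:02Z 10.20.1.17 GET api.telegram.org/bot123456:AAfakeTOKENxx/getUpdates
2025-11-03T10:01:33Z 10.20.1.17 GET api.telegram.org/bot123456:AAfakeTOKENxx/getUpdates
2025-11-03T10:02:02Z 10.20.1.17 GET api.telegram.org/bot123456:AAfakeTOKENxx/getUpdates
2025-11-03T10:00:10Z 10.20.1.44 GET web.telegram.org/k/
2025-11-03T10:05:10Z 10.20.1.44 GET web.telegram.org/k/
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) api\.telegram\.org/bot([^/]+)/(\w+)")

def find_bot_api_pollers(log: str, min_calls: int = 4, max_jitter: float = 0.25) -> list:
    """Return (client, token_hint, api_method_counts, avg_gap_s) for each client
    that calls the Telegram Bot API repeatedly at a near-constant interval."""
    calls = defaultdict(list)       # (client, token) -> [(timestamp, api_method), ...]
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue                # not a Bot API request (e.g. web.telegram.org)
        ts, client, _verb, token, api_method = m.groups()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        calls[(client, token)].append((when, api_method))
    hits = []
    for (client, token), events in calls.items():
        if len(events) < min_calls:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:   # regular beacon
            counts = {}
            for _, api_method in events:
                counts[api_method] = counts.get(api_method, 0) + 1
            hits.append((client, token[:6] + "...", counts, round(avg, 1)))
    return hits
```

Where only TLS SNI is logged, the path and token are not visible; the same regularity check can then be applied to connections to api.telegram.org alone, at the cost of more false positives from legitimate bot-backed apps.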
Criminal ecosystem, monetization and AI tools
After SMS archives are collected, an embedded analytics module performs fast context analysis: it estimates account balances, existing loans, typical OTP formats and notifications from financial services. Attackers often complement this with checks against open-source databases and known data leaks to build a detailed profile of each victim.
This information is usually sufficient for unauthorized access to online banking and microfinance accounts, fraudulent loan applications and illegal fund transfers. Within criminal teams operating Mamont, roles are separated: some manage infrastructure, others focus on social engineering, and “cash‑out” specialists handle monetization. Microfinance organizations are often prioritized as targets because their scoring and verification processes are typically less stringent than those of major banks. Proceeds are usually distributed via cryptocurrency wallets.
The Mamont control panel — the same Telegram bot — is widely sold and rented on underground markets. Typical pricing is around 300 USD per month for rental, or about 250 USD plus 15% of profits for a “licensed” version with support. Malicious APKs are generated automatically by a builder controlled through a separate bot. Low cost, a user‑friendly interface and minimal technical requirements significantly lower the barrier to entry, attracting diverse criminal groups.
Security researchers note that recent Mamont versions increasingly use artificial intelligence to assemble and tailor apps to specific targets. Generating a customized APK directly from a fraud panel takes only minutes, which dramatically accelerates campaigns. In this environment, previously dominant tools such as NFCGate are likely to become just one option among many Android banking trojans.
Risks for Android users and effective protection measures
The most dangerous aspect of Mamont is its ability to turn a victim’s smartphone into an attack platform. A compromised device is used to spread phishing links, initiate calls, perform financial transactions and support new fraud waves — often without the owner realizing they are part of a criminal operation.
To reduce the risk of infection with Mamont and similar Android banking trojans, it is advisable to:
– avoid installing APK files received via messengers, chats or social networks, especially those with shocking or emotional captions;
– disable installation from unknown sources wherever possible;
– refuse SMS and “default messaging app” permissions for applications whose origin and purpose are unclear;
– treat any “lists of casualties”, disturbing photos and videos from unknown or little‑known contacts with extreme caution;
– use reputable mobile security solutions and keep the operating system and apps up to date;
– configure transaction limits and additional confirmation mechanisms in your bank (for example, push notifications and authenticator apps instead of SMS codes).
The rapid spread of Mamont illustrates how quickly the mobile threat landscape is evolving: automation, Telegram-based control and AI‑assisted tooling make complex banking attacks accessible to a wide range of criminal groups. Strengthening digital hygiene, educating users and deploying multi‑layered protection on Android devices and in financial institutions are now essential steps to avoid becoming part of the next wave of mobile banking trojan victims.