A new malicious campaign involving the Mamont Android banking trojan is actively targeting users, exploiting fake “Telegram accelerator” apps to compromise devices and steal money. According to researchers, this wave of attacks began in mid-February and has already affected thousands of users who installed the infected APK outside of Google Play.
How attackers spread the Mamont banking trojan through Telegram
The current campaign is built entirely on social engineering — manipulation of users’ trust and emotions to trick them into taking risky actions. Attackers leave comments under posts in popular Telegram channels, claiming to offer a special app that “speeds up” Telegram or helps bypass restrictions and connectivity issues.
Victims are encouraged to follow a link to a separate Telegram channel, where an APK file is promoted as a useful utility for optimizing Telegram. In reality, this APK installs the Mamont Android banking trojan instead of any performance booster. By piggybacking on established, high-traffic channels and trending topics, criminals maximize their reach and exploit the perceived credibility of well-known communities.
The critical risk stems from sideloading — installing APK files from outside official app stores. To install such a file, users must explicitly allow apps from unknown sources, effectively granting the malware all requested permissions without realizing they are dealing with a banking trojan rather than a benign tool.
Capabilities of Mamont: from banking fraud to account hijacking
Mamont belongs to the class of Android banking trojans, malware designed primarily to steal money from victims’ bank accounts and payment services. After installation, Mamont requests broad access to SMS messages and push notifications, which is a common tactic among modern banking trojans.
With this access, the malware can intercept one-time passwords (OTPs) and security alerts sent by banks, payment providers, and online services. This allows attackers to:
— Confirm financial transactions without the device owner’s knowledge;
— Bypass two-factor authentication (2FA) in online banking and payment apps;
— Hijack messenger accounts by capturing login codes delivered via SMS.
Some Mamont variants also attempt to minimize their visibility by reducing on-screen activity, hiding icons, or delaying suspicious behavior. This stealthy approach increases the likelihood that the trojan will remain undetected until after fraudulent transfers are completed or online accounts are locked or stolen.
Mamont activity surge in 2025 and rapid adaptation to current events
Data indicates that 2025 has become a turning point for Mamont: the number of attacked users has increased nearly tenfold compared with the previous year. During this period, threat actors created numerous distribution schemes, including phishing websites, fake updates, and counterfeit apps allegedly designed to bypass blocks on popular services.
The “Telegram accelerator” scenario is just one illustration of a broader trend. Cybercriminals closely monitor public discussions and adapt their lures to what users care about at the moment — in this case, messaging performance, access restrictions, and convenience. Analysts emphasize that scammers actively exploit users’ trust, haste, and desire for simple workarounds, making any third‑party “booster”, “unblocker”, or “anonymous Telegram” app a red flag.
How to protect Android devices from Mamont and other banking trojans
Avoid installing APK files from untrusted sources
The most important defense measure is to avoid APK installation from chats, channels, and unofficial websites, even if they appear in large or reputable Telegram communities. Whenever possible, download apps only from Google Play or trusted corporate app catalogs. Disable the installation of apps from unknown sources in Android settings and enable it only in rare, justified cases, fully understanding the associated risks.
Verify links, channels, and “too good to be true” offers
Any proposal to “accelerate”, “unblock”, “optimize”, or “make Telegram anonymous” via a separate APK should be treated as potentially malicious. Before tapping a link, check who is posting it, how old the channel is, how many subscribers it has, and whether there are signs of fake activity. Aggressive app promotion in comments is a strong indicator of fraud and should be reported to channel administrators and ignored.
Use reputable mobile security solutions
Modern mobile security tools for Android can detect and block known malware families, including the Mamont banking trojan. Regular signature and heuristic updates help these solutions keep pace with new malware versions. It is recommended to enable real-time protection, perform periodic full scans of the device, and carefully review any security alerts or suspicious permission requests from newly installed apps.
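The permission review recommended above can be scripted from a workstation. This added example (not from the original article or any vendor tool) flags apps installed outside a trusted store that hold granted SMS permissions or are enabled notification listeners, the two kinds of access the article says Mamont requests. The input is constructed and simplified from `adb shell dumpsys package` and `adb shell settings get secure enabled_notification_listeners` output, whose layout varies by Android version; the package names and the trusted-installer list are assumptions.

```python
import re

# Assumption: only Google Play counts as trusted; add a corporate catalog if you use one.
TRUSTED_INSTALLERS = {"com.android.vending"}
SMS_PERMS = {f"android.permission.{p}_SMS" for p in ("READ", "RECEIVE", "SEND")}

# Constructed sample modeled on `adb shell dumpsys package`; package names are made up.
SAMPLE_DUMPSYS = """\
Package [org.example.tgboost] (1a2b3c):
    installerPackageName=com.google.android.packageinstaller
    runtime permissions:
      android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
      android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET ]
Package [org.example.bank] (4d5e6f):
    installerPackageName=com.android.vending
    runtime permissions:
      android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET ]
Package [org.example.notes] (7a8b9c):
    installerPackageName=null
    runtime permissions:
      android.permission.CAMERA: granted=true, flags=[ USER_SET ]
"""
# Constructed value of `adb shell settings get secure enabled_notification_listeners`.
SAMPLE_LISTENERS = "org.example.tgboost/.NotifyService:org.example.bank/.PushListener"

def parse_packages(dumpsys_text):
    """Return {package: {"installer": str or None, "granted": set of permissions}}."""
    pkgs, cur = {}, None
    for line in dumpsys_text.splitlines():
        if m := re.match(r"\s*Package \[([\w.]+)\]", line):
            cur = pkgs.setdefault(m.group(1), {"installer": None, "granted": set()})
        elif cur is None:
            continue  # ignore anything before the first package header
        elif m := re.match(r"\s*installerPackageName=(\S+)", line):
            cur["installer"] = None if m.group(1) == "null" else m.group(1)
        elif m := re.match(r"\s*(android\.permission\.\w+): granted=true", line):
            cur["granted"].add(m.group(1))
    return pkgs

def flag_risky(dumpsys_text, listeners):
    """List non-store packages that can read SMS or notifications."""
    listening = {c.split("/")[0] for c in listeners.split(":") if "/" in c}
    findings = []
    for name, info in parse_packages(dumpsys_text).items():
        reasons = sorted(info["granted"] & SMS_PERMS)
        if name in listening:
            reasons.append("notification-listener")
        if reasons and info["installer"] not in TRUSTED_INSTALLERS:
            findings.append((name, info["installer"], reasons))
    return findings
```

A finding is a prompt for manual review, not a verdict: legitimate sideloaded apps can hold the same access.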
The renewed wave of Mamont distribution via fake Telegram “accelerators” highlights that Android users remain one of the primary targets for financially motivated cybercrime. The strongest line of defense is the user’s own digital hygiene: cautious handling of APK files, critical evaluation of offers in messengers, consistent use of up-to-date security tools, and skepticism toward “miracle solutions” that promise instant access or performance gains. Raising overall cyber-awareness makes it significantly harder for banking trojans like Mamont to succeed — and directly reduces the attackers’ ability to monetize such schemes at scale.