Mamont Android Banking Trojan Surges in Russia as Triada Backdoor Reappears with Firmware Infections

CyberSecureFox 🦊

According to data collected by Kaspersky for January–August 2025, the Mamont Android banking trojan is now the most widespread mobile threat on Android devices in Russia. The number of affected users has increased 36× year over year versus the same period in 2024 and is approaching one million. In parallel, the multifunctional Triada backdoor has spiked, with the number of attacked users in Russia growing fivefold and reaching the hundreds of thousands.

Mamont banking trojan: attack mechanics and monetization via SMS

Mamont is optimized for SMS banking fraud. After installation, it requests access to SMS messages and push notifications, intercepts one-time codes, and triggers unauthorized financial transactions. Certain variants also capture one-time passwords used by popular messengers, enabling account takeover beyond banking apps.

Distribution: social engineering and risky sideloading

Threat actors rely on social engineering and sideloading (installing apps from outside official stores). Victims receive files through messaging apps disguised as “photos” or “videos”; the attachments carry an .apk extension, indicating an Android installer. Campaigns also impersonate remote-work tools, delivery trackers, or educational apps—lures that exploit urgency and trust.

Why Mamont remains effective in 2025

Mamont abuses core Android permissions—access to SMS, notifications, and often Accessibility Services—to reliably capture codes and automate actions. Its success is amplified by the continued reliance on SMS-based two-factor authentication (2FA) and users’ willingness to install packages from chat links without verifying a developer’s signature. Industry guidance increasingly favors phishing-resistant authentication (for example, app-based prompts or hardware-backed keys) to mitigate these vectors.

Triada backdoor: deep persistence and broad device control

Triada is a modular backdoor offering extensive remote control. The current wave features capabilities to steal accounts in messengers and social networks, spoof caller IDs, monitor and control SMS, track browser activity, and silently send or delete messages. Combined, these functions give operators near-total insight into and control over a victim’s communications.

Preinstalled variants and supply chain exposure

Researchers also report Triada variants shipping with compromised firmware on new devices, commonly counterfeit lookalikes of popular models. In such cases, the malware can survive a factory reset, indicating a supply chain security problem. Remediation typically requires an official firmware reflash or service by an authorized center.

How to protect Android devices from Mamont and Triada

Install software only from trusted sources. Avoid APKs from chats and unknown websites. Any “photo.apk” or “video.apk” is a red flag.

Harden permissions. Regularly review access to SMS, notifications, Accessibility Services, and Device Administrator rights. Revoke anything nonessential.

Enable built-in and third-party protections. Turn on Google Play Protect and deploy reputable mobile security tools capable of detecting banking trojans and backdoors.

Reduce reliance on SMS 2FA. Prefer in-app approvals or authenticator/hardware-backed codes when available. Set a SIM PIN and monitor operations tied to your phone number.

Verify device integrity. Before purchase, check the exact model and IMEI; avoid questionable sellers. If a firmware-level threat is suspected, perform an official reflash or contact an authorized service provider.

Incident response. Immediately disconnect the device from networks, notify your bank, change passwords using a clean device, factory reset and reinstall only from trusted sources, and restore from a known-good backup.

For organizations. Update mobile policies (MDM/EMM), restrict or log sideloading, enforce app allowlists, and train staff to spot malicious APKs. Consider mobile threat defense (MTD) integrations for continuous monitoring.
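One way to turn the permission review and the organizational sideloading audit above into a repeatable check, as an added Python example that is not from the article, Kaspersky, or any vendor: it parses the output of three adb commands (`pm list packages -i`, `dumpsys package <pkg>`, and `settings get secure enabled_accessibility_services`) and flags packages that were not installed by a trusted store yet hold SMS permissions or run an enabled accessibility service. The exact output formats, the trusted-installer list, and the package names are assumptions; the sample command output is constructed.

```python
import re

# Assumption: installer package names treated as trusted app stores (adjust for your fleet).
TRUSTED_INSTALLERS = {"com.android.vending"}
# The SMS permissions the article names as the ones abused to intercept one-time codes.
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
             "android.permission.SEND_SMS"}

def parse_installers(pm_output):
    """Parse `pm list packages -i` output into {package: installer or None (sideloaded)}."""
    result = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            pkg, installer = m.groups()
            result[pkg] = None if installer == "null" else installer
    return result

def parse_granted_sms(dumpsys_output):
    """Return the SMS permissions that `dumpsys package <pkg>` reports as granted=true."""
    return {m.group(1) for m in re.finditer(r"(android\.permission\.\w+): granted=true", dumpsys_output)
            if m.group(1) in SMS_PERMS}

def parse_accessibility(setting_value):
    """Split `settings get secure enabled_accessibility_services` (pkg/svc:pkg/svc) into package names."""
    if not setting_value or setting_value.strip() == "null":
        return set()
    return {entry.split("/")[0] for entry in setting_value.strip().split(":") if entry}

def audit(installers, dumpsys_by_pkg, accessibility_value):
    """Flag packages that are sideloaded AND hold SMS permissions or an enabled accessibility service."""
    a11y_pkgs = parse_accessibility(accessibility_value)
    findings = []
    for pkg, installer in installers.items():
        reasons = sorted(parse_granted_sms(dumpsys_by_pkg.get(pkg, "")))
        if pkg in a11y_pkgs:
            reasons.append("accessibility_service_enabled")
        if installer not in TRUSTED_INSTALLERS and reasons:
            findings.append((pkg, installer or "unknown", reasons))
    return findings

# Constructed sample output mimicking the three adb commands (not captured from a real device).
PM_OUTPUT = """package:com.android.chrome  installer=com.android.vending
package:com.example.photo  installer=null
package:com.example.bank  installer=com.android.vending"""
DUMPSYS = {
    "com.example.photo": "    android.permission.READ_SMS: granted=true\n    android.permission.RECEIVE_SMS: granted=true",
    "com.example.bank": "    android.permission.READ_SMS: granted=true",
}
A11Y_SETTING = "com.example.photo/com.example.photo.HelperService"
```

Running `audit(parse_installers(PM_OUTPUT), DUMPSYS, A11Y_SETTING)` flags only `com.example.photo`: the bank app also holds SMS permissions but came from the trusted store, which is the distinction the review is meant to draw.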

The sharp rise of Mamont and Triada in 2025 underscores how quickly Android threats evolve and scale. Organizations and individuals that limit sideloading, adopt phishing-resistant authentication, and continuously audit device permissions will materially reduce exposure to mobile banking fraud and account compromise. Acting now—before compromise—remains the most cost-effective control.
