IoT attacks increasingly target critical infrastructure

  • November 12, 2025
  • Steve Rogerson

There has been a 67% jump in Android malware and 40% of IoT attacks target critical industries and hybrid work, according to California-based cloud security firm Zscaler.

Its ThreatLabz 2025 Mobile, IoT & OT Threat Report outlines how threat actors are leveraging malware attacks and constantly evolving their tactics. The report uncovered hundreds of malicious apps in the Google Play Store that have been downloaded over 40 million times, targeting users that are searching for productivity and workflow apps.

Based on Zscaler’s mobile telemetry dataset, the ThreatLabz team identified several emerging mobile threats and new malicious activity, providing insights to help enterprises stay ahead of attackers in a mobile-first world.

As in the previous year, threat actors again developed and released malicious applications targeting trusted marketplaces and hybrid work environments. The result, which the report puts at a 67% year-over-year increase in Android malware transactions, reflects the continued risks of spyware and banking malware. Researchers identified 239 such applications hosted on the Google Play Store, which were collectively downloaded 42 million times.

A key distribution channel for this malware was the tools category, disguising malicious applications as productivity and workflow tools. This tactic capitalises on users’ trust in functionality-driven applications, a trust that is particularly strong in hybrid and remote work settings where mobile devices are integral to professional tasks.

The analysis of Android attack volumes reveals that the manufacturing and energy sectors remain prime targets for cyber criminals due to the potential for significant returns. Notably, the energy sector experienced a 387% increase in attacks compared with the previous year, highlighting an escalating threat to critical infrastructure and greater exploitation of vulnerabilities within these essential industries.

In the IoT landscape, the manufacturing and transportation sectors continue to be the most frequently targeted verticals. This year, each sector accounted for 20.2% of all observed IoT malware attacks, collectively representing over 40% of total incidents. This marks a shift from 2024, when manufacturing alone represented 36% of total incidents, followed by transportation at 14%. This suggests that while manufacturing remains a critical target, threat actors are increasingly diversifying their efforts across other high-dependency IoT industries.

Roughly 40% of blocked transactions are linked to the Mirai family alone, and Mozi has overtaken Gafgyt as the second-highest-ranked malware family. Together, Mirai, Mozi and Gafgyt account for roughly 75% of all malicious payloads in IoT environments.

Worldwide, mobile threats have surged, with many of these attacks concentrated in three key regions: India, accounting for 26% of all mobile attacks, the USA at 15% and Canada at 14%. India, in particular, experienced a 38% increase in mobile threat attacks over the previous year. The top five countries that receive the most mobile malware traffic are India (26%), USA (15%), Canada (14%), Mexico (5%) and South Africa (4%).

The report also revealed that the USA is both a hub for IoT activity (54.1%) and a primary target for malware attacks. The top five countries that receive the most IoT malware traffic are USA (54%), Hong Kong (15%), Germany (6%), India (5%) and China (4%).

“Attackers are pivoting to areas with maximum impact,” said Deepen Desai, chief security officer at Zscaler (www.zscaler.com). “We’re seeing a YoY rise of 67% in malware targeting mobile devices and 387% in IoT/OT attacks on energy sectors often hosting critical infrastructure, which is a massive swing. A zero-trust everywhere approach, combined with AI-powered threat detection, is imperative to reducing the attack surface, limiting lateral movement, and providing organisations the defence they need against ever-evolving attacks.”

Additional findings this year include a new backdoor, Android Void malware, that has infected 1.6 million Android-based TV boxes, primarily in India and Brazil. A remote access trojan (RAT), Xnotice, was identified targeting job seekers in the oil and gas industry, particularly in the Middle East and North Africa.

Adware overtook the Joker malware family as the top mobile threat, with a leading 69% of cases, while Joker dropped to 23% of cases, from 38% last year.

The report also found that threat actors were abandoning card-focused fraud in favour of mobile payments.

The report is available at www.zscaler.com/campaign/threatlabz-mobile-iot-ot-report.