Q1 mobile threats show new variants

- Kaspersky and ESET published mobile threat findings on May 18 and May 7, 2026, detailing new SparkCat and Triada variants and large-scale Android scam activity.
- ESET said 28 CallPhantom apps on Google Play were downloaded more than 7.3 million times before removal, while Kaspersky blocked 2.67 million mobile attacks.
- Google removed identified CallPhantom apps, while Kaspersky said SparkCat samples had been removed from Apple’s App Store and Google Play.

Kaspersky’s Q1 2026 Android threat report said on May 18 that it blocked more than 2.67 million attacks involving malware, adware or unwanted mobile software during the quarter, while flagging new versions of the SparkCat and Triada malware families. ESET, in separate May research, said North Korea-aligned ScarCruft used a gaming platform to distribute Android spyware and that a scam cluster it named CallPhantom reached millions of downloads on Google Play. Taken together, the reports show a quarter in which Android users faced both traditional malware and mass-market fraud apps. The findings were released by named security vendors and are based on their own telemetry and investigations.

### Which numbers in the quarter mattered most?

Kaspersky said 2,676,328 attacks were prevented in Q1 2026, down from 3,239,244 in the previous quarter, but said the decline was driven mainly by fewer adware and RiskTool detections rather than lower user risk. The company said Trojan-Banker was the leading mobile malware category, accounting for 10.86% of total detections, and said it found more than 306,000 malicious installation packages, including 162,275 related to mobile banking Trojans. (securelist.com)

ESET said its most visible scam finding involved 28 separate CallPhantom apps on Google Play that were downloaded more than 7.3 million times before removal. The apps claimed to provide call logs, SMS records and WhatsApp call history for any number, but ESET researcher Lukáš Štefanko said the data returned was fabricated.

### How did SparkCat change in 2026?

Kaspersky said on April 2 that it found a new SparkCat variant in two App Store apps and one Google Play app, a year after earlier versions had been removed from both stores. (securelist.com) The company said the malware hid inside legitimate-looking apps, requested photo access in some cases and scanned users’ galleries for cryptocurrency wallet recovery phrases. (eset.com)

Sergey Puzan, a cybersecurity expert at Kaspersky, said the updated SparkCat variant used multiple obfuscation layers, including code virtualization and cross-platform programming language usage. Kaspersky said the Android version searched images for keywords in Japanese, Korean and Chinese, while the iOS version scanned for English-language wallet mnemonic phrases using optical character recognition. (kaspersky.com)

### Why was Triada still in the picture?

Kaspersky said Triada remained notable because newer versions were embedded in device firmware before sale, giving the malware system-level persistence that ordinary app removal would not fix. The company said a copy of the Trojan could infiltrate every application launched on an infected device by compromising the Zygote process. The April 2025 Triada research described capabilities including modifying cryptocurrency wallet addresses, replacing browser links, sending text messages, intercepting replies and stealing credentials from messaging and social-media apps. (kaspersky.com) Kaspersky’s Q1 2026 report cited new Triada versions among the quarter’s noteworthy discoveries. (securelist.com)

### What did researchers say about ScarCruft’s Android spyware?

ESET said on May 5 that ScarCruft, also known as APT37, compromised a video game platform used by ethnic Koreans in China’s Yanbian region and trojanized Android games with an Android version of its BirdCall backdoor. The company said the campaign was aimed at espionage and that the malware could collect personal data and documents, take screenshots and make voice recordings. The ScarCruft case was different from CallPhantom’s mass-download model because ESET described it as a supply-chain attack tied to a specific gaming platform and target set. ESET said the operation had likely been ongoing since late 2024.

### What happened to the apps named in these reports?

ESET said Google removed all 28 CallPhantom apps it reported from Google Play. (welivesecurity.com) Kaspersky said malicious code had been removed from the SparkCat-infected apps it identified in Apple’s App Store and Google Play. May 2026 remains the key marker for the next disclosures. ESET’s ScarCruft report was published on May 5, its CallPhantom report on May 7, and Kaspersky’s Q1 2026 Android threat landscape report on May 18, with additional vendor telemetry likely to appear in subsequent quarterly mobile threat reports. (welivesecurity.com) (eset.com)
