Hundreds of Malicious Apps in Google Play Store Downloaded over 40 Million Times

The Google Play Store contains hundreds of malicious apps that have been downloaded over 40 million times, targeting users who are searching for productivity and workflow apps. This is the finding of the Zscaler ThreatLabz 2025 Mobile, IoT, and OT Threat Report.

Based on Zscaler’s mobile telemetry dataset, the ThreatLabz team identified several emerging mobile threats and new malicious activity, providing valuable insights to help enterprises stay ahead of attackers in a mobile-first world.

Android-based malware transactions increased 67% year-over-year. Researchers found 239 malicious apps hosted in the Google Play Store, which were collectively downloaded 42 million times. Many of these apps fall into the “Tools” category, disguising malicious applications as productivity and workflow tools. This tactic capitalizes on users’ trust in functionality-driven applications, a trust that is particularly strong in hybrid and remote work settings where mobile devices are integral to professional tasks.

Manufacturing and Energy Sectors Main Targets
ThreatLabz’s analysis of Android attack volumes reveals that the manufacturing and energy sectors remain prime targets for cybercriminals due to the potential for significant returns. The energy sector experienced a 387% increase in attacks compared to the previous year, highlighting an escalating threat to critical infrastructure.

In the IoT landscape, the manufacturing and transportation sectors continue to be the most frequently targeted verticals. This year, each sector accounted for 20.2% of all observed IoT malware attacks, collectively representing over 40% of total incidents. This marks a shift from 2024, when manufacturing alone represented 36% of total incidents, followed by transportation at 14%. This suggests that threat actors are increasingly diversifying their efforts across other high-dependency IoT industries.

Mirai, Mozi and Gafgyt Most Prevalent IoT Malware
Approximately 40% of blocked IoT transactions are linked to the Mirai family alone. Mozi has overtaken Gafgyt as the second-largest malware family. Together, these three are responsible for 75% of all malicious payloads in IoT environments.

Worldwide, mobile threats have surged, with the majority of these attacks concentrated in three key regions: India, accounting for 26% of all mobile attacks, the United States at 15%, and Canada at 14%. India, in particular, experienced a significant 38% increase in mobile threat attacks compared to the previous year.

For IoT threats, the United States is the top country at 54%, followed by Hong Kong (15%), Germany (6%), India (5%), and China (4%).

The report also notes the rise of a new backdoor called Android Void malware that has infected 1.6 million Android TV boxes, primarily in India and Brazil.

In addition, the Remote Access Trojan (RAT) Xnotice is targeting job seekers in the oil and gas industry, particularly in the Middle East and North Africa (MENA). Adware is now the top mobile threat, accounting for 69% of cases, followed by the Joker malware (23%). Threat actors are shifting their focus from payment card fraud to mobile payments.

“Attackers are pivoting to areas with maximum impact. We’re seeing a YoY rise of 67% in malware targeting mobile devices and 387% in IoT/OT attacks on energy sectors often hosting critical infrastructure, which is a massive swing,” said Deepen Desai, EVP and Chief Security Officer at Zscaler. “A Zero Trust everywhere approach, combined with AI-powered threat detection, is imperative to reducing the attack surface, limiting lateral movement, and providing organizations the defense they need against ever-evolving attacks.”
