Zscaler Threat Report Highlights Android and IoT Security Risks

Zscaler ThreatLabz 2025 report reveals a rise in mobile and IoT malware in India, with malicious Android apps downloaded over 40 million times.

SMEStreet Edit Desk

Zscaler, Inc., the leader in cloud security, today published the India findings from its Zscaler ThreatLabz 2025 Mobile, IoT, and OT Threat Report, outlining how threat actors are leveraging malware attacks and constantly evolving their tactics. The report uncovered hundreds of malicious apps in the Google Play Store that have been downloaded over 40 million times, targeting users who are searching for productivity and workflow apps. Based on Zscaler's mobile telemetry dataset, the ThreatLabz team identified several emerging mobile threats and new malicious activity, providing valuable insights to help enterprises stay ahead of attackers in a mobile-first world.

Hundreds of malicious apps downloaded over 40 million times

As in the previous year, threat actors again developed and released malicious applications targeting trusted marketplaces and hybrid work environments. The result, which the report gives as a 67% year-over-year increase in Android malware transactions, reflects the continued risks of spyware and banking malware. ThreatLabz researchers identified 239 such applications hosted on the Google Play Store, which were collectively downloaded 42 million times.

A key distribution channel for this malware was the "Tools" category, where malicious applications were disguised as productivity and workflow tools. This tactic capitalizes on users' trust in functionality-driven applications, a trust that is particularly strong in hybrid and remote work settings where mobile devices are integral to professional tasks.

Retail and Hospitality remain top targets for mobile and IoT attacks

ThreatLabz's analysis of India telemetry reveals Retail & Wholesale (38%) and Hospitality, Restaurants and Leisure (31%) as the most frequently targeted verticals, followed by Manufacturing (16%) and Energy, Utilities, Oil & Gas (8%). The concentration in consumer-facing and operations-heavy environments underscores attackers' focus on high-transaction, high-dependency IoT deployments.

Most prevalent IoT malware families in India

Backdoor- and botnet-style malware families dominated detections. IoT.Backdoor.Gen.LZ was the most prevalent with 85% of observed cases, followed by ABRisk.IOTX 0 (8%) and IoT.Exploit.CVE 2020 8195 (1%).

Mobile attacks cluster in India, US and Canada; US is the IoT threat epicenter at 54 percent

Worldwide, mobile threats have surged, with the majority of these attacks concentrated in three key regions: India, accounting for 26% of all mobile attacks, the United States at 15%, and Canada at 14%. India, in particular, experienced a significant 38% increase in mobile attacks compared to the previous year.

The top five countries that receive the most mobile malware traffic are:

  • India (26%)
  • United States (15%)
  • Canada (14%)
  • Mexico (5%)
  • South Africa (4%)

“India’s challenge is stark with breakneck digitization across UPI, super apps, and a sprawling IoT estate, making the country a high-value target,” said Suvabrata (Suva) Sinha, CISO in Residence, Zscaler. “The way forward for security leaders is to operationalize Zero Trust end-to-end, put identity- and device-centric access in front of users, apps, and OT; continuously inspect encrypted traffic to expose phishing and embed mobile threat defense into enterprise policy and extend these controls to branch, OT, and cellular IoT so attackers have nowhere to hide.”

The report also revealed that the US is both a hub for IoT activity (54.1%) and a primary target for malware attacks. The top five countries that receive the most IoT malware traffic are:

  • United States (54%)
  • Hong Kong (15%)
  • Germany (6%)
  • India (5%)
  • China (4%)

“Attackers are pivoting to areas with maximum impact. We’re seeing a YoY rise of 67% in malware targeting mobile devices and 387% in IoT/OT attacks on energy sectors often hosting critical infrastructure, which is a massive swing,” said Deepen Desai, EVP and Chief Security Officer at Zscaler. “A Zero Trust everywhere approach, combined with AI-powered threat detection, is imperative to reduce the attack surface, limit lateral movement, and provide organizations the defense they need against ever-evolving attacks.”
