Mamont
Mamont is an Android banking Trojan family first observed at the end of 2023 and heavily active through 2024, 2025, and Q1 2026. Kaspersky telemetry repeatedly describes it as the dominant mobile banking Trojan family: 36.70% of mobile banker attacks in 2024, 61.85% of detected mobile banking Trojans in Q3 2025, and 73.5% of banking Trojan activity in Q1 2026. Distribution is concentrated in Russia and the CIS. Multiple reports describe campaigns against Android users in Russia, and one analyzed variant was disguised as a dating app aimed at Uzbek-speaking users.
Mamont is delivered almost entirely through social-engineering lures rather than exploits. Reported infection vectors include instant messages asking the victim to identify a person in a photo, fake offers of free household appliances in neighborhood chats, and a late-2024 scheme in which scammers advertised discounted or wholesale goods, moved victims into Telegram chats, and then sent a phishing link to an APK masquerading as a parcel-tracking app. Victims were given a tracking number to enter into the app, and Kaspersky reported more than 31,000 blocked attacks in October and November 2024. A sample from that scheme has MD5 12936056e8895e6a662731c798b27333, and apisys003[.]com was identified as its command-and-control server.
A separate campaign used a fake dating app named Tanishuv, downloaded from hxxps://humouz[.]xyz/Tanishuv.apk. The primary APK (SHA-256 0f12f7110022d27bd8bf46172a469fb78b15d79bd7cffca94cac8101dcb6065e) decrypted and installed a second-stage payload (SHA-256 60720498750e7d36694d1ba4cf10dabe7aa733c423703225f5a9fd3be9ffaa6e). That sample communicated with a C2 at hxxp://84.21.189[.]36:2288, a bare IP and port over plain HTTP, which makes the traffic straightforward to block and to spot in proxy or flow telemetry.
Capabilities described across the reports include requesting permissions for background execution, notifications, SMS, calls, and phone-state access; intercepting push notifications; stealing SMS messages, including messages from the previous three days; sending SMS messages; issuing USSD requests from the primary or secondary SIM; placing calls; collecting device information, installed apps, phone numbers, and SIM and operator details; harvesting bank card data; and exfiltrating one-time codes from SMS or banking notifications. Because both SMS and notification content are captured, SMS-delivered one-time codes offer no protection on an infected device. Mamont receives remote commands over a WebSocket channel as JSON messages with command names such as call, callTwo, sms, smsTwo, oldsms, hide, show, changeIcon, custom, and photo. These let the operators send USSD requests and SMS, hide or change the app icon, prompt the victim for arbitrary input, and collect photos from the device. Reports assess the custom and photo commands as enabling follow-on social-engineering fraud, including impersonation of regulators or law enforcement.
One dissected Mamont sample functioned as a modular multi-stage dropper. It extracted an embedded data.bin file from res/raw/, decrypted it into a second APK, silently installed it, and launched it. The companion malware requested the READ_SMS, SEND_SMS, READ_PHONE_NUMBERS, READ_PHONE_STATE, CALL_PHONE, and POST_NOTIFICATIONS permissions; parsed SMS content for financial terms in Uzbek, Russian, and English (consistent with the Uzbek-language dating-app lure); extracted amounts from banking alerts; and supported SMS-based financial fraud.
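As an added example (not code from the reports, the vendor, or the malware itself), the following Python script triages an apktool-decoded APK for the three dropper traits described above: the SMS/call permission set, an embedded payload under res/raw/ (flagged whether it is a plain APK or an encrypted, high-entropy blob), and base64-encoded C2 URLs hidden in the code. The apktool directory layout, the constructed fixture it builds for a dry run, and the `traits` scoring are assumptions, not something the reports specify.

```python
"""Static triage of an apktool-decoded APK for Mamont-style dropper traits.
Added example; not code from the reports or the malware.

Assumed input layout (apktool's default): AndroidManifest.xml as plain XML,
resources under res/, Dalvik code as smali/ text files.
"""
import base64
import hashlib
import math
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission set the reports attribute to the second-stage Mamont APK.
MAMONT_PERMS = {
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_PHONE_NUMBERS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.CALL_PHONE",
    "android.permission.POST_NOTIFICATIONS",
}
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")
URL_SCHEMES = (b"http://", b"https://", b"ws://", b"wss://")
TEXT_SUFFIXES = {".smali", ".xml", ".json", ".txt"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; close to 8.0 means compressed or encrypted content."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def declared_permissions(manifest: Path) -> set:
    root = ET.parse(manifest).getroot()
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def raw_payloads(root: Path) -> list:
    """Every file under res/raw/, with a ZIP-magic check and an entropy score."""
    raw_dir = root / "res" / "raw"
    if not raw_dir.is_dir():
        return []
    out = []
    for f in sorted(raw_dir.iterdir()):
        data = f.read_bytes()
        out.append({
            "name": f.name,
            "size": len(data),
            "is_zip": data.startswith(b"PK\x03\x04"),   # unencrypted APK inside?
            "entropy": round(shannon_entropy(data), 2),  # high => encrypted/packed
        })
    return out


def hidden_urls(root: Path) -> list:
    """Base64 runs in text files that decode to a URL (the C2-hiding trick)."""
    found = set()
    for f in root.rglob("*"):
        if not f.is_file() or f.suffix not in TEXT_SUFFIXES:
            continue
        for m in B64_RUN.finditer(f.read_bytes()):
            try:
                dec = base64.b64decode(m.group(0), validate=True)
            except ValueError:  # not valid base64 (e.g. smali type descriptors)
                continue
            if dec.startswith(URL_SCHEMES):
                found.add(dec.decode("ascii", "replace"))
    return sorted(found)


def triage(root: Path) -> dict:
    """Score 0-3 for the three traits; scoring thresholds are an assumption."""
    matched = sorted(MAMONT_PERMS & declared_permissions(root / "AndroidManifest.xml"))
    payloads = raw_payloads(root)
    urls = hidden_urls(root)
    traits = sum([
        len(matched) >= 4,
        any(p["is_zip"] or p["entropy"] > 7.0 for p in payloads),
        bool(urls),
    ])
    return {"matched_permissions": matched, "payloads": payloads,
            "c2_candidates": urls, "traits": traits}


def build_fixture(root: Path) -> Path:
    """Constructed stand-in for an apktool output tree (not a real sample)."""
    (root / "res" / "raw").mkdir(parents=True)
    (root / "smali" / "app").mkdir(parents=True)
    perms = "\n".join(f'    <uses-permission android:name="{p}"/>' for p in sorted(MAMONT_PERMS))
    (root / "AndroidManifest.xml").write_text(
        '<?xml version="1.0" encoding="utf-8"?>\n'
        '<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="app.fixture">\n'
        f"{perms}\n</manifest>\n")
    # Deterministic pseudo-random bytes stand in for the encrypted data.bin.
    blob = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
    (root / "res" / "raw" / "data.bin").write_bytes(blob)
    c2 = base64.b64encode(b"http://84.21.189.36:2288").decode()  # C2 from the report
    (root / "smali" / "app" / "Net.smali").write_text(
        ".class public Lapp/Net;\n.super Ljava/lang/Object;\n"
        f'    const-string v0, "{c2}"\n')
    return root


def demo() -> dict:
    with tempfile.TemporaryDirectory() as d:
        return triage(build_fixture(Path(d)))


if __name__ == "__main__":
    print(demo())
```

Run it against a real sample with `apktool d sample.apk -o out/` followed by `triage(Path("out"))`. A plain-APK data.bin (is_zip true) can be dropped straight into the same triage; a high-entropy one means the decryption routine in the first stage has to be located before the second stage can be examined.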
Mamont is tracked under detections such as Trojan-Banker.AndroidOS.Mamont, with variants including Mamont.bc, Mamont.jo, Mamont.jx, and Mamont.jg. The available reporting does not attribute Mamont to a named threat actor, but it consistently associates the family with financially motivated Android campaigns against banking users, especially in Russia and neighboring regions.
Techniques & procedures
19 distinct techniques documented for this family, organized by ATT&CK tactic. Where the underlying reports are quoted, the quote is reproduced as evidence for that tactic.

Initial Access: 2 techniques.

Execution: 3 techniques.
Evidence: "The app's flow is designed to silently install this second APK and immediately launch its MainActivity."

Stealth (Defense Evasion in ATT&CK Mobile): 5 techniques.
Evidence: "the command and control (C2) server, whose address (hxxp://84.21.189[.]36:2288) is stored base64-encoded within the code"
Evidence: "The attackers would then send what appeared to be the photo itself but was actually a malware installer... In reality, this was malware with no parcel-tracking functionality whatsoever."
Evidence: "Once installed, the primary app extracts an embedded file named data.bin from res/raw/ and decrypts it into a second APK."

Credential Access: 3 techniques.
Evidence: "When the app receives that command, the user sees a window with a text box for entering data, which is then sent to the command-and-control server."

Discovery: 3 techniques.
Evidence: "The malware gathers sensitive device information, including installed apps, phone numbers, and operator/SIM details"

Collection: 2 techniques.

Command and Control: 2 techniques.
Evidence: "It then asks the victim to enter the tracking number previously received from the scammers, and sends a POST request containing device information along with the number to the C2 server... The other one sets up a connection with the attackers' WebSocket server."

Exfiltration: 1 technique.
IOCs tracked for this family
9 indicators attributed across vendor reports, sandbox runs, and researcher write-ups, spanning network infrastructure (IPs, domains, DNS), file hashes (MD5, SHA-1, SHA-256), and other indicator types from public reporting. The values quoted in the summary above (apisys003[.]com, 84.21.189[.]36:2288, humouz[.]xyz, and the MD5 and SHA-256 hashes) are among them.
Recent activity
12 sources tracked across advisories, community write-ups, and news. Summaries of recent reporting:
- Dominant Android banking trojan family in the quarter, accounting for most detected mobile banking trojan packages and many of the top banker variants by attacked users.
- Android banking malware delivered via a dropper disguised as a dating app. It installs a secondary APK that steals SMS messages, extracts banking-related data, gathers device and SIM information, communicates with a C2 server, and can send SMS messages and place calls for fraud and account takeover.
- Extensive Android banking trojan family that intercepts SMS one-time codes and steals payment card and banking data and other sensitive information; heavily modified and iterated by operators.
- Mamont is a mobile banking trojan prevalent in Q2 2025, distributed via Google Play by masquerading as legitimate apps and used to steal banking credentials.