Zscaler ThreatLabz Reveals 67% Jump in Android Malware and 40% of IoT Attacks Target Critical Industries and Hybrid Work

Rhea-AI Summary

Zscaler (NASDAQ: ZS) published its 2025 Mobile, IoT, and OT Threat Report on Nov 5, 2025, finding a 67% YoY increase in Android malware transactions and 239 malicious Google Play apps downloaded 42 million times.

The report notes a 387% rise in attacks on the energy sector, IoT attacks concentrated in Manufacturing and Transportation (each 20.2%), and the US accounting for 54% of IoT malware traffic. Additional findings: Adware leads mobile cases at 69%, Mirai/Mozi/Gafgyt comprise ~75% of IoT payloads, and new threats include Android Void, Xnotice RAT, and widespread infected TV boxes.

Positive

• Android malware transactions up 67% YoY
• 239 malicious Play Store apps with 42M installs
• Energy sector attacks rose 387% YoY
• Mirai, Mozi, Gafgyt comprise ~75% of IoT payloads

Negative

• Adware accounts for 69% of mobile threat cases
• Manufacturing and Transportation each represent 20.2% of IoT attacks
• US receives 54% of IoT malware traffic
• Android Void infected 1.6M TV boxes

Insights

Cybersecurity Market Analyst

Rising mobile and IoT attacks concentrate risk on critical industries and validate demand for cloud Zero Trust security.

The report documents a 67% year‑over‑year jump in Android malware transactions and a striking 387% increase in attacks on the energy sector, plus 239 malicious Play Store apps with 42 million installs, which together describe a clear mechanism: threat actors exploit popular app categories and widely deployed IoT/OT endpoints to gain high-impact access. These facts show attackers target high-dependency systems and trusted distribution channels, increasing the volume and potential impact of incidents.

Key dependencies and risks include heavy concentration of IoT malware families (Mirai, Mozi, Gafgyt ~75% combined) and geographic clustering of activity (mobile: India 26%, US 15%; IoT: US 54%), which means defensive effectiveness depends on detection coverage across those families and regions and on timely patching or network segmentation in affected verticals. The dataset periods (June 2024–May 2025 for mobile and IoT malware; device fingerprinting Mar–May 2025) support the temporal relevance of the findings.

Watch for three concrete, monitorable signals over the next 3–12 months: wider industry uptake or procurement notices referencing Zero Trust or cloud‑native IoT security, follow‑on telemetry showing whether Mirai/Mozi share of blocked transactions rises or falls, and any reported incidents in the energy, manufacturing, or transportation verticals tied to mobile/IoT compromises. These metrics will indicate whether the threat surge translates into sustained demand for the defensive offerings described.

The Report Reveals 239 Malicious Play Apps with Over 42M User Installs

Key Findings:

• Critical infrastructure in the energy sector experienced a 387% increase in attacks compared to the previous year
• India continues to be the top target for mobile attacks, with 26% of activity
• The US remains the top target for IoT attacks, with 54% of activity
  
  

SAN JOSE, Calif., Nov. 05, 2025 (GLOBE NEWSWIRE) -- Zscaler, Inc. (NASDAQ: ZS), the leader in cloud security, today published the findings of its Zscaler ThreatLabz 2025 Mobile, IoT, and OT Threat Report, outlining how threat actors are leveraging malware attacks and constantly evolving their tactics. The report uncovered hundreds of malicious apps in the Google Play Store that have been downloaded over 40 million times, targeting users that are searching for productivity and workflow apps. Based on Zscaler's mobile telemetry dataset, the ThreatLabz team identified several emerging mobile threats and new malicious activity, providing valuable insights to help enterprises stay ahead of attackers in a mobile-first world.

Hundreds of malicious apps downloaded over 40 million times

Similar to last year, this year we again saw threat actors developing and releasing malicious applications targeting trusted marketplaces and hybrid work environments. The result, which the report reveals is a 67% year-over-year increase in Android malware transactions, reflects the continued risks of spyware and banking malware. ThreatLabz researchers identified 239 such applications hosted on the Google Play Store, which were collectively downloaded 42 million times.

A key distribution channel for this malware was the "Tools" category, disguising malicious applications as productivity and workflow tools. This tactic capitalizes on users' trust in functionality-driven applications–a trust that is particularly strong in hybrid and remote work settings where mobile devices are integral to professional tasks.

Manufacturing remains a top target for mobile and IoT attacks

ThreatLabz's analysis of Android attack volumes reveals that the Manufacturing and Energy sectors remain prime targets for cybercriminals due to the potential for significant returns. Notably, the energy sector experienced a substantial 387% increase in attacks compared to the previous year, highlighting an escalating threat to critical infrastructure and greater exploitation of vulnerabilities within these essential industries.

In the IoT landscape, the Manufacturing and Transportation sectors continue to be the most frequently targeted verticals. This year, each sector accounted for 20.2% of all observed IoT malware attacks, collectively representing over 40% of total incidents. This marks a shift from 2024, when Manufacturing alone represented 36% of total incidents, followed by Transportation at 14%. This suggests that while Manufacturing remains a critical target, threat actors are increasingly diversifying their efforts across other high-dependency IoT industries.

Most prevalent IoT malware

Roughly 40% of blocked transactions are linked to the Mirai family alone, and Mozi has overtaken Gafgyt as the second highest malware family. Together, Mirai, Mozi, and Gafgyt account for roughly 75% of all malicious payloads in IoT environments.

Mobile attacks cluster in India, US and Canada; US is the IoT threat epicenter at 54 percent

Worldwide, mobile threats have surged, with many of these attacks concentrated in three key regions: India, accounting for 26% of all mobile attacks, the United States at 15%, and Canada at 14%. India, in particular, experienced a significant 38% increase in mobile threat attacks compared to the previous year.

The top five countries that receive the most mobile malware traffic are:

• India (26%)
• United States (15%)
• Canada (14%)
• Mexico (5%)
• South Africa (4%)
  
  

The report also revealed that the US is both a hub for IoT activity (54.1%) and a primary target for malware attacks. The top five countries that receive the most IoT malware traffic are:

• United States (54%)
• Hong Kong (15.%)
• Germany (6%)
• India (5%)
• China (4%)
  
  

“Attackers are pivoting to areas with maximum impact. We’re seeing a YoY rise of 67% in malware targeting mobile devices and 387% in IoT/OT attacks on energy sectors often hosting critical infrastructure, which is a massive swing,” said Deepen Desai, EVP and Chief Security Officer at Zscaler. “A Zero Trust everywhere approach, combined with AI-powered threat detection, is imperative to reducing the attack surface, limit lateral movement, and provide organizations the defense they need against ever-evolving attacks.”

Additional highlights and new findings this year

• A new backdoor called Android Void malware has infected 1.6 million Android-based TV boxes, primarily in India and Brazil
• New Remote Access Trojan (RAT), Xnotice, was identified for targeting job seekers in the oil and gas industry, particularly in MENA
• Adware overtook the Joker malware family as the top mobile threat, with a leading 69% of cases, while Joker dropped to 23% of cases, from 38% last year
• Threat actors are abandoning card-focused fraud in favor of mobile payments
  
  

Defending against growing IoT, OT and Mobile threats

Zscaler Zero Trust Branch delivers comprehensive security and operational efficiency for branch offices, remote sites, and distributed networks, designed for environments that rely heavily on mobile, IoT, cellular IoT, and OT technologies. Using a cloud-native and AI-driven Zero Trust architecture, Zscaler aims to ensure all users, devices, and applications are safeguarded with continuous real-time verification and robust policy enforcement, regardless of their location relative to the traditional network perimeter.

Zscaler Cellular offers secure, scalable, and efficient connectivity as a service for IoT and mobile devices that rely on cellular connections. This solution, powered by the Zscaler Zero Trust Exchange™ platform, addresses the growing security challenges posed by billions of IoT devices and mobile endpoints, which traditional security methods often fail to secure effectively. It achieves this by enforcing granular policies, providing centralized visibility, and eliminating attack surfaces for all cellular traffic.

Download your copy

The 2025 Mobile, IoT, and OT Threat Report highlights the critical importance of securing mobile endpoints, IoT devices, and OT systems. Access the full report at https://www.zscaler.com/campaign/threatlabz-mobile-iot-ot-report.

Research Methodology
Mobile
The research methodology for this report includes analysis of mobile transactions and associated cyberthreats based on data collected from the Zscaler cloud between June 2024 and May 2025. The dataset comprises more than 20 million threat-related mobile transactions.

IoT/OT
The team focused their research on understanding the distinct attributes and activity of IoT devices via device fingerprinting (DFP) and analyzing the IoT malware threat landscape.

Device fingerprinting data from March 2025 to May 2025 included:

• A complete inventory of devices, including device types and manufacturers
• The volume and source of IoT device transactions
• The industries and geographies contributing to IoT traffic
  
  

IoT malware threat data from June 2024 to May 2025 included:

• The most active malware families
• The industries and geographies most targeted by IoT attacks
• The top attacked devices
  
  

About Zscaler
Zscaler (NASDAQ: ZS) accelerates digital transformation so customers can be more agile, efficient, resilient, and secure. The Zscaler Zero Trust Exchange™ platform protects thousands of customers from cyberattacks and data loss by securely connecting users, devices, and applications in any location. Distributed across more than 160 data centers globally, the SASE-based Zero Trust Exchange is the world’s largest in-line cloud security platform.

Media Contact
Taylor Dunton, Senior Director, Public Relations, press@zscaler.com

A photo accompanying this announcement is available at https://www.globenewswire.com/NewsRoom/AttachmentNg/a9909238-c36f-4286-a7b6-5916db8e5847

FAQ

What did Zscaler report about Android malware in the 2025 Threat Report (ZS)?

Zscaler reported a 67% year-over-year increase in Android malware transactions and 239 malicious Play Store apps with 42 million installs.

How much did attacks on the energy sector increase in ZS's Nov 5, 2025 report?

The report found a 387% increase in attacks on the energy sector versus the prior year.

Which countries are top targets for mobile and IoT attacks in Zscaler's 2025 report (ZS)?

Mobile: India 26%, US 15%, Canada 14%. IoT: US 54%, Hong Kong 15%.

What IoT malware families dominate according to Zscaler (ZS)?

Mirai, Mozi, and Gafgyt together account for roughly 75% of IoT malicious payloads.

What new threats did Zscaler identify in the 2025 Mobile, IoT, and OT Threat Report (ZS)?

New items include the Android Void backdoor (1.6M TV boxes infected) and the Xnotice RAT targeting oil and gas job seekers.