Executive Summary

The Zscaler ThreatLabz 2025 Mobile, IoT, and OT Threat Report, published on November 5, 2025, paints a concerning picture of the evolving threat landscape. The report highlights a 67% year-over-year increase in Android malware, underscoring the persistent challenge of keeping malicious applications off official app stores. Researchers discovered 239 distinct malware-laden apps on the Google Play Store that were downloaded a staggering 42 million times. These apps frequently disguised themselves as benign 'Tools' to gain user trust. Furthermore, the report signals a significant pivot by threat actors towards Industrial Control Systems (ICS), with IoT/OT attacks against the energy sector skyrocketing by 387%. This dual trend indicates that attackers are simultaneously scaling consumer-level threats while sharpening their focus on high-value critical infrastructure targets.

Threat Overview

The report identifies two major areas of escalating risk:

1. Mobile Malware Proliferation: Despite efforts by Google to secure its ecosystem, threat actors continue to successfully publish malicious apps on the Play Store. The primary findings include:

• 239 malicious apps identified and removed from the Google Play Store.
• 42 million total downloads of these apps before removal.
• The 'Tools' category was the most abused, with attackers creating fake productivity apps to lure users in hybrid work environments.
• India was the top target for mobile malware attacks.

This demonstrates that social engineering remains a highly effective distribution vector, as users willingly grant permissions to apps they believe are legitimate.

2. Surge in IoT/OT Attacks: The report reveals a dramatic and alarming increase in attacks targeting Operational Technology (OT) and the Internet of Things (IoT), particularly within critical infrastructure sectors.

• Energy Sector: 387% increase in attacks.
• Transportation Sector: 382% increase in attacks.
• Healthcare Sector: 224% increase in attacks.
• Manufacturing remains the most targeted sector overall.
• The United States was the top target for IoT attacks, receiving 54% of all malicious traffic observed.

This trend suggests that threat actors are moving from opportunistic IoT attacks to deliberate targeting of critical national infrastructure, posing a risk of physical disruption and damage.

Technical Analysis

The mobile malware detailed in the report often uses common TTPs:

1. Masquerading (T1447 - Masquerade as Legitimate Application): Attackers create apps with convincing icons, descriptions, and functionalities that mimic legitimate tools, such as file converters, QR code scanners, or system cleaners.
2. Abuse of Permissions: Once installed, the apps request excessive permissions (e.g., access to contacts, SMS, storage) that are not necessary for their stated function. Users often grant these permissions without scrutiny.
3. Payload Delivery: The app may contain the malicious payload directly, or it may act as a dropper, downloading the main payload from a C2 server after installation to evade static analysis during the app store review process.
4. Malicious Activity: The final payload can range from adware and spyware to banking trojans and ransomware.

For OT attacks, threat actors often exploit exposed and unpatched IoT devices, using default credentials or known vulnerabilities to gain a foothold before attempting to pivot into the core OT network.

Impact Assessment

• Widespread Consumer Compromise: The 42 million downloads represent a massive number of individuals whose data, privacy, and finances are put at risk.
• Erosion of Trust in App Stores: The continued presence of malware on official app stores erodes user trust and complicates mobile security for both individuals and enterprises.
• Risk to Critical Infrastructure: The surge in OT attacks increases the risk of real-world consequences, such as power outages, transportation disruptions, and compromised patient care in hospitals.
• Corporate Espionage and Data Theft: Compromised mobile devices used for work can serve as a gateway into corporate networks, leading to enterprise data breaches.

IOCs

Specific names or hashes of the 239 malicious applications were not provided in the source articles.

Cyber Observables for Detection

Detection & Response

1. Mobile Threat Defense (MTD): Deploy an MTD solution on corporate-owned and BYOD mobile devices. MTD can detect malicious apps, risky configurations, and active threats that app store scanning might miss.
2. User Education: Train users to be skeptical of new apps, especially in categories like 'Tools'. Teach them to scrutinize requested permissions and to avoid installing apps from unknown developers or with few reviews.
3. OT Network Monitoring: For industrial environments, deploy specialized OT security monitoring solutions that understand industrial protocols (e.g., Modbus, DNP3) and can baseline normal behavior to detect anomalies indicative of an attack. This is a form of D3-NTA: Network Traffic Analysis.

Mitigation

1. Mobile Application Vetting: Use MDM/UEM platforms to create an enterprise app store containing only vetted, approved applications for business use. Block the installation of apps from unknown sources.
2. Principle of Least Privilege: When installing any new app, users should only grant the absolute minimum permissions required for its core functionality.
3. Network Segmentation for OT: Strictly segment OT networks from IT networks using a DMZ and unidirectional gateways where possible. All traffic between IT and OT must be inspected and controlled. This is a critical D3-NI: Network Isolation strategy.
4. IoT/OT Device Hardening: Change default passwords, disable unnecessary services, and implement a patching program for all IoT and OT devices.