
Industry Attacks Surge, Mobile Malware Spreads: The ThreatLabz 2025 Mobile, IoT & OT Report

Mobile devices, IoT sensors, and OT systems are no longer distinct domains; they are the interconnected backbone of modern business and infrastructure. From the factory floor and hospital ward to the global supply chain, this convergence powers innovation and efficiency. However, it has also created a sprawling, interdependent attack surface that threat actors are exploiting with increasing speed and sophistication.

To help organizations navigate this evolving landscape, Zscaler ThreatLabz has published the 2025 Mobile, IoT, and OT Threat Report. Our research analyzes billions of blocked attacks within the Zscaler Zero Trust Exchange to reveal how attackers are targeting vulnerabilities across mobile devices, IoT environments, and the expanding ecosystem of cellular-connected IoT.

The findings are clear: as connectivity grows, so does the risk.


Key Findings from the 2025 ThreatLabz Report

This year’s research identifies a significant increase in threats across the board, with attackers focusing on critical industries and leveraging trusted platforms to deliver malware.

  • Android malware transactions increased by 67% year-over-year, fueled by sophisticated spyware and banking trojans.
  • Attacks targeting the Energy sector increased by 387%, Transportation by 382%, and Healthcare by 224%, underscoring the growing risk to critical industries.
  • ThreatLabz identified 239 malicious applications on the Google Play Store that were downloaded a collective 42 million times, showing how attackers can bypass official marketplace protections.
  • IoT botnets remain a dominant force, with the Mirai, Mozi, and Gafgyt malware families accounting for 75% of all malicious IoT payloads.

Routers continue to be the primary target for IoT attacks, making up over 75% of all observed incidents as attackers exploit them as entry points for botnet expansion and lateral movement.


Increased Focus on Critical Industries

While Manufacturing remains the top target for IoT malware, our report shows a significant increase in attacks against other essential sectors. Threat actors are following the path of digital transformation, targeting industries where disruption has the most significant impact.

The notable growth in attacks on the Energy, Healthcare, Transportation, and Government sectors highlights a strategic shift. Attackers recognize the high-stakes environment in these verticals, where the potential for operational disruption, theft of sensitive data, and reputational damage is significant. The interconnectedness of these industries, coupled with their vital role in society, makes them prime targets for sophisticated campaigns.


The Blurring Lines of Attack

Our research shows that attackers no longer differentiate between device types; they see a single, connected ecosystem to exploit.

  • Mobile as a Key Entry Point: With the rise of hybrid work and BYOD policies, mobile devices are a primary entry point. Attackers use advanced phishing (mishing), banking trojans, and spyware to compromise endpoints and gain access to corporate resources.
  • Automated Attacks via IoT Botnets: Threat actors continue to exploit unpatched or misconfigured IoT devices, especially public-facing routers. Once compromised, these devices are recruited into powerful botnets like Mirai to launch DDoS attacks, propagate malware, and move laterally across networks.
  • The Cellular Shadow Surface: The rapid adoption of cellular-connected IoT devices in logistics, manufacturing, and smart infrastructure creates new blind spots. Without granular visibility and SIM-level security, organizations are exposed to data exfiltration, device misuse, and potential perimeter breaches.

One of the most prominent examples of this converged threat is the evolution of mobile banking malware.


Banking Malware: The Digital Wallet is a Prime Target

The convenience of mobile banking has transformed how we manage our finances, but this has not gone unnoticed by threat actors. Modern Android banking malware has evolved from simple credential stealers into multi-functional Trojans designed to bypass security controls and steal funds.

Threat actors deploy sophisticated banking trojans like Anatsa, Ermac, and TrickMo, which often masquerade as legitimate utilities or productivity apps on both official and third-party app stores. Once installed, they use highly deceptive techniques to capture usernames, passwords, and even the two-factor authentication (2FA) codes needed to authorize transactions. Our research shows the rise in mobile malware is driven largely by the profitability and effectiveness of these banking trojans.

Key Features of Modern Android Banking Malware:

  • Overlay Attacks: The malware detects when a user opens a legitimate banking app and places a fake, pixel-perfect login window over it to steal credentials.
  • SMS Interception & Redirection: To defeat 2FA, Trojans like Ermac gain permission to read and hide incoming SMS messages, allowing them to capture one-time passwords (OTPs).
  • Abuse of Accessibility Services: The Anatsa trojan is known for its abuse of Accessibility Services permissions to perform on-device fraud, simulating user taps to navigate banking apps and approve transactions autonomously.
  • Keylogging and Screen Recording: Many variants log keystrokes or record the screen's content to ensure they capture sensitive credentials, even if other methods fail.
  • Remote Access Trojan (RAT) Capabilities: Advanced malware, including variants of TrickMo, doubles as a full-featured RAT, giving an attacker direct remote control over a device.
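The overlay, SMS-interception, and Accessibility-abuse techniques above all leave a footprint in an app's manifest. The following script is an added example (not code from the report or from Zscaler) that triages an AndroidManifest.xml for that permission combination; the technique-to-permission mapping and the sample manifest for a fictitious "PDF Viewer" app are this example's own constructions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Manifest-level indicators for the techniques listed above.
# This mapping is the example's own heuristic, not a list from the report.
TECHNIQUE_PERMISSIONS = {
    "overlay_attack": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "sms_interception": {"android.permission.RECEIVE_SMS",
                         "android.permission.READ_SMS"},
}
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def triage_manifest(manifest_xml: str) -> dict:
    """Return the package name, the techniques its manifest enables, and a
    simple technique count so a reviewer can rank a batch of APKs."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(ANDROID_NS + "name")
                 for el in root.iter("uses-permission")}
    found = set()
    for technique, perms in TECHNIQUE_PERMISSIONS.items():
        if requested & perms:
            found.add(technique)
    # Accessibility abuse shows up as a <service> protected by the bind
    # permission, not as a <uses-permission> entry.
    for svc in root.iter("service"):
        if svc.get(ANDROID_NS + "permission") == ACCESSIBILITY_BIND:
            found.add("accessibility_abuse")
            break
    return {"package": root.get("package"),
            "techniques": sorted(found),
            "score": len(found)}


# Constructed sample: a manifest for a supposed utility app that declares
# the full overlay + SMS + accessibility combination.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.pdfviewer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="PDF Viewer">
    <service android:name=".HelperService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

A document viewer that needs overlay, SMS, and Accessibility access together is the pattern the report's banking trojans rely on, so a score of 3 on a "utility" app is what should send it to manual review.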


Securing the Future with a Zero Trust Approach

The convergence of Mobile, IoT, and OT threats renders traditional, perimeter-based security models ineffective. Defending this complex landscape requires a unified strategy built on the principles of zero trust.

This approach must extend to the cellular shadow surface. With Zscaler for Cellular IoT, organizations can apply the power of the Zero Trust Exchange directly to SIM-enabled devices, replacing vulnerable public-facing IPs with a direct, secure path to the Zscaler cloud. This enables organizations to enforce granular policies at the SIM level, inspect all IoT traffic for threats, and prevent lateral movement.

Simultaneously, organizations must secure the thousands of IoT and OT devices operating within their physical locations. On flat networks inside branches, factories, and warehouses, a single compromised sensor or controller can become a gateway for an attacker to move laterally and disrupt operations. By deploying Zscaler for Branch and Factory, all traffic from these sites—including from headless IoT/OT devices—is routed through the Zscaler cloud for full inspection and policy enforcement. This isolates locations from the corporate WAN and from each other, preventing a breach in one site from spreading across the business.

Ultimately, organizations must move toward a security architecture that eliminates the attack surface, prevents lateral threat movement, and stops data loss. This involves implementing granular segmentation to isolate critical systems, applying AI-driven threat detection to identify anomalies, and enforcing consistent security policies across every device, user, and application—regardless of how or where they connect.


Download the Full Report

The findings in this blog are just the beginning. The Zscaler ThreatLabz 2025 Mobile, IoT, and OT Threat Report provides deep-dive analysis, case studies, and actionable recommendations to help you secure your connected ecosystem.

Download the full report today to explore:

  • Detailed breakdowns of the top malware families and attack techniques.
  • In-depth analysis of the most targeted industries and geographies.
  • Best practices for implementing a zero trust architecture for Mobile, IoT, and OT.
  • Our 2026 predictions for the evolving threat landscape.