India emerges as global hotspot for mobile malware as IoT threats intensify: Zscaler ThreatLabz 2025 report

Zscaler has released the India findings from its ThreatLabz 2025 Mobile, IoT, and OT Threat Report, highlighting a sharp escalation in mobile malware activity and growing risks across IoT and operational technology (OT) environments. The report positions India as the world’s most targeted country for mobile malware, accounting for over a quarter of all observed attacks globally.

Based on Zscaler’s mobile telemetry dataset, the ThreatLabz research team identified hundreds of malicious applications hosted on trusted app marketplaces, along with a significant rise in malware targeting enterprise mobile, IoT, and OT environments. The findings reflect how attackers are adapting tactics to exploit mobile-first work patterns, digital payments, and expanding IoT footprints.

Malicious apps on trusted platforms see massive adoption

The report identified 239 malicious applications on the Google Play Store, collectively downloaded 42 million times, largely masquerading as productivity and workflow tools. Zscaler also reported a 67% year-over-year increase in Android malware transactions, driven primarily by spyware and banking malware.

Researchers noted that the “Tools” category was a dominant distribution channel, with attackers exploiting user trust in functional apps—particularly in hybrid and remote work environments where mobile devices are central to daily operations.

Retail and hospitality sectors face the highest exposure

Analysis of India-specific telemetry showed that Retail & Wholesale (38%) and Hospitality, Restaurants and Leisure (31%) were the most frequently targeted verticals for mobile and IoT attacks. These were followed by Manufacturing (16%) and Energy, Utilities, Oil & Gas (8%).

Zscaler said the concentration of attacks in consumer-facing and operations-heavy sectors reflects adversaries’ focus on environments with high transaction volumes and heavy reliance on IoT deployments.

Backdoor and botnet malware dominate IoT threats

On the IoT front, the report found that backdoor- and botnet-style malware families accounted for the majority of detections in India. IoT.Backdoor.Gen.LZ was the most prevalent, representing 85% of observed cases, followed by ABRisk.IOTX 0 (8%) and IoT.Exploit.CVE-2020-8195 (1%).

India leads global mobile malware activity

Globally, mobile threats were concentrated in a small number of regions. India accounted for 26% of all mobile malware attacks worldwide, followed by the United States (15%) and Canada (14%). India also recorded a 38% year-over-year increase in mobile threat activity.

The top five countries receiving mobile malware traffic were:

  • India (26%)

  • United States (15%)

  • Canada (14%)

  • Mexico (5%)

  • South Africa (4%)

“India’s challenge is stark with breakneck digitisation across UPI, super apps, and a sprawling IoT estate, making the country a high-value target,” said Suvabrata (Suva) Sinha, CISO in Residence, Zscaler. “The way forward for security leaders is to operationalise Zero Trust end-to-end, put identity- and device-centric access in front of users, apps, and OT; continuously inspect encrypted traffic to expose phishing and embed mobile threat defense into enterprise policy and extend these controls to branch, OT, and cellular IoT so attackers have nowhere to hide.”

United States remains the epicentre of IoT malware traffic

While India led mobile malware activity, the United States emerged as the largest hub and target for IoT malware, accounting for 54% of global IoT malware traffic. Other countries included Hong Kong (15%), Germany (6%), India (5%), and China (4%).

“Attackers are pivoting to areas with maximum impact. We’re seeing a YoY rise of 67% in malware targeting mobile devices and 387% in IoT/OT attacks on energy sectors often hosting critical infrastructure, which is a massive swing,” said Deepen Desai, EVP and Chief Security Officer at Zscaler. “A Zero Trust everywhere approach, combined with AI-powered threat detection, is imperative to reduce the attack surface, limit lateral movement, and provide organisations the defense they need against ever-evolving attacks.”

Emerging threats and evolving attack patterns

The report also highlighted several new and evolving threat vectors observed during the year. These included Android Void malware, which infected 1.6 million Android-based TV boxes, primarily in India and Brazil, and a new Remote Access Trojan, Xnotice, targeting job seekers in the oil and gas sector.

ThreatLabz researchers also noted a shift in attacker economics. Adware overtook the Joker malware family as the most prevalent mobile threat, accounting for 69% of cases, while Joker declined sharply. At the same time, attackers were observed moving away from card-based fraud toward mobile payment exploitation.

Security implications for enterprises

The findings underscore how mobile devices, IoT systems, and OT environments are increasingly interconnected—and exposed. As enterprises expand digital services and connected infrastructure, Zscaler’s report suggests that traditional perimeter-based security models are struggling to keep pace with the scale and speed of modern attacks.

The report concludes that organisations operating in mobile-first and IoT-heavy environments must prioritise continuous visibility, identity- and device-centric controls, and real-time inspection of encrypted traffic to reduce exposure across distributed digital ecosystems.
