# Mamont

Mamont was the most active Android banking trojan family in 2024, accounting for 36.70% of all mobile banking malware attacks detected by Kaspersky. Kaspersky documented the family in December 2024, describing a Russia-exclusive banking trojan distributed as fake parcel-tracking applications. Kaspersky blocked more than 31,000 attacks by the family in October and November 2024 alone. Despite targeting only Russian users, its sheer volume made it the dominant mobile banking threat globally for the year, surpassing established families such as Anatsa, GodFather, and Hook in detection counts.
## Overview

| Attribute | Details |
|---|---|
| First Seen | 2024 |
| Last Seen | Active (ongoing campaigns) |
| Status | Active, high volume |
| Type | Banking trojan, notification interceptor |
| Attribution | Unknown; targets Russia exclusively |
| Aliases | None known |
## Vendor Names

| Vendor | Name |
|---|---|
| Kaspersky | HEUR:Trojan-Banker.AndroidOS.Mamont |
| DrWeb | Android.BankBot.Mamont |
| ESET | Android/Spy.Banker.Mamont |
## Origin and Lineage

Mamont is independently developed, with no known code connection to other banking trojan families. Its focus on the Russian market distinguishes it from the European and global banking trojans that dominate the mobile threat landscape. The family's approach (fake parcel-tracking apps, push notification interception) is technically simpler than that of Western-targeting families like Octo or Hook, but highly effective at scale.
## Distribution

Mamont is distributed exclusively through social engineering, using fake parcel-tracking applications:

| Vector | Details |
|---|---|
| Smishing | SMS messages claiming a parcel is ready for delivery |
| Social media | Telegram channels and forums promoting fake tracking apps |
| Fake websites | Landing pages mimicking Russian postal and delivery services |

The social engineering relies on Russian-language delivery notifications directing users to install a "tracking app" that is in fact the Mamont APK. The lure themes rotate across Russian delivery services and e-commerce platforms.
## Capabilities

| Capability | Description |
|---|---|
| Push notification interception | Intercepts push notifications including banking OTP codes |
| SMS interception | Reads and hides incoming SMS messages |
| SMS sending | Sends SMS from victim's device (for spreading and premium SMS) |
| Contact exfiltration | Uploads contact list to C2 |
| Device info collection | IMEI, phone number, installed banking apps |
| Photo theft | Captures and exfiltrates photos from device storage |
| Overlay attacks | Displays phishing screens over Russian banking apps |
| Self-propagation | Forwards malicious links via SMS to victim's contacts |
## Permissions

| Permission | Purpose |
|---|---|
| BIND_NOTIFICATION_LISTENER_SERVICE | Intercept all push notifications including OTPs |
| READ_SMS | Read incoming SMS messages for credential and OTP theft |
| RECEIVE_SMS | Intercept SMS in real-time before the user sees them |
| SEND_SMS | Send SMS from victim device for spreading and premium fraud |
| READ_CONTACTS | Exfiltrate contact list for targeting and self-propagation |
| READ_EXTERNAL_STORAGE | Access photos and files on device storage |
| READ_PHONE_STATE | Collect device identifiers (IMEI, phone number) |
| INTERNET | Communicate with C2 server |
| RECEIVE_BOOT_COMPLETED | Restart malware service after device reboot |
## Push Notification Interception

Mamont's primary credential theft mechanism targets push notifications rather than traditional overlay attacks. By intercepting push notifications from banking apps, the trojan captures OTP codes, transaction confirmations, and other sensitive data delivered through the Android notification system. This requires the BIND_NOTIFICATION_LISTENER_SERVICE permission (and the user granting the app notification access in system settings).
## Technical Details

### Notification Listener

The malware registers as a notification listener service, gaining access to all push notifications displayed on the device:
- Filters notifications by package name (targeting Russian banking apps)
- Extracts text content including OTP codes
- Forwards notification data to C2 in real-time
- Optionally hides notifications from the user
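Because the listener needs explicit notification access from the user, one quick defender-side check is to list which packages currently hold that access on a device. The script below is an added example, not code from the original page: it parses the value printed by `adb shell settings get secure enabled_notification_listeners` (a colon-separated list of flattened component names) and reports any package not on an analyst allowlist. The sample value, the allowlist and every package name in it are constructed for this example; the parcel-tracker entry is hypothetical.

```python
"""Audit notification-listener grants on an Android device.

Added example (not code from the original page): parses the value that
`adb shell settings get secure enabled_notification_listeners` prints, a
colon-separated list of flattened component names, and reports any
package holding listener access that is not on an analyst allowlist.
The sample value and the package names in it are constructed for this
example; the parcel-tracker entry is hypothetical.
"""

# Constructed sample output. The last entry stands in for a sideloaded
# "tracking app" that talked the user into granting notification access.
SAMPLE_SETTING = (
    "com.android.systemui/.notification.NotificationListener:"
    "com.example.messages/.notification.NotificationListener:"
    "ru.example.parceltracker/.svc.NotifSvc"
)

# Assumption: an analyst populates this from the vendor image and the
# organisation's approved apps; nothing here is a verified real component.
ALLOWLIST = {"com.android.systemui", "com.example.messages"}


def parse_listeners(setting_value):
    """Return (package, class) pairs from a flattened component list.

    Flattened ComponentName strings look like `pkg/cls` or, in the short
    form, `pkg/.Cls` where the class is relative to the package. An unset
    setting prints "null".
    """
    if setting_value in (None, "", "null"):
        return []
    entries = []
    for item in setting_value.split(":"):
        item = item.strip()
        if "/" not in item:
            continue  # skip empty or malformed entries
        pkg, cls = item.split("/", 1)
        if cls.startswith("."):
            cls = pkg + cls
        entries.append((pkg, cls))
    return entries


def find_unexpected_listeners(setting_value, allowlist=ALLOWLIST):
    """Packages with notification access that are not on the allowlist."""
    return sorted({pkg for pkg, _ in parse_listeners(setting_value)
                   if pkg not in allowlist})


if __name__ == "__main__":
    for pkg, cls in parse_listeners(SAMPLE_SETTING):
        status = "ok" if pkg in ALLOWLIST else "REVIEW"
        print(f"{status:6} {pkg}  ({cls})")
    print("needs review:", find_unexpected_listeners(SAMPLE_SETTING))
```

On a real device, pipe the `adb shell settings get secure enabled_notification_listeners` output into `find_unexpected_listeners`; any non-messaging, non-system package in the result (a "delivery tracker" in particular) is worth pulling for analysis.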
### Telegram C2 Communication

Mamont uses the Telegram Bot API as a secondary C2 channel alongside its HTTP infrastructure. Stolen data, including intercepted SMS, notifications, and screenshots, can be forwarded to operator-controlled Telegram channels. This dual-channel approach provides resilience: if the HTTP C2 server is taken down, the Telegram channel continues to receive exfiltrated data. The use of Telegram as C2 is shared with families like Raton and some SpyNote variants.
### HTTP C2

- HTTP-based communication with JSON payloads
- Registration with device fingerprint on first launch
- Polling-based command retrieval
- Exfiltrated data (SMS, notifications, contacts) sent via POST requests
## C2 Infrastructure

| Component | Details |
|---|---|
| Primary protocol | HTTP with JSON payloads |
| Secondary channel | Telegram Bot API |
| Registration | Device fingerprint (IMEI, phone number, installed apps) on first launch |
| Command retrieval | Polling-based at regular intervals |
| Data exfiltration | POST requests for SMS, notifications, contacts; Telegram for real-time alerts |
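The two C2 traits in the HTTP C2 list and the table above (fixed-interval polling to one host, and Bot API POSTs to api.telegram.org from an app that has no business using Telegram) are both visible in per-app egress logs. The following is an added example, not code from the original page, that runs both detections over constructed log lines. The log format, the app names and the hosts are all constructed for this example, and the messaging allowlist is an assumption.

```python
"""Flag C2-like behaviour in per-app network logs.

Added example (not from the original page): two detections over
constructed proxy/egress log lines. (1) POSTs to the Telegram Bot API
(paths under api.telegram.org/bot<token>/) from an app that is not an
approved messaging client. (2) Fixed-interval polling to one host, the
"command retrieval at regular intervals" pattern. The log format, app
names and hosts below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed sample log lines (hypothetical app and host names).
SAMPLE_LOG = """\
2024-11-03T10:00:00Z app=ru.example.parceltracker dst=c2.example.invalid method=GET path=/api/cmd
2024-11-03T10:00:30Z app=com.example.browser dst=news.example.invalid method=GET path=/
2024-11-03T10:01:00Z app=ru.example.parceltracker dst=c2.example.invalid method=GET path=/api/cmd
2024-11-03T10:02:00Z app=ru.example.parceltracker dst=c2.example.invalid method=GET path=/api/cmd
2024-11-03T10:02:10Z app=ru.example.parceltracker dst=api.telegram.org method=POST path=/botREDACTED/sendMessage
2024-11-03T10:03:00Z app=ru.example.parceltracker dst=c2.example.invalid method=GET path=/api/cmd
2024-11-03T10:03:45Z app=com.example.browser dst=news.example.invalid method=GET path=/story
2024-11-03T10:04:00Z app=ru.example.parceltracker dst=c2.example.invalid method=GET path=/api/cmd
2024-11-03T10:09:00Z app=com.example.browser dst=news.example.invalid method=GET path=/
2024-11-03T10:20:00Z app=org.example.messenger dst=api.telegram.org method=POST path=/botREDACTED/getMe
"""

# Assumption: apps that are allowed to talk to the Telegram Bot API.
MESSAGING_ALLOWLIST = {"org.example.messenger"}


def parse_log(text):
    """Turn `<ts> key=value ...` lines into dicts with a UTC `ts` field."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        fields = dict(p.split("=", 1) for p in parts[1:])
        fields["ts"] = ts.replace(tzinfo=timezone.utc)
        events.append(fields)
    return events


def telegram_bot_api_hits(events, allowlist=MESSAGING_ALLOWLIST):
    """Apps calling the Bot API (/bot<token>/...) that are not allowlisted."""
    hits = set()
    for e in events:
        if (e.get("dst") == "api.telegram.org"
                and e.get("path", "").startswith("/bot")
                and e["app"] not in allowlist):
            hits.add(e["app"])
    return sorted(hits)


def regular_beacons(events, min_count=4, max_cv=0.15):
    """(app, dst, mean_gap_seconds) pairs whose request timing is near-constant.

    A coefficient of variation (stdev / mean of the inter-request gaps) at
    or below `max_cv` indicates timer-driven polling rather than user
    activity.
    """
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["app"], e["dst"])].append(e["ts"])
    found = []
    for (app, dst), stamps in by_pair.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        if pstdev(gaps) / avg <= max_cv:
            found.append((app, dst, round(avg, 1)))
    return found


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("Bot API from non-messaging apps:", telegram_bot_api_hits(evs))
    print("regular beacons:", regular_beacons(evs))
```

In the constructed sample the tracker polls its host every 60 seconds while the browser's requests are irregular, so only the tracker is reported; tune `min_count` and `max_cv` against your own baseline before using the beacon check on real traffic.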
## Target Regions

| Region | Details |
|---|---|
| Russia | Exclusive target, all lures in Russian |

Mamont targets major Russian banks and financial apps. The exclusive Russian focus and the use of Russian-language social engineering suggest domestic operators. This pattern differs from most documented banking trojans, which target multiple countries.
## Notable Campaigns

2024: Mamont emerges as the highest-volume mobile banking trojan globally. Kaspersky's 2024 mobile threat report places it at 36.70% of all banking malware detections.

2024, October-November: Kaspersky documents the parcel-tracking distribution, blocking 31,000+ attacks in two months. The analysis identifies push notification interception as the primary theft mechanism.

2025, March: Russian authorities arrest three suspects linked to the Mamont operation. Despite the arrests, new Mamont samples continue to surface, suggesting either that additional operators exist or that the infrastructure remained active.
## Detection

| Indicator Type | Details |
|---|---|
| Notification listener registration | App registering as NotificationListenerService without legitimate reason |
| Targeted package monitoring | Filtering notifications by Russian banking app package names |
| SMS send/receive patterns | Bulk SMS access combined with notification listener is unusual for utility apps |
| Telegram API calls | Network connections to api.telegram.org from a parcel-tracking app |
| Russian-language strings | Hardcoded Russian-language UI strings in APK resources |
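The indicators in the table above can be checked statically once an APK has been decoded (for example with apktool). The script below is an added example, not code from the original page or from any vendor: it reads a decoded `AndroidManifest.xml` plus a list of string constants pulled from the app, reports which indicators are present, and turns them into a triage score. The manifest, the strings, the package names, the indicator weights and the verdict thresholds are all constructed for this example; the bank-package pattern is a placeholder, not a list of real banking apps.

```python
"""Static triage for the Mamont-style indicator combination.

Added example (not from the original page): given a decoded
AndroidManifest.xml and a list of string constants from the APK, report
which detection-table indicators are present and compute a triage score.
All sample data, weights and thresholds below are constructed for this
example; the bank-package regex is a placeholder pattern.
"""
import re
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute prefix
LISTENER_PERM = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
LISTENER_ACTION = "android.service.notification.NotificationListenerService"
CYRILLIC = re.compile(r"[\u0400-\u04FF]")
BANK_PKG = re.compile(r"^ru\.[\w.]*bank[\w.]*$")  # placeholder pattern

# Constructed manifest of a hypothetical "tracking app" (no receiver shown).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="ru.example.parceltracker">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="Tracker">
        <service android:name=".svc.NotifSvc"
            android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
            <intent-filter>
                <action android:name="android.service.notification.NotificationListenerService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""
# Constructed string constants, as if pulled from classes.dex or resources.
SAMPLE_STRINGS = ["https://api.telegram.org/bot", "ru.example.bankapp",
                  "Отследить посылку", "/api/cmd"]
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
    <uses-permission android:name="android.permission.INTERNET"/>
</manifest>
"""
WEIGHTS = {"notification_listener": 3, "sms_read_and_send": 3,
           "telegram_bot_api": 2, "bank_package_refs": 2,
           "contacts": 1, "boot_persistence": 1, "cyrillic_ui_strings": 1}


def permissions(root):
    return {el.get(A + "name") for el in root.iter("uses-permission")}


def has_notification_listener(root):
    """True if any service is bound as a NotificationListenerService."""
    for svc in root.iter("service"):
        if svc.get(A + "permission") == LISTENER_PERM:
            return True
        if any(a.get(A + "name") == LISTENER_ACTION for a in svc.iter("action")):
            return True
    return False


def triage(manifest_xml, strings):
    root = ET.fromstring(manifest_xml)
    perms = permissions(root)
    reads_sms = bool(perms & {"android.permission.READ_SMS",
                              "android.permission.RECEIVE_SMS"})
    hits = {
        "notification_listener": has_notification_listener(root),
        "sms_read_and_send": reads_sms and "android.permission.SEND_SMS" in perms,
        "contacts": "android.permission.READ_CONTACTS" in perms,
        "boot_persistence": "android.permission.RECEIVE_BOOT_COMPLETED" in perms,
        "telegram_bot_api": any("api.telegram.org" in s for s in strings),
        "cyrillic_ui_strings": any(CYRILLIC.search(s) for s in strings),
        "bank_package_refs": any(BANK_PKG.match(s) for s in strings),
    }
    score = sum(w for name, w in WEIGHTS.items() if hits[name])
    verdict = "high" if score >= 8 else "medium" if score >= 4 else "low"
    return {"package": root.get("package"), "indicators": hits,
            "score": score, "verdict": verdict}


if __name__ == "__main__":
    for result in (triage(SAMPLE_MANIFEST, SAMPLE_STRINGS),
                   triage(BENIGN_MANIFEST, [])):
        print(result["package"], result["verdict"], result["score"],
              sorted(k for k, v in result["indicators"].items() if v))
```

The notification listener and the SMS read-plus-send combination carry the most weight because, as the detection table notes, a utility app has no reason to hold both; the Cyrillic and bank-package checks are weak on their own and only matter in combination.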
## Related Families

| Family | Relationship |
|---|---|
| Raton | Both use Telegram bot API as a C2 channel for data exfiltration |
| SpyNote | Some variants similarly leverage Telegram for C2, though SpyNote is a full RAT rather than a banking-focused trojan |
| FakeCalls | Both focus on a single national market with localized social engineering |