In 2016, the number of malicious installation packages hit more than 8.5 million–three times more than the year before, according to a report on mobile malware evolution from Kaspersky Lab, released on Tuesday. The firm registered nearly 40 million attacks by malicious mobile software over the course of the year as well.

Geographically speaking, the nations with the highest number of attacks were Bangladesh, Iran, Nepal, China, and Indonesia, the report stated.

The No. 1 malware threat of 2016? Trojans, which gained super-user privileges that allowed them to secretly install advertising applications and display ads on the infected device, and even buy apps on Google Play, the report found. And this trend shows no sign of slowing down.

The Trojans attacked Android devices via vulnerabilities that are patched in newer versions–however, most users do not update their phones in a timely manner, leaving them open to danger.

“Cybercriminals are taking advantage of the fact that most devices do not receive OS updates (or receive them late), and are thus vulnerable to old, well-known and readily available exploits,” the report stated.

SEE: Android ransomware up more than 50%, locking users’ devices until they pay

Because this malware installs its modules in the system directory, it makes remedying the situation difficult, the report noted. “Some advertising Trojans are even able to infect the recovery image, making it impossible to solve the problem by restoring to factory settings,” it stated.

Kaspersky Lab also found installations of the modular trojan Backdoor.AndroidOS.Triada, which allowed hackers to alter text messages sent by other apps and steal money from the device owner.

Google Play remains a popular place for cybercriminals to find business: Kaspersky Lab detected about 50 new applications infected by, the new modification of And many of these apps were installed more than 100,000 times.

“Representatives of this class of malicious software have been repeatedly found in the official Google Play app store, for example, masquerading as a guide for Pokemon GO,” the report stated. “This particular app was downloaded over half a million times and was detected as”

Ransomware attacks grew the most over 2016: Trojan-Ransom increased almost 6.5 times, now representing 4% of all malware installation packages. Kaspersky Lab detected 261,214 mobile ransomware Trojans in 2016. “This growth was caused by the active distribution of two families of mobile ransomware – Trojan-Ransom.AndroidOS.Fusob and Trojan-Ransom.AndroidOS.Congur,” according to the report. The criminals behind the Trojan usually demand between $100 to $200 to unlock a device, Kaspersky Lab noted.

Hackers also evolved their use of mobile banking Trojans over 2016, many of which learned how to bypass new Android security measures and continue stealing user information.

“This year, we will continue to closely monitor the development of mobile banking Trojans: the developers of this class of malware are the first to use new technologies and are always looking for ways to bypass security mechanisms implemented in the latest versions of mobile operating systems,” the report noted.

Internet of Things (IoT) devices are also a growing target for cybercriminals, with an “attack-the-router” Trojan Switcher targeting the Wi-Fi network that an infected device is connected to. “If the Trojan manages to guess the password to the router, it changes the DNS settings, implementing a DNS-hijacking attack,” the report stated.

The 3 big takeaways for TechRepublic readers

1. A new report from Kaspersky Lab found that the number of malicious installation packages hit more than 8.5 million in 2016, three times more than 2015.

2. Trojans were the No. 1 malware threat of 2016, due in part to cybercriminals attacking mobile devices that had not been updated.

3. Ransomware attacks and IoT attacks are increasingly common, the report found.