background image blur
background image
  • Blog
    >
  • News
    >
  • When Governments Block App Stores, People Download Malware Instead

When Governments Block App Stores, People Download Malware Instead

Image of author
By Tech Writer and VPN Researcher Gintarė Mažonaitė
clock icon
Last updated: 1 July, 2026
An image of a phone that has a malware warning on it

Key Takeaways

  • Mobile malware infections in Russia jumped 70% in the first half of 2026 compared to the same period last year, driven largely by users downloading apps from unofficial sources.
  • Because many apps are unavailable in official stores due to sanctions and Russian government restrictions, installing APK files from third-party links has become routine behavior for Russian users.
  • The Android banking trojan Mamont, which steals SMS data, payment information, and personal data, has grown to account for 15% of all detected infections, up from 10–12% last year.
  • Cybercriminals are exploiting this new normal by disguising trojans as familiar apps, bank updates, and AI tools, targeting people who have no safe alternative for getting the software they need.

Mobile malware infections in Russia surged 70% in the first half of 2026 compared to the same period a year ago, according to Meduza, as first reported by Russian business daily Kommersant. The primary cause, cybersecurity experts say, isn’t a sudden wave of careless users; it's a predictable consequence of restricting access to official app stores.

Because apps are unavailable through legitimate channels, installing APK files from third-party sources, like links shared in messaging apps, search engine results, and unofficial websites, has become routine for millions of Russian Android users. Anton Basharin, managing director of AppSec Solutions, said that criminals are exploiting exactly this, creating fake "banks" or "app updates" to distribute malware. Growing interest in AI services has added another angle: Trojans are now being distributed disguised as AI tools.

The standout threat is the Android banking trojan Mamont. Active since 2023, it has grown from accounting for 10–12% of all detected infections last year to 15% this year. Once installed, it gains access to SMS notifications, payment data, and personal information. Approximately 1.5M Android devices in Russia are estimated to have been compromised by it.

I want to be clear about what this actually means for an ordinary person. You need apps; maybe your bank's app, a messaging tool, something your employer requires. It's not available in the Play Store. So you find a download link somewhere. It looks fine. It installs okay. And quietly, in the background, something that isn't what you downloaded starts reading your SMS messages and harvesting your payment data. That's not a hypothetical edge case. That's the situation: 1.5M people are already in.

The Cost of Censorship

The Russian government's approach to internet control is designed, at least in its stated framing, to protect Russian citizens and preserve national security. What it has actually produced, in this case, is a digital environment where the safest, most secure way to get software – a vetted app from an official store – has been made unavailable, and the most dangerous alternative has become the default.

That’s the cost of internet censorship that rarely makes the headlines. The discussion tends to center on what people can't say or see, on political speech and blocked news sites. But censorship has a technical surface, too. When governments restrict which services can operate, which platforms can distribute software, and which tools people can access, they don't eliminate the need for those tools. They just eliminate the safe version of getting them. The risk gets pushed down onto individual users who have no good option left.

I don't think this is unique to Russia. Any government that decides it can manage its citizens' internet access through restriction and blockage is implicitly accepting this trade-off: that the people most harmed by the resulting vulnerability won't be the political dissidents or the bad actors the policy was supposedly aimed at. They'll be ordinary people who just needed an app and clicked the wrong link because there was no right link to click.

The Pattern Extends Beyond App Stores

It's worth noting that Mamont has been spreading since 2023, and the conditions enabling it have only deepened since then. The fact that cybercriminals are now layering AI service impersonation on top of banking trojan distribution shows how quickly threat actors adapt to whatever gap government policy opens up. Restrict official app access, and criminals build fake app update flows. Create demand for AI tools, and criminals build fake AI tools that are actually trojans. The attack surface expands in direct proportion to the restrictions placed on legitimate access.

A free and open internet – one where people can access vetted software through secure, official channels – isn’t just a political ideal. It's a practical safety infrastructure. When that infrastructure is dismantled in the name of control, the people left most exposed are the ones with the least ability to protect themselves. That's not a side effect of internet censorship. It's one of its most reliable outcomes.


Share on
Facebook share Twitter share Reddit share Linkedin share

Be part of the resistance, quietly.

Get Mysterium VPN Arrow icon
awareness campaign banner img
Image of author
Gintarė Mažonaitė
Tech Writer and VPN Researcher

Gintarė is a cybersecurity writer at Mysterium VPN, where she explores online privacy, VPN technology, and the latest digital threats. With hands-on experience researching and writing about data protection and digital freedom, Gintarė makes complex security topics accessible and actionable.

Read more by this author
© Copyright 2026 UAB "MN Intelligence"