Mobile Advertising Trojans, the former top mobile malware threat from 2016, went into decline in2017. Criminals continue to aggressively infect users, but the techniques they have been using have been modified over the last 12 months.
According to the annual “Mobile Malware Evolution” report, some Trojan families started to use monetization schemes involving paid SMS and WAP-billing services in order to preserve and increase profits.
Malicious programs using super-user rights have been a major mobile threat over the last few years, and possibly one of the most powerful. With root privileges, the Trojans have the capability to secretly install various applications, as well as bombard the infected device with ads to make further use of the smartphone impossible. Along with an almost unlimited number of possibilities, it is also harder to detect and delete such Trojans. However, in 2017 these Trojans faced some challenges.
Based on Kaspersky Lab observations, the overall number of mobile advertising Trojans exploiting super-user rights declined in 2017, in comparison with the previous year. This was triggered by the overall decrease in the number of mobile devices running older versions of Android, which are the main targets of Trojans, primarily because the common vulnerabilities they exploit are usually patched in the newer versions of the system. According to Kaspersky Lab data, the percentage of users with devices running Android 5.0 or older declined from more than 85% in 2016 to 57% in 2017, while the proportion of Android 6.0 (or newer) users more than doubled – 21% in 2016 compared to 50% in 2017 (6% of users updated their devices during 2016, 7% – during 2017). However, this type of Trojan remained the most popular among the top 20 mobile threats of 2017.
In 2017, Kaspersky Lab discovered new modifications of advertising Trojans that weren’t exploiting root access vulnerabilities to show ads, but were instead trying other methods, such as premium SMS services. Two Trojans related to the Ztorg malware family with such functionality were downloaded dozens of thousands of times from Play Store.
At the same time Kaspersky Lab researchers have recorded a comeback in the amount of mobile Trojan clickers that are stealing money from Android users through WAP-billing, a type of direct mobile payment with no additional registration. These Trojans click on pages with paid services, and once a subscription is activated, money from a victim’s account flows directly to the hackers’ accounts. This trend has not been observed for a while, but in 2017 the mobile threat started to spread actively. Some of the discovered WAP-clickers also had modules for crypto-currency mining.
The ransomware epidemics that hit the world last year were also reflected in the mobile threat landscape. Kaspersky Lab discovered 544,107 installation packages for mobile ransomware Trojans, which is twice as high as in 2016 and 17 times more than in 2015. This increasing volume was detected during the first months of the year due to the high activity of the Congur Trojan family (83% of all installation packages in 2017), a blocker that sets or resets the device PIN (passcode) and then demands money for unblocking the device.
Although mobile ransomware capabilities and techniques remained practically the same throughout the year, some ransomware functionality has been discovered among banking Trojan families, such as Svpeng and Faketoken, with the modifications able to encrypt users’ files.
In 2017, Kaspersky Lab mobile security products reported:
- 42.7 million attempted attacks by mobile malware (40m in 2016)
- Over 4.9 million users of Android-based devices protected (1.2 times more than in 2016)
- Iran (57.25%), Bangladesh (42.76%) and Indonesia (41.14%) were the top 3 countries attacked by mobile malware
- 5,730,916 installation packages for mobile Trojans detected (1.5 times less than in 2016)
- 110,184 unique users targeted by mobile ransomware (1.4 times lower than 2016)
- 94,368 mobile banking Trojans detected (1.3 times less than in 2016).
More information can be found in theFinancial Cyberthreats in 2017 report.
“Mobile malware continues to play a significant role in the threat landscape – with more companies than ever using mobile devices to enable employees, criminals see an opportunity to exploit this trend,” says Adam Fisch, Senior Corporate Communications Manager at Kaspersky Lab. “Mobile malware continues to play a significant role in the threat landscape – with more companies than ever using mobile devices to enable employees, criminals see an opportunity to exploit this trend. Mobile threat infections can lead to increased traffic and battery use which, although they may not be noticeable by an individual user, puts added costs and strain onto businesses. For example, malware that turns devices into surreptitious cryptocurrency miners, can lead to rapid battery consumption, increased traffic and even device failure, resulting in added costs for businesses as assets are used and worn out.”
To reduce the risk of infection and to stay protected, users are advised to do the following:
- Pay attention to the apps installed on your device and avoid downloading them from unknown sources
- Always keep your device updated
- Regularly run a system scan to check for possible infections.
Kaspersky Lab also recommends that users install a reliable security solution on their device, such as Kaspersky Internet Security for Android, which aims to protect users’ privacy and personal information from Android mobile threats.
Read more about the evolution of mobile threats in 2017 on Securelist.com