Kaspersky Lab issued its annual “Mobile Malware Evolution” report, which found that mobile advertising Trojans, the top mobile malware threat from 2016, went into decline in 2017. This threat does continue to aggressively spread, however, and in the last year, some Trojan families began to use monetization schemes involving paid SMS and WAP-billing services in order to preserve and increase profits.
Malicious programs taking advantage of super-user rights have become a major mobile threat in recent years. With root privileges, these Trojans can secretly install various applications or bombard an infected device with ads until the smartphone becomes impossible to use. In addition to having almost unlimited access, these Trojans are also extremely difficult to detect and remove.
Based on Kaspersky Lab observations, the overall number of mobile advertising Trojans exploiting super-user rights declined in 2017, in comparison with the previous year. This decline appears to have been triggered by an overall decrease in the number of mobile devices running older versions of Android, which are the main targets of these Trojans, as potentially exploited vulnerabilities are patched in newer versions. According to Kaspersky Lab data, the proportion of users with devices running Android 5.0 or older dropped from more than 85 percent in 2016 to 57 percent in 2017. The proportion of Android 6.0 (or newer) users more than doubled, rising from 21 percent in 2016 to 50 percent in 2017.
In 2017, Kaspersky Lab discovered new modifications of advertising Trojans that were not exploiting root access vulnerabilities to show ads, but were instead leveraging other methods, such as taking advantage of premium SMS services. For example, two Trojans related to the Ztorg malware family with such functionality were downloaded tens of thousands of times from the Google Play Store.
Simultaneously, Kaspersky Lab researchers recorded a rise in the number of mobile Trojan clickers that are stealing money from Android users through WAP-billing, a type of direct mobile payment that does not require registration. These Trojans click on pages with paid services, and once a subscription is activated, money from a victim’s account flows directly to the cybercriminals. Some of the WAP-clickers discovered in 2017 also incorporated modules for cryptocurrency mining.
The ransomware epidemics that hit the world in 2017 were also reflected in the mobile threat landscape. Kaspersky Lab discovered 544,107 installation packages for mobile ransomware Trojans last year, which is twice as many as in 2016 and 17 times more than in 2015. This increasing volume was detected during the first months of the year due to the high activity of the Congur Trojan family (83% of all installation packages in 2017), a blocker that sets or resets a device’s PIN or passcode and then demands money to unlock the device.
Although mobile ransomware capabilities and techniques remained primarily the same throughout the year, some ransomware functionality has been discovered among banking Trojan families, such as Svpeng and Faketoken, with the modifications able to encrypt people’s files.
In 2017, Kaspersky Lab mobile security products reported:
- 7 million attempted attacks by mobile malware (40M in 2016)
- Over 4.9 million users of Android-based devices protected (1.2 times more than in 2016)
- Iran (57.25%), Bangladesh (42.76%) and Indonesia (41.14%) were the top 3 countries attacked by mobile malware
- 5,730,916 installation packages for mobile Trojans detected (1.5 times less than in 2016)
- 110,184 unique users targeted by mobile ransomware (1.4 times lower than 2016)
- 94,368 mobile banking Trojans detected (1.3 times less than in 2016). More information can be found in the Financial Cyberthreats in 2017 report.
“The mobile threat landscape is evolving in direct connection with what is happening in the global mobile market,” said Roman Unuchek, security expert at Kaspersky Lab. “Right now, mobile advertising Trojans that exploit root rights are in decline, but if new versions of Android firmware happened to be vulnerable, new opportunities will be presented and we will see their growth return. The same is true for cryptocurrency – with the increasing activity of miners around the world, we expect to see further modifications of mobile malware with mining modules inside, even though the performance power of mobile devices is not so high.”
To reduce the risk of infection and to stay protected, Kaspersky Lab advises consumers to adhere to the following best practices:
- Pay attention to the apps installed on your device and avoid downloading apps from unknown sources.
- Always keep your device updated.
- Regularly run a system scan to check for possible infections.
Kaspersky Lab also recommends that consumers install a reliable security solution on their devices, such as Kaspersky Internet Security for Android, which aims to protect users’ privacy and personal information from Android mobile threats.