Mobile malware evolution 2018 | Securelist

Statistical data in this report comes from all Kaspersky Lab mobile security solutions, not just Kaspersky Mobile Antivirus for Android. Consequently, the comparative data for 2017 may differ from the data for the same period published in the previous report. The analytic scope was expanded because of the growing popularity and geographic reach of various Kaspersky Lab products, which allowed statistically reliable data to be obtained. In general, the more products we use to compile the statistics, the more accurate the picture of the mobile threat landscape that emerges.

Numbers of the year

In 2018, Kaspersky Lab products and technologies detected:

  • 5,321,142 malicious installation packages
  • 151,359 new mobile banking Trojans
  • 60,176 new mobile ransomware Trojans

Trends of the year

Mobile device users in 2018 faced what could be the strongest cyberattack ever seen. Throughout the year, we saw new mobile device infection techniques (e.g. DNS hijacking) and an increase in the use of proven distribution schemes (e.g. SMS spam). Virus writers focused on:

  • Droppers (Trojan-Dropper), designed to evade detection
  • Attacks on bank accounts via mobile devices
  • Applications that cybercriminals can use to cause damage (RiskTool)
  • Adware applications

In 2018, we discovered three mobile APT campaigns primarily aimed at spying on victims, including reading social media messages. Along with these campaigns, this report addresses all of the major events in the world of mobile threats that occurred during the year.

The rise of the droppers

In the last three years, Trojan droppers have become the weapon of choice for cybercriminals specializing in mobile malware. The methods for assembling these matryoshka-like programs were simplified, allowing them to be easily created, used, and sold by various groups. A dropper creator may have multiple clients involved in the development of ransomware Trojans, banking Trojans, and apps that display persistent ads. Droppers are used as a means to hide the original malicious code, which simultaneously:

  • Counteracts detection. The dropper works particularly well against detection based on file hashes, as it generates a new hash each time, while the inner malware doesn’t change a single byte.
  • Allows any number of unique files to be created. Virus writers need this, for example, when using their platform with a fake app store.
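How a dropper defeats a package-hash blocklist while the inner payload stays byte-identical, as an added example that is not part of the original report: it builds several constructed ZIP containers (standing in for APKs) around the same payload bytes and compares a blocklist keyed on the outer file hash with one keyed on the unpacked payload hash. The payload bytes, the entry name `assets/inner.bin` and the filler resource are all constructed for the demonstration.

```python
import hashlib
import io
import zipfile

# Constructed stand-in for the unchanged inner payload that a dropper wraps.
# It is plain text, not real malware; only its bytes matter here.
PAYLOAD = b"constructed inner payload: identical across every dropper build\n"
PAYLOAD_ENTRY = "assets/inner.bin"  # assumed entry name inside the container


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_dropper(payload: bytes, build_id: int) -> bytes:
    """Emulate a dropper factory: same inner payload, fresh outer container.

    Each build adds a differently named filler resource, so the package bytes
    (and thus the package hash) differ, while the payload entry is unchanged.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        filler = f"build-{build_id}".encode() * 8
        zf.writestr(f"res/raw/filler_{build_id}.bin", filler)
        zf.writestr(PAYLOAD_ENTRY, payload)
    return buf.getvalue()


def inner_payload_hash(package: bytes) -> str:
    """Hash the embedded payload rather than the whole package."""
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        return sha256(zf.read(PAYLOAD_ENTRY))


def count_hits(packages, outer_blocklist, inner_blocklist):
    """Return (hits by outer-hash blocklist, hits by inner-payload blocklist)."""
    outer_hits = sum(sha256(p) in outer_blocklist for p in packages)
    inner_hits = sum(inner_payload_hash(p) in inner_blocklist for p in packages)
    return outer_hits, inner_hits


def demo(n_builds: int = 5):
    """Seed both blocklists from the first build seen, then scan every build."""
    packages = [build_dropper(PAYLOAD, i) for i in range(n_builds)]
    outer_blocklist = {sha256(packages[0])}
    inner_blocklist = {inner_payload_hash(packages[0])}
    return count_hits(packages, outer_blocklist, inner_blocklist)


if __name__ == "__main__":
    print(demo())  # (1, 5): outer hash catches one build, inner hash catches all
```

The same idea is why unpacking-based and behavioural detections outlast per-sample hashes against dropper families: the indicator worth keeping is the payload, not the wrapper.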

Although mobile droppers are nothing new, in the first quarter of 2018 we saw a sharp increase in the number of users attacked by malware packages. The largest contribution was made by members of the Trojan-Dropper.AndroidOS.Piom family. Growth continued in the second quarter and beyond, but much more smoothly. There is no doubt that established groups that have not yet adopted droppers will soon create their own or buy ready-made ones. This trend will affect the statistical map of detected threats: we will see fewer unique mobile malware families, replaced by droppers of various types.

Banking Trojans ride the wave

Last year’s statistics on the number of attacks related to mobile banking Trojans were striking. At the beginning of 2018, it seemed that these types of threats had stabilized both in the number of unique samples discovered and in the number of users attacked. However, already in the second quarter the situation had radically changed for the worse. New records were set in terms of the number of mobile banking Trojans detected and the number of users attacked. The root cause of this surge is unclear, but the main culprits are the creators of the Asacub and Hqwar Trojans. The first one has quite a long history: according to our data, the group behind it has been working for more than three years. Asacub evolved from an SMS Trojan that was armed from the start with anti-removal tools and the ability to intercept incoming calls and SMS messages. Subsequently, the creators of the malware strengthened its logic and began mass distribution using the same attack vector as before: social engineering via SMS. Online forums where people often expect messages from unknown users became a source of mobile numbers. Then a snowball distribution method kicked in, and the infected devices themselves became distributors: Asacub was sent to everyone in the victim’s phone book.

However, the banking Trojans of 2018 were remarkable not only in terms of scale, but also in terms of mechanics. One aspect of this is the increasingly common use of accessibility services in banking threats. This is partly a response to new versions of Android making it more and more difficult to overlay phishing windows on banking apps, and partly because using accessibility services allows the Trojan to lodge itself on the device so that users cannot remove it by themselves. Furthermore, cybercriminals can use accessibility services to hijack a perfectly legitimate app and force it, for example, to launch a banking app and make a money transfer right there on the victim’s device. Techniques to counter dynamic analysis have also appeared; for example, the Rotexy Trojan checks whether it is running in a sandbox. This is not exactly new, as we have observed such behavior before. That said, combined with obfuscation, anti-dynamic-analysis techniques can be effective if virus writers manage to smuggle their Trojan into a popular app store, in which case both static and dynamic analysis may prove powerless. Although sandbox detection cannot be said to be common practice among cybercriminals, the trend is clear and we are inclined to believe that such techniques will become very sophisticated in the near future.

Adware and potentially dangerous software

Throughout 2018, these two mobile app classes were in the top 3 for the number of installation packages detected. The reasons for this are many, but the main one is the fact that adware and attacks on advertisers are a relatively safe method of enrichment for cybercriminals. Attacks of this type do not cause harm to mobile device owners, except for some rare cases of devices overheating and burning out due to the activity of an adware application deployed on them with root access. The damage is done to advertisers, who pay for clicks on their banners by bots: the infected mobile devices. Sure, there are adware apps that make it nearly impossible to use an infected device. For example, the victim might have to click on a dozen banners before they can send an SMS. The problem is compounded by the fact that in the initial stages the user does not know which application installation (a flashlight or a favorite game, for example) caused such dire consequences, since the ads are displayed at random times and independently of the interface of the app that carries the adware. And it only takes one such app to be installed and launched for dozens of other similar ones to appear, turning the device into an adware zombie. In the worst case, this new wave will have a module with an exploit that allows it to write itself to the system directory or to the factory reset script. After that, the only way to restore the device to working order is to find the original factory version of the firmware and load it onto the device via USB.

On a side note, a click on a banner costs less than a peanut, which is the key reason for the endless stream of unique adware applications: the more cybercriminals create and distribute, the more money they make. Finally, adware modules are often written without regard to the sensitivity of the transmitted data, which means that requests to the advertiser’s infrastructure can be sent as unencrypted HTTP traffic and contain any amount of information about the victim, including geolocation.

A slightly different situation is seen with RiskTool software, which had the largest share of all mobile threats detected in 2018. In-app purchases have long been a feature around the world: the device is linked to an account, which is linked to a bank card. All processes are transparent to the user and purchases can be canceled. RiskTool-type apps also offer users an option to buy access to new levels in a game or a picture of a pretty girl, for example, but the payment is not transparent to the user. The application itself sends an SMS to a special number without the user’s participation and receives a confirmation message, to which the RiskTool reacts; the application thus knows that the payment succeeded and displays the purchased content. But whether the promised content is actually delivered is at the discretion of the application’s creators.

As a result, there are a lot of RiskTool programs out there that are used to sell any kind of content but don’t require any significant development effort; in terms of technical implementation, sending a single SMS is feasible for any novice programmer.

There is currently no reason to believe that the flood of adware and RiskTool-class applications will subside, and 2019 will likely see a similar picture.

Sharp rise in mobile miners

In 2018, we saw mobile Trojan miner attacks increase fivefold. This growth can be attributed to several factors:

  • mobile devices are equipped with increasingly powerful graphics processors, making them a more efficient tool for mining cryptocurrencies
  • mobile devices are relatively easy to infect
  • mobile devices are ubiquitous

Although miners are not the most notorious type of mobile malware, the load they generate can be easily noticed by the owner of the device. And as soon as the owner suspects malicious activity, they will take steps to get rid of the infection. Therefore, to compensate for the victims who leave, cybercriminals are deploying new large-scale campaigns and improving the anti-removal mechanisms of their malware.

Technologically unassuming, mobile miners generally rely on off-the-shelf cross-platform malware code (e.g. code that works fine on Linux): one only needs to insert the address of the receiving cryptocurrency wallet and wrap the payload in a mobile application with a minimal graphical interface. Distribution is done through various types of spam and other typical methods.

Although the miners cannot claim to have displaced other mobile malware from the top positions in 2018, this does not diminish the seriousness of the threat. If the miner is poorly coded or its author too greedy, the malware can damage the device’s battery or, worse, cause it to overheat and fail.


In 2018, we detected 5,321,142 malicious mobile installer packages, a decrease of 409,774 from last year.

Despite this drop, in 2018 we saw a doubling of the number of mobile malware attacks: 116.5 million (vs. 66.4 million in 2017).

Figure: Number of attacks defeated by Kaspersky Lab products, 2018

The number of attacked users also continued its upward trajectory. From the beginning of January to the end of December 2018, Kaspersky Lab protected 9,895,774 unique Android device users, 774,000 more than in 2017.

Figure: Number of attacked users, 2018

Figure: Geography of attacked users, 2018

Top 10 countries by percentage of users attacked by mobile malware

* Countries with fewer than 25,000 active users of Kaspersky Lab mobile solutions during the reporting period are excluded from the rating.
** Unique users attacked in the country as a percentage of all users of Kaspersky Lab mobile solutions in the country.

Both Iran (44.24%) and Bangladesh (42.98%) maintained their leading positions in the top 10, but in Iran the percentage of infected devices dropped significantly, by 13 p.p. As in the previous year, the most widespread malware in Iran was the Trojan.AndroidOS.Hiddapp family. In Bangladesh, as in 2017, adware from the Ewind family was the most common.

Nigeria (37.72%) rose from fifth place in 2017 to third; the most common adware there comes from the Ocikq, Agent, and MobiDash families.

Types of mobile malware

Figure: Distribution of new mobile threats by type, 2017 and 2018

Of all the threats detected in 2018, the picture for mobile ransomware Trojans (1.12%) was the most optimistic, with a drastic reduction in their share of 8.67 p.p. The story was similar for spyware Trojans (1.07%), whose share fell 3.55 p.p. Adware apps (8.46%) also lost ground compared to 2017.

Trojan-Dropper threats were a notable exception, nearly doubling their share from 8.63% to 17.21%. This growth reflects the appetite of cybercriminals for using mobile droppers to wrap all kinds of payloads: banking Trojans, ransomware, adware, etc. It looks like this trend will continue in 2019.

Unfortunately, like droppers, financial threats in the form of mobile bankers also nearly doubled their share, from 1.54% to 2.84%.

Surprisingly, SMS Trojans (6.20%) ranked in the top 5 by number of objects detected. This dying breed of threat is common in only a handful of countries, but that didn’t stop its share from rising compared to 2017. While there’s no talk of an imminent resurgence of this class, it’s still worth disabling paid subscriptions on your mobile device.

Writers of RiskTool-class threats were just as active in 2018 as in the previous year; the class not only kept the top position (52.06%) but even showed a slight increase.

Top 20 mobile malware

The malware ranking below does not include potentially unwanted software such as RiskTool and adware.

* Percentage of all attacked users who encountered this type of malware.

At the end of 2018, first place in our mobile malware top 20, as in previous years, was occupied by the DangerousObject.Multi.Generic verdict (68.28%), which is used for malware detected using cloud technologies on mobile devices. These kick in when the antivirus databases do not yet have signatures or heuristics to detect a threat; this is how the newest malware is discovered.

In second place was the verdict Trojan.AndroidOS.Boogr.gsh (10.67%). This is assigned to files recognized as malicious by our machine learning system.

The third, fourth, seventh and ninth positions were occupied by members of the Trojan-Banker.AndroidOS.Asacub family, one of the main financial threats of 2018.

Fifth and eighth places went to Trojan droppers from the Trojan-Dropper.AndroidOS.Hqwar family; these may contain malware from various families related to financial threats and adware.

The top 10 threats also included the old Trojan-Banker.AndroidOS.Svpeng.q (2.87%), which was the most common mobile banking Trojan in 2016. This Trojan uses phishing windows to steal bank card details and also attacks SMS banking systems.

Positions 13 and 20 stand out in the ranking, occupied respectively by Trojan.AndroidOS.Triada.dl (1.99%) and Trojan.AndroidOS.Dvmap.a (1.44%). Both of these Trojans are extremely dangerous as they use root privileges to carry out their malicious activity. In particular, they place their components in the system area of the device, to which the user has only read access, so they cannot be removed with normal system tools.

Mobile banking Trojans

In 2018, we detected 151,359 mobile banking Trojan installation packages, 1.6 times more than the previous year.

Figure: Number of installation packages for mobile banking Trojans detected by Kaspersky Lab, 2018

By monitoring the activity of mobile banking Trojans, we saw a huge jump in the number of attacks using this malware. Nothing like this had been observed before. Growth began in May 2018 and attacks peaked in September. The culprits were the Asacub and Hqwar families, whose members spread with record frequency.

Figure: Number of attacks by mobile banking Trojans, 2017 and 2018

Figure: Countries by share of users attacked by mobile bankers, 2018

Top 10 countries by percentage of all users attacked by mobile bankers

* Countries with fewer than 25,000 active users of Kaspersky Lab mobile solutions during the reporting period are excluded from the rating.
** Unique users attacked by mobile bankers in the country as a percentage of all users of Kaspersky Lab mobile solutions in the country.

In first position, as last year, was Russia, where 2.32% of users encountered mobile banking Trojans. The most common families in Russia were Asacub, Svpeng and Agent.

In second place was South Africa (1.27%), where members of the Agent banking family were the most active. US users (0.82%) most often encountered members of the Svpeng and Asacub banking families.

The most common family of mobile bankers in 2018 was Asacub: its members attacked 62.5% of all users who encountered mobile bankers.

Mobile ransomware Trojans

Statistics from the first quarter of 2018 showed that the number of ransomware Trojans spreading on their own, without the help of droppers or downloaders, had dramatically decreased. The reason for this was the widespread use of a two-stage mechanism to distribute this malware via Trojan droppers. A total of 60,176 mobile ransomware installation packages were detected throughout 2018, nine times fewer than in 2017.

Figure: Number of installation packages for mobile ransomware Trojans detected by Kaspersky Lab, 2018

The number of mobile ransomware-related attacks gradually decreased during the first half of the year. However, June 2018 saw a sharp increase in the number of attacks, by almost 3.5 times.

Figure: Number of attacks by mobile ransomware Trojans, 2017 and 2018

In 2018, Kaspersky Lab products protected 80,638 users in 150 countries against mobile ransomware.

Figure: Countries by share of users attacked by mobile ransomware, 2018

Top 10 countries by percentage of all users attacked by mobile ransomware

* Countries with fewer than 25,000 active users of Kaspersky Lab mobile solutions during the reporting period are excluded from the rating.
** Unique users attacked by mobile ransomware in the country as a percentage of all users of Kaspersky Lab mobile solutions in the country.

For the second year in a row, the country most attacked by mobile ransomware was the United States, where it was encountered by 1.42% of users. As in the previous year, members of the Trojan-Ransom.AndroidOS.Svpeng family were the most common ransomware Trojans in the country.

In second place was Kazakhstan (0.53%), where the most active ransomware families were Trojan-Ransom.AndroidOS.Small and Trojan-Ransom.AndroidOS.Rkor. The latter is no different from other ransomware: it shows victims an indecent image and accuses them of viewing illegal materials.

In fact, the Trojan does not steal any personal data, nor does it “suspend the service of the device”, as the warning states. But removing the malware from an infected device can be difficult.


For seven years, the world of mobile threats has been constantly evolving, not only in terms of the number of malware samples and the technological refinement of each new modification, but also in the growing number of ways that money and valuable information can be extracted through mobile devices. The year 2018 showed that a relative lull in certain types of malware can be followed by an epidemic. Last year it was the Asacub banking Trojan and its kind; in 2019 it could be a wave of ransomware looking to regain lost ground.
