• IT threat evolution Q1 2023
• IT threat evolution Q1 2023. Non-mobile statistics
• IT threat evolution Q1 2023. Mobile statistics

These statistics are based on detection verdicts of Kaspersky products received from users who consented to providing statistical data.

Quarterly figures

According to Kaspersky Security Network, in Q1 2023:

• 4,948,522 mobile malware, adware and riskware attacks were blocked.
• The most common threat to mobile devices was adware: 34.8% of all detected threats.
• 307,529 malicious installation packages were detected, of which:
  • 57,601 packages were related to mobile banking Trojans,
  • 1767 packages were mobile ransomware Trojans.

Quarterly highlights

Malware, adware and unwanted software attacks on mobile devices were down slightly year-on-year. Kaspersky mobile security systems thwarted a total of 4.9 million attacks in Q1 2023.

Number of attacks targeting users of Kaspersky mobile solutions, Q3 2021–Q1 2023 (download)

During the period in question, we detected several mobile photo editors on Google Play, which, besides their legitimate features, contained a dropper hidden inside a heavily obfuscated library. The dropper payload was designed to subscribe the user to paid services and intercept notifications.

We assigned our new find the verdict of Trojan.AndroidOS.Subscriber.aj and alerted Google Play, which then took down the malicious files. Kaspersky systems detect new files associated with this Trojan as Trojan.AndroidOS.Fleckpe.

Also in the first quarter, we came across what we designated as Trojan.AndroidOS.Bithief.f, a malicious modification of Skype that stole the victim’s cryptocurrency. The Trojan monitors the contents of the clipboard on the user’s computer and sends any crypto wallet addresses that it detects to the command-and-control server. The server responds with the hacker’s wallet address, so the malware substitutes that for the user’s address. And then inattentive users send their cryptocurrency to the wrong guys.

Mobile threat statistics

After a noticeable decrease in malicious installers in Q4 2022 due to reduced activity by Trojan-Dropper.AndroidOS.Ingopack, we observed a minor increase in new malware varieties.

Number of detected malicious installation packages, Q1 2022–Q1 2023 (download)

Distribution of detected mobile malware by type

Distribution of newly detected mobile malware by type, Q4 2022 and Q1 2023 (download)

Adware was back at the top of the rankings with 34.8%. The most widespread adware families in Q1 2023 were MobiDash (22.5%), HiddenAd (21.9%) and Adlo (12.4%).

Share of users attacked by a certain type of threat out of all attacked mobile users in Q4 2022 and Q1 2023 (download)

The share of users attacked by mobile Trojans increased in the first quarter, mostly due to the malware that we detect as Trojan.AndroidOS.Fakemoney.v and Trojan.AndroidOS.Adinstall.l. The former is a fake investment app that harvests victims’ payment details, and the latter, adware that comes pre-installed on certain devices, capable of downloading and running code (typically ads).

TOP 20 mobile malware programs

Note that the malware rankings below exclude riskware or PUAs, such as RiskTool or adware.

* Unique users attacked by this malware as a percentage of all attacked users of Kaspersky mobile solutions.

DangerousObject.Multi.Generic (13.27%), the verdict we assign to miscellaneous unrelated malware that we detect with our cloud technology, topped the rankings as usual. This was followed by Trojan-Spy.AndroidOS.Agent.acq (8.60%), a malicious modification of WhatsApp that secretly monitors notifications the user receives.

Trojan.AndroidOS.Boogr.gsh (8.39%), a collective verdict for miscellaneous malware we detect with our machine learning technology, was in third place. This verdict is analogous to DangerousObject.AndroidOS.GenericML (3.46%), but unlike it, received through analysis of a similar file in the Kaspersky infrastructure.

Next were the previously mentioned fake investment app Trojan.AndroidOS.Fakemoney.v (7.48%) and the subscription Trojan described in many past reports — Trojan.AndroidOS.GriftHorse.l (6.13%).

Regional malware

This section describes mobile malware that mostly targets those who reside in certain countries.

* Country where the malware was most active
* Unique users attacked by the malware in the indicated country as a percentage of all Kaspersky mobile security solution users attacked by the same malware

Members of the Banbra malware family continued to attack users in Brazil in Q1 2023. These are banking Trojans that abuse Accessibility features to interact with other applications installed on the device.

In Indonesia, users were exposed to spreading SmsThief.td SMS spies masquerading as public services, system apps or marketplaces.

Wroba banking Trojans, which we have covered several times, and the Bray mobile malware distributed under the guise of useful apps, such as call blockers, were busy in Japan.

Turkish users found themselves targeted by several banking Trojans, including the fairly primitive Agent.la and the well-known Cebruser. The Hqwar dropper operating in Turkey is also typically used to deliver various banking malware.

Users in Iran had to deal with hidden, hard-to-remove Hiddapp programs and the FakeGram family, third-party Telegram clients that automatically add users to channels they do not indent to join.

A variant of the GriftHorse subscription Trojan was mostly active in Kazakhstan. Focusing on users in a certain country is expected behavior for this Trojan family, as phishing messages used to lure the user into subscription to a fake service have to be localized.

Mobile banking Trojans

The number of banking Trojan installers began to increase again, exceeding 57,000 in Q1 2023.

Number of installation packages for mobile banking Trojans detected by Kaspersky, Q1 2022–Q1 2023 (download)

TOP 10 mobile bankers

* Unique users attacked by this malware as a percentage of all Kaspersky mobile security solution users who encountered banking threats.

Q1 2023 saw a noticeable year-on-year increase in activity by the aforementioned mobile malware Agent.la (3,08%) и Banbra (2,46%), which landed outside the TOP 10 in Q4 2022.

Mobile ransomware Trojans

The number of mobile ransomware programs remained low after dropping in 2022, apparently because the niche had ceased to be as profitable for scammers as it once had been.

Number of installation packages for mobile ransomware Trojans detected by Kaspersky, Q1 2022 — Q1 2023 (download)

TOP 10 mobile ransomware verdicts

* Unique users attacked by the malware as a percentage of all Kaspersky mobile security solution users attacked by ransomware Trojans.

The distribution of mobile ransomware apps across quarters changed only insignificantly. Pigetrl (62.22%) still accounted for the lion’s share of threats, followed by Small.as (3.65%) and various modifications of Rkor.

While monitoring the network traffic of our own corporate Wi-Fi network dedicated for mobile devices using the Kaspersky Unified Monitoring and Analysis Platform (KUMA), we noticed suspicious activity that originated from several iOS-based phones. Since it is impossible to inspect modern iOS devices from the inside, we created offline backups of the devices in question, inspected them using the Mobile Verification Toolkit’s mvt-ios and discovered traces of compromise.
We are calling this campaign “Operation Triangulation”, and all the related information we have on it will be collected on the Operation Triangulation page. If you have any additional details to share, please contact us: triangulation[at]kaspersky.com.

What we know so far

Mobile device backups contain a partial copy of the filesystem, including some of the user data and service databases. The timestamps of the files, folders and the database records allow to roughly reconstruct the events happening to the device. The mvt-ios utility produces a sorted timeline of events into a file called “timeline.csv”, similar to a super-timeline used by conventional digital forensic tools.
Using this timeline, we were able to identify specific artifacts that indicate the compromise. This allowed to move the research forward, and to reconstruct the general infection sequence:

• The target iOS device receives a message via the iMessage service, with an attachment containing an exploit.
• Without any user interaction, the message triggers a vulnerability that leads to code execution.
• The code within the exploit downloads several subsequent stages from the C&C server, that include additional exploits for privilege escalation.
• After successful exploitation, a final payload is downloaded from the C&C server, that is a fully-featured APT platform.
• The initial message and the exploit in the attachment is deleted

The malicious toolset does not support persistence, most likely due to the limitations of the OS. The timelines of multiple devices indicate that they may be reinfected after rebooting. The oldest traces of infection that we discovered happened in 2019. As of the time of writing in June 2023, the attack is ongoing, and the most recent version of the devices successfully targeted is iOS 15.7.
The analysis of the final payload is not finished yet. The code is run with root privileges, implements a set of commands for collecting system and user information, and can run arbitrary code downloaded as plugin modules from the C&C server.

Forensic methodology

It is important to note, that, although the malware includes portions of code dedicated specifically to clear the traces of compromise, it is possible to reliably identify if the device was compromised. Furthermore, if a new device was set up by migrating user data from an older device, the iTunes backup of that device will contain the traces of compromise that happened to both devices, with correct timestamps.

Preparation

All potential target devices must be backed up, either using iTunes, or an open-source utility idevicebackup2 (from the package libimobiledevice). The latter is shipped as a pre-built package with the most popular Linux distributions, or can be built from the source code for MacOS/Linux.
To create a backup with idevicebackup2, run the following command:
idevicebackup2 backup --full $backup_directory

You may need to enter the security code of the device several times, and the process may take several hours, depending on the amount of user data stored in it.

Install MVT

Once the backup is ready, it has to be processed by the Mobile Verification Toolkit. If Python 3 is installed in the system, run the following command:
pip install mvt

A more comprehensive installation manual is available the MVT homepage.

Optional: decrypt the backup

If the owner of the device has set up encryption for the backup previously, the backup copy will be encrypted. In that case, the backup copy has to be decrypted before running the checks:
mvt-ios decrypt-backup -d $decrypted_backup_directory $backup_directory

Parse the backup using MVT

mvt-ios check-backup -o $mvt_output_directory $decrypted_backup_directory
This command will run all the checks by MVT, and the output directory will contain several JSON and CSV files. For the methodology described in this blogpost, you will need the file called timeline.csv.

Check timeline.csv for indicators

1. The single most reliable indicator that we discovered is the presence of data usage lines mentioning the process named “BackupAgent”. This is a deprecated binary that should not appear in the timeline during regular usage of the device. However, it is important to note that there is also a binary named “BackupAgent2”, and that is not an indicator of compromise. In many cases, BackupAgent is preceded by the process “IMTransferAgent”, that downloads the attachment that happens to be an exploit, and this leads to modification of the timestamps of multiple directories in the “Library/SMS/Attachments”. The attachment is then deleted, leaving only modified directories, without actual files inside them:
   2022-09-13 10:04:11.890351Z Datausage IMTransferAgent/com.apple.datausage.messages (Bundle ID: com.apple.datausage.messages, ID: 127) WIFI IN: 0.0, WIFI OUT: 0.0 - WWAN IN: 76281896.0, WWAN OUT: 100956502.0
2022-09-13 10:04:54.000000Z Manifest Library/SMS/Attachments/65/05 - MediaDomain
2022-09-13 10:05:14.744570Z Datausage BackupAgent (Bundle ID: , ID: 710) WIFI IN: 0.0, WIFI OUT: 0.0 - WWAN IN: 734459.0, WWAN OUT: 287912.0
2. There are also less reliable indicators, that may be treated as IOCs if several of them happened within a timeframe of minutes:
   • Modification of one or several files: com.apple.ImageIO.plist, com.apple.locationd.StatusBarIconManager.plist, com.apple.imservice.ids.FaceTime.plist
   • Data usage information of the services com.apple.WebKit.WebContent, powerd/com.apple.datausage.diagnostics, lockdownd/com.apple.datausage.security

   Example:
   2021-10-30 16:35:24.923368Z Datausage IMTransferAgent/com.apple.MobileSMS (Bundle ID: com.apple.MobileSMS, ID: 945) WIFI IN: 0.0, WIFI OUT: 0.0 - WWAN IN: 31933.0, WWAN OUT: 104150.0
2021-10-30 16:35:24.928030Z Datausage IMTransferAgent/com.apple.MobileSMS (Bundle ID: com.apple.MobileSMS, ID: 945)
2021-10-30 16:35:24.935920Z Datausage IMTransferAgent/com.apple.datausage.messages (Bundle ID: com.apple.datausage.messages, ID: 946) WIFI IN: 0.0, WIFI OUT: 0.0 - WWAN IN: 47743.0, WWAN OUT: 6502.0
2021-10-30 16:35:24.937976Z Datausage IMTransferAgent/com.apple.datausage.messages (Bundle ID: com.apple.datausage.messages, ID: 946)
2021-10-30 16:36:51.000000Z Manifest Library/Preferences/com.apple.locationd.StatusBarIconManager.plist - HomeDomain
2021-10-30 16:36:51.000000Z Manifest Library/Preferences/com.apple.ImageIO.plist - RootDomain

   Another example: modification of an SMS attachment directory (but no attachment filename), followed by data usage of com.apple.WebKit.WebContent, followed by modification of com.apple.locationd.StatusBarIconManager.plist. All the events happened within a 1-3 minute timeframe, indicating the result of a successful zero-click compromise via an iMessage attachment, followed by the traces of exploitation and malicious activity.
   2022-09-11 19:52:56.000000Z Manifest Library/SMS/Attachments/98 - MediaDomain
2022-09-11 19:52:56.000000Z Manifest Library/SMS/Attachments/98/08 - MediaDomain
2022-09-11 19:53:10.000000Z Manifest Library/SMS/Attachments/98/08 - MediaDomain
2022-09-11 19:54:51.698609Z OSAnalyticsADDaily com.apple.WebKit.WebContent WIFI IN: 77234150.0, WIFI OUT: 747603971.0 - WWAN IN: 55385088.0, WWAN OUT: 425312575.0
2022-09-11 19:54:51.702269Z Datausage com.apple.WebKit.WebContent (Bundle ID: , ID: 1125)
2022-09-11 19:54:53.000000Z Manifest Library/Preferences/com.apple.locationd.StatusBarIconManager.plist - HomeDomain
2022-06-26 18:21:36.000000Z Manifest Library/SMS/Attachments/ad/13 - MediaDomain
2022-06-26 18:21:36.000000Z Manifest Library/SMS/Attachments/ad - MediaDomain
2022-06-26 18:21:50.000000Z Manifest Library/SMS/Attachments/ad/13 - MediaDomain
2022-06-26 18:22:03.412817Z OSAnalyticsADDaily com.apple.WebKit.WebContent WIFI IN: 19488889.0, WIFI OUT: 406382282.0 - WWAN IN: 66954930.0, WWAN OUT: 1521212526.0
2022-06-26 18:22:16.000000Z Manifest Library/Preferences/com.apple.ImageIO.plist - RootDomain
2022-06-26 18:22:16.000000Z Manifest Library/Preferences/com.apple.locationd.StatusBarIconManager.plist - HomeDomain
2022-03-21 21:37:55.000000Z Manifest Library/SMS/Attachments/fc - MediaDomain
2022-03-21 21:37:55.000000Z Manifest Library/SMS/Attachments/fc/12 - MediaDomain
2022-03-21 21:38:08.000000Z Manifest Library/SMS/Attachments/fc/12 - MediaDomain
2022-03-21 21:38:23.901243Z OSAnalyticsADDaily com.apple.WebKit.WebContent WIFI IN: 551604.0, WIFI OUT: 6054253.0 - WWAN IN: 0.0, WWAN OUT: 0.0
2022-03-21 21:38:24.000000Z Manifest Library/Preferences/com.apple.locationd.StatusBarIconManager.plist - HomeDomain

3. An even less implicit indicator of compromise is inability to install iOS updates. We discovered malicious code that modifies one of the system settings file named com.apple.softwareupdateservicesd.plist. We observed update attempts to end with an error message “Software Update Failed. An error ocurred downloading iOS”.

Network activity during exploitation

On the network level, a successful exploitation attempt can be identified by a sequence of several HTTPS connection events. These can be discovered in netflow data enriched with DNS/TLS host information, or PCAP dumps:

• Legitimate network interaction with the iMessage service, usually using the domain names *.ess.apple.com
• Download of the iMessage attachment, using the domain names .icloud-content.com, content.icloud.com
• Multiple connections to the C&C domains, usually 2 different domains (the list of known domains follows). Typical netflow data for the C&C sessions will show network sessions with significant amount of outgoing traffic.

Network exploitation sequence, Wireshark dump

The iMessage attachment is encrypted and downloaded over HTTPS, the only implicit indicator that can be used is the amount of downloaded data that is about 242 Kb.

Encrypted iMessage attachment, Wireshark dump

C&C domains

Using the forensic artifacts, it was possible to identify the set of domain name used by the exploits and further malicious stages. They can be used to check the DNS logs for historical information, and to identify the devices currently running the malware:
addatamarket[.]net
backuprabbit[.]com
businessvideonews[.]com
cloudsponcer[.]com
datamarketplace[.]net
mobilegamerstats[.]com
snoweeanalytics[.]com
tagclick-cdn[.]com
topographyupdates[.]com
unlimitedteacup[.]com
virtuallaughing[.]com
web-trackers[.]com
growthtransport[.]com
anstv[.]net
ans7tv[.]net

Every once in a while, someone will come across malicious apps on Google Play that seem harmless at first. Some of the trickiest of these are subscription Trojans, which often go unnoticed until the user finds they have been charged for services they never intended to buy. This kind of malware often finds its way into the official marketplace for Android apps. The Jocker family and the recently discovered Harly family are just two examples of this. Our latest discovery, which we call “Fleckpe”, also spreads via Google Play as part of photo editing apps, smartphone wallpaper packs and so on.

Fleckpe technical description

Our data suggests that the Trojan has been active since 2022. We have found eleven Fleckpe-infected apps on Google Play, which have been installed on more than 620,000 devices. All of the apps had been removed from the marketplace by the time our report was published but the malicious actors might have deployed other, as yet undiscovered, apps, so the real number of installations could be higher.

And here is a description of Fleckpe’s modus operandi. When the app starts, it loads a heavily obfuscated native library containing a malicious dropper that decrypts and runs a payload from the app assets.

Malicious library loading

The payload contacts the threat actors’ C&C server, sending information about the infected device, such as the MCC (Mobile Country Code) and MNC (Mobile Network Code), which can be used to identify the victim’s country and carrier. The C&C server returns a paid subscription page. The Trojan opens the page in an invisible web browser and attempts to subscribe on the user’s behalf. If this requires a confirmation code, the malware gets it from notifications (access to which was asked at the first run).

Intercepting notifications

Having found the code, the Trojan enters it in the appropriate field and completes the subscription process. The victim proceeds to use the app’s legitimate functionality, for example, installs wallpapers or edits photos, unaware of the fact that they are being subscribed to a paid service.

Entering the confirmation code

The Trojan keeps evolving. In recent versions, its creators upgraded the native library by moving most of the subscription code there. The payload now only intercepts notifications and views web pages, acting as a bridge between the native code and the Android components required for purchasing a subscription. This was done to significantly complicate analysis and make the malware difficult to detect with the security tools. Unlike the native library, the payload has next to no evasion capabilities, although the malicious actors did add some code obfuscation to the latest version.

Core logic inside the native method

Victims

We found that the Trojan contained hard-coded Thai MCC and MNC values, apparently used for testing. Thai-speaking users notably dominated the reviews for the infected apps on Google Play. This led us to believe that this particular malware targeted users from Thailand, although our telemetry showed that there had been victims in Poland, Malaysia, Indonesia and Singapore.

The Thai test MCC and MNC values

Kaspersky security products detect the malicious app as Trojan.AndroidOS.Fleckpe.

Conclusion

Sadly, subscription Trojans have only gained popularity with scammers lately. Their operators have increasingly turned to official marketplaces like Google Play to spread their malware. Growing complexity of the Trojans has allowed them to successfully bypass many anti-malware checks implemented by the marketplaces, remaining undetected for long periods of time. Affected users often fail to discover the unwanted subscriptions right away, let alone find out how they happened in the first place. All this makes subscription Trojans a reliable source of illegal income in the eyes of cybercriminals.

To avoid malware infection and subsequent financial loss, we recommend to be cautious with apps, even those coming from Google Play, avoid giving permissions they should not have, and install an antivirus product capable of detecting this type of Trojans.

IOCs

Package names
com.impressionism.prozs.app
com.picture.pictureframe
com.beauty.slimming.pro
com.beauty.camera.plus.photoeditor
com.microclip.vodeoeditor
com.gif.camera.editor
com.apps.camera.photos
com.toolbox.photoeditor
com.hd.h4ks.wallpaper
com.draw.graffiti
com.urox.opixe.nightcamreapro

MD5
F671A685FC47B83488871AE41A52BF4C
5CE7D0A72B1BD805C79C5FE3A48E66C2
D39B472B0974DF19E5EFBDA4C629E4D5
175C59C0F9FAB032DDE32C7D5BEEDE11
101500CD421566690744558AF3F0B8CC
7F391B24D83CEE69672618105F8167E1
F3ECF39BB0296AC37C7F35EE4C6EDDBC
E92FF47D733E2E964106EDC06F6B758A
B66D77370F522C6D640C54DA2D11735E
3D0A18503C4EF830E2D3FBE43ECBE811
1879C233599E7F2634EF8D5041001D40
C5DD2EA5B1A292129D4ECFBEB09343C4
DD16BD0CB8F30B2F6DAAC91AF4D350BE
2B6B1F7B220C69D37A413B0C448AA56A
AA1CEC619BF65972D220904130AED3D9
0BEEC878FF2645778472B97C1F8B4113
40C451061507D996C0AB8A233BD99FF8
37162C08587F5C3009AFCEEC3EFA43EB
BDBBF20B3866C781F7F9D4F1C2B5F2D3
063093EB8F8748C126A6AD3E31C9E6FE
8095C11E404A3E701E13A6220D0623B9
ECDC4606901ABD9BB0B160197EFE39B7

C&C
hxxp://ac.iprocam[.]xyz
hxxp://ad.iprocam[.]xyz
hxxp://ap.iprocam[.]xyz
hxxp://b7.photoeffect[.]xyz
hxxp://ba3.photoeffect[.]xyz
hxxp://f0.photoeffect[.]xyz
hxxp://m11.slimedit[.]live
hxxp://m12.slimedit[.]live
hxxp://m13.slimedit[.]live
hxxp://ba.beautycam[.]xyz
hxxp://f6.beautycam[.]xyz
hxxp://f8a.beautycam[.]xyz
hxxp://ae.mveditor[.]xyz
hxxp://b8c.mveditor[.]xyz
hxxp://d3.mveditor[.]xyz
hxxp://fa.gifcam[.]xyz
hxxp://fb.gifcam[.]xyz
hxxp://fl.gifcam[.]xyz
hxxp://a.hdmodecam[.]live
hxxp://b.hdmodecam[.]live
hxxp://l.hdmodecam[.]live
hxxp://vd.toobox[.]online
hxxp://ve.toobox[.]online
hxxp://vt.toobox[.]online
hxxp://54.245.21[.]104
hxxp://t1.twmills[.]xyz
hxxp://t2.twmills[.]xyz
hxxp://t3.twmills[.]xyz
hxxp://api.odskguo[.]xyz
hxxp://gbcf.odskguo[.]xyz
hxxp://track.odskguo[.]xyz

In 2022, Kaspersky security solutions detected 1,661,743 malware or unwanted software installers, targeting mobile users. Although the most common way of distributing such installers is through third-party websites and dubious app stores, their authors every now and then manage to upload them to official stores, such as Google Play. These are usually policed vigorously, and apps are pre-moderated before being published; however, the authors of malicious and unwanted software employ a variety of tricks to bypass platform checks. For instance, they may upload a benign application, then update it with malicious or dubious code infecting both new users and those who have already installed the app. Malicious apps get removed from Google Play as soon as they are found, but sometimes after having been downloaded a number of times.

With many examples of malicious and unwanted apps on Google Play being discovered after complaints from users, we decided to take a look at what the supply and demand of such malware on the dark web looks like. It is especially important to analyze how this threat originates, because many cybercriminals work in teams, buying and selling Google Play accounts, malware, advertising services, and more. It’s a whole underground world with its own rules, market prices, and reputational institutions, an overview of which we present in this report.

Methodology

Using Kaspersky Digital Footprint Intelligence, we were able to collect examples of offers of Google Play threats for sale. Kaspersky Digital Footprint Intelligence allows discreet monitoring of pastebin sites and restricted underground online forums to discover compromised accounts and information leakages. The offers presented in this report were published between 2019 and 2023 and were collected from the nine most popular forums for the purchase and sale of goods and services related to malware and unwanted software.

Key findings

• The price of a loader able to deliver a malicious or unwanted app to Google Play ranges between $2,000 and $20,000.
• To keep their activities low-profile, a large percentage of attackers negotiate strictly through personal messages on forums and messengers, for example, in Telegram.
• The most popular application categories to hide malware and unwanted software include cryptocurrency trackers, financial apps, QR-code scanners and even dating apps.
• Cybercriminals accept three main kinds of payment: a percentage of the final profit, subscription or rent, and one-time payment.
• Cybercriminals offer to launch Google ads to attract more people to download malicious and unwanted apps. The cost of ads depends on the target country. Ads for users from the USA and Australia cost the most — up to about $1 (US).

Types of malicious services offered on the dark web

As on legitimate online marketplaces, there are also various offers on the dark web for customers with different needs and budgets. In the screenshot below, you can see an offer list, which gives an overview of the number of different goods and services that may be needed to target Google Play users. The author of the list calls the prices too high; however, they do not contradict the prices we’ve seen in other dark web offers. The main products that attackers buy are developers’ Google Play accounts that can be either hacked or registered by cybercriminals using stolen identities, as well as source code of various tools that help the buyer to upload their creations to Google Play. Also, such services as VPS (for $300), or Virtual Private Server, which the attackers use to control infected phones or to redirect user traffic, as well as web-based injections are offered. A web injection is malicious functionality that monitors the victim’s activity, and if they open a web page that is of interest to the cybercriminals, an injector replaces it with a malicious one. Such a feature is offered for $25–80 apiece.

A dark web service provider calls these prices too high, and indicates that they sell the same services cheaper

Let’s take a look at some specific programs and services that cybercriminals offer for sale.

Google Play loaders

In most of the offers we analyzed, attackers sell Google Play loaders, programs whose purpose is to inject malicious or unwanted code into a Google Play app. This app is then updated on Google Play, and the victim may download the malicious update onto their phone. Depending on what exactly was injected into the app, the user may obtain the final payload with the update or get a notification prompting them to enable installation of unknown apps and install it from an external source. In the latter case, until the user agrees to install the additional app, the notification does not disappear. After installing the app, the user is asked for permissions to access key data from the phone, such as Accessibility Services, camera, microphone, etc. The victim may not be able to use the original legitimate app until they give the permissions required to perform malicious activities. Once all the requested permissions are granted, the user is finally able to use the app’s legitimate features, but at the same moment their devices become infected.

To convince the buyer to purchase their loaders, cybercriminals sometimes offer to provide a video demonstration, as well as to send a demo version to the potential client. Among the loader features, their authors may highlight the user-friendly UI design, convenient control panel, victim country filter, support for the latest Android versions, and more. Cybercriminals may also supplement the trojanized app with functionality for detecting a debugger or sandbox environment. If a suspicious environment is detected, the loader may stop its operations, or notify the cybercriminal that it has likely been discovered by security investigators.

Google Play loaders are the most popular offer on the dark web among Google Play threats

Often loader authors specify the types of legitimate apps their loaders work with. Malware and unwanted software is frequently injected into cryptocurrency trackers, financial apps, QR-code scanners and even dating apps. Cybercriminals also highlight how many downloads the legitimate version of the target app has, which means how many potential victims can be infected by updating the app with malicious or unwanted code. Most frequently, sellers promise to inject code into an app with 5,000 downloads or more.

Cybercriminals sell a Google Play loader injecting code into a cryptocurrency tracker

Binding service

Another frequent offer on the dark web is binding services. In essence, these do exactly the same thing that Google Play loaders do — hide a malicious or unwanted APK file in a legitimate application. However, unlike a loader, which adapts the injected code to pass the security checks on Google Play, a binding service inserts malicious code into an app that is not necessarily suitable for the official Android marketplace. Often, malicious and unwanted apps created with a binding service are distributed through phishing texts, dubious websites with cracked games and software, and more.

As binding services have a lower successful installation rate than loaders, the two differ greatly in price: a loader can cost about $5,000, while a binding service usually costs about $50–$100 per file.

Seller’s description of a binding service

The advantages and features of binding services listed in sellers’ ads are often similar to those of loaders. Binders usually lack Google Play-related features, though.

Malware obfuscation

The purpose of malware obfuscation is to bypass security systems by complicating malicious code. In this case, the buyer pays either for processing a single application, or for a subscription, for example, once per month. The service provider may even offer discounts for the purchase of packages. For example, one of the sellers offers obfuscation of 50 files for $440, while the cost of processing only one file by the same provider is about $30.

Google Play threat obfuscation offer for $50 apiece

Installations

To increase the number of downloads of a malicious app, many attackers offer to purchase installations by increasing app traffic through Google ads. Unlike other dark web offers, this service is completely legitimate and is used to attract as many downloads of the application as possible, no matter if it is a still-legitimate application or an already poisoned one. Installation costs depend on the targeted country. The average price is $0.5, with offers ranging from $0.1 to $1. In the screenshot below, ads for users from the USA and Australia cost the most — $0.8.

Seller specifies the installation price for each country

Other services

Dark web sellers also offer to publish the malicious or unwanted app for the buyer. In this case, the buyer does not interact directly with Google Play, but can remotely receive the fruits of the app’s activity, for example, all victim data stolen by it.

Average prices and common rules of sale

Kaspersky experts analyzed the prices in dark web ads offering Google Play-related services, and found that fraudsters accept different payment methods. The services can be provided for a share of the final profit, rented, or sold for a one-time price. Some sellers also hold auctions of their goods: since the number of items sold is limited, they are not very likely to be discovered, so buyers may be willing to compete for them. For example, in one of the auctions we found, the bidding for a Google Play loader started at $1,500, the bid increment (step) was equal to $200, and the “blitz” — the instant purchase price — was $7,000.

Cybercriminals auction a Google Play loader

The offered blitz price is not the highest. Prices for loaders we observed on dark web forums range between $2,000 and $20,000, depending on the malware complexity, novelty and prevalence, as well as the additional functions. The average price for a loader is $6,975.

Example of average offer for a Google Play loader

However, if cybercriminals want to buy the loader source code, the price immediately rockets, reaching the upper limit of the price range.

Seller offers a Google Play loader source code for $20,000

As opposed to a loader, a Google Play developer account (either hacked or newly created by the cybercriminals) can be bought quite cheaply, for example, for $200, and sometimes even for as little as $60. The price depends on the account features, such as the number of already published apps, number of their downloads, etc.

User wants to buy a Google Play account with access to the developer’s email

In addition to the many offers for sale, we also found numerous messages on the dark web about wanting to buy a particular product or service for a certain price.

Cybercriminal looking for a new Google Play loader

User wants to buy a new loader because their developer “went on a binge”

How deals are made

Sellers on the dark web offer whole packages of different tools and services. To keep their activities low-profile, a large percentage of attackers negotiate strictly through private messages on dark web forums or personal messages on social networks and in messengers, for example in Telegram.

It may seem that service providers could easily deceive buyers, and make a profit from their apps themselves. Often this is the case. However, it is also common among dark web sellers to maintain their reputation, promise guarantees, or accept payment after the terms of the agreement have been fulfilled. To reduce risks when making deals, cybercriminals often resort to the services of disinterested intermediaries — escrow services or middlemen. An escrow may be a special service and supported by a shadow platform, or a third party disinterested in the results of the transaction. Note, however, that on the dark web nothing eliminates the risk of being scammed with 100% probability.

Conclusion and recommendations

We continuously monitor the mobile threat landscape to keep our users safe and informed of the most important developments. Not long ago, we published a report about the threats smartphone users faced in 2022. However, looking at the volume of supply and demand of such threats on the dark web, we can assume that the number of threats in the future will only grow — and become more complex and advanced.

To stay protected from mobile threats:

• Do not enable the installation of unknown apps. If some app urges you to do it, it is most likely infected. If it is possible, uninstall the app, and scan the device with an antivirus.
• Check the permissions of the apps that you use and think carefully before granting an app permissions it doesn’t need to perform its main functions, especially when it comes to high-risk permissions such as Accessibility Services. The only permission that a flashlight app needs is to use the flashlight.
• Use a reliable security solution that can help you to detect malicious apps and adware before they start misbehaving on your device.
• Update your operating system and important apps as soon as updates become available. To be sure that an app update is benign, enable automatic system scan in your security solution, or scan the device right after the updates are installed.

For organizations, it is necessary to protect their developer accounts with strong passwords and 2FA, as well as monitor the dark web to detect and mitigate credential leaks as early as possible.

To inquire about Kaspersky threat monitoring services for your organization, please contact us at dfi@kaspersky.com.

Financial gain remains the key driver of cybercriminal activity. In the past year, we’ve seen multiple developments in this area – from new attack schemes targeting contactless payments to multiple ransomware groups continuing to emerge and haunt businesses. However, traditional financial threats – such as banking malware and financial phishing, continue to take up a significant share of such financially-motivated cyberattacks.

In 2022, we saw a major upgrade of the notorious Emotet botnet as well as the launch of massive campaigns by Emotet operators throughout the year. For instance, malicious spam campaigns targeting organizations grew 10-fold in April 2022, spreading Qbot and Emotet malware. We also witnessed the emergence of new banking Trojans that hunt for banking credentials, and greater activity on the part of some well-known ones, such as Dtrack, Zbot and Qbot.

The good news is that regardless of these continuous advancements, we’ve witnessed a steady decrease in the number of attacks by banking Trojans. Security solutions integrated into operating systems, two-factor authentication and other verification measures have helped reduce the number of vulnerable users. Additionally, in many markets mobile banking has been pushing out online banking, with more and more convenient and secure banking apps emerging.

Meanwhile, cryptocurrency became a prominent target for those seeking monetary gain. The amount of cryptocurrency-related phishing grew significantly in 2022, and with an endless array of new coins, NFT and other DeFi projects, scammers are continuously duping users. Funds lost via cryptocurrency are hard to track and impossible to return with the help of a regulatory body, as is done with banks and fiat currency, so this trend is likely to continue gaining traction.

Some advanced persistent threat (APT) actors also started tapping into the cryptocurrency market. We previously reported on the Lazarus group, which developed VHD ransomware for the purpose of monetary gain. Now we see that APT actors have also switched to crypto. BlueNoroff developed an elaborate phishing campaign that targeted startups and distributed malware for stealing all crypto in the account tied to the device. They impersonated numerous venture capital groups and investors with considerable success. The NaiveCopy campaign, another example of an advanced threat, targeted stock and cryptocurrency investors in South Korea. And there is more room for further development – hardware wallets and smart contracts could provide a new juicy target for attackers.

This report shines a spotlight on the financial cyberthreat landscape in 2022. It presents a continuation of our previous annual financial threat reports (2018, 2019, 2020, 2021), which provide an overview of the latest trends across the threat landscape. We look at phishing threats commonly encountered by users and companies, as well as the dynamics of various Windows and Android-based financial malware.

Methodology

For this report, we conducted a comprehensive analysis of financial cyber threats in 2022. We focused on malicious software that targets financial services institutions such as online banking, payment systems, e-money services, online stores, and cryptocurrency services. This category of financial malware also includes those seeking unauthorized access to financial organisations’ IT infrastructures.

In addition to financial malware, we also examined phishing activities. This entailed studying the design and distribution of financially themed web pages and emails that impersonate well-known legitimate sites and organizations with the intention of deceiving potential victims into disclosing their private information.

To gain insights into the financial threat landscape, we analyzed data on malicious activities on the devices of Kaspersky security product users. Individuals who use these products voluntarily made their data available to us through Kaspersky Security Network. All data collected from Kaspersky Security Network was anonymized.

We compared the data from 2022 to that of 2021 to identify year-on-year trends in malware development. However, we also included occasional references to earlier years to provide further insights into the evolutionary trends in financial malware.

Key findings

Phishing

• Financial phishing accounted for 36.3% of all phishing attacks in 2022.
• E-shop brands were the most popular lure, accounting for 15.56% of attempts to visit phishing sites.
• PayPal was the almost exclusive focus of phishers in the electronic payment systems category, with 84% of phishing pages targeting the platform.
• Cryptocurrency phishing saw 40% year-on-year growth in 2022, with 5,040,520 detections compared to 3,596,437 in 2021

PC malware

• The number of users affected by financial malware continued to decline in 2022, dropping by 14% from 2021.
• Ramnit and Zbot were the most prevalent malware families, targeting over 50% of affected users.
• Consumers remained the primary target of financial cyberthreats, accounting for 61.8% of attacks.

Mobile malware

• The number of Android users attacked with banking malware decreased by around 55% in 2022 compared to the previous year.
• Bian surpassed Agent as the most active mobile malware family in 2022, with 22% of attacks compared to Agent’s 20%.
• The geographical distribution of affected users by Android banking malware in 2022 shows that Spain had the highest percentage of targeted users with 1.96%, followed by Saudi Arabia with 1.11% and Australia with 1.09%.

Financial phishing

Phishing continues to be one of the most widespread forms of cybercrime thanks to the low entry threshold and its effectiveness. As we covered previously, cybercriminals can launch phishing campaigns with minimal effort by purchasing ready-made phishing kits.

Phishing is typically built around a classic scheme: first create a website, then craft emails or notifications that mimic real organizations and prompt users to follow a link to the site, share their personal or payment information, or download a program disguised as malware. Phishers mimic every type of organization, including banks, government services, retail and entertainment, as long as the service has a strong user base.

Financial services in particular are of high interest to phishers due to the direct connection to money and payment data. In 2022, 36.3% of all phishing attacks detected by Kaspersky anti-phishing technologies were related to financial phishing.

Distribution of financial phishing cases by type, 2022 (download)

In this report, financial phishing includes banking-specific, but also e-shop and payment systems.

Payment-system phishing refers to phishing pages that mimic well-known payment brands, such as PayPal, MasterCard, Visa, and American Express. E-shops mean online stores and auction sites such as Amazon, Aliexpress, the App Store, and eBay.

In 2022, e-shop brands were the most popular type of lure used by phishers. 15.56% of attempts to visit phishing sites blocked by Kaspersky in 2022 were related to e-shops. If we look at the distribution within financial phishing, e-shops account for 42% of financial phishing cases. E-shops were followed by payment systems (10.39%) and banks (10.39%). Online shopping continues to grow worldwide and, accordingly, the number of brands that are being mimicked by phishers grows with novel schemes appearing on a regular basis.

E-shop brands most frequently exploited in financial phishing schemes, 2022 (download)

In 2022, Apple remains the most exploited brand by scammers, with almost 60% of attacks. The allure of winning the latest model of a new device has proved irresistible to many users, especially during the current global crisis with increasing prices. Not only did we see a spike in these types of scams during major Apple events, but also scammers frequently use Apple to lure victims by offering, for instance, newly released iPhones as prizes for predicting match outcomes during major events like the FIFA World Cup. Meanwhile, Amazon remained in second place with 14.81% of attacks.

In the realm of electronic payment systems, PayPal has traditionally been a popular target for exploitation by scammers. However, recent data indicates that this year it is not only the primary but the near exclusive focus of phishers, with a staggering 84.23% of phishing pages for electronic payment systems targeting PayPal. As a result, the shares of other payment systems have plummeted, with MasterCard International down to 3.75%, Visa Inc. down to 3.10%, and American Express down to 2.02% in 2022.

Payment system brands most frequently exploited in financial phishing schemes, 2022  (download)

Example of a phishing page mimicking the PayPal login page

Cryptophishing

In 2022, cryptocurrency phishing rose sufficiently to be included as a separate category. While the total number of attempts to visit such sites makes up just a fraction (0.87%) of all phishing, this category of phishing demonstrated 40% year-on-year growth with 5,040,520 detections in 2022 compared to 3,596,437 in 2021. This boom in cryptophishing may be partially explained by the cryptomarket havoc we saw last year. That said, it is so far unclear whether the trend will continue, and this will significantly depend on the trust users put in cryptocurrency.

Example of a phishing page offering crypto

Cryptoscams exploit the topic of cryptocurrency to deceive people and steal their money, often through promises of high returns on investments. Common types include Ponzi schemes, ICO scams, phishing scams, and fake wallet scams.

Example of a phishing page asking for crypto details

Banking malware

This section analyzes banking malware used for stealing login credentials for online banking or payment systems, as well as capturing one-time passwords for two-factor authentication.

Our analysis of financial cyberthreats in 2022 revealed that the number of users affected by financial malware continued to decline. The figures showed a decrease from 405,985 in 2021 to 350,808 in 2022, marking a 14% drop. This decline followed the trend observed over the previous years, with a 35% drop in 2021, a 20% decline in 2020, and a near 13% decrease in 2019. Financial PC malware is on the wane due to the challenges and costs associated with maintaining and developing a botnet capable of successfully attacking users. To execute a successful attack, the Trojan must wait until the user manually logs in to their bank’s website, which has become more infrequent with the growth in popularity of mobile banking apps. Furthermore, the latest versions of operating systems come with built-in security systems, and prolonged presence in the system raises the probability of malware detection. This might also indicate a pivot toward advanced targeted attacks as cybercriminals start to prioritize large business targets.

Additionally, cybercriminals are adapting their tactics to exploit the shift toward mobile banking. As users increasingly switch to phone banking, attackers are developing new techniques to compromise mobile devices and steal sensitive information.

Dynamic change in the number of unique users attacked by banking malware in 2021 – 2022  (download)

Main actors among banking malware

Our 2022 analysis of financial cyberthreats revealed the presence of several families of banking malware with varying lifecycles. Ramnit emerged as the most prevalent malware family with a share of 34.4%, followed by Zbot with 16.2%. Interestingly, the analysis highlights that over 50% of affected users were targeted only by these two families. Ramnit activity increased substantially compared to the previous year, when its slice was only 3.4%. This malware worm spreads through spam emails with links to infected websites, and steals financial information. Emotet, previously named by Europol the world’s most dangerous malware, made a return to the Top 3 most active malware families after law enforcement shut it down in January 2021.

The lifecycle of Emotet vividly demonstrates how malware families continue to evolve and expand their capabilities to infiltrate and compromise financial systems.

Top 10 PC banking malware families

* Unique users who encountered this malware family as a percentage of all users attacked by financial malware.

Geography of attacked users

In this year’s report, we calculated the percentage of Kaspersky users in each country that encountered a financial cyberthreat relative to all users that were attacked by financial malware. This approach helps us identify the countries with the highest risk of computer infection due to financial malware.

The 2022 report shows the distribution of financial malware attacks across different countries. The Top 20 countries in the list below account for more than half of all infection attempts.

Top 20 countries and territories by share of attacked users

* Excluded are countries and territories with relatively few Kaspersky users (under 10,000).
** Unique users whose computers were targeted by financial malware as a percentage of all unique users of Kaspersky products in the country.

The data shows that Turkmenistan has the highest share of attacked users with 6.6%, followed by Afghanistan and Tajikistan with 6.5% and 4.9% respectively.

Types of users attacked

The 2022 numbers show that the distribution of financial cyberthreats remained relatively stable, with consumers (61.8%) still being the primary target and corporate users (38.2%) accounting for a smaller percentage of attacks. The 2022 increase is relatively small, at less than 1%, and does not represent a significant shift in the overall distribution of attacks.

Malware attack distribution by type (corporate vs consumer), 2021 – 2022 (download)

This can be attributed to the fact that the world has become accustomed to the new style of post-pandemic work, with many companies continuing to operate in remote or hybrid work modes. The trend of working from home or remotely is no longer new, and many companies have adapted to it. As a result, they have also learned how to deal with potential threats and have implemented measures to ensure the security of their employees’ devices and data. Now employees are likely using similar devices and security measures for personal and work purposes, making it harder for cybercriminals to differentiate between consumer and corporate targets.

Mobile banking malware

We have been observing a steady and steep downward trend in the number of Android users affected by banking malware for at least four years now. In 2022, the number of Android users attacked with banking malware was 57,219, which is more than 2.5 times less than the figures reported in the previous year, representing a drop of around 55%.

This trend marked a continuation from previous years, with the number of Android users attacked dropping by 55% in 2020 and by almost 50% in 2021, resulting in a total of 147,316 users affected in 2021.

Number of Android users attacked by banking malware by month, 2020 – 2022 (download)

Despite the steady decline in the number of Android users affected by banking malware, it is important for users not to become complacent, as cybercriminals continue to evolve their malware and find new ways to carry out attacks. In 2022, we identified over 200,000 new banking Trojan installers, which is twice the number reported in the previous year.

Comparing the most active mobile malware families of 2021 to those of 2022, we see some significant changes. In 2021, Agent was the most prevalent mobile malware, representing 26.9% of attacks. However, in 2022, Bian surpassed Agent as the most active mobile malware family, with 24.25% attacks compared to Agent’s 21.57%.

As for the other malware families on the list, Anubis (11.24%) and Faketoken (10.53%) maintained their positions in the Top 5, respectively. Asacub also remained in the Top 5 list, with almost 10% of attacks, but dropped to fifth place from its third-place ranking in 2021.

Top10 Android banking malware families

* Unique users who encountered this malware family as a percentage of all users attacked by financial malware.

Svpeng, which was the third most prevalent malware family in 2021, with 21.4% of attacks, dropped to sixth place in 2022, with 6.08% attacks. Meanwhile, Cebruser, Gustuff, Bray, and Sova entered the list.

Geography of attacked users

The geographical distribution of affected users by Android banking malware in 2021 shows some differences between the two lists of Top 10 countries and regions. In the first list, Japan had the highest percentage of targeted users with 2.18%, followed by Spain with 1.55%, while in the second list, Spain had the highest percentage with 1.96%, followed by Saudi Arabia with 1.11%.

Australia appeared in both lists, with a 0.48% share in the first list and a 1.09% share in the second. Turkey also appeared in both lists, with a 0.71% share in the first list and a 0.99% share in the second. Italy had a 0.29% share in the first list and a 0.17% share in the second list, while Japan had a 0.30% share in the second list.

Top 10 countries and territories, 2021

* Countries and territories with relatively few users of Kaspersky mobile security solutions (under 25,000) have been excluded from the rankings.
** Unique users attacked by mobile banking Trojans as a percentage of all Kaspersky mobile security solution users in the country.

Top 10 countries and territories, 2022

* Countries and territories with relatively few users of Kaspersky mobile security solutions (under 25,000) have been excluded from the rankings.
** Unique users attacked by mobile banking Trojans as a percentage of all Kaspersky mobile security solution users in the country.

Overall, the two lists show that banking malware continues to be a global threat, affecting users in different countries and regions.

Conclusion

Year 2022 demonstrated that banking malware attacks continue to decline, both for PC and mobile malware. Still, the number of such attacks remains significant and users, as always, need to stay vigilant. At the same time, cybercriminals are switching their focus to cryptocurrency, as these attacks are harder to track. With new payment systems emerging, we are sure to see new attacks in the future and, potentially, yet more targeting of cryptocurrency.

Additionally, financial phishing schemes remain a top category in all phishing, with fraudsters continuing to hunt for banking and other sensitive data, exploiting trusted brands. This activity isn’t likely to die down, and we will continue to witness new schemes emerge on a regular basis.

For protection against financial threats, Kaspersky recommends to:

• Install only applications obtained from reliable sources
• Refrain from approving rights or permissions requested by applications without first ensuring they match the application’s feature set
• Never open links or documents included in unexpected or suspicious-looking messages
• Use a reliable security solution, such as Kaspersky Premium, that protects you and your digital infrastructure from a wide range of financial cyberthreats

To protect your business from financial malware, Kaspersky security experts recommend:

• Providing cybersecurity awareness training, especially for employees responsible for accounting, that includes instructions on how to detect phishing pages
• Improving the digital literacy of staff
• Enabling a Default Deny policy for critical user profiles, particularly those in financial departments, which ensures that only legitimate web resources can be accessed
• Installing the latest updates and patches for all software used

 The state of stalkerware in 2022 (PDF)

Main findings of 2022

The State of Stalkerware is an annual report by Kaspersky which contributes to a better understanding of how many people in the world are affected by digital stalking. Stalkerware is a commercially available software that can be discretely installed on smartphone devices, enabling perpetrators to monitor an individual’s private life without their knowledge.

Stalkerware can be downloaded and easily installed by anyone with an Internet connection and physical access to a smartphone. A perpetrator violates the victim’s privacy as they can then use the software to monitor huge volumes of personal data. Depending on the type of software, it is usually possible to check device location, text messages, social media chats, photos, browser history and more. Stalkerware works in the background, meaning that most victims will unaware that their every step and action is being monitored.

In most countries around the world, the use of stalkerware software is currently not prohibited but installing such an application on another individual’s smartphone without their consent is illegal and punishable. However, it is the perpetrator who will be held responsible, not the developer of the application.

Along with other related technologies, stalkerware is part of tech-enabled abuse and often used in abusive relationships. As this is part of a wider problem, Kaspersky is working with relevant experts and organizations in the field of domestic violence, ranging from victim support services and perpetrator programs through to research and government agencies, to share knowledge and support professionals and victims alike.

2022 data highlights

• In 2022, Kaspersky data shows that 29,312 unique individuals around the world were affected by stalkerware. Compared to the downwards trend that has been recorded in previous years, this is similar to the total number of affected users in 2021. Taking into account the developments in digital stalking software over the past few years, the data suggests there is a trend towards stabilization. More broadly, it is important to note that the data covers the affected number of Kaspersky users, with the global number of affected individuals likely to be much higher. Some affected users may use another cybersecurity solution on their devices, while some do not use any solution at all.
• In addition, the data reveals a stable proliferation of stalkerware over the 12 months of 2022. On average, 3333 users each month were newly affected by stalkerware. The stable detection rate indicates that digital stalking has become a persistent problem that warrants wider societal attention. Members from the Coalition Against Stalkerware estimate that there could be close to one million victims globally affected by stalkerware every year.
• According to the Kaspersky Security Network, stalkerware is most commonly used in Russia, Brazil, and India, but continues to be a global phenomenon affecting all countries. Regionally, the data reveals that the largest number of affected users can be found in the following countries:
  • Germany, Italy, and France (Europe);
  • Iran, Turkey, and Saudi Arabia (Middle East and Africa);
  • India, Indonesia, and Australia (Asia-Pacific);
  • Brazil, Mexico, and Ecuador (Latin America);
  • United States (North America);
  • Russian Federation, Kazakhstan and Belarus (Eastern Europe (except European Union countries), Russia and Central Asia).
• Globally, the most commonly used stalkerware app is Reptilicus with 4,065 affected users.

2022 trends observed by Kaspersky

Methodology

The data in this report has been taken from aggregated threat statistics obtained from the Kaspersky Security Network. The Kaspersky Security Network is dedicated to processing cybersecurity-related data streams from millions of volunteer participants around the world. All received data is anonymized. To calculate the statistics, the consumer line of Kaspersky’s mobile security solutions has been reviewed according to the Coalition Against Stalkerware’s detection criteria on stalkerware. This means that the affected number of users have been targeted by stalkerware only. Other types of monitoring or spyware apps that fall outside of the Coalition’s definition are not included in the report statistics.

The statistics reflect unique mobile users affected by stalkerware, which is different from the total number of detections. The number of detections can be higher as stalkerware may have been detected several times on the same device of the same unique user if they decided not to remove the app upon receiving a notification.

Finally, the statistics reflect only mobile users using Kaspersky’s IT security solutions. Some users may use another cybersecurity solution on their devices, while some do not use any solution at all.

Global detection figures: affected users

This section compares the global and regional statistics collected by Kaspersky in 2022 with statistics from previous years. In 2022, a total number of 29,312 unique users were affected by stalkerware. Graphic 1, below, shows how this number has varied from year to year since 2018.

Graphic 1 – Evolution of affected users year-on-year since 2018

Graphic 2, below, shows the number of unique affected users per month from 2021 to 2022. In 2022, the situation is almost identical to 2021, indicating that the rate of stalkerware proliferation has stabilized. On average, 3333 users were newly affected by stalkerware every month.

Graphic 2 – Unique affected users per month over the 2021-2022 period

Global and regional detection figures: geography of affected users

Stalkerware continues to be a global problem. In 2022, Kaspersky detected affected users in 176 countries.

Countries most affected by stalkerware in 2022

In 2022, Russia (8,281), Brazil (4,969), and India (1,807) were the top 3 countries with the most affected users. Those three countries remain in leading positions according to Kaspersky statistics since 2019. Compared to previous years, it is noteworthy that the number of affected users in the U.S. has dropped down the ranking and now features in fifth place with 1,295 affected users. Conversely, there has been an increase noted in Iran which has moved up to fourth place with 1,754 affected users.

Compared to 2021, however, only Iran features as a new entrant in the top 5 most affected countries. The other four countries – Russia, Brazil, India, and the U.S. – have traditionally featured at the top of the list. Looking at the other half of the top 10 most affected countries, Turkey, Germany, and Mexico have remained among the countries most affected compared to last year. New entrants into the top 10 most affected countries in 2022 are Saudi Arabia and Yemen.

Table 1 – Top 10 countries most affected by stalkerware in the world in 2022

In Europe, the total number of unique affected users in 2022 was 3,158. The three most affected countries in Europe were Germany (737), Italy (405) and France (365). Compared to 2021, all countries up to including seventh place in the list (the Netherlands) continue to feature as the most affected countries in Europe. New entrants in the list are Switzerland, Austria, and Greece.

Table 2 – Top 10 countries most affected by stalkerware in Europe in 2022

In Eastern Europe (excluding European Union countries), Russia, and Central Asia, the total number of unique affected users in 2022 was 9,406. The top three countries were Russia, Kazakhstan, and Belarus.

Table 3 – Top 10 countries most affected by stalkerware in Eastern Europe (excluding EU countries), Russia and Central Asia in 2022

In the Middle East and Africa region, the total number of affected users was 6,330, slightly higher than in 2021. While Iran with 1,754 affected users features at the top of this list in 2022, Turkey’s 755 affected users has seen the country move up to second in the region, followed closely by Saudi Arabia with 612 affected users.

Table 4 – Top 10 countries most affected by stalkerware in Middle East & Africa in 2022

In the Asia-Pacific region, the total number of affected users was 3,187. India remains far ahead of the other countries in the region, with 1,807 affected users. Indonesia occupies second place with 269 affected users, while Australia is third with 190 affected users.

Table 5 – Top 10 countries most affected by stalkerware in Asia-Pacific region in 2022

The Latin America and the Caribbean region is dominated by Brazil with 4,969 affected users. This accounts for approximately 32% of the region’s total number of affected users. Brazil is followed by Mexico and Ecuador in the list, while Colombia has moved into fourth place. A total number of 6,170 affected users were recorded in the region.

Table 6 – Top 10 countries most affected by stalkerware in Latin America in 2022

Finally, in North America, 87% of all affected users in the region are found in the United States. This is to be expected given the relative size of the population in the United Sates compared to Canada. Across the North America region, 1,585 users were affected in total.

Table 7 – Number of users affected by stalkerware in North America in 2022

Global detection figures – stalkerware applications

This section lists the stalkerware applications most commonly used to control smartphones around the world. In 2022, the most popular app was Reptilicus (4,065 affected users). This year, Kaspersky detected 182 different stalkerware apps.

Table 8 – Top 10 list of stalkerware applications in 2022

Stalkerware provides a means to gain control over a victim’s life. Their capabilities vary depending on the type of application and whether it has been paid for or obtained freely. Typically, stalkerware masquerades as legitimate anti-theft or parental control apps, when in reality they are very different – most notably due to their installation without consent and notification of the person being tracked, and their operation in stealth mode on smartphone devices,

Below are some of the most common functions that may be present in stalkerware applications:

• Hiding app icon
• Reading SMS, MMS and call logs
• Getting lists of contacts
• Tracking GPS location
• Tracking calendar events
• Reading messages from popular messenger services and social networks, such as Facebook, WhatsApp, Signal, Telegram, Viber, Instagram, Skype, Hangouts, Line, Kik, WeChat, Tinder, IMO, Gmail, Tango, SnapChat, Hike, TikTok, Kwai, Badoo, BBM, TextMe, Tumblr, Weico, Reddit etc.
• Viewing photos and pictures from phones’ image galleries
• Taking screenshots
• Taking front (selfie-mode) camera photos

Are Android OS and iOS devices equally affected by stalkerware?

Stalkerware tools are less frequent on iPhones than on Android devices because iOS is traditionally a closed system. However, perpetrators can work around this limitation on ‘jailbroken’ iPhones, but they still require direct physical access to the phone to jailbreak it. iPhone users fearing surveillance should always keep an eye on their device.

Alternatively, an abuser can offer their victim an iPhone – or any other device – with pre-installed stalkerware. There are many companies that make these services available online, allowing abusers to have these tools installed on new phones, which can then be delivered in factory packaging under the guise of a gift to the intended victim.

Together keeping up the fight against stalkerware

Stalkerware is foremost not a technical problem, but an expression of a problem within society which therefore requires action from all areas of society. Kaspersky is not only actively committed to protecting users from this threat but also maintaining a multilevel dialogue with non-profit organizations, and industry, research and public agencies around the world to work together on solutions that tackle the issue.

In 2019, Kaspersky was the first cybersecurity company in the industry to develop a new attention-grabbing alert that clearly notifies users if stalkerware is found on their device. While Kaspersky’s solutions have been flagging potentially harmful apps that are not malware – including stalkerware – for many years, the new notification alerts the user to the fact that an app has been found on their device that may be able to spy on them.

In 2022, as part of Kaspersky’s launch of a new consumer product portfolio, the Privacy Alert was expanded and now not only informs the user about the presence of stalkerware on the device, but also warns the user that if stalkerware is removed the person who installed the app will be alerted. This may lead to an escalation of the situation. Moreover, the user risks erasing important data or evidence that could be used in a prosecution.

In 2019, Kaspersky also co-founded the Coalition Against Stalkerware, an international working group against stalkerware and domestic violence that brings together private IT companies, NGOs, research institutions, and law enforcement agencies working to combat cyberstalking and help victims of online abuse. Through a consortium of more than 40 organizations, stakeholders can share expertise and work together to solve the problem of online violence. In addition, the Coalition’s website, which is available in 7 different languages, provides victims with help and guidance in case they may suspect stalkerware is present on their devices.

From 2021-2023, Kaspersky was a consortium partner of the EU project DeStalk, co-funded by the Rights, Equality, and Citizenship Program of the European Union. The five project partners that formed the consortium combined the expertise of the IT Security Community, Research, and Civil Society Organizations, and Public Authorities. As a result, the DeStalk project trained a total of 375 professionals directly working in women’s support services and perpetrator programs, and officials from public authorities on how to effectively tackle stalkerware and other digital forms of gender-based violence, as well as raising public awareness on digital violence and stalkerware.

As part of the project, Kaspersky developed an e-learning course on cyberviolence and stalkerware within its Kaspersky Automated Security Awareness Platform, a freely available online micro learning training platform which can be accessed in five different languages. To date, more than 130 professionals have completed the e-learning course with a further 80 currently participating. Although the DeStalk project has ended, the e-learning course is still available on the DeStalk project website.

In June 2022, Kaspersky launched a website dedicated to TinyCheck to disseminate further information about the tool. TinyCheck is a free, safe and open-source tool that can be used by non-profit organizations and police units to help support victims of digital stalking. In 2020, the tool was created to check devices for stalkerware and monitoring apps without making the perpetrator aware of the check. It does not require installation on a user’s device because it works independently to avoid detection by a stalker. TinyCheck scans a device’s outgoing traffic using a regular Wi-Fi connection and identifies interactions with known sources such as stalkerware-related servers. TinyCheck can also be used to check any device on any platform, including iOS, Android, or any other OS’.

Think you are a victim of stalkerware? Here are a few tips…

Whether or not you are a victim of stalkerware, here are a few tips to better protect yourself:

• Protect your phone with a strong password that you never share with your partner, friends, or colleagues.
• Change passwords for all of your accounts periodically and don’t share them with anyone.
• Only download apps from official sources, such as Google Play or the Apple App Store.
• Install a reliable IT security solution like Kaspersky for Android on devices and scan them regularly. However, in the case of potentially already installed stalkerware, this should only be done after the risk to the victim has been assessed, as the abuser may notice the use of a cybersecurity solution.

Victims of stalkerware may be victims of a larger cycle of abuse, including physical.

In some cases, the perpetrator is notified if their victim performs a device scan or removes a stalkerware app. If this happens, it can lead to an escalation of the situation and further aggression. This is why it is important to proceed with caution if you think you are being targeted by stalkerware.

• Reach out to a local support organization: to find one close to you, check the Coalition Against Stalkerware website.
• Keep an eye out for the following warning signs: these can include a fast-draining battery due to unknown or suspicious apps using up its charge, and newly installed applications with suspicious access to use and track your location, send or receive text messages and other personal activities. Also check if your “unknown sources” setting is enabled, it may be a sign that unwanted software has been installed from a third-party source. However, the above indicators are circumstantial and do not indicate the unequivocal presence of stalkerware on the device.
• Do not try to erase the stalkerware, change any settings or tamper with your phone: this may alert your potential perpetrator and lead to an escalation of the situation. You also risk erasing important data or evidence that could be used in a prosecution.

For more information about our activities on stalkerware or any other request, please write to us at: ExtR@kaspersky.com.

These statistics are based on detection verdicts of Kaspersky products received from users who consented to providing statistical data.

Figures of the year

In 2022, Kaspersky mobile products and technology detected:

• 1,661,743 malicious installers
• 196,476 new mobile banking Trojans
• 10,543 new mobile ransomware Trojans

Trends of the year

Mobile attacks leveled off after decreasing in the second half of 2021 and remained around the same level throughout 2022.

Kaspersky mobile cyberthreat detection dynamics in 2020–2022 (download)

Cybercriminals continued to use legitimate channels to spread malware.

Similarly to 2021, we found a modified WhatsApp build with malicious code inside in 2022. It was notable for spreading via ads inside the popular Snaptube app and through the Vidmate in-app store.

The spread of malware through Google Play continued as well. In particular, we found several mobile Trojan subscribers on Google’s official Android app marketplace in 2022. These secretly signed users up for paid services. In addition to the previously known Jocker and MobOk families, we discovered a new family, named Harly and active since 2020. Harly malware programs were downloaded a total of 2.6 million times from Google Play in 2022. Also last year, fraudsters abused the marketplace to spread various scam apps, which promised welfare payments or lucrative energy investments.

Mobile banking Trojans were not far behind. Despite Europol having shut down the servers of FluBot (also known as Polph or Cabassous, the largest mobile botnet in recent years), users had to stay on guard, as Google Play still contained downloaders for other banking Trojan families, such as Sharkbot, Anatsa/Teaban, Octo/Coper, and Xenomorph, all masquerading as utilities. For instance, the Sharkbot downloader in the screenshot below imitates a file manager. This type of software is capable of requesting permission to install further packages the Trojan needs to function on the unsuspecting user’s device.

The Sharkbot banking Trojan downloader on Google Play

Exploitation of popular game titles, where malware and unwanted software mimicked a pirated version of a game or game cheats, remained a popular mobile spread vector in 2022. The most frequently imitated titles included Minecraft, Roblox, Grand Theft Auto, PUBG, and FIFA. The malware spread primarily through questionable web sites, social media groups, and other unofficial channels.

Mobile cyberthreat statistics

Installer numbers

We detected 1,661,743 malware or unwanted software installers in 2022 — 1,803,013 less than we did in 2021. The number had been declining gradually since a 2020 increase.

Number of detected malicious installation packages in 2019–2022 (download)

Distribution of detected mobile malware by type

Distribution of newly detected mobile malware by type in 2021 and 2022 (download)

RiskTool-type potentially unwanted software (27.39%) topped the rankings in 2022, replacing the previous leader, adware (24.05%). That said, the share of RiskTool had decreased by 7.89 percentage points, and the share of adware, by 18.38 percentage points year-on-year.

Various Trojan-type malware was third in the rankings with 15.56%, its cumulative share increasing by 6.7 percentage points.

Geography of mobile threats

TOP 10 countries by share of users attacked by mobile malware

* Excluded from the rankings are countries with relatively few users of Kaspersky mobile security (under 10,000).
** Unique users attacked as a percentage of all Kaspersky mobile security users in the country.

China had the largest share of users who experienced a mobile malware attack: 17.70%. Of these, 16.06% got hit by SMS-abusing malware that we detected as Trojan.AndroidOS.Najin.a.

Other countries with significant shares of attacked users were Syria (15.61%) and Iran (14.53%), where the most frequently encountered mobile cyberthreat was Trojan-Spy.AndroidOS.Agent.aas, a WhatsApp modification carrying a spy module.

Distribution of attacks by type of software used

Distribution of attacks by type of software used in 2022 (download)

Similarly to previous years, 2022 saw malware used in most mobile attacks (67.78%). The shares of attacks that used Adware- and RiskWare-type applications had increased to 26.91% from 16.92% in 2021 and to 5.31% from 2.38% in 2021, respectively.

Mobile adware

The Adlo family accounted for the largest share of detected installers (22.07%) in 2022. These are useless fake apps that download ads. Adlo replaced the previous leader, the Ewind family, which had a share of 16.46%.

TOP 10 most frequently detected adware families in 2022

* The share of the adware-type family in the total number of adware installers detected.

RiskTool-type apps

The SMSreg family retained its lead by number of detected RiskTool-type apps: 36.47%. The applications in this family make payments (for example by transferring cash to other individuals or paying for mobile service subscriptions) by sending text messages without explicitly notifying the user.

TOP 10 most frequently detected RiskTool families, 2022

* The share of the RiskTool family in the total number of RiskTool installers detected.

TOP 20 most frequently detected mobile malware programs

Note that the malware rankings below exclude riskware or potentially unwanted software, such as RiskTool or adware.

* Unique users attacked by the malware as a percentage of all attacked Kaspersky mobile security users.
First and third places went to DangerousObject.Multi.Generic (18.97%) and Trojan.AndroidOS.Generic (6.70%), respectively, which are verdicts we use for malware detected with cloud technology. Cloud technology is triggered whenever the antivirus databases lack data for detecting a piece of malware, but the antivirus company’s cloud already contains information about the object. This is essentially how the latest malware types are detected.

The Trojans in second and ninth places (8.65% and 2.37%) belonged to the Trojan-SMS.AndroidOS.Fakeapp family. This type of malware is capable of sending text messages and calling preset numbers, displaying ads, and hiding its icon on the device.

WhatsApp modifications equipped with a spy module, detected as Trojan-Spy.AndroidOS.Agent.aas (6.01%) and Trojan-Spy.AndroidOS.Agent.acq (1.34%) were in fourth and twentieth positions, respectively.

Scam apps detected as Trojan.AndroidOS.Fakemoney.d (4.65%) were the fifth-largest category. These try to trick users into believing that they are filling out an application for a welfare payout.

Members of the Trojan.AndroidOS.GriftHorse family, which subscribe the user to premium SMS services, took both sixth and eleventh places (4.32% and 2%, respectively).

The banking Trojan dropper Trojan-Dropper.AndroidOS.Agent.sl (3.22%) was seventh.

The verdict of DangerousObject.AndroidOS.GenericML (2.96%) sank to eighth place. The verdict is assigned to files recognized as malicious by our machine-learning systems.

Tenth place was taken by Trojan.AndroidOS.Fakeapp.ed (2.19%). This verdict refers to a category of fraudulent apps which target users in Russia by posing as a stock-trading platform for investing in gas.

Trojan-Downloader.AndroidOS.Agent.kx (1.72%) rose to twelfth position. This type of malware is distributed as part of legitimate software, downloading advertising modules.

Trojan.AndroidOS.Soceng.f (1.67%), in thirteenth place, sends text messages to people on your contact list, deletes files on the SD card, and overlays the interfaces of popular apps with its own window.

Malware from the Trojan-Dropper.AndroidOS.Hqwar family, which unpacks and runs various banking Trojans, occupied fourteenth and nineteenth places (1.49 and 1.35%).

Trojan.AndroidOS.Fakeapp.dw was fifteenth (1.43%). The verdict applies to a variety of scam apps, such as those supposedly offering the user to earn some extra cash.

Trojan-Ransom.AndroidOS.Pigetrl.a (1.43%) took sixteenth place. Unlike classic Trojan-Ransom malware, which typically demands a ransom, it simply locks the screen and asks to enter a code. The application offers no instructions on obtaining the code, which is embedded in the program itself.

Trojan-Downloader.AndroidOS.Necro.d sank to seventeenth position (1.4%). This malware is capable of downloading, installing, and running other applications when commanded by its operators.

Trojan-SMS.AndroidOS.Agent.ado, which sends text messages to shortcodes, was eighteenth (1.36%).

Mobile banking Trojans

We detected 196,476 mobile banking Trojan installers in 2022, a year-on-year increase of 100% and the highest figure in the past six years.

The Trojan-Banker.AndroidOS.Bray family accounted for two-thirds (66.40%) of all detected banking Trojans. This family attacked mostly users in Japan. It was followed by the Trojan-Banker.AndroidOS.Fakecalls family (8.27%) and Trojan-Banker.AndroidOS.Bian (3.25%).

The number of mobile banking Trojan installers detected by Kaspersky in 2019–2022 (download)

Although the number of detected malware installers rose in 2022, mobile banking Trojan attacks had been decreasing since a 2020 rise.

The number of mobile banking Trojan attacks in 2021–2022 (download)

TOP 10 most frequently detected mobile banking Trojans

* Unique users attacked by this malware as a percentage of all Kaspersky mobile security users attacked by banking threats.
Of all mobile banking Trojans that were active in 2022, Trojan-Banker.AndroidOS.Bian.h (28.74%) accounted for the largest share of attacked users, more than half of those in Spain.

TOP 10 countries by share of users attacked by mobile banking Trojans

* Excluded from the rankings are countries with relatively few users of Kaspersky mobile security (under 10,000).
** Unique users attacked by mobile banking Trojans as a percentage of all Kaspersky mobile security users in the country.
Spain had the largest share of unique users attacked by mobile financial threats in 2022 (1.96%), with 85.90% of the affected users encountering the aforementioned Trojan-Banker.AndroidOS.Bian.h.

It was followed by Saudi Arabia (1,11%), also due to Trojan-Banker.AndroidOS.Bian.h, which affected 97.92% of users in that country.

Australia (1.09%) was third, with 98% of the users who encountered banking Trojans there attacked by Trojan-Banker.AndroidOS.Gustuff.

Mobile ransomware Trojans

We detected 10,543 mobile ransomware Trojan installers in 2022, which was 6,829 less than the 2021 figure.

The number of mobile ransomware Trojan installers detected by Kaspersky in 2019–2022 (download)

The number of mobile ransomware Trojan attacks also continued to decline, a process that started in late 2021.

The number of mobile ransomware Trojan attacks in 2021–2022 (download)

* Unique users attacked by the malware as a percentage of all Kaspersky mobile security users attacked by ransomware Trojans.
Trojan-Ransom.AndroidOS.Pigetrl.a remained the leading ransomware Trojan family in 2022 (75.10%). It was also one of the TOP 20 most frequently detected mobile malware types. Russia accounted for as much as 92.74% of detections.

That malware family was followed by Trojan-Ransom.AndroidOS.Rkor, which blocks the screen and demands the user to pay a fine for some illegal content they had supposedly viewed. Members of this family took six out of ten places in our rankings, with as much as 65.27% attacked users located in Kazakhstan.

TOP 10 countries by share of users attacked by mobile ransomware Trojans

* Excluded from the rankings are countries with relatively few Kaspersky mobile security users (under 10,000).
** Unique users attacked by mobile ransomware Trojans as a percentage of all Kaspersky mobile security users in the country.
We observed the highest shares of users attacked by mobile ransomware Trojans in 2022 in China (0.65%), Yemen (0.49%), and Kazakhstan (0.36%).

Users in China mostly encountered Trojan-Ransom.AndroidOS.Congur.y, most users in Yemen were affected by Trojan-Ransom.AndroidOS.Pigetrl.a, and a majority of users in Kazakhstan were hit by Trojan-Ransom.AndroidOS.Rkor.br.

Conclusion

The cybercriminal activity leveled off in 2022, with attack numbers remaining steady after a decrease in 2021. That said, cybercriminals are still working on improving both malware functionality and spread vectors. Malware is increasingly spreading through legitimate channels, such as official marketplaces and ads in popular apps. This is true for both scam apps and dangerous mobile banking malware.

Potentially unwanted applications (RiskWare) accounted for a majority of newly detected threats in 2022, replacing the previous leader, adware. Most mobile cyberattacks used malware as before.

Roaming Mantis (a.k.a Shaoye) is well-known as a long-term cyberattack campaign that uses malicious Android package (APK) files to control infected Android devices and steal device information; it also uses phishing pages to steal user credentials, with a strong financial motivation.

Kaspersky has been investigating the actor’s activity throughout 2022, and we observed a DNS changer function used for getting into Wi-Fi routers and undertaking DNS hijacking. This was newly implemented in the known Android malware Wroba.o/Agent.eq (a.k.a Moqhao, XLoader), which was the main malware used in this campaign.

DNS changer via malicious mobile app

Back in 2018, Kaspersky first saw Roaming Mantis activities targeting the Asian region, including Japan, South Korea and Taiwan. At that time, the criminals compromised Wi-Fi routers for use in DNS hijacking, which is a very effective technique. It was identified as a serious issue in both Japan and South Korea. Through rogue DNS servers, all users accessing a compromised router were redirected to a malicious landing page. From mid-2019 until 2022, the criminals mainly used smishing instead of DNS hijacking to deliver a malicious URL as their landing page. The landing page identified the user’s device platform to provide malicious APK files for Android or redirect to phishing pages for iOS.

Infection flow with DNS hijacking

In September 2022, we carried out a deep analysis of Wroba.o (MD5 f9e43cc73f040438243183e1faf46581) and discovered the DNS changer was implemented to target specific Wi-Fi routers. It obtains the default gateway IP address as the connected Wi-Fi router IP, and checks the device model from the router’s admin web interface.

Code for checking Wi-Fi router model

The following strings are hardcoded for checking the Wi-Fi router model:

From these hardcoded strings, we saw that the DNS changer functionality was implemented to target Wi-Fi routers located in South Korea: the targeted models have been used mainly in South Korea.

Next, the DNS changer connects to the hardcoded vk.com account “id728588947” to get the next destination, which is “107.148.162[.]237:26333/sever.ini”. The “sever.ini” (note the misspelling of server) dynamically provided the criminal’s current rogue DNS IP addresses.

Rogue DNS from a vk.com hardcoded account to compromise the DNS setting

Checking the code of the DNS changer, it seems to be using a default admin ID and password such as “admin:admin”. Finally, the DNS changer generates a URL query with the rogue DNS IPs to compromise the DNS settings of the Wi-Fi router, depending on the model, as follows.

Hardcoded default ID and password to compromise DNS settings using the URL query

We believe that the discovery of this new DNS changer implementation is very important in terms of security. The attacker can use it to manage all communications from devices using a compromised Wi-Fi router with the rogue DNS settings. For instance, the attacker can redirect to malicious hosts and interfere with security product updates. In 2016, details of another Android DNS changer were published, demonstrating why DNS hijacking is critical.

Users connect infected Android devices to free/public Wi-Fi in such places as cafes, bars, libraries, hotels, shopping malls and airports. When connected to a targeted Wi-Fi model with vulnerable settings, the Android malware will compromise the router and affect other devices as well. As a result, it is capable of spreading widely in the targeted regions.

Investigation of landing page statistics

As we mentioned above, the main target regions of the DNS changer were mainly South Korea. However, the attackers not only targeted South Korea but also France, Japan, Germany, the United States, Taiwan, Turkey and other regions. Smishing has been observed to be the main initial infection method in these regions, except South Korea, though we should keep in mind that the criminals may update the DNS changer function to target Wi-Fi routers in those regions in the near future.

In December 2022, we confirmed some landing pages and got an understanding of the number of downloaded APK files. Below are some examples of the download URLs from the landing page statistics.

The number of downloaded APK files was reset at the beginning of December 2022. After a few days, we got the above numbers from the landing pages, and it showed us that Android malware was still being actively downloaded for some targeted regions. It also showed us that the most affected region was Japan, followed by Austria and France. From this investigation, we noted that the criminals have now also added Austria and Malaysia to their main target regions.

According to the download URLs for each region above, with the exception of South Korea, it seems that the criminals randomly generated and registered these domains to resolve the IP addresses of the landing page. It seems pretty obvious these domains were used as a link in the smishing for the initial infection. Regarding South Korea, the URLs have a legitimate domain because of DNS hijacking. Resolving the legitimate domain for “m.xxx.zzz” (for mobile) and “www.xxx.zzz” with rogue DNS and legitimate DNS yields the following results, respectively:

As you can see, their rogue DNS only works in the mobile domain, which is “m.xxx.zzz”. We believe the criminals only filtered a limited number of domains that can be resolved to their landing page to hide their activity from security researchers.

Geography based on KSN

Our telemetry showed the detection rate of Wroba.o (Trojan-Dropper.AndroidOS.Wroba.o) for each region such as France (54.4%), Japan (12.1%) and the United States (10.1%). When compared with the landing page statistics above, the results are similar in that many detections have been observed in France, Japan, Austria and Germany. On the other hand, while we had previously monitored landing pages for the United States, this time we haven’t seen those landing pages.

Conclusions

From 2019 to 2022, Kaspersky observed that the Roaming Mantis campaign mainly used smishing to deliver a malicious URL to their landing page. In September 2022, we analyzed the new Wroba.o Android malware and discovered a DNS changer function that was implemented to target specific Wi-Fi routers used mainly in South Korea. Users with infected Android devices that connect to free or public Wi-Fi networks may spread the malware to other devices on the network if the Wi-Fi network they are connected to is vulnerable. Kaspersky experts are concerned about the potential for the DNS changer to be used to target other regions and cause significant issues. Kaspersky products detect this Android malware as HEUR:Trojan-Dropper.AndroidOS.Wroba.o or HEUR:Trojan-Dropper.AndroidOS.Agent.eq, providing protection from this cyberthreat to Kaspersky’s customers and users.

IoCs

MD5 of Wroba.o
2036450427a6f4c39cd33712aa46d609
8efae5be6e52a07ee1c252b9a749d59f
95a9a26a95a4ae84161e7a4e9914998c
ab79c661dd17aa62e8acc77547f7bd93
d27b116b21280f5ccc0907717f2fd596
f9e43cc73f040438243183e1faf46581

Domains of landing pages:
1hy5.cwdqh[.]com
3.wubmh[.]com
3y.tmztp[.]com
53th.xgunq[.]com
5c2d.zgngu[.]com
5.hmrgt[.]com
8.ondqp[.]com
9v.tbeew[.]com
d.vbmtu[.]com
g.dguit[.]com
j.vbrui[.]com
k.uvqyo[.]com
kwdd.cehsg[.]com
mh.mgtnv[.]com
o.wgvpd[.]com
r48.bgxbm[.]com
t9o.qcupn[.]com
vj.nrgsd[.]com
w3.puvmw[.]com
xtc9.rvnbg[.]com
y.vpyhc[.]com

IPs of landing pages:
103.80.134[.]40
103.80.134[.]41
103.80.134[.]42
103.80.134[.]48
103.80.134[.]49
103.80.134[.]50
103.80.134[.]51
103.80.134[.]52
103.80.134[.]53
103.80.134[.]54
134.122.137[.]14
134.122.137[.]15
134.122.137[.]16
199.167.138[.]36
199.167.138[.]38
199.167.138[.]39
199.167.138[.]40
199.167.138[.]41
199.167.138[.]43
199.167.138[.]44
199.167.138[.]45
199.167.138[.]48
199.167.138[.]49
199.167.138[.]51
199.167.138[.]52
27.124.36[.]32
27.124.36[.]34
27.124.36[.]52
27.124.39[.]241
27.124.39[.]242
27.124.39[.]243
91.204.227[.]131
91.204.227[.]132
91.204.227[.]144
91.204.227[.]145
91.204.227[.]146

Rogue DNS:
193.239.154[.]15
193.239.154[.]16
193.239.154[.]17
193.239.154[.]18
193.239.154[.]22

Hardcoded malicious accounts of vk.com to obtain live rogue DNS servers:
id728588947

Providing live rogue DNS servers:
107.148.162[.]237:26333/sever.ini

Suspicious accounts/pages of some legitimate services for obtaining C2s
http://m.vk[.]com/id668999378?act=info
http://m.vk[.]com/id669000526?act=info
http://m.vk[.]com/id669000956?act=info
http://m.vk[.]com/id674309800?act=info
http://m.vk[.]com/id674310752?act=info
http://m.vk[.]com/id730148259?act=info
http://m.vk[.]com/id730149630?act=info
http://m.vk[.]com/id761343811?act=info
http://m.vk[.]com/id761345428?act=info
http://m.vk[.]com/id761346006?act=info
https://www.youtube[.]com/channel/UCP5sKzxDLR5yhO1IB4EqeEg/about
https://docs.google[.]com/document/d/1s0n64k12_r9MglT5m9lr63M5F3e-xRyaMeYP7rdOTrA/mobilebasic
https://docs.google[.]com/document/d/1IIB6hhf_BB1DaxzC1aNfLEG1K97LsPsN55AT5pFWYKo/mobilebasic

C&C
91.204.227[.]32
91.204.227[.]33
92.204.255[.]173
91.204.227[.]39
118.160.36[.]14
198.144.149[.]131

A look back on the year 2022 and what to expect in 2023

Every year, as part of the Kaspersky Security Bulletin, we predict which major trends will be followed in the coming year by attackers, who target financial organizations. The predictions, based on our extensive experience, help individuals and businesses improve their cybersecurity and prevent the vast range of possible risks.

As the financial threat landscape has been dramatically evolving over the past few years, with the expansion of such activities as ransomware or cryptofraud, we believe it is no longer sufficient to look at the threats to traditional financial institutions (like banks), but rather assess financial threats as a whole. The cybercriminal market has been developing extensively, with the overwhelming majority of cybercriminals pursuing one goal — financial profit, no matter the source. However, the way they do it varies from year to year, and understanding the changes in their tactics and tools can help organizations improve their security.

This year, we have decided to adjust our predictions accordingly, expanding them to encompass crimeware developments and financial cyberthreats as a whole.

This report assesses how accurately we predicted the developments in the financial threats landscape in 2022 and ponder at what to expect in 2023.

Analysis of forecasts for 2022

• Rise and consolidation of information stealers. Our telemetry shows an exponential growth in infostealers in 2021. Given the variety of offers, low costs, and effectiveness, we believe this trend will continue. Additionally, they might even be used as bulk collectors for targeted and more complex attacks.

  Yes. While we haven’t seen exponential growth in the use of stealers, their advancement and evolution has been very noticeable. In 2022, we uncovered some new malicious families actively sold on dark markets, such as Rhadamanthys, BlueFox, and Parrot, stealing sensitive information from the victims’ devices. One of the most striking new stealers has been OnionPoison. Unlike common stealers, this malware gathered data that can be used to identify the victims, such as browsing histories, social networking account IDs and Wi-Fi networks. Previously discovered stealers have not been left behind. This year we observed the updates of AcridRain and Racoon stealers, and the remarkable evolution of RedLine stealer, making it a self-spreading threat that attacks gamers via YouTube. Also of note in 2022 are campaigns impersonating well-known software brands like Notepad++. The trend remains solid, and these types of campaigns impact a large number of users, hitting the target brand’s bottom line. Moreover, the ransomware gang ransomExx also abuses open source software by recompiling it to load a malicious shellcode; Notepad++ was also used in one of their attacks.

  While there are still top-level threats that are not distributed openly, the vast majority of stealers have become more affordable and cheaper for average cybercriminals, making this threat more likely to evolve even more in the following year.

• Cryptocurrency targeted attacks. The cryptocurrency business continues to grow, and people continue to invest their money in this market because it’s a digital asset and all transactions occur online. It also offers anonymity to users. These are attractive aspects that cybercrime groups will be unable to resist. And not only cybercrime groups, but also state-sponsored groups who have already started targeting this industry. After the Bangladesh bank heist, the BlueNoroff group is still aggressively attacking the cryptocurrency business, and we anticipate this activity will continue.

  Despite these uncovered campaigns, attackers were still more likely to hunt for cryptocurrency using phishing, offering dubious cryptocurrency exchange platforms, and launching cryptojacking to illicitly mint cryptocurrency. Previously, mining was mostly a threat for general users, but today miners are stealing power from large businesses and critical infrastructures. Even big ransomware operators, for example, AstraLocker, are shutting down their operations to switch to cryptojacking.

• More cryptocurrency-related threats: fake hardware wallets, smart contract attacks, DeFi hacks, and more. In the scramble for cryptocurrency investment opportunities, we believe that cybercriminals will take advantage of fabricating and selling rogue devices with backdoors, followed by social engineering campaigns and other methods to steal victims’ financial assets.

  Yes. In 2022, we observed many other cryptocurrency-related threats potentially costing users millions of dollars. Since the start of 2022, cybercriminals have stolen $3 billion from DeFi protocols, with 125 crypto hacks in total. According to the freshest data on DeFi, every hour 15 newly deployed scams against smart contracts are detected. At this rate, 2022 will likely surpass 2021 as the biggest year for hacking on record. The lack of state-of-the-art security for smart contracts leads to attacks on these platforms and, based on how the business model works, the potential theft of a lot of money.

• Targeted ransomware — more targeted and more regional. With the international efforts to crack down on major targeted ransomware groups, we will see a rise in small, regionally derived groups focused on local The adoption of Open Banking in more countries may lead to more opportunities for cyberattacks.

  Yes. We’ve observed a rise in the number of targeted and regional ransomware attacks. One of the reasons why ransomware attacks have become more regional is the decrease in collaboration between ransomware groups. In the past, many actors would join forces to attack and encrypt as many organizations around the world as possible. But thanks to international efforts, such as No More Ransom, to crack down on their work, global attacks have become much rarer.

  Interestingly, this trend was also influenced by geopolitical conflict, which we did not anticipate last year. Many ransomware groups took sides in the conflict between Russia and Ukraine, focusing their activities on destructive attacks or limiting the range of their targets by geography. The most significant reaction of all was likely by the Conti ransomware group, who announced that it would retaliate with full capabilities against any “enemy’s” critical infrastructure if Russia became a target of cyberattacks. On the other side, Kaspersky discovered Freeud, a wiper under the guise of ransomware whose creators proclaimed support for Ukraine.

• Access broker specialists — professionalize access to compromised networks. Instead of major efforts to compromise access to a corporate or public entity, we can expect Ransomware-as-a-Service operators to seek to buy access to another cybercriminal group that already has access to the target, focusing their activity on ransomware deployment.

  Yes. Attackers have indeed resorted to buying initial access to compromised services more often than hacking it themselves. This has become a real stand-alone business in the dark web (Malware-as-a-Service, MaaS). This year we detected a malicious spam campaign targeting organizations tenfold growth in a month, spreading Emotet malware, which is used by Conti ransomware affiliates to gain initial access. Once access is obtained, the organization is placed into a pool of potential ransomware targets. This growth in the Emotet campaign suggests that the Access-as-a-Service continues to be actively used by cybercriminal groups, and the trend of hiring access broker specialists is likely to continue in 2023.

• Mobile banking Trojans on the rise. As mobile banking experienced booming adoption worldwide due to the pandemic (in Brazil it represented 51% of all transactions in 2020), we can expect more mobile banking Trojans for Android, especially RATs that can bypass security measures adopted by banks (such as OTP and MFA). Regional Android implant projects will move globally, exporting attacks to Western European countries.

  Yes. Security remains the biggest problem for users who want to make regular mobile payments. As predicted, the number of mobile banking Trojan detections increased considerably in 2022 worldwide compared to the last year, reaching more than 55,000 attacks in the second quarter of 2022 alone. With the rising number of attacks, cybercriminals have evolved new banking Trojans, targeting mobile users. In 2022, Kaspersky researchers have so far discovered more than 190 applications distributing Harly Trojan with more than 4.8 million downloads. While these apps were available in official stores and disguised as legitimate apps, the fraudsters behind them subscribed unsuspecting users to unwanted paid services.

• Rise of threat to online payment systems. Amid the pandemic, many companies went digital and moved their systems online. And the longer people stay at home because of quarantine and lockdowns, the more they rely on online markets and payment systems. However, this rapid shift is not accompanied by the appropriate security measures, and it is attracting lots of cybercriminals. This issue is particularly severe in developing countries, and the symptoms will last for a while.

  No. This year, we have not observed a lot of new fintech players that went big and which could become new targets for cybercriminals.

• With more fintech apps out there, the increasing volume of financial data is attracting cybercriminals. Thanks to online payment systems and fintech applications, large amounts of important personal information is stored on mobile. Many cybercrime groups will continue to attack personal mobile phones with evolved strategies such as deep fake technology and advanced malware to steal victims’ data.

  No. Mobile malware techniques haven’t changed much in the course of 2022.

• Remote workers using corporate computers for entertainment purposes, such as online games, continue to pose financial threats organizations. In a previous post, we wrote that users rely on corporate laptops to play video games, watch movies, and use e-learning platforms. This behavior was easy to identify because there was a boom in the Intel and AMD mobile graphic cards market in 2020-2021 compared to previous years. This trend is here to stay, and while during 2020 46% of employees had never worked remotely before, now two-thirds of them state they wouldn’t go back to the office, with the rest claiming to have a shorter office work week.

  Yes. The level of cybersecurity after the pandemic and the initial adoption of remote work by organizations en masse has become better. Nevertheless, corporate computers used for entertainment purposes remain one of the most important ways to get initial access to a company’s network. Looking for alternative sources to download an episode of a show or a newly released film, users encounter various types of malware, including Trojans, spyware and backdoors, as well as adware. According to Kaspersky statistics, 35% of users who faced threats under the guise of streaming platforms were affected by Trojans. If such malware ends up on a corporate computer, attackers could even penetrate the corporate network and search for and steal sensitive information, including both business development secrets and employees’ personal data.

• ATM and PoS malware to return with a vengeance. During the pandemic, some locations saw PoS (point of sale) and ATM transaction levels drop significantly. Lockdowns forced people to stay at home and make purchases online, and this was mirrored in PoS/ATM malware too. As restrictions are lifted, we should expect the return of known PoS/ATM malware and the appearance of new projects. Cybercriminals will regain their easy physical access to ATMs and PoS devices at the same time as customers of retailers and financial institutions.

  Yes. As predicted, with the lift of COVID-19 restrictions, attackers have stepped up their activities again in 2022. In the first eight months of the year, the number of unique devices affected by ATM/PoS malware grew by 19% as compared to the same period in 2020, and by nearly 4% compared to 2021. Kaspersky researchers have also discovered cybercriminals creating and deploying new never-seen-before tools targeting ATM and PoS devices. For instance, the Prilex threat group, famous for stealing millions of dollars from banks, has evolved substantially. Specifically, Prilex has upgraded its tools from a simple memory scraper to an advanced and complex malware that now targets modular PoS terminals and is the first malware able to clone credit card transactions, even those protected by CHIP and PIN.

  Perhaps one of the biggest shifts is PoS malware becoming a service sold on the dark web, which means it is now available to other cybercriminals, and the risk of losing money is increasing for businesses worldwide.

Forecasts for 2023

Led by gaming and other entertainment sectors, Web3 continues to gain traction and so will threats for it

With the increasing popularity of cryptocurrencies, the number of crypto scams has also increased. However, we believe that users are now much more aware of crypto and will not fall for primitive scams, such as a video featuring an Elon Musk deepfake promising huge returns in a dodgy cryptocurrency investment scheme that went viral. Cybercriminals will continue to try to steal money through fake ICOs and NFTs along with other cryptocurrency-based financial theft (like exploitation of vulnerable smart contracts), but will make them more advanced and widespread.

Malware loaders to become the hottest goods on the underground market

Many actors have their own malware, but that alone is not enough. Entire samples used to consist solely of ransomware, but the more diverse the modules in a piece of ransomware, the better it will evade detection. As a result, attackers are now paying much more attention to downloaders and droppers, which can avoid detection. This has become a major commodity in the MaaS industry, and there are even already favorites among cybercriminals on the dark web — the Matanbunchus downloader, for example. All in all, stealth execution and bypassing EDRs is what malicious loader developers are going to focus on in 2023.

More new “Red Team” penetration testing frameworks deployed by cybercriminals

At the same time as vendors create and improve penetration testing frameworks to protect companies, crimeware actors are expected to use them much more actively for illegal activities. The most remarkable example of this trend starting to spread globally is Cobalt Strike. The tool is so powerful that threat groups have added it to their arsenal, already using it in a wide variety of attacks and cyberespionage campaigns. In 2022, the news hit the headlines that another pentester toolkit dubbed Brute Ratel C4 had been hacked, and is now being distributed on hacker forums. We predict that, along with the development of new penetration tools, cybercriminals will increasingly use them for their own malicious purposes — and Brute Ratel C4 and Cobalt Strike are just the beginning of this trend.

Ransomware negotiations and payments begin to rely less on Bitcoin as a transfer of value

As sanctions continue to be issued, the markets become more regulated, and technologies improve at tracking the flow and sources of Bitcoin, cybercrooks will rotate away from this cryptocurrency toward other forms of value transfer.

Ransomware groups following less financial interest, but more destructive activity

Perhaps a surprising prediction in a report about future financial threats, yet ransomware has been one of the biggest threats in recent years, inflicting massive financial damage on organizations. As the geopolitical agenda increasingly occupies the attention not only of the public but also of cybercriminals, we expect ransomware groups to make demands for some form of political action, instead of demands for ransom money. One of such examples is Freeud, a brand-new ransomware with wiper capabilities.

• IT threat evolution in Q3 2022
• IT threat evolution in Q3 2022. Non-mobile statistics
• IT threat evolution in Q3 2022. Mobile statistics

These statistics are based on detection verdicts of Kaspersky products received from users who consented to providing statistical data.

Quarterly figures

According to Kaspersky Security Network, in Q3 2022:

• A total of 5,623,670 mobile malware, adware, and riskware attacks were blocked.
• Droppers (Trojan-Dropper), accounting for 26.28% of detections, were the most common threat to mobile devices.
• 438,035 malicious installation packages were detected, of which:
  • 35,060 packages were related to mobile banking Trojans,
  • 2,310 packages were mobile ransomware Trojans.

Quarterly highlights

Judging by the number of attacks on mobile devices, cybercriminal activity stabilized in Q3 2022 after a gradual drop in the previous quarters. Over the three months, Kaspersky products prevented a total of 5.6 million mobile malware, adware, and riskware attacks.

Number of attacks targeting users of Kaspersky mobile solutions, Q1 2021 — Q3 2022 (download)

The new Triada Trojan, discovered inside a modified WhatsApp build, was an interesting find. It was notable for spreading via ads inside the popular Snaptube app and through the Vidmate internal store. Once on a device, the Trojan decrypts and runs a payload, which downloads and runs further malicious modules. The modules can display ads, subscribe the user to paid services, or download and run other malicious modules. Besides that, the Trojan steals various keys from the legitimate WhatsApp, potentially hijacking the account.

The Harly Trojan subscribers were another malware family spread via legitimate channels. These are published in Google Play under the guise of authentic apps, subscribing the unknowing user to paid services once installed. We have discovered 200 malicious applications of this type starting in 2020, and a total count of installations at the time of writing this report had exceeded 5 million.

One of the most recently detected Harly-type apps in Google Play, with more than 50,000 installations.

Google Play keeps getting new banking Trojans, such as new versions of the Trojan dropper that downloads and runs Sharkbot.

Despite a general decline in the number of mobile attacks, we can see that cybercriminals are using increasingly smarter tricks to deliver malware to user devices.

Mobile threat statistics

In Q3 2022, Kaspersky detected 438,035 malicious installation packages, which is 32,351 more than in the previous quarter and down 238,155 against Q3 2021.

Number of detected malicious installation packages, Q3 2021 — Q3 2022 (download)

Distribution of detected mobile malware by type

Distribution of newly detected mobile malware by type, Q2 and Q3 2022 (download)

Threats in the Trojan-Dropper class ranked first among all threats detected in Q3, with 26.28%, exceeding the previous quarter’s figure by 22.15 percentage points. Nearly half (45.33%) of all detected threats of that type belonged to the Ingopack family. These were followed by banking Trojan droppers from Wroba (41.24%) and Hqwar families (5.98%).

AdWare, the ex-leader, moved 2.5 percentage points down the rankings to second place with a share of 22.78%. A fourth of all detected threats of that class belonged to the Aldo family (25.64%).

Third place was taken by various Trojans with a cumulative share of 16.01%, which was 4.48 percentage points lower than in the previous quarter. Half of all detected threats of that class were objects from the Boogr family (50.16%).

Top 20 mobile malware programs

Note that the malware rankings below exclude riskware or PUAs, such as RiskTool or adware.

* Unique users attacked by this malware as a percentage of all attacked users of Kaspersky mobile solutions.

First and second places went to DangerousObject.Multi.Generic (22.58%) and Trojan.AndroidOS.Generic (14.59%), respectively, which are verdicts we use for malware detected with cloud technology. Cloud technologies are used when the antivirus databases lack data for detecting a piece of malware, but the company’s cloud already contains information about the object. This is essentially how the latest malware types are detected.

Trojan-Spy.AndroidOS.Agent.aas (8.51%), an evil twin of WhatsApp with a spy module built in, rose to third position. Trojan-SMS.AndroidOS.Fakeapp.d slid from second to fourth place with 6.95%. This malware is capable of sending text messages and calling predefined numbers, displaying ads and hiding its icon. Members of the Trojan.AndroidOS.GriftHorse family, which subscribe the user to premium SMS services, took fifth and sixteenth places.

Malware from the Trojan-Dropper.AndroidOS.Hqwar family, used for unpacking and running various banking Trojans, occupied sixth, fourteenth, and eighteenth places. These attacked a combined 6% of all users who encountered malware.

The verdict of DangerousObject.AndroidOS.GenericML came seventh with 2.90%. This verdict is assigned to files recognized as malicious by our machine-learning systems. Eighth place was occupied by Trojan-Dropper.AndroidOS.Agent.sl (2.46%), a dropper that unpacks and runs the banking Trojan from the Roaming Mantis campaign. Roaming Mantis mainly attacks users in Japan and France. Another banking Trojan dropper, Trojan-Dropper.AndroidOS.Agent.sl, sunk to ninth place with 2.21%.

Trojan-Downloader.AndroidOS.Necro.d, used for downloading and running other forms of malware on infected devices, jumped from sixteenth to tenth place with 1.93%. Trojan-Dropper.AndroidOS.Agent.rv, a dropper that unpacks and runs various types of malware, took eleventh place with 1.84%.

Twelfth place saw the arrival of the banking Trojan, Trojan-Banker.AndroidOS.Bian.h, with 1.71%. Trojan-Downloader.AndroidOS.Agent.kx, an adware dropper, accounted for 1.69%, climbed from twentieth to thirteenth place. Trojan.AndroidOS.Hiddad.hh, an adware Trojan that mostly attacks users in Russia, Kazakhstan, and Ukraine, was fifteenth with 1.52%.

Trojan-SMS.AndroidOS.Agent.ado, known for sending text messages to premium-rate shortcodes, remained seventeenth with 1.41%. Nineteenth place, with 1.35%, was occupied by Trojan-Dropper.AndroidOS.Triada.az, a type of malware that decrypts and runs a payload capable of displaying ads on the lock screen, opening new browser tabs, gathering device information, and dropping other malicious code.

The last in the rankings (previously thirteenth) is Trojan.AndroidOS.Soceng.f with 1,33%. It sends text messages to the user’s contacts, deletes files on the memory card, and overlays the interfaces of popular apps with its own window.

Geography of mobile threats

TOP 10 countries and territories by share of users attacked by mobile malware

* Countries and territories with relatively few users of Kaspersky mobile security solutions (under 10,000) have been excluded from the rankings.
** Unique users attacked as a percentage of all users of Kaspersky mobile security solutions in the country.

The countries with the largest shares of attacked users and the most widespread threats in these regions remained unchanged in Q3 2022.

Iran came first with a record 81.37%, still plagued by the annoying adware modules from the AdWare.AndroidOS.Notifyer and AdWare.AndroidOS.Fyben families. Yemen, where users were attacked mostly by Trojan-Spy.AndroidOS.Agent.aas, stayed at second place with 18,91%. In Saudi Arabia, which came third with 12.68%, users most commonly encountered adware from the AdWare.AndroidOS.Adlo and AdWare.AndroidOS.Fyben families.

Mobile banking Trojans

The number of detected installation packages for mobile banking Trojans dropped to 35,060. This figure represents a decrease of 20,554 from Q2 2022, but a decrease of 22,963 from Q3 2021.

Two-thirds (66.20%) of the detected banking Trojan installation packages belonged to the Trojan-Banker.AndroidOS.Bray family. These were followed by Trojan-Banker.AndroidOS.Bian with 5,46% and Trojan-Banker.AndroidOS.Fakecalls with 4,59%.

Number of installation packages for mobile banking Trojans detected by Kaspersky, Q3 2021 — Q3 2022 (download)

Top 10 most common mobile bankers

* Unique users attacked by this malware as a percentage of all Kaspersky mobile security solution users who encountered banking threats.

The three most-attacked countries in terms of affected users remained the same as in Q2 2022.

Geography of mobile bankers

TOP 10 countries and territories by shares of users attacked by mobile banking Trojans

* Countries and territories with relatively few users of Kaspersky mobile security solutions (under 10,000) have been excluded from the rankings.
** Unique users attacked by mobile banking Trojans as a percentage of all Kaspersky mobile security solution users in the country.

Saudi Arabia had the largest share (1.36%) of unique users who came across mobile financial threats in Q3 2022. Trojan-Banker.AndroidOS.Bian.h accounted for more than 99% of attacks in that country. Spain, formerly the hardest-hit country, had the second largest share (1.05%), with 93.46% of attacks linked to the same malware type. Australia again had the third-largest (0.79%) share, with 98.27% of attacks there involving Trojan-Banker.AndroidOS.Gustuff.d.

Mobile ransomware Trojans

We detected 2,310 mobile Trojan ransomware installers in Q3 2022, a decrease of 1,511 from Q2 2022 and a decrease of 3,847 year on year.

Number of installation packages for mobile ransomware Trojans detected by Kaspersky, Q3 2021 — Q3 2022 (download)

Top 10 most common mobile ransomware

* Unique users attacked by the malware as a percentage of all Kaspersky mobile security solution users attacked by ransomware Trojans.

Geography of mobile ransomware

TOP 10 countries and territories by share of users attacked by mobile ransomware Trojans

* Excluded from the rankings are countries and territories with relatively few (under 10,000) Kaspersky mobile security users.
** Unique users attacked by ransomware Trojans as a percentage of all Kaspersky mobile security solution users in the country or territory.

Yemen (0.28%), Kazakhstan (0.15%) and Saudi Arabia (0.02%) had the largest shares of users attacked by mobile ransomware Trojans. Users in Yemen and Saudi Arabia most often encountered Trojan-Ransom.AndroidOS.Pigetrl.a, while users in Kazakhstan were attacked mainly by members of the Trojan-Ransom.AndroidOS.Rkor family.