IT threat evolution Q1 2023. Mobile statistics

These statistics are based on detection verdicts of Kaspersky products received from users who consented to providing statistical data.

Quarterly figures

According to Kaspersky Security Network, in Q1 2023:

  • 4,948,522 mobile malware, adware and riskware attacks were blocked.
  • The most common threat to mobile devices was adware: 34.8% of all detected threats.
  • 307,529 malicious installation packages were detected, of which:
    • 57,601 packages were related to mobile banking Trojans,
    • 1,767 packages were mobile ransomware Trojans.

Quarterly highlights

Malware, adware and unwanted software attacks on mobile devices were down slightly year-on-year. Kaspersky mobile security systems thwarted a total of 4.9 million attacks in Q1 2023.

Number of attacks targeting users of Kaspersky mobile solutions, Q3 2021–Q1 2023

During the period in question, we detected several mobile photo editors on Google Play, which, besides their legitimate features, contained a dropper hidden inside a heavily obfuscated library. The dropper payload was designed to subscribe the user to paid services and intercept notifications.

We assigned our new find the verdict of Trojan.AndroidOS.Subscriber.aj and alerted Google Play, which then took down the malicious files. Kaspersky systems detect new files associated with this Trojan as Trojan.AndroidOS.Fleckpe.

Also in the first quarter, we came across what we designated as Trojan.AndroidOS.Bithief.f, a malicious modification of Skype that stole the victim’s cryptocurrency. The Trojan monitors the contents of the clipboard on the user’s device and sends any crypto wallet addresses that it detects to the command-and-control server. The server responds with the attacker’s wallet address, which the malware then substitutes for the user’s address. Inattentive users then send their cryptocurrency to the wrong recipient.
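The clipboard-substitution behaviour described above is easiest to reason about from the defender's side: a clipboard monitor that notices when a wallet address has been replaced by a different address of the same type without the user copying anything. The Python script below is an added example written for this page, not Kaspersky's code and not derived from the Bithief sample; the address patterns, the Snapshot model and the user_copied flag are assumptions about what such a monitor would have available, and the sample clipboard history is constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Address shapes the monitor recognises. The Bitcoin pattern covers legacy base58
# (1.../3...) and bech32 (bc1...) forms; the Ethereum pattern is 0x plus 40 hex digits.
# These are shape checks only (no checksum validation), so a match means "looks like".
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(?:bc1[02-9ac-hj-np-z]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify(text: str) -> Optional[str]:
    """Return the address type if the clipboard text looks like a wallet address, else None."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None


@dataclass
class Snapshot:
    t: float                    # seconds since the monitor started
    text: str                   # clipboard contents observed at that moment
    user_copied: bool = False   # assumption: the monitor knows when the user triggered a copy


def detect_substitutions(snapshots: List[Snapshot], window: float = 5.0) -> List[Tuple[float, str, str, str]]:
    """Flag every case where an address is replaced by a different address of the same
    type within `window` seconds and the change was not a user-initiated copy.
    Returns (time, kind, original_address, replacement_address) tuples."""
    events = []
    prev = None
    for snap in snapshots:
        kind = classify(snap.text)
        if (prev is not None and kind is not None and not snap.user_copied
                and classify(prev.text) == kind
                and prev.text.strip() != snap.text.strip()
                and snap.t - prev.t <= window):
            events.append((snap.t, kind, prev.text.strip(), snap.text.strip()))
        prev = snap
    return events


# Constructed clipboard history for the example (addresses are public test/burn
# addresses and made-up hex strings, not real victim or attacker wallets).
SAMPLE_HISTORY = [
    Snapshot(0.0, "meeting notes", user_copied=True),
    Snapshot(1.0, "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2", user_copied=True),
    Snapshot(1.4, "1CounterpartyXXXXXXXXXXXXXXXUWLpVr"),        # silently swapped 0.4 s later
    Snapshot(10.0, "0x" + "ab" * 20, user_copied=True),
    Snapshot(12.0, "0x" + "11" * 20, user_copied=True),         # the user copied a second address
    Snapshot(40.0, "0x" + "cd" * 20),                           # outside the window: not blamed on the first
]


if __name__ == "__main__":
    for t, kind, before, after in detect_substitutions(SAMPLE_HISTORY):
        print(f"t={t:.1f}s {kind} address replaced: {before} -> {after}")
```

The window and the user_copied flag are what keep false positives down: a user who legitimately copies two addresses in a row looks identical to a substitution unless the monitor can tell that the second copy came from them.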

Mobile threat statistics

After a noticeable decrease in malicious installers in Q4 2022 due to reduced activity by Trojan-Dropper.AndroidOS.Ingopack, we observed a minor increase in new malware varieties.

Number of detected malicious installation packages, Q1 2022–Q1 2023

Distribution of detected mobile malware by type

Distribution of newly detected mobile malware by type, Q4 2022 and Q1 2023

Adware was back at the top of the rankings with 34.8%. The most widespread adware families in Q1 2023 were MobiDash (22.5%), HiddenAd (21.9%) and Adlo (12.4%).

Share of users attacked by a certain type of threat out of all attacked mobile users, Q4 2022 and Q1 2023

The share of users attacked by mobile Trojans increased in the first quarter, mostly due to the malware that we detect as Trojan.AndroidOS.Fakemoney.v and Trojan.AndroidOS.Adinstall.l. The former is a fake investment app that harvests victims’ payment details; the latter is adware that comes pre-installed on certain devices and is capable of downloading and running code (typically ads).

TOP 20 mobile malware programs

Note that the malware rankings below exclude riskware or PUAs, such as RiskTool or adware.

 #   Verdict                                   %* Q4 2022   %* Q1 2023   Difference in pp   Change in ranking
 1   DangerousObject.Multi.Generic                  16.52        13.27          -3.24
 2   Trojan-Spy.AndroidOS.Agent.acq                  4.29         8.60          +4.31              +5
 3   Trojan.AndroidOS.Boogr.gsh                      6.92         8.39          +1.47              +1
 4   Trojan.AndroidOS.Fakemoney.v                    1.13         7.48          +6.35             +19
 5   Trojan.AndroidOS.GriftHorse.l                   8.29         6.13          -2.17              -3
 6   Trojan.AndroidOS.Generic                        7.68         5.95          -1.73              -3
 7   Trojan-Dropper.AndroidOS.Hqwar.hd               3.06         4.54          +1.49              +2
 8   Trojan-Downloader.AndroidOS.Agent.mh            0.00         3.68          +3.68
 9   Trojan-Spy.AndroidOS.Agent.aas                  6.18         3.64          -2.53              -3
10   DangerousObject.AndroidOS.GenericML             2.37         3.46          +1.10
11   Trojan.AndroidOS.Adinstall.l                    0.28         3.36          +3.08
12   Trojan-Dropper.AndroidOS.Agent.sl               3.50         2.10          -1.40              -4
13   Trojan.AndroidOS.Fakemoney.u                    0.67         1.64          +0.97             +25
14   Trojan-Banker.AndroidOS.Bian.h                  1.43         1.52          +0.10              +3
15   Trojan-Dropper.AndroidOS.Hqwar.gen              1.25         1.47          +0.22              +6
16   Trojan-Downloader.AndroidOS.Agent.kx            1.53         1.43          -0.10              -3
17   Trojan-SMS.AndroidOS.Fakeapp.d                  6.43         1.32          -5.11             -12
18   Trojan.AndroidOS.Piom.auar                      0.00         1.06          +1.06
19   Trojan-Dropper.AndroidOS.Wroba.o                1.51         1.03          -0.47              -4
20   Trojan-Dropper.AndroidOS.Hqwar.gf               0.14         0.98          +0.84

* Unique users attacked by this malware as a percentage of all attacked users of Kaspersky mobile solutions.

DangerousObject.Multi.Generic (13.27%), the verdict we assign to miscellaneous unrelated malware that we detect with our cloud technology, topped the rankings as usual. This was followed by Trojan-Spy.AndroidOS.Agent.acq (8.60%), a malicious modification of WhatsApp that secretly monitors notifications the user receives.

Trojan.AndroidOS.Boogr.gsh (8.39%), a collective verdict for miscellaneous malware we detect with our machine learning technology, was in third place. This verdict is analogous to DangerousObject.AndroidOS.GenericML (3.46%), but unlike it, received through analysis of a similar file in the Kaspersky infrastructure.

Next were the previously mentioned fake investment app Trojan.AndroidOS.Fakemoney.v (7.48%) and the subscription Trojan described in many past reports — Trojan.AndroidOS.GriftHorse.l (6.13%).

Regional malware

This section describes mobile malware that mostly targets those who reside in certain countries.

Verdict                                    Country*      %**
Trojan-Banker.AndroidOS.Banbra.aa          Brazil        99.43
Trojan-Spy.AndroidOS.SmsThief.td           Indonesia     99.08
Trojan-Banker.AndroidOS.Bray.n             Japan         99.07
Trojan-Banker.AndroidOS.Banbra.ac          Brazil        98.85
Trojan-Banker.AndroidOS.Agent.la           Turkey        98.62
Trojan.AndroidOS.Hiddapp.da                Iran          97.82
Trojan.AndroidOS.Hiddapp.bk                Iran          96.95
Trojan.AndroidOS.GriftHorse.ai             Kazakhstan    96.26
Trojan-Dropper.AndroidOS.Hqwar.hc          Turkey        95.93
Trojan.AndroidOS.FakeGram.a                Iran          95.73
Trojan-SMS.AndroidOS.Agent.adr             Iran          95.07
Trojan.AndroidOS.Hiddapp.bn                Iran          95.01
Trojan.AndroidOS.Piom.aiuj                 Iran          90.33
Trojan-Banker.AndroidOS.Cebruser.san       Turkey        88.28
Trojan.AndroidOS.Hiddapp.cg                Iran          88.25
Backdoor.AndroidOS.Basdoor.c               Iran          86.44
Trojan-Dropper.AndroidOS.Wroba.o           Japan         83.80

* Country where the malware was most active
** Unique users attacked by the malware in the indicated country as a percentage of all Kaspersky mobile security solution users attacked by the same malware
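The footnotes on the rankings table and on the regional table define the two metrics this report is built on: a verdict's share (unique users it attacked as a percentage of all attacked users), together with its percentage-point difference and rank change between quarters, and a verdict's regional focus (users attacked in its busiest country as a percentage of everyone that verdict attacked). The Python below is an added example, not Kaspersky's own pipeline, that computes all of them from a small constructed telemetry set; the record layout (user id, country code, verdict) and the tie-breaking rules are assumptions. It computes the difference from the unrounded shares, which is a likely explanation for rows such as DangerousObject.Multi.Generic above, where 13.27 minus 16.52 would round to -3.25 but the table shows -3.24.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed telemetry: one record per (user id, country code, verdict) detection.
# The layout is an assumption for this example, not Kaspersky's schema, and the
# verdict names are shortened to their family and variant suffix.
Record = Tuple[str, str, str]

Q4_2022: List[Record] = [
    ("u1", "BR", "Banbra.aa"), ("u2", "BR", "Banbra.aa"), ("u5", "BR", "Banbra.aa"),
    ("u3", "TR", "Agent.la"), ("u4", "JP", "Bray.n"),
]
Q1_2023: List[Record] = [
    ("u1", "BR", "Banbra.aa"), ("u4", "JP", "Bray.n"), ("u8", "ID", "SmsThief.td"),
    ("u3", "TR", "Agent.la"), ("u6", "TR", "Agent.la"), ("u7", "TR", "Agent.la"),
    ("u9", "BR", "Agent.la"),
]


def shares(records: List[Record]) -> Dict[str, float]:
    """Unrounded share (percent) of attacked users per verdict: the '%*' column."""
    users_by_verdict = defaultdict(set)
    attacked_users = set()
    for uid, _country, verdict in records:
        users_by_verdict[verdict].add(uid)
        attacked_users.add(uid)
    return {v: 100.0 * len(s) / len(attacked_users) for v, s in users_by_verdict.items()}


def ranking(share: Dict[str, float]) -> Dict[str, int]:
    """Rank 1 = largest share; ties are broken alphabetically so the order is stable."""
    ordered = sorted(share, key=lambda v: (-share[v], v))
    return {v: i + 1 for i, v in enumerate(ordered)}


def compare_quarters(prev: List[Record], curr: List[Record]) -> List[dict]:
    """Build the rankings-table rows for the current quarter against the previous one."""
    ps, cs = shares(prev), shares(curr)
    pr, cr = ranking(ps), ranking(cs)
    rows = []
    for verdict in sorted(cr, key=cr.get):
        prev_pct = ps.get(verdict, 0.0)         # 0.00 when the verdict did not occur last quarter
        rows.append({
            "verdict": verdict,
            "prev_pct": round(prev_pct, 2),
            "curr_pct": round(cs[verdict], 2),
            "diff_pp": round(cs[verdict] - prev_pct, 2),   # from unrounded shares
            # positive = moved up; None = not ranked at all in the previous quarter
            "rank_change": pr[verdict] - cr[verdict] if verdict in pr else None,
        })
    return rows


def regional_focus(records: List[Record]) -> Dict[str, Tuple[str, float]]:
    """For each verdict: the country with the most attacked users and their share
    of all users that verdict attacked (the regional table's two columns)."""
    by_verdict = defaultdict(lambda: defaultdict(set))
    for uid, country, verdict in records:
        by_verdict[verdict][country].add(uid)
    focus = {}
    for verdict, countries in by_verdict.items():
        total = len(set().union(*countries.values()))
        top = max(countries, key=lambda c: (len(countries[c]), c))
        focus[verdict] = (top, round(100.0 * len(countries[top]) / total, 2))
    return focus


if __name__ == "__main__":
    for row in compare_quarters(Q4_2022, Q1_2023):
        print(row)
    for verdict, (country, pct) in regional_focus(Q1_2023).items():
        print(f"{verdict}: most active in {country} ({pct}%)")
```

Shares are computed per unique user, not per detection, so a user hit repeatedly by the same verdict counts once, and the denominator changes every quarter, which is why a verdict's share can fall even when its absolute victim count does not.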

Members of the Banbra malware family continued to attack users in Brazil in Q1 2023. These are banking Trojans that abuse Accessibility features to interact with other applications installed on the device.

In Indonesia, users were exposed to SmsThief.td SMS spies, which spread under the guise of public services, system apps or marketplaces.

Wroba banking Trojans, which we have covered several times, and the Bray mobile malware distributed under the guise of useful apps, such as call blockers, were busy in Japan.

Turkish users found themselves targeted by several banking Trojans, including the fairly primitive Agent.la and the well-known Cebruser. The Hqwar dropper operating in Turkey is also typically used to deliver various banking malware.

Users in Iran had to deal with hidden, hard-to-remove Hiddapp programs and the FakeGram family, third-party Telegram clients that automatically add users to channels they do not intend to join.

A variant of the GriftHorse subscription Trojan was mostly active in Kazakhstan. Focusing on users in a certain country is expected behavior for this Trojan family, as the phishing messages used to lure the user into subscribing to a fake service have to be localized.

Mobile banking Trojans

The number of banking Trojan installers began to increase again, exceeding 57,000 in Q1 2023.

Number of installation packages for mobile banking Trojans detected by Kaspersky, Q1 2022–Q1 2023

TOP 10 mobile bankers

 #   Verdict                                   %* Q4 2022   %* Q1 2023   Difference in pp   Change in ranking
 1   Trojan-Banker.AndroidOS.Bian.h                 29.90        30.81           0.91
 2   Trojan-Banker.AndroidOS.Faketoken.pac           6.31        10.15           3.84
 3   Trojan-Banker.AndroidOS.Agent.eq                4.59         5.51           0.92              +1
 4   Trojan-Banker.AndroidOS.Agent.ep                3.57         4.40           0.84              +2
 5   Trojan-Banker.AndroidOS.Svpeng.q                5.71         4.05          -1.66              -2
 6   Trojan-Banker.AndroidOS.Banbra.aa               1.80         3.72           1.92              +6
 7   Trojan-Banker.AndroidOS.Agent.la                0.16         3.08           2.92             +85
 8   Trojan-Banker.AndroidOS.Banbra.ac               0.57         2.46           1.89             +23
 9   Trojan-Banker.AndroidOS.Asacub.ce               3.46         2.17          -1.29              -1
10   Trojan-Banker.AndroidOS.Agent.cf                1.63         1.91           0.28              +5

* Unique users attacked by this malware as a percentage of all Kaspersky mobile security solution users who encountered banking threats.

Q1 2023 saw a noticeable increase in activity by the aforementioned mobile malware Agent.la (3.08%) and Banbra (2.46%), both of which had landed outside the TOP 10 in Q4 2022.

Mobile ransomware Trojans

The number of mobile ransomware programs remained low after dropping in 2022, apparently because the niche had ceased to be as profitable for scammers as it once had been.

Number of installation packages for mobile ransomware Trojans detected by Kaspersky, Q1 2022–Q1 2023

TOP 10 mobile ransomware verdicts

 #   Verdict                                   %* Q4 2022   %* Q1 2023   Difference in pp   Change in ranking
 1   Trojan-Ransom.AndroidOS.Pigetrl.a              54.61        62.22           7.60
 2   Trojan-Ransom.AndroidOS.Small.as                5.42         3.65          -1.77
 3   Trojan-Ransom.AndroidOS.Rkor.dl                 0.00         2.23           2.23
 4   Trojan-Ransom.AndroidOS.Congur.y                1.00         1.78           0.78             +19
 5   Trojan-Ransom.AndroidOS.Agent.bw                2.19         1.60          -0.59              -1
 6   Trojan-Ransom.AndroidOS.Fusob.h                 2.04         1.55          -0.49              +1
 7   Trojan-Ransom.AndroidOS.Rkor.pac                1.19         1.50           0.32              +9
 8   Trojan-Ransom.AndroidOS.Rkor.di                 0.62         1.46           0.84             +30
 9   Trojan-Ransom.AndroidOS.Rkor.bi                 1.62         1.46          -0.16              +2
10   Trojan-Ransom.AndroidOS.Small.o                 2.14         1.32          -0.82              -4

* Unique users attacked by the malware as a percentage of all Kaspersky mobile security solution users attacked by ransomware Trojans.

The distribution of mobile ransomware apps changed only insignificantly from the previous quarter. Pigetrl (62.22%) still accounted for the lion’s share of threats, followed by Small.as (3.65%) and various modifications of Rkor.
