The state of stalkerware in 2022 (PDF)

Main findings of 2022

The State of Stalkerware is an annual report by Kaspersky which contributes to a better understanding of how many people in the world are affected by digital stalking. Stalkerware is a commercially available software that can be discretely installed on smartphone devices, enabling perpetrators to monitor an individual’s private life without their knowledge.

Stalkerware can be downloaded and easily installed by anyone with an Internet connection and physical access to a smartphone. A perpetrator violates the victim’s privacy as they can then use the software to monitor huge volumes of personal data. Depending on the type of software, it is usually possible to check device location, text messages, social media chats, photos, browser history and more. Stalkerware works in the background, meaning that most victims will unaware that their every step and action is being monitored.

In most countries around the world, the use of stalkerware software is currently not prohibited but installing such an application on another individual’s smartphone without their consent is illegal and punishable. However, it is the perpetrator who will be held responsible, not the developer of the application.

Along with other related technologies, stalkerware is part of tech-enabled abuse and often used in abusive relationships. As this is part of a wider problem, Kaspersky is working with relevant experts and organizations in the field of domestic violence, ranging from victim support services and perpetrator programs through to research and government agencies, to share knowledge and support professionals and victims alike.

2022 data highlights

• In 2022, Kaspersky data shows that 29,312 unique individuals around the world were affected by stalkerware. Compared to the downwards trend that has been recorded in previous years, this is similar to the total number of affected users in 2021. Taking into account the developments in digital stalking software over the past few years, the data suggests there is a trend towards stabilization. More broadly, it is important to note that the data covers the affected number of Kaspersky users, with the global number of affected individuals likely to be much higher. Some affected users may use another cybersecurity solution on their devices, while some do not use any solution at all.
• In addition, the data reveals a stable proliferation of stalkerware over the 12 months of 2022. On average, 3333 users each month were newly affected by stalkerware. The stable detection rate indicates that digital stalking has become a persistent problem that warrants wider societal attention. Members from the Coalition Against Stalkerware estimate that there could be close to one million victims globally affected by stalkerware every year.
• According to the Kaspersky Security Network, stalkerware is most commonly used in Russia, Brazil, and India, but continues to be a global phenomenon affecting all countries. Regionally, the data reveals that the largest number of affected users can be found in the following countries:
  • Germany, Italy, and France (Europe);
  • Iran, Turkey, and Saudi Arabia (Middle East and Africa);
  • India, Indonesia, and Australia (Asia-Pacific);
  • Brazil, Mexico, and Ecuador (Latin America);
  • United States (North America);
  • Russian Federation, Kazakhstan and Belarus (Eastern Europe (except European Union countries), Russia and Central Asia).
• Globally, the most commonly used stalkerware app is Reptilicus with 4,065 affected users.

2022 trends observed by Kaspersky

Methodology

The data in this report has been taken from aggregated threat statistics obtained from the Kaspersky Security Network. The Kaspersky Security Network is dedicated to processing cybersecurity-related data streams from millions of volunteer participants around the world. All received data is anonymized. To calculate the statistics, the consumer line of Kaspersky’s mobile security solutions has been reviewed according to the Coalition Against Stalkerware’s detection criteria on stalkerware. This means that the affected number of users have been targeted by stalkerware only. Other types of monitoring or spyware apps that fall outside of the Coalition’s definition are not included in the report statistics.

The statistics reflect unique mobile users affected by stalkerware, which is different from the total number of detections. The number of detections can be higher as stalkerware may have been detected several times on the same device of the same unique user if they decided not to remove the app upon receiving a notification.

Finally, the statistics reflect only mobile users using Kaspersky’s IT security solutions. Some users may use another cybersecurity solution on their devices, while some do not use any solution at all.

Global detection figures: affected users

This section compares the global and regional statistics collected by Kaspersky in 2022 with statistics from previous years. In 2022, a total number of 29,312 unique users were affected by stalkerware. Graphic 1, below, shows how this number has varied from year to year since 2018.

Graphic 1 – Evolution of affected users year-on-year since 2018

Graphic 2, below, shows the number of unique affected users per month from 2021 to 2022. In 2022, the situation is almost identical to 2021, indicating that the rate of stalkerware proliferation has stabilized. On average, 3333 users were newly affected by stalkerware every month.

Graphic 2 – Unique affected users per month over the 2021-2022 period

Global and regional detection figures: geography of affected users

Stalkerware continues to be a global problem. In 2022, Kaspersky detected affected users in 176 countries.

Countries most affected by stalkerware in 2022

In 2022, Russia (8,281), Brazil (4,969), and India (1,807) were the top 3 countries with the most affected users. Those three countries remain in leading positions according to Kaspersky statistics since 2019. Compared to previous years, it is noteworthy that the number of affected users in the U.S. has dropped down the ranking and now features in fifth place with 1,295 affected users. Conversely, there has been an increase noted in Iran which has moved up to fourth place with 1,754 affected users.

Compared to 2021, however, only Iran features as a new entrant in the top 5 most affected countries. The other four countries – Russia, Brazil, India, and the U.S. – have traditionally featured at the top of the list. Looking at the other half of the top 10 most affected countries, Turkey, Germany, and Mexico have remained among the countries most affected compared to last year. New entrants into the top 10 most affected countries in 2022 are Saudi Arabia and Yemen.

Table 1 – Top 10 countries most affected by stalkerware in the world in 2022

In Europe, the total number of unique affected users in 2022 was 3,158. The three most affected countries in Europe were Germany (737), Italy (405) and France (365). Compared to 2021, all countries up to including seventh place in the list (the Netherlands) continue to feature as the most affected countries in Europe. New entrants in the list are Switzerland, Austria, and Greece.

Table 2 – Top 10 countries most affected by stalkerware in Europe in 2022

In Eastern Europe (excluding European Union countries), Russia, and Central Asia, the total number of unique affected users in 2022 was 9,406. The top three countries were Russia, Kazakhstan, and Belarus.

Table 3 – Top 10 countries most affected by stalkerware in Eastern Europe (excluding EU countries), Russia and Central Asia in 2022

In the Middle East and Africa region, the total number of affected users was 6,330, slightly higher than in 2021. While Iran with 1,754 affected users features at the top of this list in 2022, Turkey’s 755 affected users has seen the country move up to second in the region, followed closely by Saudi Arabia with 612 affected users.

Table 4 – Top 10 countries most affected by stalkerware in Middle East & Africa in 2022

In the Asia-Pacific region, the total number of affected users was 3,187. India remains far ahead of the other countries in the region, with 1,807 affected users. Indonesia occupies second place with 269 affected users, while Australia is third with 190 affected users.

Table 5 – Top 10 countries most affected by stalkerware in Asia-Pacific region in 2022

The Latin America and the Caribbean region is dominated by Brazil with 4,969 affected users. This accounts for approximately 32% of the region’s total number of affected users. Brazil is followed by Mexico and Ecuador in the list, while Colombia has moved into fourth place. A total number of 6,170 affected users were recorded in the region.

Table 6 – Top 10 countries most affected by stalkerware in Latin America in 2022

Finally, in North America, 87% of all affected users in the region are found in the United States. This is to be expected given the relative size of the population in the United Sates compared to Canada. Across the North America region, 1,585 users were affected in total.

Table 7 – Number of users affected by stalkerware in North America in 2022

Global detection figures – stalkerware applications

This section lists the stalkerware applications most commonly used to control smartphones around the world. In 2022, the most popular app was Reptilicus (4,065 affected users). This year, Kaspersky detected 182 different stalkerware apps.

Table 8 – Top 10 list of stalkerware applications in 2022

Stalkerware provides a means to gain control over a victim’s life. Their capabilities vary depending on the type of application and whether it has been paid for or obtained freely. Typically, stalkerware masquerades as legitimate anti-theft or parental control apps, when in reality they are very different – most notably due to their installation without consent and notification of the person being tracked, and their operation in stealth mode on smartphone devices,

Below are some of the most common functions that may be present in stalkerware applications:

• Hiding app icon
• Reading SMS, MMS and call logs
• Getting lists of contacts
• Tracking GPS location
• Tracking calendar events
• Reading messages from popular messenger services and social networks, such as Facebook, WhatsApp, Signal, Telegram, Viber, Instagram, Skype, Hangouts, Line, Kik, WeChat, Tinder, IMO, Gmail, Tango, SnapChat, Hike, TikTok, Kwai, Badoo, BBM, TextMe, Tumblr, Weico, Reddit etc.
• Viewing photos and pictures from phones’ image galleries
• Taking screenshots
• Taking front (selfie-mode) camera photos

Are Android OS and iOS devices equally affected by stalkerware?

Stalkerware tools are less frequent on iPhones than on Android devices because iOS is traditionally a closed system. However, perpetrators can work around this limitation on ‘jailbroken’ iPhones, but they still require direct physical access to the phone to jailbreak it. iPhone users fearing surveillance should always keep an eye on their device.

Alternatively, an abuser can offer their victim an iPhone – or any other device – with pre-installed stalkerware. There are many companies that make these services available online, allowing abusers to have these tools installed on new phones, which can then be delivered in factory packaging under the guise of a gift to the intended victim.

Together keeping up the fight against stalkerware

Stalkerware is foremost not a technical problem, but an expression of a problem within society which therefore requires action from all areas of society. Kaspersky is not only actively committed to protecting users from this threat but also maintaining a multilevel dialogue with non-profit organizations, and industry, research and public agencies around the world to work together on solutions that tackle the issue.

In 2019, Kaspersky was the first cybersecurity company in the industry to develop a new attention-grabbing alert that clearly notifies users if stalkerware is found on their device. While Kaspersky’s solutions have been flagging potentially harmful apps that are not malware – including stalkerware – for many years, the new notification alerts the user to the fact that an app has been found on their device that may be able to spy on them.

In 2022, as part of Kaspersky’s launch of a new consumer product portfolio, the Privacy Alert was expanded and now not only informs the user about the presence of stalkerware on the device, but also warns the user that if stalkerware is removed the person who installed the app will be alerted. This may lead to an escalation of the situation. Moreover, the user risks erasing important data or evidence that could be used in a prosecution.

In 2019, Kaspersky also co-founded the Coalition Against Stalkerware, an international working group against stalkerware and domestic violence that brings together private IT companies, NGOs, research institutions, and law enforcement agencies working to combat cyberstalking and help victims of online abuse. Through a consortium of more than 40 organizations, stakeholders can share expertise and work together to solve the problem of online violence. In addition, the Coalition’s website, which is available in 7 different languages, provides victims with help and guidance in case they may suspect stalkerware is present on their devices.

From 2021-2023, Kaspersky was a consortium partner of the EU project DeStalk, co-funded by the Rights, Equality, and Citizenship Program of the European Union. The five project partners that formed the consortium combined the expertise of the IT Security Community, Research, and Civil Society Organizations, and Public Authorities. As a result, the DeStalk project trained a total of 375 professionals directly working in women’s support services and perpetrator programs, and officials from public authorities on how to effectively tackle stalkerware and other digital forms of gender-based violence, as well as raising public awareness on digital violence and stalkerware.

As part of the project, Kaspersky developed an e-learning course on cyberviolence and stalkerware within its Kaspersky Automated Security Awareness Platform, a freely available online micro learning training platform which can be accessed in five different languages. To date, more than 130 professionals have completed the e-learning course with a further 80 currently participating. Although the DeStalk project has ended, the e-learning course is still available on the DeStalk project website.

In June 2022, Kaspersky launched a website dedicated to TinyCheck to disseminate further information about the tool. TinyCheck is a free, safe and open-source tool that can be used by non-profit organizations and police units to help support victims of digital stalking. In 2020, the tool was created to check devices for stalkerware and monitoring apps without making the perpetrator aware of the check. It does not require installation on a user’s device because it works independently to avoid detection by a stalker. TinyCheck scans a device’s outgoing traffic using a regular Wi-Fi connection and identifies interactions with known sources such as stalkerware-related servers. TinyCheck can also be used to check any device on any platform, including iOS, Android, or any other OS’.

Think you are a victim of stalkerware? Here are a few tips…

Whether or not you are a victim of stalkerware, here are a few tips to better protect yourself:

• Protect your phone with a strong password that you never share with your partner, friends, or colleagues.
• Change passwords for all of your accounts periodically and don’t share them with anyone.
• Only download apps from official sources, such as Google Play or the Apple App Store.
• Install a reliable IT security solution like Kaspersky for Android on devices and scan them regularly. However, in the case of potentially already installed stalkerware, this should only be done after the risk to the victim has been assessed, as the abuser may notice the use of a cybersecurity solution.

Victims of stalkerware may be victims of a larger cycle of abuse, including physical.

In some cases, the perpetrator is notified if their victim performs a device scan or removes a stalkerware app. If this happens, it can lead to an escalation of the situation and further aggression. This is why it is important to proceed with caution if you think you are being targeted by stalkerware.

• Reach out to a local support organization: to find one close to you, check the Coalition Against Stalkerware website.
• Keep an eye out for the following warning signs: these can include a fast-draining battery due to unknown or suspicious apps using up its charge, and newly installed applications with suspicious access to use and track your location, send or receive text messages and other personal activities. Also check if your “unknown sources” setting is enabled, it may be a sign that unwanted software has been installed from a third-party source. However, the above indicators are circumstantial and do not indicate the unequivocal presence of stalkerware on the device.
• Do not try to erase the stalkerware, change any settings or tamper with your phone: this may alert your potential perpetrator and lead to an escalation of the situation. You also risk erasing important data or evidence that could be used in a prosecution.

For more information about our activities on stalkerware or any other request, please write to us at: ExtR@kaspersky.com.

These statistics are based on detection verdicts of Kaspersky products received from users who consented to providing statistical data.

Figures of the year

In 2022, Kaspersky mobile products and technology detected:

• 1,661,743 malicious installers
• 196,476 new mobile banking Trojans
• 10,543 new mobile ransomware Trojans

Trends of the year

Mobile attacks leveled off after decreasing in the second half of 2021 and remained around the same level throughout 2022.

Kaspersky mobile cyberthreat detection dynamics in 2020–2022 (download)

Cybercriminals continued to use legitimate channels to spread malware.

Similarly to 2021, we found a modified WhatsApp build with malicious code inside in 2022. It was notable for spreading via ads inside the popular Snaptube app and through the Vidmate in-app store.

The spread of malware through Google Play continued as well. In particular, we found several mobile Trojan subscribers on Google’s official Android app marketplace in 2022. These secretly signed users up for paid services. In addition to the previously known Jocker and MobOk families, we discovered a new family, named Harly and active since 2020. Harly malware programs were downloaded a total of 2.6 million times from Google Play in 2022. Also last year, fraudsters abused the marketplace to spread various scam apps, which promised welfare payments or lucrative energy investments.

Mobile banking Trojans were not far behind. Despite Europol having shut down the servers of FluBot (also known as Polph or Cabassous, the largest mobile botnet in recent years), users had to stay on guard, as Google Play still contained downloaders for other banking Trojan families, such as Sharkbot, Anatsa/Teaban, Octo/Coper, and Xenomorph, all masquerading as utilities. For instance, the Sharkbot downloader in the screenshot below imitates a file manager. This type of software is capable of requesting permission to install further packages the Trojan needs to function on the unsuspecting user’s device.

The Sharkbot banking Trojan downloader on Google Play

Exploitation of popular game titles, where malware and unwanted software mimicked a pirated version of a game or game cheats, remained a popular mobile spread vector in 2022. The most frequently imitated titles included Minecraft, Roblox, Grand Theft Auto, PUBG, and FIFA. The malware spread primarily through questionable web sites, social media groups, and other unofficial channels.

Mobile cyberthreat statistics

Installer numbers

We detected 1,661,743 malware or unwanted software installers in 2022 — 1,803,013 less than we did in 2021. The number had been declining gradually since a 2020 increase.

Number of detected malicious installation packages in 2019–2022 (download)

Distribution of detected mobile malware by type

Distribution of newly detected mobile malware by type in 2021 and 2022 (download)

RiskTool-type potentially unwanted software (27.39%) topped the rankings in 2022, replacing the previous leader, adware (24.05%). That said, the share of RiskTool had decreased by 7.89 percentage points, and the share of adware, by 18.38 percentage points year-on-year.

Various Trojan-type malware was third in the rankings with 15.56%, its cumulative share increasing by 6.7 percentage points.

Geography of mobile threats

TOP 10 countries by share of users attacked by mobile malware

* Excluded from the rankings are countries with relatively few users of Kaspersky mobile security (under 10,000).
** Unique users attacked as a percentage of all Kaspersky mobile security users in the country.

China had the largest share of users who experienced a mobile malware attack: 17.70%. Of these, 16.06% got hit by SMS-abusing malware that we detected as Trojan.AndroidOS.Najin.a.

Other countries with significant shares of attacked users were Syria (15.61%) and Iran (14.53%), where the most frequently encountered mobile cyberthreat was Trojan-Spy.AndroidOS.Agent.aas, a WhatsApp modification carrying a spy module.

Distribution of attacks by type of software used

Distribution of attacks by type of software used in 2022 (download)

Similarly to previous years, 2022 saw malware used in most mobile attacks (67.78%). The shares of attacks that used Adware- and RiskWare-type applications had increased to 26.91% from 16.92% in 2021 and to 5.31% from 2.38% in 2021, respectively.

Mobile adware

The Adlo family accounted for the largest share of detected installers (22.07%) in 2022. These are useless fake apps that download ads. Adlo replaced the previous leader, the Ewind family, which had a share of 16.46%.

TOP 10 most frequently detected adware families in 2022

* The share of the adware-type family in the total number of adware installers detected.

RiskTool-type apps

The SMSreg family retained its lead by number of detected RiskTool-type apps: 36.47%. The applications in this family make payments (for example by transferring cash to other individuals or paying for mobile service subscriptions) by sending text messages without explicitly notifying the user.

TOP 10 most frequently detected RiskTool families, 2022

* The share of the RiskTool family in the total number of RiskTool installers detected.

TOP 20 most frequently detected mobile malware programs

Note that the malware rankings below exclude riskware or potentially unwanted software, such as RiskTool or adware.

* Unique users attacked by the malware as a percentage of all attacked Kaspersky mobile security users.
First and third places went to DangerousObject.Multi.Generic (18.97%) and Trojan.AndroidOS.Generic (6.70%), respectively, which are verdicts we use for malware detected with cloud technology. Cloud technology is triggered whenever the antivirus databases lack data for detecting a piece of malware, but the antivirus company’s cloud already contains information about the object. This is essentially how the latest malware types are detected.

The Trojans in second and ninth places (8.65% and 2.37%) belonged to the Trojan-SMS.AndroidOS.Fakeapp family. This type of malware is capable of sending text messages and calling preset numbers, displaying ads, and hiding its icon on the device.

WhatsApp modifications equipped with a spy module, detected as Trojan-Spy.AndroidOS.Agent.aas (6.01%) and Trojan-Spy.AndroidOS.Agent.acq (1.34%) were in fourth and twentieth positions, respectively.

Scam apps detected as Trojan.AndroidOS.Fakemoney.d (4.65%) were the fifth-largest category. These try to trick users into believing that they are filling out an application for a welfare payout.

Members of the Trojan.AndroidOS.GriftHorse family, which subscribe the user to premium SMS services, took both sixth and eleventh places (4.32% and 2%, respectively).

The banking Trojan dropper Trojan-Dropper.AndroidOS.Agent.sl (3.22%) was seventh.

The verdict of DangerousObject.AndroidOS.GenericML (2.96%) sank to eighth place. The verdict is assigned to files recognized as malicious by our machine-learning systems.

Tenth place was taken by Trojan.AndroidOS.Fakeapp.ed (2.19%). This verdict refers to a category of fraudulent apps which target users in Russia by posing as a stock-trading platform for investing in gas.

Trojan-Downloader.AndroidOS.Agent.kx (1.72%) rose to twelfth position. This type of malware is distributed as part of legitimate software, downloading advertising modules.

Trojan.AndroidOS.Soceng.f (1.67%), in thirteenth place, sends text messages to people on your contact list, deletes files on the SD card, and overlays the interfaces of popular apps with its own window.

Malware from the Trojan-Dropper.AndroidOS.Hqwar family, which unpacks and runs various banking Trojans, occupied fourteenth and nineteenth places (1.49 and 1.35%).

Trojan.AndroidOS.Fakeapp.dw was fifteenth (1.43%). The verdict applies to a variety of scam apps, such as those supposedly offering the user to earn some extra cash.

Trojan-Ransom.AndroidOS.Pigetrl.a (1.43%) took sixteenth place. Unlike classic Trojan-Ransom malware, which typically demands a ransom, it simply locks the screen and asks to enter a code. The application offers no instructions on obtaining the code, which is embedded in the program itself.

Trojan-Downloader.AndroidOS.Necro.d sank to seventeenth position (1.4%). This malware is capable of downloading, installing, and running other applications when commanded by its operators.

Trojan-SMS.AndroidOS.Agent.ado, which sends text messages to shortcodes, was eighteenth (1.36%).

Mobile banking Trojans

We detected 196,476 mobile banking Trojan installers in 2022, a year-on-year increase of 100% and the highest figure in the past six years.

The Trojan-Banker.AndroidOS.Bray family accounted for two-thirds (66.40%) of all detected banking Trojans. This family attacked mostly users in Japan. It was followed by the Trojan-Banker.AndroidOS.Fakecalls family (8.27%) and Trojan-Banker.AndroidOS.Bian (3.25%).

The number of mobile banking Trojan installers detected by Kaspersky in 2019–2022 (download)

Although the number of detected malware installers rose in 2022, mobile banking Trojan attacks had been decreasing since a 2020 rise.

The number of mobile banking Trojan attacks in 2021–2022 (download)

TOP 10 most frequently detected mobile banking Trojans

* Unique users attacked by this malware as a percentage of all Kaspersky mobile security users attacked by banking threats.
Of all mobile banking Trojans that were active in 2022, Trojan-Banker.AndroidOS.Bian.h (28.74%) accounted for the largest share of attacked users, more than half of those in Spain.

TOP 10 countries by share of users attacked by mobile banking Trojans

* Excluded from the rankings are countries with relatively few users of Kaspersky mobile security (under 10,000).
** Unique users attacked by mobile banking Trojans as a percentage of all Kaspersky mobile security users in the country.
Spain had the largest share of unique users attacked by mobile financial threats in 2022 (1.96%), with 85.90% of the affected users encountering the aforementioned Trojan-Banker.AndroidOS.Bian.h.

It was followed by Saudi Arabia (1,11%), also due to Trojan-Banker.AndroidOS.Bian.h, which affected 97.92% of users in that country.

Australia (1.09%) was third, with 98% of the users who encountered banking Trojans there attacked by Trojan-Banker.AndroidOS.Gustuff.

Mobile ransomware Trojans

We detected 10,543 mobile ransomware Trojan installers in 2022, which was 6,829 less than the 2021 figure.

The number of mobile ransomware Trojan installers detected by Kaspersky in 2019–2022 (download)

The number of mobile ransomware Trojan attacks also continued to decline, a process that started in late 2021.

The number of mobile ransomware Trojan attacks in 2021–2022 (download)

* Unique users attacked by the malware as a percentage of all Kaspersky mobile security users attacked by ransomware Trojans.
Trojan-Ransom.AndroidOS.Pigetrl.a remained the leading ransomware Trojan family in 2022 (75.10%). It was also one of the TOP 20 most frequently detected mobile malware types. Russia accounted for as much as 92.74% of detections.

That malware family was followed by Trojan-Ransom.AndroidOS.Rkor, which blocks the screen and demands the user to pay a fine for some illegal content they had supposedly viewed. Members of this family took six out of ten places in our rankings, with as much as 65.27% attacked users located in Kazakhstan.

TOP 10 countries by share of users attacked by mobile ransomware Trojans

* Excluded from the rankings are countries with relatively few Kaspersky mobile security users (under 10,000).
** Unique users attacked by mobile ransomware Trojans as a percentage of all Kaspersky mobile security users in the country.
We observed the highest shares of users attacked by mobile ransomware Trojans in 2022 in China (0.65%), Yemen (0.49%), and Kazakhstan (0.36%).

Users in China mostly encountered Trojan-Ransom.AndroidOS.Congur.y, most users in Yemen were affected by Trojan-Ransom.AndroidOS.Pigetrl.a, and a majority of users in Kazakhstan were hit by Trojan-Ransom.AndroidOS.Rkor.br.

Conclusion

The cybercriminal activity leveled off in 2022, with attack numbers remaining steady after a decrease in 2021. That said, cybercriminals are still working on improving both malware functionality and spread vectors. Malware is increasingly spreading through legitimate channels, such as official marketplaces and ads in popular apps. This is true for both scam apps and dangerous mobile banking malware.

Potentially unwanted applications (RiskWare) accounted for a majority of newly detected threats in 2022, replacing the previous leader, adware. Most mobile cyberattacks used malware as before.

All statistics in this report are from the global cloud service Kaspersky Security Network (KSN), which receives information from components in our security solutions. The data was obtained from users who had given their consent to it being sent to KSN. Millions of Kaspersky users around the globe assist us in collecting information about malicious activity. The statistics in this report cover the period from November 2021 to October 2022, inclusive.

Figures of the year

• During the year, 15.37% of internet user computers worldwide experienced at least one Malware-class attack.
• Kaspersky solutions blocked 505,879,385 attacks launched from online resources across the globe.
• 101,612,333 unique malicious URLs triggered Web Anti-Virus components.
• Our Web Anti-Virus blocked 109,183,489 unique malicious objects.
• Ransomware attacks were defeated on the computers of 271,215 unique users.
• During the reporting period, miners attacked 1,392,398 unique users.
• Attempted infections by malware designed to steal money via online access to bank accounts were logged on the devices of 376,742 users.

Fill the form below to download the Kaspersky Security Bulletin 2022. Statistics full report (English, PDF)

• IT threat evolution in Q3 2022
• IT threat evolution in Q3 2022. Non-mobile statistics
• IT threat evolution in Q3 2022. Mobile statistics

These statistics are based on detection verdicts of Kaspersky products received from users who consented to providing statistical data.

Quarterly figures

According to Kaspersky Security Network, in Q3 2022:

• A total of 5,623,670 mobile malware, adware, and riskware attacks were blocked.
• Droppers (Trojan-Dropper), accounting for 26.28% of detections, were the most common threat to mobile devices.
• 438,035 malicious installation packages were detected, of which:
  • 35,060 packages were related to mobile banking Trojans,
  • 2,310 packages were mobile ransomware Trojans.

Quarterly highlights

Judging by the number of attacks on mobile devices, cybercriminal activity stabilized in Q3 2022 after a gradual drop in the previous quarters. Over the three months, Kaspersky products prevented a total of 5.6 million mobile malware, adware, and riskware attacks.

Number of attacks targeting users of Kaspersky mobile solutions, Q1 2021 — Q3 2022 (download)

The new Triada Trojan, discovered inside a modified WhatsApp build, was an interesting find. It was notable for spreading via ads inside the popular Snaptube app and through the Vidmate internal store. Once on a device, the Trojan decrypts and runs a payload, which downloads and runs further malicious modules. The modules can display ads, subscribe the user to paid services, or download and run other malicious modules. Besides that, the Trojan steals various keys from the legitimate WhatsApp, potentially hijacking the account.

The Harly Trojan subscribers were another malware family spread via legitimate channels. These are published in Google Play under the guise of authentic apps, subscribing the unknowing user to paid services once installed. We have discovered 200 malicious applications of this type starting in 2020, and a total count of installations at the time of writing this report had exceeded 5 million.

One of the most recently detected Harly-type apps in Google Play, with more than 50,000 installations.

Google Play keeps getting new banking Trojans, such as new versions of the Trojan dropper that downloads and runs Sharkbot.

Despite a general decline in the number of mobile attacks, we can see that cybercriminals are using increasingly smarter tricks to deliver malware to user devices.

Mobile threat statistics

In Q3 2022, Kaspersky detected 438,035 malicious installation packages, which is 32,351 more than in the previous quarter and down 238,155 against Q3 2021.

Number of detected malicious installation packages, Q3 2021 — Q3 2022 (download)

Distribution of detected mobile malware by type

Distribution of newly detected mobile malware by type, Q2 and Q3 2022 (download)

Threats in the Trojan-Dropper class ranked first among all threats detected in Q3, with 26.28%, exceeding the previous quarter’s figure by 22.15 percentage points. Nearly half (45.33%) of all detected threats of that type belonged to the Ingopack family. These were followed by banking Trojan droppers from Wroba (41.24%) and Hqwar families (5.98%).

AdWare, the ex-leader, moved 2.5 percentage points down the rankings to second place with a share of 22.78%. A fourth of all detected threats of that class belonged to the Aldo family (25.64%).

Third place was taken by various Trojans with a cumulative share of 16.01%, which was 4.48 percentage points lower than in the previous quarter. Half of all detected threats of that class were objects from the Boogr family (50.16%).

Top 20 mobile malware programs

Note that the malware rankings below exclude riskware or PUAs, such as RiskTool or adware.

* Unique users attacked by this malware as a percentage of all attacked users of Kaspersky mobile solutions.

First and second places went to DangerousObject.Multi.Generic (22.58%) and Trojan.AndroidOS.Generic (14.59%), respectively, which are verdicts we use for malware detected with cloud technology. Cloud technologies are used when the antivirus databases lack data for detecting a piece of malware, but the company’s cloud already contains information about the object. This is essentially how the latest malware types are detected.

Trojan-Spy.AndroidOS.Agent.aas (8.51%), an evil twin of WhatsApp with a spy module built in, rose to third position. Trojan-SMS.AndroidOS.Fakeapp.d slid from second to fourth place with 6.95%. This malware is capable of sending text messages and calling predefined numbers, displaying ads and hiding its icon. Members of the Trojan.AndroidOS.GriftHorse family, which subscribe the user to premium SMS services, took fifth and sixteenth places.

Malware from the Trojan-Dropper.AndroidOS.Hqwar family, used for unpacking and running various banking Trojans, occupied sixth, fourteenth, and eighteenth places. These attacked a combined 6% of all users who encountered malware.

The verdict of DangerousObject.AndroidOS.GenericML came seventh with 2.90%. This verdict is assigned to files recognized as malicious by our machine-learning systems. Eighth place was occupied by Trojan-Dropper.AndroidOS.Agent.sl (2.46%), a dropper that unpacks and runs the banking Trojan from the Roaming Mantis campaign. Roaming Mantis mainly attacks users in Japan and France. Another banking Trojan dropper, Trojan-Dropper.AndroidOS.Agent.sl, sunk to ninth place with 2.21%.

Trojan-Downloader.AndroidOS.Necro.d, used for downloading and running other forms of malware on infected devices, jumped from sixteenth to tenth place with 1.93%. Trojan-Dropper.AndroidOS.Agent.rv, a dropper that unpacks and runs various types of malware, took eleventh place with 1.84%.

Twelfth place saw the arrival of the banking Trojan, Trojan-Banker.AndroidOS.Bian.h, with 1.71%. Trojan-Downloader.AndroidOS.Agent.kx, an adware dropper, accounted for 1.69%, climbed from twentieth to thirteenth place. Trojan.AndroidOS.Hiddad.hh, an adware Trojan that mostly attacks users in Russia, Kazakhstan, and Ukraine, was fifteenth with 1.52%.

Trojan-SMS.AndroidOS.Agent.ado, known for sending text messages to premium-rate shortcodes, remained seventeenth with 1.41%. Nineteenth place, with 1.35%, was occupied by Trojan-Dropper.AndroidOS.Triada.az, a type of malware that decrypts and runs a payload capable of displaying ads on the lock screen, opening new browser tabs, gathering device information, and dropping other malicious code.

The last in the rankings (previously thirteenth) is Trojan.AndroidOS.Soceng.f with 1,33%. It sends text messages to the user’s contacts, deletes files on the memory card, and overlays the interfaces of popular apps with its own window.

Geography of mobile threats

TOP 10 countries and territories by share of users attacked by mobile malware

* Countries and territories with relatively few users of Kaspersky mobile security solutions (under 10,000) have been excluded from the rankings.
** Unique users attacked as a percentage of all users of Kaspersky mobile security solutions in the country.

The countries with the largest shares of attacked users and the most widespread threats in these regions remained unchanged in Q3 2022.

Iran came first with a record 81.37%, still plagued by the annoying adware modules from the AdWare.AndroidOS.Notifyer and AdWare.AndroidOS.Fyben families. Yemen, where users were attacked mostly by Trojan-Spy.AndroidOS.Agent.aas, stayed at second place with 18,91%. In Saudi Arabia, which came third with 12.68%, users most commonly encountered adware from the AdWare.AndroidOS.Adlo and AdWare.AndroidOS.Fyben families.

Mobile banking Trojans

The number of detected installation packages for mobile banking Trojans dropped to 35,060. This figure represents a decrease of 20,554 from Q2 2022, but a decrease of 22,963 from Q3 2021.

Two-thirds (66.20%) of the detected banking Trojan installation packages belonged to the Trojan-Banker.AndroidOS.Bray family. These were followed by Trojan-Banker.AndroidOS.Bian with 5,46% and Trojan-Banker.AndroidOS.Fakecalls with 4,59%.

Number of installation packages for mobile banking Trojans detected by Kaspersky, Q3 2021 — Q3 2022 (download)

Top 10 most common mobile bankers

* Unique users attacked by this malware as a percentage of all Kaspersky mobile security solution users who encountered banking threats.

The three most-attacked countries in terms of affected users remained the same as in Q2 2022.

Geography of mobile bankers

TOP 10 countries and territories by shares of users attacked by mobile banking Trojans

* Countries and territories with relatively few users of Kaspersky mobile security solutions (under 10,000) have been excluded from the rankings.
** Unique users attacked by mobile banking Trojans as a percentage of all Kaspersky mobile security solution users in the country.

Saudi Arabia had the largest share (1.36%) of unique users who came across mobile financial threats in Q3 2022. Trojan-Banker.AndroidOS.Bian.h accounted for more than 99% of attacks in that country. Spain, formerly the hardest-hit country, had the second largest share (1.05%), with 93.46% of attacks linked to the same malware type. Australia again had the third-largest (0.79%) share, with 98.27% of attacks there involving Trojan-Banker.AndroidOS.Gustuff.d.

Mobile ransomware Trojans

We detected 2,310 mobile Trojan ransomware installers in Q3 2022, a decrease of 1,511 from Q2 2022 and a decrease of 3,847 year on year.

Number of installation packages for mobile ransomware Trojans detected by Kaspersky, Q3 2021 — Q3 2022 (download)

Top 10 most common mobile ransomware

* Unique users attacked by the malware as a percentage of all Kaspersky mobile security solution users attacked by ransomware Trojans.

Geography of mobile ransomware

TOP 10 countries and territories by share of users attacked by mobile ransomware Trojans

* Excluded from the rankings are countries and territories with relatively few (under 10,000) Kaspersky mobile security users.
** Unique users attacked by ransomware Trojans as a percentage of all Kaspersky mobile security solution users in the country or territory.

Yemen (0.28%), Kazakhstan (0.15%) and Saudi Arabia (0.02%) had the largest shares of users attacked by mobile ransomware Trojans. Users in Yemen and Saudi Arabia most often encountered Trojan-Ransom.AndroidOS.Pigetrl.a, while users in Kazakhstan were attacked mainly by members of the Trojan-Ransom.AndroidOS.Rkor family.

The gaming industry went into full gear during the pandemic, as many people took up online gaming as their new hobby to escape the socially-distanced reality. Since then, the industry has never stopped growing. According to the analytical agency Newzoo, in 2022, the global gaming market will exceed $ 200 billion, with 3 billion players globally. Such an engaged, solvent and eager-to-win audience becomes a tidbit for cybercriminals, who always find ways to fool their victims. One of the most outstanding examples involves $2 million’s worth of CS:GO skins stolen from a user’s account, which means that losses can get truly grave. Besides stealing personal credentials and funds, hackers can affect the performance of gaming computers, infecting these with unsolicited miner files.

In this report, we provide the latest statistics on cyberthreats to gamers, as well as detailed information on the most widespread and dangerous types of malware that players must be aware of.

Methodology

To assess the current landscape of gaming risks, we observed the most widespread PC game-related threats and statistics on miner attacks, threats masquerading as game cheats, stealers, and analyzed several most active malware families, giving them detailed in-depth characteristics. For these purposes, we analyzed threat statistics from Kaspersky Security Network (KSN), a system for processing anonymized cyberthreat-related data shared voluntarily by Kaspersky users, for the period between January 2021 and June 2022.

To limit the research scope, we analyzed several lists of most popular games and based on this, created a list of TOP 28 games and game series available for download or about to be released on the streaming platforms Origin and Steam, as well as platform-independent titles. To make the overview more in-depth, we included both mobile and PC games. Thus, we analyzed threats related to the following titles:

1. Minecraft
2. Roblox
3. Need for Speed
4. Grand Theft Auto
5. Call of Duty
6. FIFA
7. The Sims
8. Far Cry
9. CS:GO
10. PUBG
11. Valorant
12. Resident Evil
13. Command & Conquer
14. Hitman
15. Total War
16. Cyberpunk 2077
17. Elden Ring
18. Final Fantasy
19. Halo
20. Legend of Zelda
21. League of Legends
22. Dota 2
23. Apex Legends
24. World of Warcraft
25. Gears of War
26. Tomb Raider
27. S.T.A.L.K.E.R.
28. Warhammer

We used the titles of the games as keywords and ran these against our KSN telemetry to determine the prevalence of malicious files and unwanted software related to these games, as well as the number of users attacked by these files. Also, we tracked the number of fake cheat programs for the popular games listed above, and an amount of miners that dramatically affect the performance of gamers’ computers.

Additionally, we looked at the phishing activity around gaming, specifically that related to cybersports tournaments, bookmakers, gaming marketplaces, and gaming platforms, and found numerous examples of scams that target gamers and esports fans.

Key findings

• The total number of users who encountered gaming-related malware and unwanted software from July 1, 2021 through June 30, 2022 was 384,224, with 91,984 files distributed under the guise of twenty-eight games or series of games;
• The TOP 5 PC games or game series used as bait in the attacks targeting the largest number of users from July 1, 2021 to June 30, 2022 were Minecraft, Roblox, Need for Speed, Grand Theft Auto and Call of Duty;
• The number of malicious and unwanted files related to Minecraft dropped by 36% compared to the previous year (23,239 against 36,336), and the number of affected users decreased by almost 30% year on year (131,005 against 184,887);
• The TOP 5 mobile games that served as a lure targeting the largest number of users from July 1, 2021 to June 30, 2022 were Minecraft, Roblox, Grand Theft Auto, PUBG and FIFA;
• In the first half of 2022, we observed a noticeable increase in the number of users attacked by programs that can steal secrets, with a 13% increase over the first half of 2021;
• In the first half of 2022, attackers cranked up their efforts to spread Trojan-PSW: 77% of secret-stealing malware infection cases were linked to Trojan-PSW;
• Malware and unwanted software distributed as cheat programs stand out as a particular threat to gamers’ security, especially for those who are keen on popular game series: from July 1, 2021 to June 30, 2022 we detected 3,154 unique files of this type that affected 13,689 users;
• Miners pose an increasing threat to gamers’ productivity, with Far Cry, Roblox, Minecraft, Valorant, and FIFA topping the list of games and game series that were used as a lure for cyberthreats; 1,367 unique files and 3,374 users who encountered these files from July 1, 2021 to June 30, 2022.

Top game titles by number of related threats

Over the course of last year, from July 2021 through June 2022, 91,984 files that included malware and potentially unwanted applications were distributed using the popular game titles as a lure, with 384,224 users encountering these threats globally.

Continuing the trend observed in 2021, Minecraft, the famous sandbox game that has been one of the most-played titles around the world for more than a decade, took first place among the games most often used as bait, with 23,239 files distributed using the Minecraft name affecting 131,005 users from July 2021 through June 2022. However, the number of malicious and unwanted files related to Minecraft dropped by 36% compared to the previous year (36,336), and the number of affected users decreased by almost 30% year on year (184,887).

Roblox, too, entered the TOP 3 games both by number of related malicious or unwanted files (8,903) and affected users (38,838).

Other titles that were most often used as a lure were FIFA, Far Cry, and Call of Duty. A large number of users encountered threats while searching for content related to Need for Speed, GTA, and Call of Duty. These game series, too, have been winning the hearts of players around the world for years.

The TOP 10 games by number of related unique malicious and unwanted files:

* Total number of detected files using game title, from July 1, 2021 to June, 30 2022

The TOP 10 games by number of unique users attacked using the game as a lure:

Number of unique users affected by threats related to the game, from July 1, 2021 to June, 30 2022

As the mobile gaming market continues to grow, we analyzed KSN data specifically on mobile threats. For the period from July 1, 2021 through June 30, 2022, our telemetry shows that 31,581 mobile users were exposed to game-related malware and potentially unwanted software. The number of unique malicious and unwanted files discovered within the given period is 5,976. Minecraft, Roblox, Grand Theft Auto, PUBG, and FIFA are among the games that ranked highest by number of related threats and affected users.

TOP 5 mobile games used as a lure for distribution of malware and unwanted software, by users, from July 1, 2021 through June, 30 2022

TOP 5 mobile games used as a lure for distribution of malware and unwanted software, by files, from July 1, 2021 through June, 30 2022

Cyberthreats using games as a lure

The overall landscape of threats that affect gamers has not changed much since last year. Still, downloaders (88.56%) top the list of malicious and unwanted software being spread using the names of popular games: this type of unsolicited software might not be dangerous in and of itself, but it can be used for loading other threats onto devices. Adware (4.19%) comes second: this type of software displays unwanted (and sometimes irritating) pop-up ads which can appear on a user’s computer or mobile device.

The share of various Trojans that use popular games as a lure remains solid, with Trojan-SMS, Trojan-Downloader, and Trojan-Spy among the TOP 10 threats.

TOP 10 threats distributed worldwide under the guise of popular games, July 1, 2021 through June 30, 2022

Game over: cybercriminals targeting gamers’ accounts and money

When downloading the games from untrustworthy sources, players may receive malicious software that can gather sensitive data like login information or passwords from the victim’s device; and in an attempt to download a desired game for free, find a cool mod or cheat, gamers can actually lose their accounts or even money. The research revealed an increase in attacks using malicious software that steals sensitive data from infected devices. It included such verdicts as Trojan-PSW (Password Stealing Ware) which gathers victims’ credentials, Trojan-Banker which steals payment data, and Trojan-GameThief which collects login information for gaming accounts. From July 1, 2021 through June 30, 2022, Kaspersky security solutions detected a total of 6,491 users affected by 3,705 unique malicious files of these types. In the first half of 2022, we observed a noticeable year-on-year increase in the number of users attacked: 13 percent against the first half of 2021 (2,867 vs 2,533). The number of unique files used to attack users also increased in the first half of 2022 by nearly a quarter, compared to the first half of 2021: from 1,530 to 1,868.

From July 1, 2021 through June 30, 2022, 77% of various data stealer infection cases were Trojan-PSW infections. Another 22% of infection attempts were related to Trojan-Bankers, and Trojan-GameThief files accounted for just 1% of cases.

Types of malicious software that steals sensitive data from infected devices, distributed worldwide using popular game titles as a lure, July 1, 2021 through June 30, 2022 (download)

The TOP 3 threat families, stealing data from the infected devices, by number of attacked users from July 1, 2021 through June 30, 2022:

• Trojan-PSW.MSIL.Reline/RedLine

  RedLine Stealer is a password-stealing software that cybercriminals can buy on hacker forums for a very low price. From July 1, 2021 through June 30, 2022 2,362 unique users were attacked by RedLine, spread by using popular game titles and series as a lure, which makes it the most active data-stealing malware family for the period given. Once executed on the attacked system, RedLine Stealer collects system information, including device user names, the operating system type, and information about the hardware, installed browsers, and antivirus solutions. Its main stealer functionality  involves extracting data such as passwords, cookies, card details, and autofill data from browsers, cryptocurrency wallet secrets, credentials for VPN services, etc. The stolen information is then sent to a remote C&C server controlled by the attackers, who later drain victims’ accounts.

  

  The RedLine code specifies that, depending on the configuration the malicious software can steal passwords from browsers, cryptocurrency wallet data, and VPN client passwords

• Trojan-PSW.Win32.Convagent and Trojan-PSW.Win32.Stealer

  Both of these verdicts are generic verdicts for various families of malicious software that collect, analyze, and steal data from victims’ infected devices. From July 1, 2021 through June 30, 2022, 1,126 unique users encountered Convagent and 1,024 users encountered Stealer.

Most often, players get malicious software, stealing sensitive data, on their devices when trying to download a popular game from a third-grade website instead of buying it on the official one. For example, under the guise of a number of cracked popular games, attackers spread the Swarez dropper, which we analyzed in detail in our previous gaming-related threats report. Swarez was distributed inside a ZIP archive which contained a password-protected ZIP file and a text document with a password. Launching the malware resulted in decryption and activation of a Trojan-stealer dubbed Taurus. The latter had a wide range of functions: it could steal cookies, saved passwords, autofill data for browser forms and cryptocurrency wallet data, collect system information, steal .txt files from the desktop and make screenshots.

Attackers often purposely seek to spread threats under the guise of games and game series that either have a huge permanent audience (such as Roblox, FIFA, or Minecraft) or were recently released. We found that from July 1, 2021 through June 30, 2022, the TOP 5 game titles that cybercriminals used as a lure to distribute secret-stealing software included Valorant, Roblox, FIFA, Minecraft, and Far Cry.

TOP 5 game titles used by cybercriminals to lure users into downloading malicious software, stealing secrets from infected devices, from July 1, 2021 through June 30, 2022

Risky money: how to lose instead of gaining

One of the most widespread cyberthreats gamers are exposed to is phishing, a social engineering scheme where an attacker masquerades as a legal and trustworthy entity to encourage the user to give out sensitive data, such as account credentials or financial information.

For the period from July 1^st 2021 through June 30^th 2022, Kaspersky security solutions detected 3,116,782 attacks connected to phishing activities in online games. One of the key findings in this segment was connected to the attacks aimed at gaining users’ credentials or taking over gaming accounts – especially through social network login.

For instance, we found several examples of phishing activity of this type targeting Grand Theft Auto Online gamers: the cybercriminals created a fake website that launched an in-game money generator. To use it, you have to login with your gaming account. Once the credentials are shared, the cybercrooks get access to such sensitive information as gaming account, telephone number, and even banking details.

A fraudulent money generator offered to GTA Online players

Offering easy in-game money to achieve phishers’ malicious goals was a noticeable trend in the previous reporting period and remains one. By mimicking Apex Legends, a multiplayer free-to-play hero shooter, scammers created a fake website that invited gamers to take part in a lottery to win in-game coins. To try their luck, players were asked to share their game credentials. Once the username or player ID alongside with password were entered, the account was taken over by the scammers.

The Fake Apex Legends website that invited players to take part in a giveaway of in-game coins. Once the player typed in their username and password, scammers got access to his account

This year, cybercriminals have learned to mimic the entire interfaces of the in-game stores for many popular game titles. The most notable examples include fake marketplaces launched under the names of CS:GO, PUBG and Warface, which are popular esports disciplines. To achieve better results, players need a decent arsenal of weapons and artifacts that are available in the in-game stores. The scammers created fraudulent stores by copying the appearance of the actual in-game marketplaces to fool players, with the final aim of taking over their accounts or stealing their money.

Fake CS:GO in-game stores created by cybercriminals

Scammers create fake in-game store mimicking the PUBG mobile interface. The scheme encourages users to log in using their social media credentials

Unsolicited mining: programs that ruin the gaming experience

Miners are programs that may adversely affect a computer’s productivity. Once a miner file is launched on an affected computer, it starts using the machine’s energy to mine cryptocurrency. When it comes to unsolicited miners that interfere with users’ operating systems against their will, the situation might get even worse – especially for gamers who value the computer’s productivity above all.

According to our analysis, Far Cry, a gaming series that spans 18 years and six editions, proved to be the most popular title among unsolicited miners – both in terms of affected users (1,050) and unique malicious files (510). Other games that make the perfect bait for miners include Minecraft with 406 unique files and Valorant with 93 files. Overall, from July 1^st 2021 through June 30^th 2022, we managed to detect 1,367 unique mining files which affected 3,374 users. That said, the number of users affected by miners halved in H1 2022 (1002) compared to H1 2021 (2086), which may be linked to the sharp drop in the bitcoin exchange rate. Interestingly, the number of unique miner files rose by 30% in H1 2022 (497) compared to H1 2021 (383).

Under the guise of one of the biggest novelties of 2022, cybercriminals have also distributed malware related to miners. The fantasy role-playing game Elden Ring was used as a lure by cybercriminals who spread OpenSUpdater. OpenSUpdater is a Trojan that pretends to be a cracked version of a game, and, once installed, downloads and installs various unwanted programs and miners to the victim’s device.

The OpenSUpdater campaign only targets users from certain countries, so if the user’s IP address does not satisfy the regional requirements of the distribution server, clean software will be downloaded, e.g., the 7zip archive manager. Less fortunate users will receive an installer that delivers various payloads, including legitimate software, potentially unwanted applications, and miners. Infection chain consists of two stages. At the first stage, a malicious downloader is installed. The code of this downloader is updated by threat actors several times a week by using various obfuscation and anti-emulation techniques. The main purpose of these changes is to complicate threat investigation and detection. The second stage is the installer itself.

Cheating in games, or being cheated?

Every gamer aims for the best performance and results – even when they are not competing for a precious trophy. This explains why cheating will never go out of style. However, some of the cheats can bring more harm than good.

What exactly are cheats? When we talk about cheats, we refer to the programs that help gamers create an advantage beyond the available capabilities by applying special cheat codes or installing software that allows sideways. Cybercriminals try to fool gamers by creating fake cheat programs which, instead of providing advantages, negatively affect computers’ performance or even steal player’s data.

From July 1^st 2021 through June 30^th 2022, we detected 3,154 unique files distributed as cheat programs for the most popular game titles, with a total of 13,689 users affected. The vast majority of the files mimicking cheat programs were related to Counter Strike: Global Offense (418), Roblox and Valorant (332 files for both), and Total War (284). At the same time, Need for Speed came first by number of unique users exposed to this type of threats (3,256) – this series of games has not lost in its broad popularity after several decades and generations.

Conclusion and Recommendations

The pandemic times greatly boosted the gaming industry, increasing the number of computer game fans several times over.

Despite the fact that the number of users affected by gaming-related threats has dropped, certain gaming threats are still on the rise. Over the past year, we have seen an increase in cybercriminal activity around stealers, which allow attackers to steal bank card data, credentials, and even crypto wallets data from infected devices. In the first half of 2022, we observed a noticeable increase in the number of users attacked by stealers, with a 13 percent increase over the first half of 2021.

We also analyzed which popular games were used as a lure by cybercriminals who distributed malware and unwanted software, and found that most often these were multiplayer gaming platforms, such as Minecraft and Roblox. Worryingly, the primary target audience for these games is children and teenagers, who have much less knowledge of cybersecurity due to a lack of experience. Because of this, we assume that they could become an easy prey for cybercriminals, which means we need to pay special attention to cybersecurity hygiene training for kids.

Traditionally, we have found a lot of different examples of phishing tools spread by cybercriminals to get access to gaming accounts, in-game items or money. Cybercriminals mostly created phishing pages that mimicked the appearance of the games whose users they were targeting. For example, we observed fake in-game stores for PUBG and CS:GO.

Over the years, the gaming industry has grown more and more, and we expect to see new ways of abusing users next year, e.g. by exploiting the theme of esports, which are now gaining popularity around the world. That is why it is so important to stay protected, so you do not lose your money, credentials, or gaming account, which you have built over the years.

Here is what we recommend to stay safe while gaming.

• Protect your accounts with two-factor authentication whenever possible. At least comb through account settings if you cannot.
• Use a unique, strong password for each of your accounts. Should one of your passwords get leaked, the rest of your accounts would remain safe.
• You will benefit greatly from a robust security solution that will protect you from every possible cyberthreat without interfering with your computer’s performance while you are playing.  Kaspersky Total Security plays nicely with Steam and other gaming services.
• Download your games from official stores like Steam, Apple App Store, Google Play, or Amazon Appstore only. While not 100 % safe, games from these stores undergo a screening process, which makes sure that a random app cannot be published.
• If your desired title is not available from the official store, purchase it from the official website only. Double-check the URL of the website to make sure it is authentic.
• Avoid buying the first thing that pops up. Even during Steam’s summer sale, make sure you read a few reviews before forking out the dough for a little-known title. If something is fishy, other people will have figured it out.
• Beware of phishing campaigns and unfamiliar gamers. Do not open links received by email or in a game chat unless you trust the sender. Do not open files from strangers.
• Carefully check the address of any website asking for your username and password, as it might be fake.
• Avoid downloading cracked software or any other illegal content, even if you are redirected to it from a legitimate website.
• Keep your operating system and other software up to date. Updates can help address many security issues.
• Do not visit dubious websites when these are offered in search results and do not install anything they offer.
• Use a robust security solution to protect yourself from malicious software on mobile devices, such as Kaspersky Internet Security for Android.

Whether you want to block ads, keep a to-do list or check your spelling, browser extensions allow you to do all of the above and more, improving convenience, productivity and efficiency for free, which is why they are so popular. Chrome, Safari, Mozilla — these and many other major Web browsers — have their own online stores to distribute thousands of extensions, and the most popular plug-ins there reach over 10 million users. However, extensions are not always as secure as you might think — even innocent-looking adds-on can be a real risk.

Browser add-ons are in demand among people of different ages. For example, children can add virtual pets to their browser, while adults usually prefer productivity trackers and timers

First of all, not every innocent-looking extension is, in fact, innocent. Malicious and unwanted add-ons promote themselves as useful, and often do have legitimate functions implemented along with illegitimate ones. Some of them may even impersonate a popular legitimate extension, their developers going so far as to stuff keywords so that their extension appears near the top of the browser’s extension store.

Malicious and unwanted add-ons are often distributed through official marketplaces. In 2020, Google removed 106 browser extensions from its Chrome Web Store. All of them were used to siphon off sensitive user data, such as cookies and passwords, and even take screenshots; in total, these malicious extensions were downloaded 32 million times. Victims of these attacks were not only individuals, but also businesses. Overall, more than 100 networks were abused, giving threat actors a foothold on financial service firms, oil and gas companies, the healthcare and pharmaceutical industries, government and other organizations. Another malicious Google Chrome extension that was available for download even in the official store could recognize and steal payment card details entered in web forms. Google deleted it from the Chrome Web Store, but the malware had already infected more than 400 Chrome users, putting their data at huge risk.

Sometimes the user can assess the risks by looking at what permissions an extension requests when installed from the store. If you see that an add-on is asking for far more permissions than it theoretically needs, that’s a serious cause for concern. For example, if a regular browser calculator requires access to your geolocation or browsing history, or wants to take screenshots of pages, it’s better not to download it at all.

However, analyzing extension permissions may not always help. Often the wording provided by browsers is so vague that it is impossible to tell exactly how secure an extension is. For example, basic extensions often require permission to “read and change all your data on the websites you visit.” They may really need it to function properly, but this permission potentially gives them large power.

Even if extensions have no malicious functionalities, they can still be dangerous. The danger arises from the fact that many extensions, after gaining access to “read all the data on all websites,” collect massive amounts of data from web pages users visit. To earn more money, some developers may pass it on to third parties or sell it to advertisers. The problem is that sometimes that data is not anonymized enough, so even non-malicious extensions can harm users by exposing their data to someone who is not supposed to see what websites they visit and what they do there.

A regular spell checker asks permission to “read and change all your data on all websites,” which could potentially pose a risk

Additionally, extension developers are also able to push out updates without requiring any action by the end user, which means that even a legit extension could be later turned into malware or unwanted software. For instance, when an account of the developer of a popular add-on was hijacked after a phishing attack, millions of users received adware on their devices without their knowledge. Sometimes developers sell a browser extension after it has gained a huge following. After fraudsters purchase the extension, they can update it with malicious or unwanted features, and that update will be pushed to users. In that way, over 30,000 users got adware after an installed extension, dubbed Particle, was sold to new developers and later modified to inject ads into websites.

Methodology

In this research, we observed various types of threats that mimic useful web browser extensions, and the number of users attacked by them. For this purpose, we analyzed threat statistics from Kaspersky Security Network (KSN), a system for processing anonymized cyberthreat-related data shared voluntarily by Kaspersky users, for the period between January 2020 and June 2022. Additionally, we prepared in-depth characteristics of four popular threats, hiding as browser add-ons, with examples of which applications they can mimic and what danger they hold for users.

Key findings

• Throughout the first half of this year, 1,311,557 users tried to download malicious or unwanted extensions at least once, which is more than 70 percent of the number of users affected by the same threat throughout the whole of last year.
• From January 2020 to June 2022, more than 4.3 million unique users were attacked by adware hiding in browser extensions, which is approximately 70 percent of all users affected by malicious and unwanted add-ons.
• The most common threat in the first half of 2022 was the WebSearch family of adware extensions, able to collect and analyze search queries and redirect users to affiliate links.

Browser extensions threats: in figures

Since the beginning of 2020, Kaspersky products prevented 6,057,308 users from downloading malware, adware and riskware disguised as browser extensions. Our findings show that, during the analyzed period, the number of such users peaked in 2020 and reached 3,660,236. In 2021, the number of affected users halved, and we saw 1,823,263 unique users attempting to download malicious or unwanted extensions. This year shows that in H1 1,311,557 users tried to download malicious and unwanted extensions at least once. This is more than 70 percent of the number of users affected throughout the whole of last year, despite 2022 having six months left to run.

Number of unique users affected by malicious or unwanted browser extensions (download)

Our telemetry shows that the most common threat spread under the guise of browser extensions is adware — unwanted software designed to promote affiliates rather than improve user experience. Such ads are usually based on the browser history to tap users’ interests, redirect them to affiliate pages that the adware developers earn money from or embed affiliate banners and links in web pages. From January 2020 to June 2022, we observed more than 4.3 million unique users attacked by adware hiding in browser extensions, which means approximately 70 percent of all affected users encountered this threat. Of these, more than 1 million users encountered adware in the first half of 2022.

Affiliate ads even appear on the side of the search result page — all to draw the user’s attention to it

The second most widespread threat was malware (a type of computer program designed to infect a legitimate user’s computer and inflict harm on it in multiple ways). The aim of some malicious extensions is to steal login credentials and other sensitive information. In addition to stealing cookies and data copied to the clipboard, they can function as keyloggers — monitoring software that is able to track and capture everything users type, making it a huge threat to victims’ sensitive data, such as credentials and credit card details.

From January 2020 to June 2022, we observed over 2.6 million unique users who were attacked by malware in the guise of a browser extension. This is 44 percent of all users who encountered malicious or unwanted extensions during this period.

The most common threat families in 2022 hiding as browser extensions

To provide a more detailed insight into how malicious and unwanted extensions operate, we also compiled an in-depth analysis of four threat families. We analyzed if they are distributed in a legitimate web store or in a different way, what useful extension functions they can use as a disguise, and how active they were in the first half of 2022.

WebSearch

The most common threat in the first half of 2022 was the WebSearch adware family, detected as not-a-virus:HEUR:AdWare.Script.WebSearch.gen. In the first half of 2022, 876,924 unique users encountered WebSearch. Typically, this threat mimics tools for working with documents, such as DOC to PDF converters, document mergers, etc. First of all, WebSearch extensions change the browser’s start page so that, instead of the familiar Chrome page, the user sees a minimalistic site consisting of a search engine and several links to third-party resources, such as AliExpress or Farfetch. The transition to these resources is carried out through affiliate links — this is how attackers earn money from their extensions. The more often users follow these links, the more money the extension developers make.

The browser’s new-look home page after being hit by WebSearch

Also, the extension modifies the browser’s default search engine to search.myway[.]com, which can capture user queries, collect and analyze them. Depending on what the user searched for, most relevant partner sites will be actively promoted in the search results.

WebSearch extensions track everything the user searches for, then promote these products with affiliate ads on search engines

Office workers, who often have to use PDF viewers or converters at work, may be the most frequent victims of this threat, as WebSearch mostly hides behind this functionality. Usually, the extension performs its declared useful function so that the user doesn’t uninstall it.

Examples of this family are:

Currently this extension is no longer available in the Chrome Web Store, but can still be downloaded from third-party file-sharing resources and installed manually.

DealPly-related extensions

DealPly-related extensions are adware, the first variations of which appeared back in late 2018, but remain popular with cybercriminals. These extensions are detected with the following verdicts:

• HEUR:AdWare.Script.Generic
• HEUR:AdWare.Script.Extension.gen.

Between January and June 2022, 97,515 unique Kaspersky users encountered DealPly-related add-ons.

Unlike the WebSearch family, these extensions are not installed by the user, but by the adware executable DealPly, which Kaspersky products detect as not-a-virus:AdWare.Win32.DealPly. Usually users get infected with DealPly when trying to download a loader of some hacked software from untrustworthy resources. Similar to the previous threat family, DealPly-related extensions also change the start page of the browser to place affiliate links on it.

The new start page of the browser consists mainly of links to affiliate websites

In order to intercept user requests, the default search engine is changed. All queries that users make on this search engine are analyzed by the extension ⁠— based on the keywords entered in the queries, the user is redirected to a suitable partner site.

The threat analyzes the keyword “iPhone” and, based on this, suggests a suitable offer on the partner website

To provide persistence for its extensions, DealPly creates the following branches in the Windows registry:

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Chrome\Extensions\bifdhahddjbdbjmiekcnmeiffabcfjgh 
HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\bifdhahddjbdbjmiekcnmeiffabcfjgh 
HKEY_CURRENT_USER\Software\Google\Chrome\Extensions\bifdhahddjbdbjmiekcnmeiffabcfjgh

with the value “update_url”=”hxxp[:]//juwakaha[.]com/update“. This value provides browsers with the path to extension updates. Even if the user removes the add-on, each time the browser is launched it will download and reinstall it using this path. Note that the browser updates DealPly-related extensions, although they are installed from third-party servers, and not from the official Chrome Web Store.
We assume that the most frequent victims of this threat are those who download hacked software from dubious resources; common examples of programs that DealPly mimics are KMS activators (programs that activate hacked Windows for free) or cheatengine, used to hack computer games. In addition, DealPly can also mimic installers of various software, including proprietary software.

Examples of DealPly-related extensions are:

AddScript

AddScript is another threat family, hiding under the guise of browser extensions. The first samples of this family were seen in early 2019, and it remains active. In the first half of 2022, we observed 156,698 unique users that encountered AddScript.

Typically, extensions of this family do have useful functions. For example, they can be tools for downloading music and videos from social networks or proxy managers. However, in addition to the useful functionality, such extensions also carry out malicious activity.

AddScript malicious code

The malicious code is obfuscated. When the extension is running, it contacts a hardcoded URL to get the C&C server address. It then establishes a connection to the C&C server, receives malicious JavaScript from it, and runs it covertly. The only way the user can notice the execution of third-party instructions is by the increased consumption of processor power.

The malicious script is updated from time to time and may perform various functions. For example, it can unobtrusively run videos on the victim’s computer, so that its owners profit from the video being “viewed.” Another variant of malicious JavaScript performs cookie stuffing (also called “cookie dropping”). Traditionally, different brands promote affiliate products on their sites. When a visitor clicks the affiliate link, an affiliate cookie is saved on their device. If the user then makes a purchase on the partner’s page, the owner of the site that saved the affiliate cookie gets a commission. AddScript drops multiple affiliate cookies without the user clicking any links on any sites, in order to claim the commission for transactions that happen in the browser. Put simply, the fraudsters trick websites into thinking they have sent them traffic without actually doing so.

Examples of this family are:

Kaspersky products detect AddScript extensions with the verdict HEUR:Trojan.Script.Generic.

FB Stealer

Another malicious browser extension family is FB Stealer. It is one of the most dangerous families, because in addition to the already traditional search engine substitution, FB Stealer is able to steal user credentials from Facebook. From January to June 2022, Kaspersky security solutions detected 3,077 unique users who encountered FB Stealer.

FB Stealer is installed by the malware rather than by the user. Once added to the browser, it mimics the harmless and standard-looking Chrome extension Google Translate.

Malicious FB Stealer extension added from third-party resources. Browser warns that it has no information about this extension

The Trojan delivering FB Stealer is called NullMixer. It masquerades as a cracked software installer, and thus reaches users.

NullMixer spreads through hacked software installers

Downloading a password-protected archive with NullMixer inside

The extension files are stored in the resources section of the NullMixer executable and, during installation, are copied to the %AppData%\Local\Google\Chrome\User Data\Default\Extensions folder. The installer also modifies the Secure Preferences file, which contains Chrome settings, including information about extensions. As soon as this is done, the extension becomes active.

Similar to previous families, the extension changes the default search engine. In this case, it sets it to hxxps[:]//www.ctcodeinfo[.]com. In addition, the attackers extract Facebook session cookies — secrets stored in the browser that hold identification data allowing users to stay logged in — and send them to their own servers. Using these cookies, they are able to quickly log in to the victim’s Facebook account and hijack it by changing the login details. Once inside the account, the attackers can ask the victim’s friends for money, trying to get as much as possible before the user regains access to the account.

Attackers use script obfuscation techniques to hide malicious code

Conclusion and recommendations

Browser extensions remain one of the most common ways for cybercriminals to get money, whether by redirecting users to affiliate pages, cookie stuffing or even stealing the victim’s credentials. Hence, numerous users might wonder: is it worth downloading browser extensions at all if they carry so many threats? We believe that extensions only improve the user online experience, and some add-ons can even make devices a lot safer. That said, it’s important to keep an eye on how reputable and trustworthy the developer is, and what permissions the extension asks for. If you follow the recommendations for safe use of browser extensions, the risk of encountering the threats described above will be minimal.

To stay safe while using browser add-ons:

• Only use trusted sources to download software. Malware and unwanted applications are often distributed through third-party resources, where no one checks their security like official web stores do. These applications may install malicious or unwanted browser extensions without the user knowing about it, and perform other malicious or unwanted activity.
• Since extensions add extra functionality to browsers, they require access to various resources and permissions — you should carefully examine add-on requests before agreeing to them.
• Limit the number of extensions used at any one time and periodically review your installed extensions. Uninstall extensions that you no longer use or that you do not recognize.
• Use a robust security solution. Private Browsing in Kaspersky Internet Security, for example, prevents online monitoring and protects you from web threats.

Indicators of compromise

WebSearch extension MD5
dd7bd821cd4a88e2540a01a9f4b5e209

WebSearch extension ID
kpocjpoifmommoiiiamepombpeoaehfh
fncbkmmlcehhipmmofdhejcggdapcmon
mallpejgeafdahhflmliiahjdpgbegpk
ceopoaldcnmhechacafgagdkklcogkgd
mabloidgodmbnmnhoenmhlcjkfelomgp

DealPly installer MD5
E91538ECBED3228FF5B28EFE070CE587

DealPly-related extension MD5
38a7b26c02de9b35561806ee57d61438

DealPly-related extension ID
bifdhahddjbdbjmiekcnmeiffabcfjgh
ncjbeingokdeimlmolagjaddccfdlkbd
nahhmpbckpgdidfnmfkfgiflpjijilce
pilplloabdedfmialnfchjomjmpjcoej

AddScript extension MD5
28a18438e85aacad71423b044d0f9e3c

AddScript extension ID
hdbipekpdpggjaipompnomhccfemaljm
lfedlgnabjompjngkpddclhgcmeklana
aonedlchkbicmhepimiahfalheedjgbh
oobppndjaabcidladjeehddkgkccfcpn

NullMixer MD5
F94BF1734F34665A65A835CC04A4AD95

FBStealer extension installer MD5
5010c3b42d269cb06e5598a5b1b143a5

FBStealer extension ID
colgdlijdieibnaccfdcdbpdffofkfeb
fdempkefdmgfcogieifmnadjhohaljcb

• IT threat evolution in Q2 2022
• IT threat evolution in Q2 2022. Non-mobile statistics
• IT threat evolution in Q2 2022. Mobile statistics

These statistics are based on detection verdicts of Kaspersky products received from users who consented to providing statistical data.

Quarterly figures

According to Kaspersky Security Network, in Q2 2022:

• 5,520,908 mobile malware, adware and riskware attacks were blocked.
• The most common threat to mobile devices was adware: 25.28% of all threats detected.
• 405,684 malicious installation packages were detected, of which:
  • 55,614 packages were related to mobile banking Trojans;
  • 3,821 packages were mobile ransomware Trojans.

Quarterly highlights

In the second quarter of 2022, cybercriminal activity continued to decline — if the number of attacks on mobile devices is any indication.

Number of attacks targeting users of Kaspersky mobile solutions, Q1 2020 — Q2 2022 (download)

As in the previous quarter, fraudulent apps occupied seven out of twenty leading positions in the malware rankings. That said, the total number of attacks by these apps started to decrease.

Interestingly enough, some fraudulent app creators were targeting users from several countries at once. For instance, J-Lightning Application purported to help users to invest into a Polish oil refinery, a Russian energy company, a Chinese cryptocurrency exchange and an American investment fund.

On the contrary, the number of attacks by the RiskTool.AndroidOS.SpyLoan riskware family (loan apps that request access to users’ text messages, contact list and photos) more than quadrupled from the first quarter. The majority of users whose devices were found to be infected with this riskware were based in Mexico: a third of the total number of those attacked. This was followed by India and Colombia. The ten most-affected countries include Kenya, Brazil, Peru, Pakistan, Nigeria, Uganda and the Philippines.

The second quarter was also noteworthy for Europol taking down the infrastructure of the FluBot mobile botnet, also known as Polph and Cabassous. This aggressively spreading banking Trojan attacked mainly users in Europe and Australia.

Mobile threat statistics

In Q2 2022, Kaspersky detected 405,684 malicious installation packages, a reduction of 110,933 from the previous quarter and a year-on-year decline of 480,421.

Number of detected malicious installation packages, Q2 2021 — Q2 2022 (download)

Distribution of detected mobile malware by type

Distribution of newly detected mobile malware by type, Q1 and Q2 2022 (download)

Adware ranked first among all threats detected in Q2 2022 with 25.28%, exceeding the previous quarter’s figure by 8.36 percentage points. A third of all detected threats of that class were objects of the AdWare.AndroidOS.Ewind family (33.21%). This was followed by the AdWare.AndroidOS.Adlo (22.54%) and AdWare.AndroidOS.HiddenAd (8.88%) families.

The previous leader, the RiskTool riskware, moved to second place with 20.81% of all detected threats, a decline of 27.94 p.p. from the previous quarter. More than half (60.16%) of the discovered apps of that type belonged to the Robtes family.

Various Trojans came close behind with 20.49%, a rise of 5.81 p.p. on the previous quarter. The largest contribution was made by objects belonging to the Mobtes (38.75%), Boogr (21.12%) and Agent (18.98%) families.

Top 20 mobile malware programs

Note that the malware rankings below exclude riskware or PUAs, such as RiskTool or adware.

* Unique users attacked by this malware as a percentage of all attacked users of Kaspersky mobile solutions.

First and third places went to DangerousObject.Multi.Generic (21.90%) and Trojan.AndroidOS.Generic (10.55%), respectively, which are verdicts we use for malware detected with cloud technology. Cloud technology is triggered whenever the antivirus databases lack data for detecting a piece of malware, but the antivirus company’s cloud already contains information about the object. This is essentially how the latest malware types are detected.

Trojan-SMS.AndroidOS.Fakeapp.d rose from third to second place with 10.71%. This malware is capable of sending text messages and calling predefined numbers, displaying ads and hiding its icon.

Members of the Trojan.AndroidOS.GriftHorse family took fourth and sixth places with 6.07% and 3.43%, respectively. This family includes fraudulent apps that purchase paid subscriptions on the user’s behalf.

Trojan-Spy.AndroidOS.Agent.aas (5.40%), an evil twin of WhatsApp with a spy module built in, retained fifth position.

The verdict of DangerousObject.AndroidOS.GenericML (3.21%) came seventh. These verdicts are assigned to files recognized as malicious by our machine-learning systems.

Trojan-Dropper.AndroidOS.Agent.sl (2.82%), a dropper that unpacks and runs a banking Trojan on devices, remained in eighth place. Most of the attacked users were based in Russia or Germany.

Trojan.AndroidOS.Fakemoney.d slid from second to ninth place with 2.33%. Other members of the family occupied twelfth and nineteenth places in the rankings. These are fraudulent apps that offer users to fill out fake welfare applications.

Trojan.AndroidOS.Fakeapp.ed dropped to tenth place from sixth with 1.82%; this verdict covers fraudulent apps purporting to help with investing in gas utilities and mostly targeting Russian users.

Trojan.AndroidOS.Fakeapp.dw dropped from tenth place to eleventh with 1.68%. This verdict is assigned to various scammer apps, for example, those offering to make extra income.

Trojan.AndroidOS.Soceng.f (1.59%) dropped from twelfth to thirteenth place. This Trojan sends text messages to people in your contacts list, deletes files on the user’s SD card, and overlays the interfaces of popular apps with its own window.

Trojan-Ransom.AndroidOS.Pigetrl.a dropped from eleventh to fourteenth place with 1.59%. This malware locks the screen, asking to enter an unlock code. The Trojan provides no instructions on how to obtain this code, which is embedded in the body of the malware.

The verdict of Trojan.AndroidOS.Boogr.gsh occupied fifteenth place with 1.56%. Like DangerousObject.AndroidOS.GenericML, this verdict is produced by a machine learning system.

Trojan-Downloader.AndroidOS.Necro.d (1.56%), designed for downloading and running other malware on infected devices, climbed to sixteenth place from seventeenth.

Trojan-SMS.AndroidOS.Agent.ado dropped from fifteenth to seventeenth place with 1.54%. This malware sends text messages to short codes.

Trojan-Dropper.AndroidOS.Hqwar.gen, which unpacks and runs various banking Trojans on a device, kept eighteenth place with 1.54%.

Trojan-Downloader.AndroidOS.Agent.kx (1.45%), which loads adware, dropped to the bottom of the rankings.

Geography of mobile threats

Map of attempts to infect mobiles with malware, Q2 2022 (download)

TOP 10 countries and territories by share of users attacked by mobile malware

* Excluded from the rankings are countries and territories with relatively few (under 10,000) Kaspersky mobile security users.
** Unique users attacked as a percentage of all users of Kaspersky mobile security solutions in the country.

Iran remained the leader in terms of the share of infected devices in Q2 2022 with 26.91%; the most widespread threats there as before were the annoying AdWare.AndroidOS.Notifyer and AdWare.AndroidOS.Fyben families. Yemen rose to second place with 17.97%; the Trojan-Spy.AndroidOS.Agent.aas spyware was the threat most often encountered by users in that country. Saudi Arabia came third with 12.63%, the most common malware apps in the country being the AdWare.AndroidOS.Adlo and AdWare.AndroidOS.Fyben adware families.

Mobile banking Trojans

The number of detected mobile banking Trojan installation packages increased slightly compared to the previous quarter: during the reporting period, we found 55,614 of these, an increase of 1,667 on Q1 2022 and a year-on-year increase of 31,010.

Almost half (49.28%) of the detected installation packages belonged to the Trojan-Banker.AndroidOS.Bray family. The Trojan-Banker.AndroidOS.Wroba was second with 5.54%, and Trojan-Banker.AndroidOS.Fakecalls third with 4.83%.

Number of installation packages for mobile banking Trojans detected by Kaspersky, Q2 2021 — Q2 2022 (download)

Ten most common mobile bankers

* Unique users attacked by this malware as a percentage of all Kaspersky mobile security solution users who encountered banking threats.

Geography of mobile banking threats, Q2 2022 (download)

TOP 10 countries and territories by shares of users attacked by mobile banking Trojans

* Countries and territories with relatively few users of Kaspersky mobile security solutions (under 10,000) have been excluded from the ranking.
** Unique users attacked by mobile banking Trojans as a percentage of all Kaspersky mobile security solution users in the country.

In Q2 2022, Spain still had the largest share of unique users attacked by mobile financial threats: 1.04%. Trojan-Banker.AndroidOS.Bian.h accounted for 89.95% of attacks on Spanish users. Turkey had the second-largest share (0.71%), with attacks on Turkish users dominated by Trojan-Banker.AndroidOS.Ermak.a (41.38%). Australia was third with 0.67%; most attacks in this country were attributed to Trojan-Banker.AndroidOS.Gustuff.d (96,55%).

Mobile ransomware Trojans

The number of mobile ransomware Trojan installation packages we detected in Q2 2022 (3,821) almost doubled from Q1 2022, increasing by 1,879; the figure represented a year-on-year increase of 198.

Number of installation packages for mobile ransomware Trojans detected by Kaspersky, Q2 2021 — Q2 2022 (download)

Top 10 most common mobile ransomware

* Unique users attacked by the malware as a percentage of all Kaspersky mobile security solution users attacked by ransomware Trojans.

Geography of mobile ransomware Trojans, Q2 2022 (download)

TOP 10 countries and territories by share of users attacked by mobile ransomware Trojans

* Excluded from the rankings are countries and territories with relatively few (under 10,000) Kaspersky mobile security users.
** Unique users attacked by ransomware Trojans as a percentage of all Kaspersky mobile security solution users in the country or territory.

Countries leading by number of users attacked by mobile ransomware Trojans were Yemen (0.30%), Kazakhstan (0.19%) and Azerbaijan (0.06%). Users in Yemen most often encountered Trojan-Ransom.AndroidOS.Pigetrl.a, while users in Kazakhstan and Azerbaijan were attacked mainly by members of the Trojan-Ransom.AndroidOS.Rkor family.

• IT threat evolution in Q1 2022
• IT threat evolution in Q1 2022. Non-mobile statistics
• IT threat evolution in Q1 2022. Mobile statistics

These statistics are based on detection verdicts of Kaspersky products received from users who consented to providing statistical data.

Quarterly figures

According to Kaspersky Security Network, in Q1 2022:

• 6,463,414 mobile malware, adware and riskware attacks were blocked.
• The largest share of all detected mobile threats accrued to RiskTool programs — 48.75%.
• 516,617 malicious installation packages were detected, of which:
  • 53,947 packages were related to mobile banking trojans,
  • and 1,942 packages were mobile ransomware trojans.

Quarterly highlights

In Q1 2022, the level of activity among cybercriminals remained roughly the same as it was at the end of 2021 when comparing the number of attacks on mobile devices. But in general, the number of attacks is still on a downward trend.

Number of attacks targeting users of Kaspersky mobile solutions, Q1 2020 — Q1 2022 (download)

What makes this quarter interesting is that many different fraudulent apps are distributed via official app stores. It’s not uncommon for apps published in the store to be accompanied by inflated ratings with fake reviews posted on the page for the app which are of course all positive. These types of apps occupy seven out of the twenty places in our malware ranking for Q1.

One of the schemes used by scammers which has been becoming more popular since last year are scam apps for receiving social benefits. The mobile apps redirect to a webpage where users are prompted to enter personal data and shown a large sum of money they’re supposedly entitled to. In order to claim their benefits however, users are told they need to pay a commission to cover the transfer cost or legal assistance. Once the money has been transferred, the app’s objective is considered achieved, and the user receives nothing in return.

Scam apps targeting Russian-speaking users

Another common scheme deployed by scammers are fraudulent trading apps which grant access to an investment platform for certain gas stocks. The app brings the user to a fake website where you can “raise your investment capital”. Needless to say, all the money invested is sent straight to the cybercriminals.

Other types of fraudulent apps begin charging a hefty weekly subscription fee a few days after the app is installed or even sign the user up for premium SMS subscriptions.

Keto diet app for meal planning which deducts money from the user’s bankcard without receiving prior consent

Other finds which stood out this quarter were various apps for taking out payday loans targeting users in Mexico and India. In our system of classification, these apps belong to a family of potentially unwanted software called RiskTool.AndroidOS.SpyLoan, which request access to user’s text messages, contacts list and photos. If a payment is late, debt collectors can begin calling people from the user’s contacts list or blackmail the user by threatening to disclose their personal information.

We observed a similar case in Brazil, where people were encouraged to install an app to take out payday loans which locks users out of their phones if they miss a payment.

Mobile threat statistics

In Q1 2022, Kaspersky detected 516,617 malicious installation packages, which is 79,448 fewer than the previous quarter and down 935,043 against Q1 2021.

Number of detected malicious installation packages, Q1 2021 — Q1 2022 (download)

Distribution of detected mobile malware by type

Distribution of newly detected mobile malware by type, Q4 2021 and Q1 2022 (download)

Almost half of all threats detected in Q1 2022 were potentially unwanted RiskTool apps (48.75%), which is a reduction of 3.21 p.p. compared to the previous quarter. Most apps detected in this category belonged to the traditionally dominant SMSreg family (61.37%).

Adware apps came second (16.92%), which also saw a decrease of 10.01 p.p. The worst offenders belonged to the Ewind family (28.89%), which were encountered more frequently than any other adware we detected. It’s followed by Adlo (19.84%) and HiddenAd (12.46%) families.

Third place was taken by various trojans whose share increased by 10.32 p.p. to 14.68%. The trojan families that had the greatest impact were Mobtes (44.35%), Piom (32.61%) and Boogr (14.32%).

Top 20 mobile malware programs

Note that the malware rankings below exclude riskware or PUAs, such as RiskTool or adware.

* Unique users attacked by this malware as a percentage of all attacked users of Kaspersky mobile solutions.

The malware rating for Q1 2022 featured many new arrivals, which we discussed in the quarterly-highlights section. But let’s go back to the top of the ranking. First place was defended by the traditional title-holder DangerousObject.Multi.Generic (20.45%), which is a verdict we use to describe malware detected using cloud technology. The trojan identified as Trojan.AndroidOS.Fakemoney.d (10.73%) moved up from third to second place. Other members of this family have also occupied seventh and thirteenth place in the rating. These are fraudulent apps that invite users to fill out a fake application for social benefits. The majority of users targeted in these attacks live in Russia, Kazakhstan and Ukraine.

The trojans in third and fourth place (7.82% and 5.36%) are members of the Trojan-SMS.AndroidOS.Fakeapp family. This type of malware is able to send text messages and call specified numbers, display ads and hide its icon on the device. Fifth place is taken by a trojan referred to as Trojan-Spy.AndroidOS.Agent.aas (4.93%), which is a modification of the popular WhatsApp Messenger containing a spy tool.

Trojan.AndroidOS.Fakeapp.ed (4.45%) took sixth place. This verdict refers to a category of fraudulent apps which target users in Russia by posing as a stock-trading platform for investing in gas.

Eighth place is occupied by Trojan-Dropper.AndroidOS.Agent.sl (2.94%), a dropper that installs and runs banking trojans on devices. The majority of users attacked by it were located in Russia, Germany and Turkey.

Ninth place was taken by the verdict DangerousObject.AndroidOS.GenericML (2.55%). These verdicts are assigned to files recognized as malicious by our machine-learning systems. The verdict in tenth place is Trojan.AndroidOS.Fakeapp.dw (2.40%), which is used to describe various scam apps, such as apps claiming to offer an additional source of income.

The trojan in eleventh place is Trojan-Ransom.AndroidOS.Pigetrl.a (2.14%), which locks the device’s screen and asks for a code to unlock it. The trojan doesn’t provide any instructions on how to obtain this code, and the code itself is embedded in the body of the malware.

The trojan which came twelfth was Trojan.AndroidOS.Soceng.f (2.14%), which sends text messages to people in your contacts list, deletes files on the SD card, and overlays the interfaces of popular apps with its own window. The trojan in fourteenth place is Trojan-Downloader.AndroidOS.Agent.kx (1.63%), which downloads adware.

A trojan known as Trojan-SMS.AndroidOS.Agent.ado (1.62%), which sends text messages to short premium-rate numbers is in fifteenth place. The next row down is occupied by Trojan.AndroidOS.Fakeapp.ea (1.55%), another fraudulent trading app for investing in gas.

The trojan in seventeenth place is Trojan-Downloader.AndroidOS.Necro.d (1.47%), which is used to download and run other forms of malware on an infected device. It is followed by Trojan-Dropper.AndroidOS.Hqwar.gen (1.36%), which is used to unpack and run various banking trojans on a device.

The trojan in nineteenth place is Trojan.AndroidOS.GriftHorse.l (1.26%) — another fraudulent app mentioned in the quarterly-highlight section. It subscribes users to premium text-messaging services. The next line is occupied by SMS-Flooder.AndroidOS.Dabom.c (1.19%), which has the main aim of bombarding people with spam text messages.

Geography of mobile threats

Map of attempts to infect mobiles with malware, Q1 2022 (download)

TOP 10 countries by share of users attacked by mobile malware

* Countries with relatively few users of Kaspersky mobile security solutions (under 10,000) are excluded from the ranking.
** Share of unique users attacked as a percentage of all users of Kaspersky mobile security solutions in the country.

In the rating for Q1 2022, Iran (35.25%) is still the country with the most infected devices. The most frequently encountered threat in this country was annoying adware from the Notifyer and Fyben families. China came second (26.85%), where the most frequently encountered threats were Trojan.AndroidOS.Boogr.gsh and Trojan.AndroidOS.Najin.a. Third place was taken by Yemen (21.23%), where the most widespread mobile threat was Trojan-Spy.AndroidOS.Agent.aas spyware.

Mobile banking trojans

The number of installation packages for mobile banking trojans, which dipped in the first three quarters of 2021, continued to grow: we detected 53,947 of these packages in the reporting period, which is 15,594 up on Q4 2021 and a year-on-year increase of 28,633 against Q1 2021. The increase in the number of packages is largely due to the Trojan-Banker.AndroidOS.Bray family — its share accounted for 80.89% of all mobile banking trojans detected. The second most frequently detected package was Trojan-Banker.AndroidOS.Fakecalls (8.75%), followed by Trojan-Banker.AndroidOS.Cebruser (2.52%) in third place.

Number of installation packages for mobile banking trojans detected by Kaspersky, Q1 2021 — Q1 2022 (download)

TOP 10 most common mobile bankers

* Unique users attacked by this malware as a percentage of all Kaspersky mobile security solution users who encountered banking threats.

Geography of mobile banking threats, Q1 2022 (download)

TOP 10 countries by shares of users attacked by mobile banking trojans

* Countries with relatively few users of Kaspersky mobile security solutions (under 10,000) have been excluded from the ranking.
** Unique users attacked by mobile banking trojans as a percentage of all Kaspersky mobile security solution users in the country.

Spain (1.80%) was where the most unique users were attacked by mobile financial threats in Q1 2022. The trojan behind almost three quarters of attacks (74,58%) in this country was the TOP 10 leader Trojan-Banker.AndroidOS.Bian.h. Turkey (1.07%) came second, where Trojan-Banker.AndroidOS.Bian.h (42.69%) was also encountered more frequently than any other threat. Australia (0.54%) took third place, where one trojan was more active than all the rest: Trojan-Banker.AndroidOS.Gustuff.d (95.14%).

Mobile ransomware trojans

In Q1 2022, we detected 1,942 installation packages for mobile ransomware trojans, which is 2,371 fewer than the figure recorded in the previous quarter and a year-on-year decrease of 1,654 against Q1 2021.

Number of installation packages for mobile ransomware trojans detected by Kaspersky, Q1 2021 and Q1 2022 (download)

TOP 10 most common mobile ransomware

* Unique users attacked by the malware as a percentage of all Kaspersky mobile security solution users attacked by ransomware trojans.

The top ransomware trojan held onto its title in the ranking for Q1 2022: Trojan-Ransom.AndroidOS.Pigetrl.a (78.77%). It’s worth noting that 94% of all attacks involving this trojan targeted Russia. The next runners-up trailing far behind the leader are two members of the Trojan-Ransom.AndroidOS.Rkor family: Rkor.br (5.68%) and Rkor.bs (1.99%).

Geography of mobile ransomware trojans, Q1 2022 (download)

Top 10 countries by share of users attacked by mobile ransomware trojans

* Countries with relatively few users of Kaspersky mobile security solutions (under 10,000) have been excluded from the ranking.
** Unique users attacked by ransomware trojans as a percentage of all Kaspersky mobile security solution users in the country.

Yemen (0.43%) tops the list of countries where the greatest number of users were attacked by mobile ransomware trojans. It’s followed by Kazakhstan (0.34%) with China (0.28%) rounding out the top three. The trojan which users in Yemen encountered most frequently was Trojan-Ransom.AndroidOS.Pigetrl.a, while users in Kazakhstan and China encountered members of the Trojan-Ransom.AndroidOS.Rkor family.

 The state of stalkerware in 2021 (PDF)

Main findings of 2021

Every year Kaspersky analyzes the use of stalkerware around the world to better understand the threat it poses. We partner with stakeholders across public and private sectors to raise awareness and find solutions to best tackle this important issue.

Stalkerware enables people to secretly spy on other people’s private lives via smart devices and is often used to facilitate psychological and physical violence against intimate partners. The software is commercially available and can access an array of personal data, including device location, browser history, text messages, social media chats, photos and more. The marketing of stalkerware is not illegal, but its use without the victim’s consent is. Perpetrators benefit from this vague legal framework that still exists in many countries. Stalkerware is a breach of privacy and a form of tech abuse. To address this complex threat in a comprehensive way that best supports victims and survivors, innovative tools from a legislative, social and technological point of view are needed.

2021 data highlights

• In 2021, Kaspersky’s data shows that 32,694 unique users were affected by stalkerware globally. This is a decrease from our 2020 numbers and a historic low since we first started gathering data on stalkerware in 2018. While this could be seen as a reason for celebration, it is not.
• Cyber-violence is on the rise, especially since the beginning of the pandemic. As people have continued to socialize less and spend more time at home, perpetrators feel more in control, possibly making them less prone to installing stalkerware to spy on their partner. In addition, abusers, unfortunately, have a wider range of means, in the form of smart devices, to spy on or stalk their victims. Non-profit organizations (NPOs) with which Kaspersky works closely have shared similar observations from working with perpetrators and victims of stakerware. It is important to remember that these numbers only include Kaspersky users: they do not take into account users who use the IT security solutions of our competitors or those who do not have any IT security solutions installed on their mobiles. Therefore, we see only the tip of the iceberg: while it is difficult to calculate the exact number of affected users in the world, members from the Coalition against Stalkerware estimate that it could be at least 30 times higher, with close to one million victims globally, each year.
• Based on data obtained from the Kaspersky Security Network, the most affected countries remain Russia, Brazil and the United States. This is in line with statistics from the past two years. At the regional level, we find the highest numbers of affected users in:
  • Germany, Italy and the UK (Europe)
  • Turkey, Egypt and Saudi Arabia (Middle East and Africa)
  • India, Indonesia and Vietnam (Asia-Pacific)
  • Brazil, Mexico and Columbia (Latin America)
  • The United States (North America)
  • The Russian Federation, Ukraine and Kazakhstan (Russia and Central Asia)
• Cerberus and Reptilicus were the most used stalkerware applications, with 5,575 and 4,417 affected users, respectively, globally.

Trends observed by Kaspersky

Methodology

The data in this report has been taken from aggregated threat statistics obtained from the Kaspersky Security Network. The Kaspersky Security Network is dedicated to processing cybersecurity-related data streams from millions of volunteer participants around the world. All received data is anonymized. To calculate our statistics, we review the consumer line of Kaspersky’s mobile security solutions applying only the Coalition Against Stalkerware’s detection criteria on stalkerware. This means that the affected number of users were targeted by stalkerware only. Other types of monitoring or spyware apps that fall outside of the Coalition’s definition are not included in our statistics.

The statistics reflect unique mobile users affected by stalkerware: this is different from the number of detections. The number of detections can be higher as we may detect stalkerware several times on the same device of the same unique user if they decided not to remove the app after receiving our notification.

Finally, the statistics reflect only mobile users using Kaspersky’s IT security solutions. Some users may use another cybersecurity solution on their devices, while some do not use any solution at all.

Global detection figures: affected users

In this section, we highlight the global and regional numbers observed by Kaspersky in 2021 and how they compare with those from previous years.

In 2021, a total of 32,694 single users were affected by stalkerware. The graphic below shows the evolution of affected users year on year since 2018.

The graphic below shows unique affected users per month over the 2019-2021 period. We can see that in 2021 the trend was more stable than in 2020, which saw a visible decrease during the months most impacted by lockdowns and quarantine measures.

Global and regional detection figures: geography of affected users

Stalkerware continues to affect people across the world: in 2021, Kaspersky detected affected users in 185 countries or territories.

As in 2020, Russia, Brazil, the United States and India are, again, the top four countries with the most identified single affected users. Interestingly, Mexico has fallen from fifth to ninth place and Algeria, Turkey and Egypt have entered the top 10. They have replaced Italy, the United Kingdom and Saudi Arabia, which are no longer in the top 10 countries most affected by stalkerware.

Table 1 – 2021’s top 10 countries affected by stalkerware – globally

In this year’s report, we provide more detailed regional statistics with numbers for Europe, Asia-Pacific, Latin America, North America, Russia and Central Asia and the Middle East and Africa.

In Europe, the total number of single affected users was 4,236 in 2021. Germany, Italy and the United Kingdom rank at the top of the list, repeating their top rankings last year. Austria has been replaced in the top 10 by Czechia.

Table 2 – 2021’s top 10 countries affected by stalkerware – Europe

In Russia and Central Asia, the total number of single affected users was 9,207. The top three countries were Russia, Ukraine and Kazakhstan.

Table 3 – Eastern Europe (excluding EU countries), Russia and Central Asia

In the Middle East and Africa region, the total number of affected users in the entire region was 6,270 with Turkey, Egypt and Saudi Arabia having the most affected users.

Table 4 – 2021’s top 10 countries affected by stalkerware – Middle East and Africa

In APAC, the total number of affected users was 4,243. India was substantially ahead of other countries with 2,105 single users affected. It was followed by Indonesia and Vietnam.

Table 5  – 2021’s top 10 countries affected by stalkerware – Asia Pacific

The Latin America and Caribbean region ranking was dominated by one country: Brazil, which represented 72.5% of the total number of affected users in the region (and accounts for roughly 32% of the region’s population). Brazil was followed by Mexico and Colombia. The entire region had 6,609 affected users.

Table 6 – 2021’s top 10 countries affected by stalkerware – Latin America

Finally, in North America, the United States accounted for 87% of all affected users in the region, which was expected given that its population is ten times larger than that of Canada. The total number of affected users in North America, excluding Mexico which has been included with the Latin America data, is 2,666.

Table 7 – 2021’s affected users by stalkerware – North America

Common functionalities of stalkerware applications

This section lists the stalkerware applications that are the most used to control mobile devices on a global level. Cerberus and Reptilicus were the most used stalkerware applications with 5,575 and 4,417 affected users, respectively, globally.

Table 8 – 2021’s top list of stalkerware applications

Stalkerware applications can give tremendous power and access to its users, depending on the applications and whether they are used in free or paying mode. Some of them are marketed as anti-theft or parental control applications, however, they are different in many ways, beginning with the fact that they work in stealth mode without the consent and knowledge of the victim.

Most of the popular applications provide common stalkerware functionality such as:

• Hiding app icon
• Reading SMS, MMS and call logs
• Getting lists of contacts
• Tracking GPS location
• Tracking calendar events
• Reading messages from popular messenger services and social networks, such as Facebook, WhatsApp, Signal, Telegram, Viber, Instagram, Skype, Hangouts, Line, Kik, WeChat, Tinder, IMO, Gmail, Tango, SnapChat, Hike, TikTok, Kwai, Badoo, BBM, TextMe, Tumblr, Weico, Reddit etc.
• Viewing photos and pictures from phones’ image galleries
• Taking screenshots
• Taking front (selfie-mode) camera photos

Are Android OS and iOS equally affected by stalkerware?

Stalkerware tools are less frequent on iPhones than Android devices because iOS is traditionally a closed system. However, perpetrators can work around this limitation on jailbroken iPhones, but they still require direct physical access to the phone to jailbreak it. iPhone users who fear surveillance should always keep an eye on their device.

Alternatively, an abuser can offer their victim an iPhone – or any other device – with pre-installed stalkerware. There are many companies that make these services available online, allowing abusers to have these tools installed on new phones, which can then be delivered in factory packaging under the guise of a gift to the intended victim.

The use of stalkerware may be decreasing, but violence is not

While we observe a decrease of 39% of affected users from our 2020 data, the fight against stalkerware and against cyber violence is far from over. The number of affected users and some of the behaviors and perceptions around the use of stalkerware are still concerning. In November 2021, Kaspersky commissioned a global survey of more than 21,000 participants in 21 countries on their attitudes towards privacy and digital stalking in intimate relationships. While the majority of respondents (70%) do not believe it is acceptable to monitor their partner without consent, a significant share of people (30%) doesn’t see any issue with it and find it acceptable under certain circumstances. Of those who think there are justifiable reasons for secret surveillance, almost two thirds would engage in the behavior if they believed their partner was being unfaithful (64%) or if it was related to their safety (63%) and half would if they believed their partner was involved in criminal activities (50%).

High-speed internet in conjunction with the rapid spread of information and communication technology (ICT) has supported cyber-violence by creating another tool for abusers to share violent and dangerous materials or engage in behaviors that affect emotional, psychological or physical damage. While these technologies have given people the ability to maintain social and emotional relationships across wide-ranging physical distances, ICT has also enabled cyber-violence – a consequence that’s far-reaching effects extend to the offline world with real-life negative impacts on its victims.

The results of our survey corroborate this, with 15% of respondents worldwide being required by their partner to install a monitoring app and 34% of those also experiencing physical and/or verbal abuse by that intimate partner.

While it is too early to make definitive conclusions on the decrease of affected users in 2021, there are two theories that could explain this trend.

Firstly, we believe that all aspects of our lives are still heavily impacted by the pandemic. Recent studies^[1] show that new behaviors are emerging across areas of life such as work, learning, home, consumption, communications and information, travel and mobility. In short, people are staying at home more (49% avoid leaving their homes and 50% are working from home partially or entirely), reducing face to face interactions (57% indicate that they are socially distancing from friends and the community) and traveling, and shopping, educating and entertaining themselves increasingly online. From an abuser’s point of view, this could result in less need to spy on their partner, who is now in their sight most of the time.

Secondly, the Internet of Things (IoT) and digitization are now everywhere in our lives. It fills our daily routines and our homes, cars and offices. While the opportunities and advantages are endless, many devices also enable tracking by third parties. Our research suggests that perpetrators might also use other means, aside from stalkerware, to track their partners, with 50% of respondents to our survey indicating that they have been tracked through phone apps, another 29% mentioning they had been traced through tracking devices, 22% through webcams and 18% through smart home devices.

Apple’s recent January 2022 publication of a safety manual for its AirTag product marks a shift in the perception of the situation.

NNEDV, the National Network to End Domestic Violence and WWP EN, the European Network for the Work with Perpetrators of Domestic Violence share with us their experience and views on these two theories and on tech abuse in general.

How measures imposed by governments during the pandemic facilitated and reinforced perpetrators’ coercive control – Berta Vall Castelló, Research and Development manager and Anna McKenzie, Communications manager at WWP EN

The European Network for the Work With Perpetrators of domestic violence (WWP EN) is a membership association of organisations directly or indirectly working with people who perpetrate violence in close relationships. The main focus of WWP EN is violence perpetrated by men against women and children. The mission of WWP EN is to improve the safety of women and their children and others at risk from violence in close relationships, through the promotion of effective work with those who perpetrate this violence, mainly men.

Coercive control is defined as “a pattern of abusive behavior designed to exercise domination and control over the other party to a relationship. It can include a range of abusive behaviors – physical, psychological, emotional or financial – the cumulative effect of which over time robs victim-survivors of their autonomy and independence as an individual” (McGorrery and McMahon, 2020). As we write in our manual “Same Violence, New Tools – How to work with violent men who use cyberviolence,” perpetrators isolate their partners and make them emotionally dependent. They use assaults, threats, intimidation, humiliation, isolation and more to create a constant sense of fear, as well as a general loss of a sense of freedom. ICT technologies are powerful tools for perpetrators exerting coercive control, especially in relationships where violence is already present offline.

A recent review on domestic violence during the COVID-19 pandemic found that the measures imposed by the government during lockdown facilitate and reinforce perpetrators’ coercive control. The authors suggested that the conditions of isolation/physical distancing imposed by the governments overlap with coercive control strategies used by perpetrators to control their partners (Pentaraki and Speake, 2020). Considering these results, it seems likely that perpetrators feel less of a “need” to use stalkerware to exert coercive control over their partners. Moreover, recent research has observed that technology-facilitated abuse often escalates during a period of separation (George and Harris 2014; Woodlock 2016). Therefore, during a lockdown situation where couples were forced to stay together at home, they are less likely to use technology-facilitated abuse.

We must remember that a decrease in the use of stalkerware does not equal a decrease in overall intimate partner violence (IPV) during the pandemic. On the contrary, Boxall, Morgan and Brown (2020) note that IPV has increased during the COVID-19 pandemic. Therefore, the results in this report indicate that stalkerware has been replaced with other tools. As Elena Gajotto, from Italian NGO Una Casa per l’Uomo, remarks: “It is so easy to monitor and track someone, for example by using their Google account, that you don’t really need to use stalkerware.” The wide variety of possible technology-facilitated abuse might have had an impact on the decrease in the use of stalkerware specifically. Letizia Baroncelli, from Italian NGO Centro Ascolto Uomini Malttratanti (CAM), agrees and adds: “I think we see less stalkerware because there are so many other forms of perpetrating digital abuse.”

However, NGOs, governments and researchers have reported a substantial increase in image-based abuse and sextortion since the start of the pandemic (Boniello, 2020; CCRI, personal communication, June 2, 2020; FBI, 2020, 2021). It seems that this type of technology-facilitated abuse has escalated, especially among teenagers and couples who do not live together. As Letizia Baroncelli notes: “Sharing personal pictures has increased a lot since the pandemic, especially among young perpetrators. They do not understand that they are committing a crime.” As Elena Gajotto adds: “Image-based abuse causes devastating harm to the women who experience it, while the men don’t even understand that they did something bad.”

Several WWP EN members have shared that the most common form of digital violence is men monitoring their partners’ digital activities, e.g. by checking emails, phones and social accounts. This is in line with observations from Daniel Antunovic, from Croatian NGO UZOR, who agrees that the ‘primitive’ forms of digital stalking are the ones he sees most often.

At WWP EN, we consider it key to focus on tech-facilitated abuse to ensure victim safety. Elena Gajotto adds: “Around half of the men share their digital violence, without realizing that this is abuse. If we don’t explicitly focus on this violence in our work with perpetrators, it doesn’t come up.” Therefore, there is a need to increase the capacity of professionals working with perpetrators and professionals working with victims of domestic violence to screen for and intervene in cases of digital violence. As Daniel Antunovic adds: “We haven’t encountered as many cases of digital violence as I expected since COVID-19. However, technology-facilitated abuse is in some ways like sexualized violence. It happens a lot, but it remains hidden.”

There is a growing rate of “smart devices” used in intimate partner violence – Toby Shulruff, Tech Safety Project Manager at NNEDV

NNEDVs Safety Net Project focuses on the intersection of technology, privacy, confidentiality, and innovation, as it relates to safety and abuse by advocating for policies, educating and training advocates and professionals in the justice system, and working with communities, agencies, and technology companies to respond to technology abuse, support survivors in their use of tech, and harness tech to improve services.

While stalkerware is a common concern, there are many other tools available for tech abuse that may appear to be stalkerware, but are not. For example, personal information available online and the everyday features of devices and accounts can be used to find a person’s location or track their activity. The complexity and connections between devices, accounts, and information on the internet can make it difficult for victims and those who work with them to assess what’s happening, and to implement an effective response. It can be terrifying and overwhelming for a survivor to realize an abuser knows multiple details about their everyday lives.

Unfortunately, there is a growing rate of “smart” devices— including home assistants, connected appliances, and security systems connected to WiFi networks and smartphones—used in intimate partner violence.

In a survey conducted by the NNEDV in December 2020 and January 2021, responses revealed an increase in every type of tech abuse during the pandemic. While phones are the technology most often misused, NNEDV’s needs assessment shows this to be the case 87% of the time, “smart” or connected devices were also identified as technologies that are increasingly misused in the context of tech abuse, seen regularly by about a third of support professionals.

As more people adopt the use of IoT devices, this will likely grow. These products are intended to increase convenience and efficiency. The manufacture of IoT devices is a rapidly emerging global market with both larger, well-established players as well as many smaller, newer companies^[2]. IoT is made possible by several overlapping trends in technology: miniaturization, increased processing capacity, increased data storage, decreased cost of manufacturing, and connectivity.

Due to a variety of factors – market pressures, the rapid emergence of the technology, and the complexity of the IoT – profound risks to security and privacy are increasingly apparent^[3]. Smart home devices in particular are being misused in the context of intimate partner violence to control, threaten, and cause harm to victims. [Researchers at the Gender + IoT project at University College London^[4] have been exploring these harms] [and proposing remedies in partnership with support professionals in the field.]

NNEDV’s recent needs assessment documented increases in tech abuse tactics throughout the pandemic. We are concerned that as we emerge from this public health crisis, abusers who have adopted these tactics or have increased their misuse of technology during this time will not have any incentive to discontinue this form of abuse. Recent research^[5] suggests support professionals should ask about all kinds of tech abuse, including stalkerware and smart home devices. There is a strong likelihood the spike in tech abuse support professionals have seen will stay with us. It’s imperative we continue to support victims, and work to prevent technology abuse.

How Kaspersky and its partners are collaborating to fight stalkerware

The threat of stalkerware is not just a technical problem: all parts of society need to be involved in resolving the issue. For the past few years, Kaspersky has been at the forefront of the stalkerware debate. We are reaching out to public and private stakeholders to better understand this issue and find common solutions. We are contributing to the development of training materials and practical tools to support non-profit organizations, corporations, institutions and individuals with developing resilience to stalkerware. We are organizing and participating in webinars and roundtables with institutions to share our voices and contribute to discussions that will shape tomorrow’s legislation.

Kaspersky is one of the co-founders and drivers of the Coalition Against Stalkerware (CAS) – an international working group dedicated to tackling stalkerware and combating domestic violence. The Coalition brings together organizations that work with victims and abusers, digital activists and cybersecurity vendors. It is a unique platform that enables all relevant stakeholders to share best practices and join forces to tackle the issue of stalkerware.

Kaspersky is also one of the partners of the DeStalk project. Funded by the European Commission, this research project aims to develop a strategy to train and support professionals working in victims support services and perpetrator programmes, officers of institutions and local governments along with other relevant groups. The consortium plans to upgrade and test existing tools for practitioners and is developing a regional pilot awareness campaign in Italy.

In 2021, we teamed up with INTERPOL and two respected non-profit organizations from the US and Australia to provide law enforcement officials with two online training sessions. These courses were attended by over 210 participants from around the world.

At the end of 2021, Kaspersky also participated in an event, “Combating violence against women in a digital age – utilising the Istanbul Convention”, organized by the Council of Europe. This event was an opportunity to discuss the recommendations of the Group of Experts on combating violence against women and domestic violence (GREVIO).

TinyCheck: a tool to support victims of domestic violence

Kaspersky’s work with the TinyCheck tool is an initiative worth highlighting. It is a free, open-source tool developed and supported by Kaspersky. Initially created to help NPOs protect victims of domestic violence and their privacy, TinyCheck facilitates the detection of stalkerware on victims’ devices and on any OS in a simple, quick and non-invasive way without making the perpetrator aware. While security solutions can also check for and alert about stalkerware, they need to be installed on the device, so there is a risk of the perpetrator also being alerted. Developments like the TinyCheck tool aim to ensure that survivors can use their devices without concerns about being surveilled.

With TinyCheck, no application needs to be installed on the device to perform the check, and the results of the check are not displayed on or transmitted to the potentially infected device. In addition, TinyCheck allows victims to check any device regardless of whether it uses iOS, Android or another OS. These features address the two major issues in the fight to protect users against stalkerware. The tool has been developed to run on a Raspberry Pi, using a regular Wi-Fi connection. TinyCheck quickly analyzes a mobile device’s outgoing traffic and identifies Indicators of Compromise (IOCs), such as interactions with known malicious sources like stalkerware-related servers. Currently, the tool uses IOCs collected not only by Kaspersky researchers but also by repositories maintained by independent security researchers (special thanks to Etienne Maynier, also known as Tek, from Echap and Cian Heasley). We hope that the community will continue this work by keeping IOCs up-to-date.

Having said that, the limitations of TinyCheck need to be understood. The tool should be used with the following warning in mind: IOCs do not provide complete real-time detection of all stalkerware apps like an IT Security solution does. Therefore, a result detecting no stalkerware does not exclude the possibility that stalkerware has been installed but not detected by TinyCheck.

In 2021, more NPOs in the field of domestic violence tested TinyCheck and provided feedback to help improve the service. Police forces and judicial bodies in several countries have also taken an interest in the tool to better support victims.

2021 has seen positive developments on the regulatory and institutional fronts

Across the world, 2021 has seen some positive developments in the fight against stalkerware from a regulatory and institutional point of view. In May 2021, the Diet, Japan’s parliament, enacted a bill to amend their stalker regulation law. Under the revised law, in addition to other stipulations, obtaining location information of people’s smartphones through apps without their authorization is now illegal.

In August 2021, the Federal Trade Commission in the United States barred one app maker from offering stalkerware. It was the first ban of its kind.

On August 17, 2021, the German Bundestag passed the “Act to Amend the Criminal Code – More Effective Combating of Stalking and Better Coverage of Cyberstalking” (translated from German). The new law entered into force on October 1, 2021, and now includes cyberstalking in their catalog of offenses. The change is because of continued technological progress and the associated increase in cyberstalking, particularly via stalking apps or stalkerware. In addition, an important part of the new law is that it classifies a case as serious if the offender “in the course of an offense, uses a computer program whose purpose is the digital spying on other persons.”

The Council of Europe has been very active on this topic in 2021. In its first recommendation on the “digital dimension” of violence against women, the Council of Europe’s Group of Experts on Action against Violence against Women and Domestic Violence (GREVIO) defines and outlines the problems of both gender-based violence against women committed online and technology-enabled attacks against women, such as legally obtainable tracking devices that enable perpetrators to stalk their victims. This was shortly followed in December 2021 by a legislative initiative report on gender-based cyberviolence that was adopted by the European Parliament. The report calls for (i) a common definition of gender-based cyberviolence and (ii) capacity building for stakeholders. It highlights stalkerware among the key methods of cyberviolence and “dismisses the notion that stalkerware applications can be considered parental control applications”. Following the general recommendations of the Council of Europe, this report, although non-binding, is another positive official document highlighting the stalkerware issue and pushing European states to adapt their legislations and actions to counter the issue. Finally, on March 8^th, 2022, the European Commission published a proposal for a Directive of the European Parliament and of the Council on combating violence against women and domestic violence. The document covers cyber violence and dedicates two articles to cyber stalking (Art 8) and cyber harassment (Art 9) that it proposes to criminalize.

Think you are a victim of stalkerware? Here are a few tips

Whether or not you are a victim of stalkerware, here are a few tips if you want to better protect yourself:

• Protect your phone with a strong password that you never share with your partner, friends or colleagues
• Change passwords for all of your accounts periodically and don’t share them with anyone
• Only download apps from official sources, such as Google Play or the Apple App Store
• Install a reliable IT security solution like Kaspersky Internet Security for Android on devices and scan them regularly. However, in the case of potentially already installed stalkerware, this should only be done after the risk to the victim has been assessed, as the abuser may notice the use of a cybersecurity solution.

Victims of stalkerware may be victims of a larger cycle of abuse, including physical. In some cases, the perpetrator is notified if their victim performs a device scan or removes a stalkerware app. If this happens, it can lead to an escalation of the situation and further aggression. This is why it is important to proceed with caution if you think you are being targeted by stalkerware.

• Reach out to a local support organization: to find one close to you, check the Coalition Against Stalkerware website.
• Keep an eye out for the following warning signs: these can include a fast-draining battery due to unknown or suspicious apps using up its charge and newly-installed applications with suspicious access to use and track your location, send or receive text messages and other personal activities. Also check if your “unknown sources” setting is enabled, it may be a sign that unwanted software has been installed from a third party source. It is important to note that the above signs are only symptoms of possible stalkerware installation, not a definitive indication.
• Do not try to erase the stalkerware, change any settings or tamper with your phone: this may alert your potential perpetrator and lead to an escalation of the situation. You also risk erasing important data or evidence that could be used in a prosecution.

^[1] https://www.pwc.com/us/en/industries/consumer-markets/library/covid-19-consumer-behavior-survey.html; https://www.mckinsey.com/~/media/mckinsey/industries/retail/our%20insights/how%20covid%2019%20is%20changing%20consumer%20behavior%20now%20and%20forever/how-covid-19-is-changing-consumer-behaviornow-and-forever.pdf;

^[2] Internet Society. (2015). The Internet of Things: An overview. https://www.internetsociety.org/wp-content/uploads/2017/08/ISOC-IoT-Overview-20151221-en.pdf or https://www.internetsociety.org/iot/

^[3] Internet Society. (2015). The Internet of Things: An overview. https://www.internetsociety.org/wp-content/uploads/2017/08/ISOC-IoT-Overview-20151221-en.pdf or https://www.internetsociety.org/iot/

^[4] Tanczer, L., Neira, I. L., Parkin, S., Patel, T., & Danezis, G. (2018). The rise of the Internet of Things and implications for technology-facilitated abuse. University College London.

^[5] Freed, D., Palmer, J., Minchala, D., Levy, K., Ristenpart, T., & Dell, N. (2017). Digital technologies and intimate partner violence: A qualitative analysis with multiple stakeholders. Proceedings of the ACM on human-computer interaction, 1(CSCW), p.1-22.

These statistics are based on detection verdicts of Kaspersky products received from users who consented to providing statistical data.

Figures of the year

In 2021, Kaspersky mobile products and technologies detected:

• 3,464,756 malicious installation packages
• 97,661 new mobile banking Trojans
• 17,372 new mobile ransomware Trojans

Trends of the year

In 2021, we observed a downward trend in the number of attacks on mobile users. But it is too early to celebrate: attacks are becoming more sophisticated in terms of both malware functionality and vectors.

Last year saw repeat incidents of malicious code injection into popular apps through ad SDKs, as in the sensational case of CamScanner — we found malicious code inside ad libraries in the official APKPure client, as well as in a modified WhatsApp build.

Experts also continued to find malware in apps on Google Play, despite Google’s efforts to keep threats off the platform. Especially notable in 2021 were the Joker Trojan, which signs victims up to paid subscriptions, the Facestealer Trojan, which steals credentials from Facebook accounts, and various banking Trojan loaders. The most common way to sneak malware onto Google Play is for a Trojan to mimic a legitimate app already published on the site (for example, a photo editor or a VPN service) with the addition of a small piece of code to decrypt and launch a payload from the Trojan’s body or download it from the attackers’ server. Often, to complicate dynamic analysis, unpacking actions are performed through commands from the attackers’ server and in several steps: each decrypted module contains the address of the next one, plus instructions for decrypting it.

Besides apps with actual malicious functionality, there are various scamming apps on Google Play — for example, ones that imitate services where you can apply for welfare payments and redirect the user to a page asking for their data and payment of a fee.

Banking Trojans acquired new capabilities in 2021. The Fakecalls banker, which targets Korean users, drops outgoing calls to the victim’s bank and plays pre-recorded operator responses stored in the Trojan’s body. The Sova banker steals cookies, enabling attackers to access the user’s current session and personal mobile banking account without knowing the login credentials. The Vultur backdoor uses VNC (Virtual Network Computing) to record the smartphone screen; when the user opens an app that is of interest to attackers, they can monitor the on-screen events.

Another interesting find in 2021 was the first Gamethief-type mobile Trojan aimed at stealing account credentials for the mobile version of PlayerUnknown’s Battlegrounds (PUBG).

After 2020, which was full of newsbreaks and opportunities for masking malware, for example, as Covid19 trackers or video conferencing apps, the pandemic topic gradually faded in the reporting year. There were no new global cybercriminal trends. Of the few examples of exploiting a trending topic was the Joker Trojan on Google Play, which masquerades as an app with a background wallpaper in the style of Squid Game.

Speaking of mobile threats, we cannot fail to mention the high-profile investigation of the Pegasus spyware. Because protection against such programs is quite a live issue, we drew up some recommendations on how to guard against advanced spyware (or, at any rate, greatly complicate the intruder’s task).

Statistics

Number of installation package

In 2021, we detected 3,464,756 mobile malicious installation packages, down 2,218,938 from the previous year. Overall, the number of mobile malware installation packages dropped to around 2019 levels.

Number of detected malicious installation packages, 2018–2021 (download)

Number of attacks on mobile users

The number of attacks fell smoothly throughout the reporting period, reaching in H2 2021 the lowest monthly average in the past two years.

Number of attacks on mobile users, 2019–2021 (download)

Geography of mobile threats

Map of infection attempts by mobile malware, 2021 (download)

Top 10 countries by share of users attacked by mobile malware

^{* Excluded from the rating are countries with relatively few users of Kaspersky mobile technologies (under 10,000).
** Unique users attacked as a percentage of all users of Kaspersky mobile technologies in the country.}

For the fifth year in a row, Iran topped the leaderboard by share of infections: 40.22% of users there encountered mobile threats. As in the previous year, this was largely due to the active distribution of adware from the AdWare.AndroidOS.Notifyer family.

In second place is China (28.86%), where users most often crossed paths with potentially unwanted apps from the RiskTool.AndroidOS.Wapron family. Members of this family target victims’ mobile accounts, in particular by sending chargeable text messages on behalf of the victim as payment for supposedly viewing porn.

Not far behind in third place lies Saudi Arabia (27.99%), where users most often came across adware from the AdWare.AndroidOS.HiddenAd family.

Distribution of detected mobile threats by type

Distribution of new detected mobile threats by type, 2020 and 2021 (download)

As in 2020, adware (42.42%) accounted for the largest share of all detected threats in the reporting period, despite a fall of 14.83 p.p. against 2020.

Potentially unwanted RiskTool apps (35.27%) ranked second; their share increased by 13.93 p.p. after a sharp decline in 2019–2020.

In third place were Trojan threats (8.86%), whose share rose by 4.41 p.p.

Distribution of attacks by type of software used

Distribution of attacks by type of software used, 2021 (download)

In 2021, as in previous years, the largest share of attacks on mobile users belonged to malware (80.69%). At the same time, the share of adware-based attacks continued to grow: 16.92% versus 14.62% in 2020, while the share of attacks using RiskWare-class apps fell (2.38% versus 3.21%).

Mobile adware

In the reporting period, as in 2020, more than half of all detected adware (53.66%) came from the Ewind family, an aggressive form of adware that tracks user actions and resists deletion.

Top 10 adware families detected in 2021

^{* Share of the adware family packages in the total number of adware packages.}

RiskTool-class apps

In 2021, SMSreg regained its supremacy among RiskTool-class threats: 90.96% of detected apps of this type were members of this family. In absolute terms, the number of SMSreg packages more than doubled compared to 2020 to 1,111,713 apps. A characteristic feature of this family is making payments (for example, money transfers or subscriptions to mobile services) by text message without explicitly informing the user.

Top 10 RiskTool families detected in 2021

^{* Share of the RiskTool family packages in the total number of RiskTool packages.}

Top 20 mobile malware programs

Note that the malware rankings below exclude riskware or PUAs, such as RiskTool or adware.

^{* Unique users attacked by this malware as a percentage of all attacked users of Kaspersky mobile technologies.}

As per tradition, first place in our Top 20 went to DangerousObject.Multi.Generic (33.69%), the verdict we use for malware detected using cloud technologies. Cloud technologies are deployed when the antivirus databases lack data for detecting a piece of malware, but the company’s cloud already contains information about the object. This is essentially how the latest malware types are detected.

Trojan-SMS.AndroidOS.Agent.ado (6.65%), which sends text messages to short premium numbers, moved up from sixth to second position. Victims of this malware are predominantly in Russia.

In third place was the verdict DangerousObject.AndroidOS.GenericML (4.92%). These verdicts are assigned to files recognized as malicious by our machine-learning systems.

Fourth position was taken by Trojan-Spy.AndroidOS.SmsThief.po (3.91%), whose main function is to monitor incoming text messages and send captured data to the cybercriminals’ server.

In fifth place was Trojan.AndroidOS.Agent.vz (3.68%), a malicious module that forms a link in the infection chain of various Trojans and is responsible for downloading other modules, in particular the above-mentioned Ewind adware.

Trojan-Downloader.AndroidOS.Necro.d (3.58%), which downloads, installs and runs other apps on command, dropped to sixth place.
Trojans from the Triada family ranked seventh, ninth and fourteenth in the ranking. These are used to download and run other malicious programs on the infected device. Users infected with Triada also frequently encounter the above-mentioned Trojan-Downloader.AndroidOS.Necro.d, as well as Trojan.AndroidOS.Whatreg.b (eighth place, 3.02%), which allows cybercriminals to link new WhatsApp accounts to victims’ phone numbers and use them at will, and also Trojan-Dropper.AndroidOS.Agent.rp (seventeenth place, 1.75%), which decrypts payloads from APK file resources before downloading and running other malware.

Tenth and eleventh places go to members of the Trojan-Dropper.AndroidOS.Hqwar family of droppers that unpack and run various banking Trojans on the victim’s device. After a rise in the number of attacks by this malware in 2020, the number of detections in the reporting period fell back to 2019 levels.

Twelfth position is taken by a member of the Trojan.AndroidOS.MobOk.ad family (2.78%), which subscribes users to paid services.
Thirteenth place belongs to Trojan.AndroidOS.Hiddad.gx (2.11%), tasked with displaying advertising banners and ensuring a permanent presence on the device by hiding the icon in the app bar.

In fifteenth place is Trojan-SMS.AndroidOS.Fakeapp.b (1.91%), which can send text messages and make calls to specified numbers, display ads and hide its icon on the device. Most users attacked by this malware were located in Russia.

Exploit.AndroidOS.Lotoor.be (1.84%), an exploit used to elevate privileges on Android devices to superuser, lies in sixteenth position. Members of this family are found bundled with other common malware such as Triada and Necro.

Eighteenth place is secured by the HackTool.AndroidOS.Wifikill.c utility (1.60%), whose task is to carry out DOS attacks on Wi-Fi networks to disconnect other users.

In nineteenth place is Trojan-Banker.AndroidOS.Agent.eq (1.58%). Hiding behind this verdict are mostly banking Trojans from the Wroba family, and more than half of attacks targeted Japan.

Trojan-Downloader.AndroidOS.Agent.kx (1.55%), which is distributed with legitimate software and downloads adware, rounds out our Top 20.

Mobile banking Trojans

In 2021, we detected 97,661 installation packages for mobile banking Trojans, which is down 59,049 from the previous year. The largest contributors to the statistics were the Trojan-Banker.AndroidOS.Agent (37.69% of all detected banking Trojans), Trojan-Banker.AndroidOS.Bray (21.08%) and Trojan-Banker.AndroidOS.Fakecalls (9.91%) families.

Number of installation packages of mobile banking Trojans detected by Kaspersky, 2018–2021 (download)

After sharp growth in the number of attacks by mobile banking Trojans starting H2 2020, we have seen a gradual decrease since the spring of 2021.

Number of attacks by mobile banking Trojans, 2020–2021 (download)

Top 10 mobile banking Trojans

^{* Unique users attacked by this malware as a percentage of all users of Kaspersky mobile technologies that were attacked by banking threats.}

In 2021, Trojan-Banker.AndroidOS.Agent.eq (19.22%) topped the list of banking Trojans we detected, having also featured in our overall Top 20 ranking of mobile threats. In second place is the banker Anubis.t (14.93%). Third and fourth positions were claimed by bankers from the Svpeng family: Svpeng.t (8.98%) and Svpeng.q (7.58%).

Geography of mobile banking threats, 2021 (download)

Top 10 countries by shares of users attacked by mobile banking trojans

^{* Excluded from the rating are countries with relatively few users of Kaspersky mobile technologies (under 10,000).
** Unique users attacked by mobile banking Trojans in the country as a percentage of all users of Kaspersky mobile technologies in the country.}

In 2021, Japan ranked first by share of unique users attacked by mobile bankers (2.18%). The above-mentioned Trojan-Banker.AndroidOS.Agent.eq made the biggest contribution: 96.12% of all attacks.

Silver belongs to Spain (1.55%), where Trojan-Banker.AndroidOS.Bian.h was most often encountered (28.97%). And bronze goes to Turkey (0.71%), where Trojan-Banker.AndroidOS.Agent.ep (32.22%) leads the way.

Mobile ransomware Trojans

In 2021, we detected 17,372 installation packages for mobile ransomware Trojans — 3,336 fewer than last year.

Number of installation packages for mobile ransomware Trojans detected by Kaspersky, 2018–2021 (download)

What is more, the number of attacks by mobile ransomware Trojans, after a sharp increase in H2 2020, remained at the same level with a slight dip by the end of 2021.

Number of attacks by mobile ransomware Trojans, 2020–2021 (download)

Top 10 mobile ransomware Trojans

^{* Unique users attacked by this malware as a percentage of all users of Kaspersky mobile technologies that were attacked by ransomware Trojans.}

In 2021, Trojan-Ransom.AndroidOS.Pigetrl.a topped the leaderboard of ransomware Trojans with 59.39% of all users attacked by ransomware. Moreover, 91.67% of attacks by this Trojan hit users in Russia. Unlike traditional representatives of the Trojan-Ransom class, this malware does not demand a ransom, but simply locks the device screen with a prompt to enter a code. The Trojan provides no instructions on how to get this code, which is embedded in the body of the malware.

In second place by popularity among cybercriminals are members of the long familiar Trojan-Ransom.AndroidOS.Rkor family, taking seven positions in the Top 10. This malware accuses the user of viewing prohibited content and demands payment of a fine.

Geography of mobile ransomware Trojans, 2021 (download)

Top 10 countries by share of users attacked by mobile ransomware Trojans

^{* Excluded from the rating are countries with relatively few users of Kaspersky mobile technologies (under 10,000).
** Unique users attacked by mobile ransomware Trojans in the country as a percentage of all users of Kaspersky mobile technologies in the country.}

The top-placed countries by number of users attacked by mobile ransomware Trojans in 2021 were Kazakhstan (0.80%), Yemen (0.37%) and Kyrgyzstan (0.25%). Users in Kazakhstan and Kyrgyzstan most often encountered members of the Trojan-Ransom.AndroidOS.Rkor family, and in Yemen Trojan-Ransom.AndroidOS.Pigetrl.a.

Conclusion

In the reporting period, after a surge in H2 2020, cybercriminal activity gradually abated: there were no global newsbreaks or major campaigns, and the Covid-19 topic began to fade. At the same time, new players continue to emerge on the cyberthreat market as malware becomes more sophisticated; thus, the fall in the overall number of attacks is “compensated” by the greater impact of a successful attack. Most dangerous of all in this regard are banking malware and spyware.

As in 2020, adware makes up the lion’s share of newly detected mobile threats, but its lead over the previous frontrunner — potentially unwanted software — is shrinking. That said, more than 80% of attacks are still carried out using mobile malware.