Victor Chebyshev – Securelist
https://securelist.com

IT threat evolution in Q2 2021. Mobile statistics
https://securelist.com/it-threat-evolution-q2-2021-mobile-statistics/103636/
Thu, 12 Aug 2021 10:00:19 +0000

These statistics are based on detection verdicts of Kaspersky products received from users who consented to providing statistical data.

Quarterly figures

In Q2 2021, according to data from Kaspersky Security Network:

  • 14,465,672 malware, adware and riskware attacks were prevented.
  • The largest share of all detected threats accrued to RiskTool programs — 38.48%.
  • 886,105 malicious installation packages were detected, of which:
  • 24,604 packages were mobile banking Trojans;
  • 3,623 packages were mobile ransomware Trojans.

Quarterly highlights

Android’s own security has changed dramatically since the first devices shipped with Android 1.6 Donut, the release with which Android began its rise to the dominant mobile OS. Google Play Protect is worth highlighting, and app permissions have been tightened considerably: apps now have to request permissions from the user explicitly. Moreover, the security subsystem was moved into a separately updatable component, independent of the device manufacturer. Yet there is one thing that the old 1.6 release and the latest Android 11 have in common, and it significantly weakens the operating system’s security: the freedom to install apps from third-party sources. It’s great in terms of user-friendliness — I use it myself almost every day — but from a security point of view it gives all sorts of cybercriminals a real “window of opportunity”. It’s also why third-party distribution platforms for Android apps have mushroomed. These platforms offer the most diverse range of downloads, from clones of popular apps to different types of malware. The platform itself is not the only danger, however. The client app used to browse such a platform is just as much of a risk, because, like the official Google Play client, it downloads and installs apps onto the system.

In Q2 2021, we discovered that the popular APKPure app had been infected with a malicious module. Its developers had embedded an unvetted advertising SDK which downloaded Trojans to users’ devices without their knowledge; in other words, a Trojan dropper made its way into the program along with the SDK. What the malware did next depended on the Android version of the infected device. Users of relatively recent versions got off more lightly with just intrusive advertising and paid subscriptions, whereas devices running older versions were exposed to a whole range of threats, including the xHelper mobile Trojan.

The chart below shows the number of mobile threats detected on devices with Kaspersky security solutions installed.

Number of attacks targeting users of Kaspersky mobile solutions, Q2 2020 — Q2 2021

Mobile threats clearly are not letting up, and the number of attacks remains persistently high. The number of malware, adware and riskware attacks exceeded the 14.4 million mark in the second quarter.

Mobile threat statistics

Kaspersky detected 886,105 malicious installation packages in Q2 2021, which is 565,555 fewer than in the previous quarter and 359,789 fewer than in Q2 2020.

Number of detected malicious installation packages, Q2 2020 — Q2 2021

Distribution of detected mobile malware by type

Distribution of newly detected mobile malware by type, Q1 and Q2 2021

The largest share of the threats detected in Q2 2021 accrued to RiskTool programs (38.48%). Their share rose sharply, by 23.04 p.p., against a background of falling adware detections. The vast majority of detected apps of this type (93.52%) belong to the SMSreg family.

Adware came second (34.10%), down 27.33 p.p. from the previous quarter. The worst offenders were the Ewind family (52.38% of all detected adware), HiddenAd (18.11%) and FakeAdBlocker (13.56%).

Trojans of various types complete the top three (16.48%), their share up 8.21 p.p. The families that stood out were Mobtes (84.89%), Boogr (7.71%) and Plangton (1.53%).

Top 20 mobile malware programs

Note that the malware rankings below exclude PUAs, such as riskware or adware.

Verdict %*
1 DangerousObject.Multi.Generic 39.94
2 Trojan-Spy.AndroidOS.SmsThief.po 10.03
3 Trojan-SMS.AndroidOS.Agent.ado 5.68
4 DangerousObject.AndroidOS.GenericML 4.29
5 Trojan.AndroidOS.Agent.vz 3.85
6 Trojan-Dropper.AndroidOS.Agent.rp 3.56
7 Trojan.AndroidOS.Triada.el 3.33
8 Trojan-Downloader.AndroidOS.Necro.d 3.21
9 Trojan.AndroidOS.Triada.ef 3.09
10 Trojan.AndroidOS.MobOk.ad 3.01
11 Trojan-Dropper.AndroidOS.Hqwar.bk 2.81
12 Trojan.AndroidOS.Hiddad.gx 2.77
13 Trojan.AndroidOS.Whatreg.b 2.51
14 Trojan-Dropper.AndroidOS.Triada.ap 2.51
15 Trojan-Downloader.AndroidOS.Gapac.d 2.37
16 Trojan-Dropper.AndroidOS.Hqwar.cf 1.90
17 Trojan-Downloader.AndroidOS.Agent.kx 1.90
18 Trojan.AndroidOS.Triada.dq 1.89
19 Trojan-Banker.AndroidOS.Svpeng.t 1.88
20 HackTool.AndroidOS.Wifikill.c 1.86

* Unique users attacked by this malware as a percentage of all attacked users of Kaspersky mobile solutions.

The DangerousObject.Multi.Generic verdict (39.94%), which we apply to all malware detected with cloud technology, tops the list as usual. Cloud technology kicks in when the local antivirus databases lack signatures for a piece of malware but the company’s cloud already holds information about the object. This is essentially how the newest malware is detected.

Second place went to Trojan-Spy.AndroidOS.SmsThief.po (10.03%), whose main task is monitoring incoming text messages and forwarding the intercepted data to the cybercriminals’ server. The malware is essentially a “Russian doll”: the outer layer is a Trojan dropper, and the encrypted DEX file of SmsThief.po itself is buried deep within the distributed APK. This Trojan mostly targeted users in Russia.

The Top 3 was rounded out by Trojan-SMS.AndroidOS.Agent.ado (5.68%), which sends text messages to premium-rate short numbers, draining the victim’s mobile account. For the attack to succeed, the Trojan waits for the operator’s confirmation request (Advice of Charge) and replies to it. Like the previous Trojan, Agent.ado mostly targets users in Russia.

Fourth place was taken by DangerousObject.AndroidOS.GenericML (4.29%). This verdict is assigned to files recognized as malicious by our machine-learning systems.

Fifth place went to Trojan.AndroidOS.Agent.vz (3.85%), which downloads a payload while serving as a payload for another malicious object. Cybercriminals create these types of chains to ensure malware remains on the device. Even if the victim removes one of the links in the chain, their device is bound to be reinfected by another.

Another “Russian doll” came sixth: Trojan-Dropper.AndroidOS.Agent.rp (3.56%). Its outer layer is Java code that calls into a native library to decrypt a DEX file stored elsewhere in the APK. The inner layer, which we detect as Trojan-Downloader.AndroidOS.Agent.ki, carries out the second stage of the attack. Our telemetry shows that users hit by Agent.rp also encounter Trojan-Dropper.AndroidOS.Triada.ap (2.51%, 14th place), Trojan.AndroidOS.Whatreg.b (2.51%, 13th place) and Trojan-Downloader.AndroidOS.Necro.d (3.21%, 8th place). It’s quite likely that all of these Trojans detected in Q2 2021 were part of the same campaign and served as links in a single infection chain. The same applies to the other members of the Trojan.AndroidOS.Triada family ranked seventh, ninth and eighteenth.
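The “Russian doll” layout described for SmsThief.po and Agent.rp (an outer dropper, an encrypted DEX hidden in the APK, a native library that decrypts it) leaves traces that can be screened for statically before any dynamic analysis. The script below is an added example of such a triage check; it is not Kaspersky tooling or code taken from the samples. The APK it builds in memory is constructed for the demonstration, and the entry names, entropy threshold and minimum blob size are the example’s own assumptions.

```python
"""Static triage of an APK for dropper-style 'Russian doll' layouts.

Added example (not Kaspersky code). Flags entries that look like a hidden
or encrypted DEX and notes native libraries that could be doing the
decryption. The sample APK below is constructed for the demonstration.
"""
import hashlib
import io
import math
import zipfile
from collections import Counter

DEX_MAGIC = b"dex\n"          # first 4 bytes of the DEX magic ("dex\n035\0", "dex\n038\0", ...)
ELF_MAGIC = b"\x7fELF"        # native libraries under lib/<abi>/
ZIP_MAGIC = b"PK\x03\x04"     # nested APK/JAR/ZIP carried by a dropper
HIGH_ENTROPY = 7.5            # bits per byte; encrypted or compressed data sits near 8.0
MIN_BLOB_SIZE = 1024          # ignore tiny files when looking for encrypted payloads
# Resource types that are legitimately high-entropy because they are already compressed
COMPRESSED_EXT = (".png", ".jpg", ".jpeg", ".webp", ".gif", ".ogg", ".mp3", ".mp4", ".ttf", ".gz")


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty or constant input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def _is_standard_dex(name: str) -> bool:
    # classes.dex, classes2.dex, ... at the APK root are where the declared code lives
    return "/" not in name and name.startswith("classes") and name.endswith(".dex")


def triage_apk(apk_bytes: bytes) -> dict:
    """Return the suspicious entries grouped by what they suggest."""
    report = {"hidden_dex": [], "encrypted_blobs": [], "native_libs": [], "nested_archives": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            data = zf.read(name)
            head = data[:4]
            if head == DEX_MAGIC:
                if not _is_standard_dex(name):
                    report["hidden_dex"].append(name)      # plain DEX outside classes*.dex
            elif head == ELF_MAGIC:
                report["native_libs"].append(name)
            elif head == ZIP_MAGIC:
                report["nested_archives"].append(name)     # dropper carrying a second APK
            elif (len(data) >= MIN_BLOB_SIZE
                  and not name.lower().endswith(COMPRESSED_EXT)
                  and shannon_entropy(data) >= HIGH_ENTROPY):
                report["encrypted_blobs"].append(name)     # candidate for an encrypted DEX
    # A native library next to an opaque blob is the layout described for Agent.rp:
    # the Java stub calls into the .so, which decrypts the DEX and loads it.
    report["russian_doll_candidate"] = bool(
        report["native_libs"] and (report["encrypted_blobs"] or report["hidden_dex"])
    )
    return report


def pseudo_random(n: int, seed: bytes = b"sample") -> bytes:
    """Deterministic high-entropy bytes standing in for an encrypted payload."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def build_sample_apk() -> bytes:
    """Constructed sample APK mimicking the dropper layout; not a real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", '<manifest package="com.example.dropper"/>')
        zf.writestr("classes.dex", DEX_MAGIC + b"035\0" + b"\0" * 512)          # outer stub
        zf.writestr("lib/arm64-v8a/libdecrypt.so", ELF_MAGIC + b"\0" * 256)     # decryptor
        zf.writestr("assets/ad_sdk.bin", pseudo_random(4096))                   # "encrypted DEX"
        zf.writestr("assets/config.json", b'{"endpoint": "placeholder"}')
        zf.writestr("res/raw/loader.bin", DEX_MAGIC + b"035\0" + b"\0" * 512)   # renamed DEX
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in triage_apk(build_sample_apk()).items():
        print(f"{key}: {value}")
```

Run it against a real APK by passing the file’s bytes to `triage_apk`. The entropy threshold will also catch legitimately packed assets (game data, model files), so treat a hit as a reason to look at the native library’s exports and the Java code that calls `DexClassLoader`, not as a verdict on its own.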

Our Top 10 is completed by Trojan.AndroidOS.MobOk.ad (3.01%), the main aim of which is subscribing victims to paid mobile services. MobOk family malware attacked mobile users in Russia more often than in any other country.

Droppers from the Hqwar family (Trojan-Dropper.AndroidOS.Hqwar.bk and Hqwar.cf) came eleventh and sixteenth in Q2. The number of known objects in this family keeps growing and had reached 370,744 files by the time this report was compiled.

Twelfth place went to Trojan.AndroidOS.Hiddad.gx (2.77%), which displays banner ads, maintains a persistent presence on the device and hides its icon from the app drawer.

Fifteenth place went to Trojan-Downloader.AndroidOS.Gapac.d (2.37%) — a Trojan which is also a link in a chain of infection and essentially serves to download other malware.

The Trojan that came in seventeenth in Q2 was Trojan-Downloader.AndroidOS.Agent.kx (1.90%). It is spread through legitimate software and serves the main task of downloading advertising apps.

The well-known banking Trojan Svpeng (1.88%), which we’ve written about on multiple occasions, came in nineteenth place.

Last in our Top 20 is HackTool.AndroidOS.Wifikill.c, a tool for denial-of-service (DoS) attacks that knock users off a Wi-Fi network. The attacker forces victims to reconnect to the same network so that the handshake can be captured and a MitM attack mounted.

Geography of mobile threats

Map of infection attempts by mobile malware, Q2 2021

Top 10 countries by share of users attacked by mobile malware

Country* %**
1 Iran 23.79
2 Saudi Arabia 23.09
3 China 18.97
4 Algeria 18.47
5 India 16.68
6 Morocco 12.97
7 Malaysia 12.81
8 Nigeria 11.76
9 Ecuador 11.54
10 Bangladesh 11.31

* Excluded from the rankings are countries with relatively few users of Kaspersky mobile security solutions (under 10,000).
** Share of unique users attacked as a percentage of all users of Kaspersky mobile security solutions in the country.

Iran was the most frequently targeted country in Q2 2021 by share of attacked users (23.79%). The most commonly encountered threats were annoying adware from the AdWare.AndroidOS.Notifyer and AdWare.AndroidOS.Fyben families.

Saudi Arabia is in second place (23.09%). Users in this country most frequently encountered adware, but from the AdWare.AndroidOS.HiddenAd and AdWare.AndroidOS.FakeAdBlocker families.

China rounded out the top three (18.97%); there the most common threats came from the riskware families RiskTool.AndroidOS.SmsPay and RiskTool.AndroidOS.Wapron. Both target the victim’s mobile account: the former abuses a shady SMS monetization scheme used in certain games, while the latter sends text messages purportedly as payment for viewing porn. Another Trojan high on the list of threats in China was Trojan.AndroidOS.Najin.a.

Mobile banking Trojans

In the reporting period, we detected 24,604 installation packages for mobile banking Trojans, 710 fewer than in Q1 2021 and 16,801 fewer than in Q2 2020.

The most prolific family was Trojan-Banker.AndroidOS.Agent, which accounted for 66.23% of all detected banking Trojan packages. Also notable were Trojan-Banker.AndroidOS.Gustuff (8.19%) and Trojan-Banker.AndroidOS.Anubis (6.86%). Interestingly, the latter is one of the most dangerous financial Trojans, yet according to our telemetry it is rarely encountered in the wild.

Number of mobile banking Trojan installation packages detected by Kaspersky, Q1 and Q2 2021

Ten most common mobile bankers

Verdict %*
1 Trojan-Banker.AndroidOS.Svpeng.t 20.90
2 Trojan-Banker.AndroidOS.Agent.eq 19.46
3 Trojan-Banker.AndroidOS.Svpeng.q 8.92
4 Trojan-Banker.AndroidOS.Anubis.t 7.26
5 Trojan-Banker.AndroidOS.Asacub.ce 5.44
6 Trojan-Banker.AndroidOS.Agent.ep 3.08
7 Trojan-Banker.AndroidOS.Hqwar.t 3.03
8 Trojan-Banker.AndroidOS.Agent.cf 2.43
9 Trojan-Banker.AndroidOS.Regon.p 2.40
10 Trojan-Banker.AndroidOS.Asacub.ar 2.33

* Unique users attacked by this malware as a percentage of all Kaspersky mobile security solution users who encountered banking threats.

Geography of mobile banking threats, Q2 2021

Top 10 countries by shares of users attacked by mobile banking Trojans

Country* %**
1 Japan 1.62
2 Spain 0.76
3 France 0.71
4 Turkey 0.64
5 Australia 0.50
6 Norway 0.26
7 South Korea 0.23
8 Italy 0.20
9 Finland 0.16
10 Belgium 0.15

* Excluded from the rankings are countries with relatively few users of Kaspersky mobile security solutions (under 10,000).
** Unique users attacked by mobile banking Trojans as a percentage of all Kaspersky mobile security solution users in the country.

Japan has the largest share of unique users attacked by mobile financial threats in Q2 2021 (1.62%). The malware detected most often in this country was Trojan-Banker.AndroidOS.Agent.eq, which accounted for 99% of all mobile financial attacks there.

Spain followed by a wide margin with 0.76%. The most commonly encountered malware there were Trojan-Banker.AndroidOS.Regon.p (71.38%), Trojan-Banker.AndroidOS.Agent.io (19.15%) and Trojan-Banker.AndroidOS.Cebruser.d (3.75%).

France came third (0.71%); there, too, Trojan-Banker.AndroidOS.Agent.eq (98.75%) was the dominant threat.

Mobile ransomware Trojans

In Q2 2021, we detected 3,623 installation packages for mobile ransomware Trojans, 27 more than in the previous quarter but 182 fewer than in Q2 2020.

Number of mobile ransomware Trojan installation packages detected by Kaspersky, Q1 and Q2 2021

Top 10 most common mobile ransomware

Verdict %*
1 Trojan-Ransom.AndroidOS.Pigetrl.a 66.96
2 Trojan-Ransom.AndroidOS.Rkor.an 4.65
3 Trojan-Ransom.AndroidOS.Small.as 3.85
4 Trojan-Ransom.AndroidOS.Fusob.h 2.34
5 Trojan-Ransom.AndroidOS.Rkor.au 2.29
6 Trojan-Ransom.AndroidOS.Rkor.as 2.20
7 Trojan-Ransom.AndroidOS.Rkor.aw 2.11
8 Trojan-Ransom.AndroidOS.Small.ce 1.17
9 Trojan-Ransom.AndroidOS.Rkor.at 1.02
10 Trojan-Ransom.AndroidOS.Soobek.a 1.00

* Unique users attacked by the malware as a percentage of all Kaspersky mobile security solution users attacked by ransomware Trojans.

Geography of mobile ransomware Trojans, Q2 2021

Top 10 countries by share of users attacked by mobile ransomware Trojans

Country* %**
1 Kazakhstan 0.37
2 Sweden 0.12
3 Kyrgyzstan 0.10
4 China 0.09
5 Uzbekistan 0.07
6 Saudi Arabia 0.06
7 Morocco 0.04
8 Pakistan 0.03
9 Lithuania 0.03
10 USA 0.03

* Excluded from the rating are countries with relatively few users of Kaspersky mobile security solutions (under 10,000).
** Unique users attacked by ransomware trojans as a percentage of all Kaspersky mobile security solution users in the country.

The countries with the largest shares of users attacked by mobile ransomware Trojans were Kazakhstan (0.37%), Sweden (0.12%) and Kyrgyzstan (0.10%). In Kazakhstan and Sweden users mostly encountered Trojans from the Trojan-Ransom.AndroidOS.Rkor family; in Kyrgyzstan, Trojan-Ransom.AndroidOS.Pigetrl.a was common alongside Rkor.

IT threat evolution Q1 2021. Mobile statistics
https://securelist.com/it-threat-evolution-q1-2021-mobile-statistics/102547/
Mon, 31 May 2021 10:00:35 +0000

The statistics presented here draw on detection verdicts returned by Kaspersky products as provided by users who consented to share statistical data.

Quarterly figures

According to Kaspersky Security Network, in the first quarter:

  • we detected 1,451,660 mobile installation packages, of which:
    • 25,314 packages were related to mobile banking Trojans,
    • 3,596 packages were mobile ransomware Trojans.
  • the majority (61.43%) of the discovered threats belonged to the adware category.

Quarterly highlights

A year after the world went into lockdown amid the coronavirus pandemic, our statistics suggest the topic has lost only a little of its relevance, if any. There are still threats in the wild whose names use the word “corona” in various combinations. For instance, adware from the AdWare.AndroidOS.Notifyer family was distributed in the first quarter under the guise of a file named ir.corona.viruss.apk, and open-source Backdoor.AndroidOS.Ahmyth.f backdoors bore the name com.coronavirus.info. Other notable names were tousanticovid.apk (actually the Hqwar dropper) and covid_19_radar.apk (AdWare.AndroidOS.Ewind.kp).

However, Q1 2021 was memorable not only for exploitation of the pandemic theme. The emergence of the first mobile Trojan of the Trojan-Gamethief category was perhaps the most interesting event of the quarter. This type of Trojan has so far been specific to the PC, a popular platform for game services and in-app purchases on which, unlike consoles, it is relatively easy to install malware. As a result, a black market for game accounts, and the Trojans that feed it, have existed for a long time. Real-money purchases are no less popular in mobile games, yet we had never seen an attempt to hijack an account in any mobile game. Now, eleven years after the first Android-specific Trojan appeared, we discovered a malicious file designated HEUR:Trojan-Spy.AndroidOS.Agent.xy that targets PlayerUnknown’s Battlegrounds (PUBG) accounts.

The Trojan checks for a com.tencent.ig package on the device, i.e. the mobile version of PUBG.

If the package is present, the Trojan locates configuration files containing account credentials and extracts their contents.

The Trojan then uses superuser privileges to search for credentials in the game’s files and in the OS’s protected storage.

The targets are not limited to PUBG: the Trojan is after Facebook and Twitter accounts and even attempts to find out the linked Gmail credentials.

Mobile threat statistics

Kaspersky detected 1,451,660 malicious installation packages in Q1 2021, 655,020 fewer than in Q4 2020 but 298,998 more than a year earlier.

Number of detected malicious installation packages, Q1 2020 — Q1 2021

Distribution of detected mobile apps by type

Distribution of newly detected mobile applications across types, Q1 2021 and Q4 2020

Adware accounted for the overwhelming majority (61.43%) of all threats discovered in Q1 2021, a decrease of 12 percentage points from Q4 2020. The malicious objects we most frequently encountered came from the AdWare.AndroidOS.Ewind family (65.17% of all detected threats in the category), AdWare.AndroidOS.HiddenAd (17.82%) and AdWare.AndroidOS.FakeAdBlocker (11.07%).

These were followed by RiskTool potentially unwanted applications (PUAs), up by 2 percentage points to 15.43%. Nine out of ten apps of the type that were discovered belonged to the SMSreg family.

Non-specific Trojans came third with 8.27%, their share increasing by 5 percentage points. The largest contributors were the Agent family with 45.30%, Boogr with 29.88% and Plangton with 8.11%.

Twenty most common mobile malware programs

Note that the malware rankings below exclude riskware or PUAs, such as RiskTool or adware.

Verdict %*
1 DangerousObject.Multi.Generic 32.10
2 Trojan.AndroidOS.Boogr.gsh 12.24
3 Trojan-SMS.AndroidOS.Agent.ado 6.43
4 DangerousObject.AndroidOS.GenericML 4.98
5 Trojan-Dropper.AndroidOS.Hqwar.cf 4.13
6 Trojan.AndroidOS.Agent.vz 3.50
7 Trojan-Downloader.AndroidOS.Necro.d 3.48
8 Trojan.AndroidOS.Triada.el 2.91
9 Trojan-Downloader.AndroidOS.Helper.a 2.79
10 Trojan.AndroidOS.Whatreg.b 2.32
11 Trojan-Downloader.AndroidOS.Gapac.c 2.27
12 Trojan.AndroidOS.Triada.ef 2.26
13 Trojan.AndroidOS.MobOk.ad 2.24
14 Trojan.AndroidOS.LockScreen.ar 2.17
15 Trojan-Downloader.AndroidOS.Agent.ic 2.17
16 Trojan-SMS.AndroidOS.Agent.acv 2.16
17 Trojan-Banker.AndroidOS.Agent.eq 1.98
18 Trojan.AndroidOS.Hiddad.fw 1.91
19 Exploit.AndroidOS.Lotoor.be 1.68
20 Trojan-Dropper.AndroidOS.Hqwar.di 1.65

* Unique users attacked by this malware as a percentage of all users of Kaspersky mobile solutions that were attacked.

First place in the Q1 rankings went, as usual, to DangerousObject.Multi.Generic (32.10%), the verdict we use for malware detected with cloud technology. Cloud technology kicks in when the local antivirus databases lack signatures for a piece of malware but the company’s cloud already holds information about the object. This is essentially how the newest malware is detected.

Second and fourth places went to Trojan.AndroidOS.Boogr.gsh (12.24%) and DangerousObject.AndroidOS.GenericML (4.98%). These verdicts are assigned to files recognized as malicious by our machine-learning systems.

Members of the Agent family of SMS Trojans, Agent.ado (6.43%) and Agent.acv (2.16%), occupied third and sixteenth places. In the overwhelming majority (90%) of cases these variants were detected on the devices of Russian users. They are dangerous because they both subscribe the victim to paid services without their knowledge and let cybercriminals control the victim’s bank account via an SMS banking service.

Fifth and twentieth places were taken by droppers from the Hqwar family: Trojan-Dropper.AndroidOS.Hqwar.cf (4.13%) and Hqwar.di (1.65%). These droppers remain consistently popular, with some 100,000 unique users attacked per quarter. As with the SMS Trojans, this malware was most frequently (65%) detected on the devices of Russian users.

Sixth place went to Trojan.AndroidOS.Agent.vz (3.5%), which downloads a payload while itself serving as the payload of another piece of malware. Cybercriminals build chains of this kind to make sure the malware stays on the device: even if the victim removes one link, another reinfects it.

Seventh and ninth places went to Trojan-Downloader.AndroidOS.Necro.d (3.48%) and Trojan-Downloader.AndroidOS.Helper.a (2.79%). These Trojans are part of the kind of chain described above, which will result in persistent infection and obtrusive ads being shown on the screen of the device. Other members of the same infection sequence are Trojan.AndroidOS.Triada.el (2.91%) and Trojan.AndroidOS.Triada.ef (2.26%), which occupied eighth and twelfth places, respectively. They are designed for downloading suitable exploits, which the Necro and Helper Trojans can use for gaining a foothold on the device.

Tenth place went to the quarter’s novelty, Trojan.AndroidOS.Whatreg.b (2.32%), which deserves a story of its own. The creators of this malware went to the trouble of reverse-engineering the WhatsApp registration protocol and its data exchange with the server in order to register new accounts on command.

Trojan code with WhatsApp server lines

The cybercriminals can use the accounts obtained this way however they wish, e.g. for sending spam, or sell them on the black market. The latter is particularly dangerous for the victim: WhatsApp registration is tied to a phone number, so any illegal activity involving the account, such as distribution of prohibited content, will point law enforcement at the unsuspecting user. Notably, 85% of the users on whose devices the Trojan was found were located in Russia.

The second ten opens with Trojan-Downloader.AndroidOS.Gapac.c (2.27%). Like several of the Trojans above, it is a link in an infection chain and downloads further modules. It is more primitive in design, though: its C2 address is obfuscated with a basic scheme that works on the numeric codes of ASCII characters.

Trojan.AndroidOS.MobOk.ad (2.24%), a family capable of subscribing the user to paid services, came thirteenth. MobOk malware programs attempted to attack mobile users in Russia more frequently than in any other country.

Trojan.AndroidOS.LockScreen.ar (2.17%), in fourteenth place, has been among the twenty most common mobile malware types for several quarters. This primitive Trojan locks the device screen, preventing normal use.

Trojan-Downloader.AndroidOS.Agent.ic (2.17%), another malware tool that downloads other applications when commanded by cybercriminals, occupied fifteenth place.

Seventeenth place went to the Trojan-Banker.AndroidOS.Agent.eq verdict (1.98%). It is assigned to various financial threat families, in particular, Wroba, Asacub and many other bankers.

Trojan.AndroidOS.Hiddad.fw (1.91%) was eighteenth. This type of malware is designed to entrench itself on the device and display advertising banners.

Exploit.AndroidOS.Lotoor.be (1.68%), a local exploit used for elevating privileges on the device to superuser, came nineteenth. Widespread families, such as Necro, Helper and Triada, use its services to establish themselves on the device and get access to the file system, which pushed Lotoor.be onto the list of twenty.

Geography of mobile threats

Map of infection attempts by mobile malware, Q1 2021

Ten countries with the largest shares of users attacked by mobile malware

Country* %**
1 Iran 25.80
2 China 16.39
3 Saudi Arabia 13.99
4 Algeria 13.22
5 Morocco 10.62
6 Turkey 10.43
7 Yemen 10.05
8 Nigeria 9.82
9 India 8.08
10 Kenya 8.02

* Excluded from the rankings are countries with relatively few users of Kaspersky mobile security solutions (under 10,000).
** Share of unique users attacked as a percentage of all users of Kaspersky mobile security solutions in the country.

Iran led in terms of the share of attacked users in Q1 2021 with 25.80%. The most frequently encountered of all threats relevant to Iranians were the pestilent adware modules belonging to the AdWare.AndroidOS.Notifyer and AdWare.AndroidOS.Fyben families.

China came second with 16.39%, with Chinese users most frequently encountering the RiskTool.AndroidOS.SmsPay and RiskTool.AndroidOS.Wapron PUA families. Both target the victim’s mobile account: the former sends text messages to make purchases inside games that use a questionable SMS monetization scheme, and the latter sends text messages purportedly as payment for viewing porn.

In Saudi Arabia, which came third with 13.99%, users most commonly encountered AdWare.AndroidOS.HiddenAd and AdWare.AndroidOS.FakeAdBlocker adware.

Mobile banking Trojans

We found 25,314 mobile banking Trojan installers during the reporting period, a decrease of 8,528 from the previous quarter and a decrease of 16,801 year on year.

The largest contributors to these figures were the Trojan-Banker.AndroidOS.Agent (57.51% of all installation packages detected), Trojan-Banker.AndroidOS.Wroba (7.98%), and Trojan-Banker.AndroidOS.Gustuff (7.64%) families. Interestingly enough, the capabilities of Trojan-Banker.AndroidOS.Gustuff make it virtually the most dangerous financial Trojan, but it is not frequently seen in the wild.

Number of mobile banking Trojan installers detected by Kaspersky, Q1 2020 — Q1 2021

Ten most common mobile bankers

Verdict %*
1 Trojan-Banker.AndroidOS.Agent.eq 22.06
2 Trojan-Banker.AndroidOS.Anubis.t 11.01
3 Trojan-Banker.AndroidOS.Svpeng.q 9.67
4 Trojan-Banker.AndroidOS.Asacub.ce 5.62
5 Trojan-Banker.AndroidOS.Asacub.snt 5.03
6 Trojan-Banker.AndroidOS.Anubis.n 4.66
7 Trojan-Banker.AndroidOS.Asacub.bv 3.66
8 Trojan-Banker.AndroidOS.Agent.ep 3.56
9 Trojan-Banker.AndroidOS.Hqwar.t 3.43
10 Trojan-Banker.AndroidOS.Agent.cf 2.52

* Unique users attacked by this malware as a percentage of all Kaspersky mobile security solution users who encountered banking threats.

Members of the Asacub family occupied three positions out of ten among mobile bankers in Q1 2021, with the Asacub-like Trojan-Banker.AndroidOS.Agent.eq taking the lead with 22.06%.

Members of the Trojan-Banker.AndroidOS.Anubis family, Anubis.t (11.01%) and Anubis.n (4.66%), were second and sixth, respectively. The family consists of classic mobile financial threats with a well-established feature set: abuse of Accessibility Services, overlay phishing windows, bypassing of two-factor authentication and screenshotting. The leak of the family’s source code into the public domain ensured its popularity.
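The capability set just listed for Anubis (Accessibility Services, overlay windows, SMS interception for 2FA codes) leaves traces in an app’s manifest before any code runs, and the same combination shows up in the other bankers in this table. Below is an added example, not Kaspersky’s detection logic, that scores a decoded AndroidManifest.xml (text form, as produced by apktool or a similar decoder) for that combination. Both manifests, the package names, the indicator weights and the tier thresholds are this example’s own constructions and assumptions.

```python
"""Manifest-level capability scoring for banker-like Android apps.

Added example (not Kaspersky code). Works on a decoded, text-form
AndroidManifest.xml; a binary AXML manifest must be decoded first
(e.g. with apktool). Weights and thresholds are this example's own choice.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"
A_PERMISSION = f"{{{ANDROID_NS}}}permission"

# Permission -> (what a banker uses it for, weight)
PERMISSION_INDICATORS = {
    "android.permission.SYSTEM_ALERT_WINDOW": ("overlay windows: phishing screen drawn over a banking app", 2),
    "android.permission.RECEIVE_SMS": ("intercepting SMS one-time codes (2FA bypass)", 2),
    "android.permission.READ_SMS": ("reading stored SMS, including codes already delivered", 1),
    "android.permission.SEND_SMS": ("sending SMS: premium numbers, self-propagation", 1),
    "android.permission.REQUEST_INSTALL_PACKAGES": ("dropping further APKs", 1),
}
# Components are identified by the system permission that guards them.
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"  # weight 3
DEVICE_ADMIN_PERM = "android.permission.BIND_DEVICE_ADMIN"            # weight 2
# Screenshotting via MediaProjection needs no manifest permission and so is
# invisible here; one reason the score is a triage aid, not a verdict.


def assess_manifest(manifest_xml: str) -> dict:
    """Score a decoded manifest; returns the indicators found and a triage tier."""
    root = ET.fromstring(manifest_xml)
    result = {"package": root.get("package", "?"), "indicators": [], "score": 0,
              "accessibility_service": False, "device_admin": False}
    declared = {el.get(A_NAME) for el in root.iter("uses-permission")}
    for perm, (meaning, weight) in PERMISSION_INDICATORS.items():
        if perm in declared:
            result["indicators"].append(f"{perm}: {meaning}")
            result["score"] += weight
    for service in root.iter("service"):
        if service.get(A_PERMISSION) == ACCESSIBILITY_PERM:
            result["accessibility_service"] = True
    for receiver in root.iter("receiver"):
        if receiver.get(A_PERMISSION) == DEVICE_ADMIN_PERM:
            result["device_admin"] = True
    if result["accessibility_service"]:
        result["indicators"].append("accessibility service: reads screen content, auto-clicks dialogs, grants itself permissions")
        result["score"] += 3
    if result["device_admin"]:
        result["indicators"].append("device admin receiver: resists uninstallation")
        result["score"] += 2
    # The accessibility + overlay + SMS combination is what turns a permission
    # list into a working banker; any single item is common in benign apps.
    if result["accessibility_service"] and result["score"] >= 6:
        result["tier"] = "banker-like"
    elif result["score"] >= 3:
        result["tier"] = "review"
    else:
        result["tier"] = "low"
    return result


# Constructed manifests for the demonstration (not real samples).
BANKER_LIKE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fakebank">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Flash Update">
    <service android:name=".AccService" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

SMS_CLIENT_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.smsclient">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:label="Messages"/>
</manifest>"""

if __name__ == "__main__":
    for xml_text in (BANKER_LIKE_MANIFEST, SMS_CLIENT_MANIFEST):
        r = assess_manifest(xml_text)
        print(r["package"], r["tier"], r["score"])
        for line in r["indicators"]:
            print("  -", line)
```

A legitimate SMS client lands in the “review” tier on purpose: the SMS permissions alone are not the signal, the accessibility service plus overlay plus SMS triad is. Anything scored “banker-like” should be checked for the runtime behaviour the manifest cannot show, such as which package names the accessibility service watches for and whether it draws overlays when they come to the foreground.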

The long-familiar Trojan-Banker.AndroidOS.Svpeng.q came third with 9.67%.

Geography of mobile banking threats, Q1 2021

Ten countries with the largest shares of users attacked by mobile banking Trojans

Country* %**
1 Japan 1.59
2 Turkey 0.67
3 Germany 0.40
4 Spain 0.31
5 France 0.31
6 Australia 0.28
7 Norway 0.22
8 South Korea 0.19
9 Italy 0.16
10 Finland 0.12

* Excluded from the rankings are countries with relatively few users of Kaspersky mobile security solutions (under 10,000).
** Unique users attacked by mobile banking Trojans as a percentage of all Kaspersky mobile security solution users in the country.

Japan has the largest share of unique users attacked by mobile financial threats in Q1 2021, 1.59%. In 97% of cases, users in that country encountered Trojan-Banker.AndroidOS.Agent.ep.

Turkey followed by a wide margin with 0.67%. The most commonly encountered malware types in that country were again Agent.ep (17.85%), as well as Trojan-Banker.AndroidOS.Agent.ia (15.62%) and Trojan-Banker.AndroidOS.Cebruser.pac (15.05%).

Third came Germany (0.40%), where Trojan-Banker.AndroidOS.Agent.eq was the most widespread financial threat with 93%.

Mobile ransomware Trojans

We detected 3,596 mobile ransomware Trojan installers in Q1 2021, 1,000 fewer than in Q4 2020 and 743 fewer year on year.

Number of mobile ransomware installers detected by Kaspersky, Q1 2020 — Q1 2021

Ten most common mobile ransomware varieties

Verdict %*
1 Trojan-Ransom.AndroidOS.Pigetrl.a 50.67
2 Trojan-Ransom.AndroidOS.Small.as 6.67
3 Trojan-Ransom.AndroidOS.Rkor.an 6.29
4 Trojan-Ransom.AndroidOS.Congur.am 6.21
5 Trojan-Ransom.AndroidOS.Small.o 2.74
6 Trojan-Ransom.AndroidOS.Small.ce 2.04
7 Trojan-Ransom.AndroidOS.Rkor.snt 1.83
8 Trojan-Ransom.AndroidOS.Fusob.h 1.52
9 Trojan-Ransom.AndroidOS.Soobek.a 1.41
10 Trojan-Ransom.AndroidOS.Agent.bg 1.23

* Unique users attacked by the malware as a percentage of all Kaspersky mobile security solution users attacked by ransomware Trojans.

Trojan-Ransom.AndroidOS.Pigetrl.a led in the first quarter after attacking 50.67% of all users who faced the type of threat in question.

Pigetrl.a looks more like a nasty prank than a money-making tool. Once the device is locked, the malware demands a code without offering any way to obtain one; the message “No one is sending you a code!” on the lock screen suggests this is by design. In reality, the code is hard-coded in the Trojan body: in the sample we analyzed it was “775”. A Pigetrl.a window remains on the home screen after the device is unlocked, making removal difficult. This Trojan was first seen in 2018 and has hardly changed since, still a toy in its creator’s hands.

The remaining places in the rankings were occupied by well-known ransomware types that are far more dangerous than Pigetrl.a. It should be mentioned, however, that both in terms of the number of attacked users and in terms of detected threats, mobile ransomware Trojans have been slowly losing ground.

Geography of mobile ransomware Trojans, Q1 2021

The ten countries with the largest shares of users attacked by mobile ransomware Trojans

Country* %**
1 Kazakhstan 0.25
2 Kyrgyzstan 0.17
3 Colombia 0.16
4 China 0.07
5 Sweden 0.06
6 Saudi Arabia 0.04
7 Estonia 0.04
8 Moldova 0.03
9 Israel 0.03
10 Latvia 0.03

* Excluded from the rating are countries with relatively few users of Kaspersky mobile security solutions (under 10,000).
** Unique users attacked by ransomware Trojans as a percentage of all Kaspersky mobile security solution users in the country.

In Kazakhstan, the country with the largest (0.25%) share of users attacked by ransomware, potential victims mostly encountered members of the Trojan-Ransom.AndroidOS.Rkor family.

In Kyrgyzstan, which followed with 0.17%, users were most frequently attacked by Trojan-Ransom.AndroidOS.Rkor and Trojan-Ransom.AndroidOS.Pigetrl.a.

Mobile malware evolution 2020 https://securelist.com/mobile-malware-evolution-2020/101029/ https://securelist.com/mobile-malware-evolution-2020/101029/#comments Mon, 01 Mar 2021 14:00:29 +0000 https://kasperskycontenthub.com/securelist/?p=101029

These statistics are based on detection verdicts of Kaspersky products received from users who consented to providing statistical data.

The year in figures

In 2020, Kaspersky mobile products and technologies detected:

  • 5,683,694 malicious installation packages,
  • 156,710 new mobile banking Trojans,
  • 20,708 new mobile ransomware Trojans.

In their campaigns to infect mobile devices, cybercriminals always resort to social engineering tools, the most common of these passing a malicious application off as another, popular and desirable one. All they need to do is correctly identify the application, or at least, the type of applications, that are currently in demand. Therefore, attackers constantly monitor the situation in the world, collecting the most interesting topics for potential victims, and then use these for infection or cheating users out of their money. It just so happened that the year 2020 gave hackers a large number of powerful news topics, with the COVID-19 pandemic as the biggest of these.

Pandemic theme in mobile threats

The word “covid” in various combinations was typically used in the names of packages hiding spyware and banking Trojans, adware or Trojan droppers. Names we encountered included covid.apk, covidMapv8.1.7.apk, tousanticovid.apk, covidMappia_v1.0.3.apk and coviddetect.apk. These apps were placed on malicious websites, hyperlinks were distributed through spam, etc.

The mobile malware Trojan-Ransom.AndroidOS.Agent.aq often hid behind another popular term, “corona”. Here are a few names of malicious files: ir.corona.viruss.apk, coronalocker.zip, com.coronavirus.inf.apk, coronaalert.apk, corona.apk, corona-virusapps.com.zip, com.coronavirus.map.1.1.apk, coronavirus.china.

Of course, this was not limited to naming: the pandemic theme was also used in application user interfaces. For example, the GINP banking Trojan pretended to be an app that searched for COVID-19-infected individuals: the victim was coaxed into providing their bank card details under the pretext of a €0.75 fee charge.

The creators of another banking Trojan, Cebruser, simply named it “Coronavirus”, probably to echo the disturbing news coming from all over the world and to make some money along the way. As in the previous case, the attackers were after the bank card details and the owner’s personal information.

They came up with nothing new in terms of technique. So-called “web injectors”, which had been perfected for years, were used in both cases. When certain events are detected, the banking Trojan opens a window that displays a web page with a request for bank card details. The page can have any type of design: we have seen a request from a large bank in one case and a message about a search for COVID-19-infected individuals in another. The flexibility allows attackers to efficiently manipulate potential victims, adapting attacks to the situation both on a particular device and in the world at large.

We could conclude that the pandemic as a global phenomenon had a major effect on the mobile threat landscape, but to be true to facts, this is not entirely the case. If you look at the dynamics of attacks on mobile users in 2020, you will see that the average monthly number of attacks decreased by 865,000 compared to 2019. That number seems large, but it is only about 1.07% of total attacks, so we cannot call it a significant decrease.

Number of attacks on mobile users in 2019 and 2020 (download)

Besides, we have seen a decrease in attacks in the first half of 2020, which can be attributed to the confusion of the first months of the pandemic: hackers had other things to worry about. However, in the second half of the year, when the situation became calmer and more predictable despite lockdowns in a number of countries, we saw a clear increase in attacks.

In addition, our telemetry has shown significant growth in mobile financial threats in 2020. More on that later.

Adware

Last year was notable for both malware and adware, the two being very close in terms of capabilities. Typically, code that runs ads was embedded in a carrier application, e.g. a mobile game or a torch app, as long as it was popular enough. After the application ran, it could follow one of several scenarios, depending on its creator’s greed and the advertising module’s capabilities. If the user was lucky, they saw an advertising banner at the bottom of the carrier application window; if not, the advertising module subscribed to USER_PRESENT (device unlock) events and used a SYSTEM_ALERT_WINDOW window to display full-screen banners at random intervals.
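As an added triage example (not code from the original article or from Kaspersky), the following Python checks a decoded, plain-text AndroidManifest.xml for exactly the combination described above: the SYSTEM_ALERT_WINDOW permission together with a broadcast receiver for USER_PRESENT. The sample manifest, package name and class names are constructed for illustration; a hit is a signal to inspect the app rather than a verdict, since lock-screen replacements legitimately use both.

```python
"""Static triage heuristic for the overlay adware pattern: an app that
holds SYSTEM_ALERT_WINDOW and registers a receiver for USER_PRESENT can
show a full-screen banner every time the device is unlocked.

Input is a decoded (plain-text) AndroidManifest.xml, e.g. as produced
by apktool.  The manifest below is a constructed sample; the package
and class names in it are hypothetical.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ATTR_NAME = f"{{{ANDROID_NS}}}name"  # ElementTree key for android:name

OVERLAY_PERMISSION = "android.permission.SYSTEM_ALERT_WINDOW"
UNLOCK_ACTION = "android.intent.action.USER_PRESENT"

# Constructed sample: a "torch" app whose receiver wakes on every unlock.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.torchlight">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Super Torch">
    <activity android:name=".MainActivity"/>
    <receiver android:name=".UnlockReceiver">
      <intent-filter>
        <action android:name="android.intent.action.USER_PRESENT"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def manifest_findings(manifest_xml: str) -> dict:
    """Collect the facts the heuristic needs from one decoded manifest."""
    root = ET.fromstring(manifest_xml)
    permissions = {el.get(ATTR_NAME) for el in root.iter("uses-permission")}

    # Receivers whose intent-filter contains the device-unlock action.
    unlock_receivers = []
    for receiver in root.iter("receiver"):
        actions = {a.get(ATTR_NAME) for a in receiver.iter("action")}
        if UNLOCK_ACTION in actions:
            unlock_receivers.append(receiver.get(ATTR_NAME))

    return {
        "package": root.get("package"),
        "overlay_permission": OVERLAY_PERMISSION in permissions,
        "unlock_receivers": unlock_receivers,
    }


def is_overlay_adware_candidate(manifest_xml: str) -> bool:
    """True when both halves of the pattern are present: the app can draw
    over other apps AND it wakes up on every unlock."""
    f = manifest_findings(manifest_xml)
    return f["overlay_permission"] and bool(f["unlock_receivers"])


if __name__ == "__main__":
    print(manifest_findings(SAMPLE_MANIFEST))
    print("candidate:", is_overlay_adware_candidate(SAMPLE_MANIFEST))
```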


Ad window (left) and carrier app definition (right)

In the latter case, the problem was not just the size of the banner, but also the difficulty of identifying the application it was coming from. There were usually no technical obstacles to removing this application, and with it, the ads. We had recorded apps featuring aggressive advertising appearing in Google Play before, but 2020 proved rich in cases of this kind.

In terms of the number of attacks on mobile users, the situation around various advertising modules and applications looked more or less stable. This is probably one of the few classes of threats where the number of attacks hardly changed in 2020 as compared to the previous year.

Number of adware attacks on mobile users in 2019 and 2020 (download)

The number of unique users attacked by adware decreased slightly compared to 2019.

Users attacked by adware in 2018 through 2020 (download)

Interestingly enough, the share of adware attacks increased in relation to mobile malware in general. Whereas it was 12.85% in 2019, it reached 14.62% in 2020.

Distribution of attacks by type of software used in 2020 (download)

Adware creators are interested in obstructing the removal of their products from a mobile device. They typically work with malware developers to achieve this. An example of a partnership like that is the use of various trojan botnets: we saw a number of these cases in 2020.

The pattern is quite simple. The bot infects a mobile device and waits for a command, usually trying to avoid the victim’s attention. As soon as the owners of the botnet and their customers come to an agreement, the bot receives a command to download, install and run a payload, in this case, adware. If the victim is annoyed by the unsolicited advertising and removes the source, the bot will simply repeat the steps. In addition, trojans have been known to elevate access privileges on the device, placing adware in the system area and making the user unable to remove them without outside help.

Another example of the partnership is so-called preinstall. The manufacturer of the mobile device preloads an adware application or a component with the firmware. As a result, the device hits the shelves already infected. This is not a supply chain attack, but a premeditated step on the part of the manufacturer for which it receives extra profits. To add to that, no security solution is yet capable of reading an OS system partition to check if the device is infected. Even if detection is successful, the user is left alone with the threat, without a possibility of removing the malware quickly or easily, as Android system partitions are write protected. This vector of spreading persistent threats is likely to become increasingly popular in the absence of new effective exploits for popular Android versions.

Attacks on personal data

Almost any of the personal data stored on our smartphones can be monetized. In particular, advertisers can display targeted offerings, and attackers can access accounts with various services, such as online banking. It is thus small wonder that data is hunted: sometimes openly and sometimes illegally.

Ever since Android introduced Accessibility Services, which provide applications with access to settings and other programs, the number of malware tools that extract confidential data from mobile devices has been on the rise. The Trojan Ghimob was one of 2020’s most exciting discoveries. It stole credentials for various financial systems including online banking applications and cryptocurrency wallets in Brazil. Ghimob used Accessibility both for extracting valuable data from application windows and for interacting with the operating system. Whenever the user tried to access the Ghimob removal menu, the Trojan immediately opened the home screen to protect itself from being uninstalled.

Another exciting discovery was the Cookiethief Trojan. As the name implies, the malware targeted cookies, which store unique identifiers of web sessions and hence can be used for authorization. For example, an attacker could log in to a victim’s Facebook account and post a phishing link or spread spam. Typically, cookies on a mobile device are stored in a secure location and are inaccessible to applications, even malicious ones. To circumvent the restriction, Cookiethief tried to get root privileges on the device with the help of an exploit, before it began its malicious activities.

Apple iOS

According to various sources, the proportion of Android-powered devices in relation to all mobile devices ranges from 50% to 85% depending on the region. Apple’s iOS naturally comes second. So, what were the threats to that system in 2020? According to the Zerodium exploit marketplace, the price of an iOS exploit chain is quite impressive, albeit lower than that for Android: $2,000,000 against $2,500,000. We are not aware of the Zerodium pricing mechanics, but the information suggests that attacks on Apple devices are a very popular commodity. Effective infection is only feasible through a drive-by download.

In 2020, our colleagues at TrendMicro detected the use of Apple WebKit exploits for remote code execution (RCE) in conjunction with Local Privilege Escalation exploits to deliver malware to an iOS device. The payload was the LightSpy Trojan, whose objective was to extract personal information from a mobile device, including correspondence from instant messaging apps and browser data, take screenshots, and compile a list of nearby Wi-Fi networks. The Trojan had a modular design, with its individual components receiving updates. One of the modules discovered was a network scanner that collected information about nearby devices, including their MAC addresses and manufacturer names. TrendMicro said LightSpy distribution took advantage of news portals, such as COVID-19 update sites.

Statistics

Number of installation packages

We discovered 5,683,694 mobile malicious installation packages in 2020, which was 2,100,000 more than in 2019.

Mobile malicious installation packages for Android in 2017 through 2020 (download)

The year 2020 can be said to have broken an established downward trend in the number of mobile threats discovered. There were not any special factors driving that, though.

Number of mobile users attacked

Mobile users attacked in 2019 and 2020 (download)

The number of users attacked steadily decreased over the past year. The number of users encountering mobile threats in 2020 was on average a quarter lower than in 2019.

Geography of mobile threats in 2020 (download)

Top 10 countries by share of users attacked by mobile malware

Country* %**
Iran 67.78
Algeria 31.29
Bangladesh 26.18
Morocco 22.67
Nigeria 22.00
Saudi Arabia 21.75
India 20.69
Malaysia 19.68
Kenya 18.52
Indonesia 17.88

* Excluded from the rankings are countries with fewer than 25,000 active users of Kaspersky mobile security solutions in the reporting period.
** Users attacked in the country as a percentage of all users of Kaspersky Security for Mobile in the country.

Iran (67.78%) led by number of attacked users, mainly due to an aggressive spread of the AdWare.AndroidOS.Notifyer family. An alternative Telegram client, which we detect as RiskTool.AndroidOS.FakGram.d, acted as another widespread threat. This is not malware per se, but messages sent through the app can go to unintended recipients. A frequently detected malicious program was Trojan.AndroidOS.Hiddapp.bn, whose objective was to download adware to an infected device.

Algeria ranked second with 31.29%. The AdWare.AndroidOS.FakeAdBlocker and AdWare.AndroidOS.HiddenAd families were the most widespread ones in that country. Two of the most widespread malicious programs were Trojan-Dropper.AndroidOS.Agent.ok and Trojan.AndroidOS.Agent.sr.

Rounding out the “top three” was Bangladesh with 26.18%, where the FakeAdBlocker and HiddenAd adware families were also the most widespread ones.

Types of mobile threats

Distribution of new mobile threats by type in 2019 and 2020 (download)

Twelve of twenty-two types of mobile threats showed an increase in the number of detected installation packages in 2020, with the most significant growth demonstrated by adware: from 21.81% to 57.26%. In absolute terms, the number of packages more than quadrupled: 3,254,387 in 2020 against 764,265 in 2019. Unsurprisingly, the share of the former leader, RiskTool, dropped from 32.46% to 21.34%. Third place, as in 2019, was occupied by malware such as Trojan-Dropper (4.51%), whose share also decreased markedly, by 11.58 p.p.

Adware

The vast majority (almost 65%) of adware discovered in 2020 belonged to the Ewind family. The most common member of that family was AdWare.AndroidOS.Ewind.kp, with more than 2,100,000 installation packages.

Top 10 adware families discovered in 2020

Name of family %*
Ewind 64.93
FakeAdBlocker 15.27
HiddenAd 10.09
Inoco 2.16
Agent 1.12
Dnotua 0.84
MobiDash 0.69
SplashAd 0.66
Vuad 0.64
Dowgin 0.47

* Share of the adware family in the total number of adware packages

The Ewind family is an example of aggressive adware. Its members try to monitor the user’s activities and counteract attempts at removal. In particular, the aforementioned Ewind.kp variant displays an error message upon starting.


AdWare.AndroidOS.Ewind.kp screenshot

As soon as the user taps OK, the app window will close and its icon will be hidden from the home screen. After that, the Ewind.kp will monitor the user’s activity and display advertising windows at certain points. In addition to banners in the notification bar, the app will open promoted sites, such as online casinos, in a separate browser window.


Advertising banner (left) and open Ewind.kp browser window with a promoted website (right)

Where did the more than two million Ewind.kp packages come from? Its creators exploit the content of legitimate applications, such as icons and resource files. Resulting packages seldom do anything useful, but Ewind applications created with others’ content could fill up a fake app marketplace. They all have diverse names, icons and installation package sizes, so an unsophisticated user might not even suspect anything is amiss about the store.

The best part of it is that the AdWare.AndroidOS.Ewind.kp variant has been known since 2018, and we have never once had to adjust the process of detecting it in almost three years. Individuals who generate that many installation packages are obviously not worried about antivirus software.

RiskTool

RiskTool-class applications remained one of the three most relevant threats even without showing a significant growth in 2020. Their share declined in relation to others, but in absolute terms, the threats in that class even gained relevance. The major contributing factor was the SMSReg family, which doubled in number to 424,776 applications compared to 2019.

Top 10 RiskTool families discovered in 2020

Name of family %*
SMSreg 41.75
Robtes 16.13
Agent 9.67
Dnotua 7.72
Resharer 7.50
Skymobi 5.29
Wapron 3.42
SmsPay 2.78
PornVideo 1.41
Paccy 0.76

* Share of the RiskTool family in the total number of RiskTool packages

Other threats

The number of backdoors detected almost tripled from 28,889 in 2019 to 84,495 in 2020. However, most of the detected threats notably belonged to older families whose relevance was questionable. Where did these come from? Many members of these families became publicly available, serving as test subjects: for instance, their code was obfuscated to test the antivirus engine’s detection quality. This does not make a whole lot of sense, as obfuscation is only effective against engines with very limited capabilities. More importantly, however, the legality of these activities is doubtful: lab tests on malware code are acceptable, but publication of samples is ethically questionable at the very least.

The number of detected Android exploits increased seventeenfold. LPE exploits, relevant to Android versions 4 through 7, accounted for most of the growth. As for exploits for more recent versions of that OS, they are typically device specific.

The number of Trojan-Proxy threats increased twelvefold. This type of malware is used by hackers to establish secure tunnels which they can then use as they see fit. A major threat to the victims is the use of their mobile devices as an intermediary in criminal offenses, e.g. downloading of child pornography. This may result in law enforcement agencies taking an interest in the owner of the infected device and asking them questions they would rather avoid. For companies, a secure tunnel between an infected corporate smartphone and an unknown attacker means unauthorized third-party access to internal infrastructure, which, to put it mildly, is undesirable.

Top 20 mobile malware programs

The following malware rankings omit riskware, such as RiskTool and AdWare.

Verdict %*
1 DangerousObject.Multi.Generic 36.95
2 Trojan.AndroidOS.Boogr.gsh 9.54
3 DangerousObject.AndroidOS.GenericML 6.63
4 Trojan-Downloader.AndroidOS.Necro.d 4.08
5 Trojan-Dropper.AndroidOS.Hqwar.cf 4.02
6 Trojan-SMS.AndroidOS.Agent.ado 4.02
7 Trojan.AndroidOS.Hiddad.fi 2.64
8 Trojan.AndroidOS.Agent.vz 2.60
9 Trojan-Downloader.AndroidOS.Helper.a 2.51
10 Trojan.AndroidOS.Handda.san 1.96
11 Trojan-Downloader.AndroidOS.Agent.ic 1.80
12 Trojan-Downloader.AndroidOS.Agent.hy 1.67
13 Trojan.AndroidOS.MobOk.v 1.60
14 Trojan.AndroidOS.LockScreen.ar 1.49
15 Trojan.AndroidOS.Piom.agcb 1.49
16 Trojan.AndroidOS.Hiddapp.ch 1.46
17 Exploit.AndroidOS.Lotoor.be 1.39
18 Trojan-Dropper.AndroidOS.Hqwar.gen 1.34
19 Trojan.AndroidOS.Necro.a 1.29
20 Trojan-Dropper.AndroidOS.Agent.rb 1.26

* Share of users attacked by this type of malware in total attacked users

The leaders among the twenty most widespread malicious mobile applications were unchanged from 2019, with only their shares changing slightly. The leader was DangerousObject.Multi.Generic (36.95%), the verdict we use for malware detected by using cloud technology. The verdict is applied where the antivirus databases still lack the signatures or heuristics for detection. The most recent malware is detected that way.

The Trojan.AndroidOS.Boogr.gsh verdict ranked second with 9.54%. It is assigned to files recognized as malicious by our ML-powered system. Another result of this system’s work is objects with the verdict DangerousObject.AndroidOS.GenericML (6.63%, ranking third). The verdict is assigned to files whose structure bears a strong similarity to previously known ones.

Trojan-Downloader.AndroidOS.Necro.d (4.08%) ranked fourth. Unlike other malicious programs in that family, which are installation packages, the Necro.d variant is a native ELF executable. We typically detected that Trojan in the read-only system area. It could only make its way there via another Trojan that exploited system privileges or as part of the firmware. Necro.d apparently used the latter path, as one of its capabilities is uploading KINGROOT, a package used for elevation of privileges. Necro.d’s mission is to download, install and run other apps when instructed by attackers. In addition, it provides remote access to the shell of the infected device.

The Hqwar dropper ranked fifth and eighteenth simultaneously. This malicious “phoenix” seems to be rising from the ashes, with 39,000 users infected in 2020 compared to 28,000 in 2019. Hqwar in a nutshell:

  • This is a nesting-doll malicious program that has an external dropper shell next to an obfuscated DEX executable payload.
  • Its main objective is evading detection by the antivirus engine if the device has a security solution installed.
  • Banking Trojans typically serve as the payload.
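As an added example (not code from the article or from Kaspersky), the following Python scans an APK for DEX files stored under names other than classes*.dex, the layout a nesting-doll dropper relies on when the inner payload is kept in plain form; the APK and file names below are constructed in memory. Payloads stored encrypted, as with the Agent.rb dropper described later, will not match the DEX magic and need dynamic analysis instead.

```python
"""Triage check for the "nesting doll" dropper layout: an APK whose
assets contain an extra DEX payload hidden under an arbitrary file name.

Every zip member is checked for the DEX header magic ("dex\n0NN\0")
regardless of its extension.  The APK built here is a constructed
stand-in; the file names inside it are hypothetical.
"""
import io
import re
import zipfile

# DEX versions in the wild are 035, 037, 038, 039; match any "0NN".
DEX_MAGIC = re.compile(rb"^dex\n0[0-9]{2}\x00")
EXPECTED_DEX = re.compile(r"classes\d*\.dex")  # classes.dex, classes2.dex ...


def build_sample_apk() -> bytes:
    """Constructed APK-like zip: a normal classes.dex plus a second DEX
    stashed in assets/ under an innocuous font name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<binary xml placeholder>")
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
        z.writestr("assets/fonts/roboto.ttf", b"dex\n038\x00" + b"\x01" * 64)
        z.writestr("res/drawable/icon.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
    return buf.getvalue()


def find_embedded_dex(apk_bytes: bytes) -> list:
    """Return (member name, hidden?) for every zip member that starts with
    the DEX magic.  'hidden' is True when the name is not a root-level
    classes*.dex, i.e. the file is not where Android expects code."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            with z.open(info) as f:
                head = f.read(8)  # magic is 8 bytes; no need to inflate more
            if DEX_MAGIC.match(head):
                hidden = EXPECTED_DEX.fullmatch(info.filename) is None
                findings.append((info.filename, hidden))
    return findings


def hidden_dex_names(apk_bytes: bytes) -> list:
    """Just the suspicious members, for a quick verdict line."""
    return [name for name, hidden in find_embedded_dex(apk_bytes) if hidden]


if __name__ == "__main__":
    apk = build_sample_apk()
    for name, hidden in find_embedded_dex(apk):
        print(f"{'HIDDEN ' if hidden else 'normal '} {name}")
```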

Number of users attacked by Hqwar droppers in 2019 and 2020 (download)

In most cases, banking Trojans unloaded by Hqwar were focused on targets in Russia, specifically, applications operated by Russian financial institutions.

Top 10 countries by number of users attacked by Hqwar

Country Number of attacked users
1 Russia 305861
2 Turkey 22138
3 Spain 15160
4 Italy 8314
5 Germany 3659
6 Poland 3072
7 Egypt 2938
8 Australia 2465
9 Great Britain 1446
10 USA 1351

Trojan-SMS.AndroidOS.Agent.ado (4.02%) ranked sixth in the Top 20 list of mobile malicious programs. This is a typical example of the kind of old-school text-message scams that were popular in 2011 and 2012. Their enduring relevance is a surprise. The Trojan targets Russian-speaking audiences, as Russia is a country with a mature market for buying content by sending text messages to premium-rate phone numbers. This is a modern design, though: the Trojan uses an obfuscator as protection against reverse engineering and detection, and receives commands from external operators. Agent.ado is distributed under the guise of an app installer.

Trojan.AndroidOS.Hiddad.fi (2.64%) ranked seventh. This Trojan handles installation of adware in an infected system, but it can display ads as well.

Trojan.AndroidOS.Agent.vz (2.60%) ranked eighth. It is a malicious module loaded by other Trojans, including members of the Necro family. It serves as an intermediate link in the infection chain and is responsible for downloading further modules, for instance the Ewind adware mentioned above.

Trojan-Downloader.AndroidOS.Helper.a (2.51%) ranked ninth. It exemplifies the difficulty sometimes encountered in removing mobile malware from the system. Helper is part of a chain that includes Trojans elevating their access rights on the device and writing themselves or Helper to the system area. In addition, the Trojans make changes to the factory reset process, leaving the user few chances to get rid of the malware without outside help. The approach is nothing new, but we saw plenty of users complaining on the Internet about the difficulty they were having removing Helper, something we had not seen before.

Trojan.AndroidOS.Handda.san (1.96%) rounds out the first ten. This verdict is an umbrella for a whole group of malicious programs, which include trojans with shared capabilities: icon hiding, obtaining Device Admin rights and using packers to counteract detection.

Trojans in the Trojan-Downloader.AndroidOS.Agent family ranked eleventh and twelfth, their only objective being downloading a payload when instructed by the operators. In both cases, the payload is encrypted and traffic cannot be interpreted to indicate what exactly is being loaded onto the device.

Trojan.AndroidOS.MobOk.v (1.60%) ranked thirteenth. MobOk trojans can automatically subscribe a victim to paid services. They attempted to attack users in Russia more frequently than others in 2020.

The primitive Trojan.AndroidOS.LockScreen.ar Trojan (1.49%) ranked fourteenth. This malware was first spotted in 2017. Locking the device screen is its only mission.

Trojan.AndroidOS.Hiddapp.ch (1.46%) ranked sixteenth. We assign this verdict to any app that hides its icon in the list of apps immediately upon starting. Subsequent steps may vary, but these are typically downloading or dropping other apps, or displaying ads.

Exploit.AndroidOS.Lotoor.be (1.39%), a local exploit for elevating privileges to the superuser, ranked seventeenth. Its popularity should not be surprising, as this type of malware is capable of downloading Necro, Helper and other Trojans in our Top 20.

Trojan.AndroidOS.Necro.a (1.29%), which ranked nineteenth, is a chain of Trojans. It takes root in the system, and it sometimes proves difficult to remove, along with associated Trojans.

Rounding out our Top 20 is Trojan-Dropper.AndroidOS.Agent.rb (1.26%). It serves various groups, and the objects it is used to pack include both malware and perfectly legitimate software. There are notably two variants: in the first, the code for decrypting the payload is located in a native library loaded from the main DEX file, and in the second, the dropper code is concentrated within the body of the main DEX file.

Mobile banking trojans

We detected 156,710 installation packages for mobile banking Trojans in 2020, which is twice the previous year’s figure and comparable to 2018.

Mobile banking Trojan installation packages detected by Kaspersky in 2017 through 2020 (download)

Whereas the statistics for 2018 were seriously affected by an epidemic of the Asacub trojan, the major culprits last year were objects from the Trojan.AndroidOS.Agent family. That family’s share was just 19.06% in 2019, jumping to 72.79% in 2020.

Top 10 banking trojans discovered in 2020

Name of family %*
Agent 72.79
Wroba 5.44
Rotexy 5.18
Anubis 2.88
Faketoken 2.48
Zitmo 2.16
Knobot 1.53
Gustuff 1.48
Cebruser 1.43
Asacub 1.07

* Share of the mobile banker trojan family in the total number of mobile banker trojan packages

Agent.eq was the most prolific of all Agent (72.79%) variants. The heuristics turned out to be universal, helping us detect malware belonging to Asacub, Wroba and other families.

The Korean malware Wroba, spread by its operators through smishing, in particular, by sending fake text messages from a logistics company, ranked second. Like many others of its kind, the malware shows the victim one of a number of preset phishing windows, depending on what financial app is running on the home screen.

The rest of the programs included in the rankings have been well known to researchers for a long time. One exception might be Knobot (1.53%), a relatively new player that targets financial data. Along with phishing windows and interception of 2FA verification messages, the Trojan is equipped with several tools that are uncharacteristic of financial threats. An example of these is hijacking device PINs through exploitation of Accessibility Services. The hackers might need the PIN for manually controlling the device in real time.

Attacks by mobile banking trojans in 2019 and 2020 (download)

The surge in attacks in August 2020 is attributed to the Asacub, Agent and Rotexy families. It is through their escalating spread that the stable picture observed up until July was changed.

Top 10 families of mobile bankers

Family %*
Asacub 25.63
Agent 17.97
Rotexy 17.92
Svpeng 12.81
Anubis 12.36
Faketoken 10.97
Hqwar 5.59
Cebruser 2.52
Gugi 1.45
Knobot 1.08

* Share of users attacked by the family of mobile bankers in total users attacked by mobile banking Trojans

Geography of mobile bankers attacks in 2020 (download)

Top 10 countries by share of users attacked by mobile bankers

Country* %**
1 Japan 2.83
2 Taiwan Province, China 0.87
3 Spain 0.77
4 Italy 0.71
5 Turkey 0.60
6 South Korea 0.34
7 Russia 0.25
8 Tajikistan 0.21
9 Poland 0.17
10 Australia 0.15

* Excluded from the rankings are countries with fewer than 25,000 active users of Kaspersky mobile solutions in the reporting period.
** Unique users attacked by mobile bankers in the country as a percentage of all users of Kaspersky mobile solutions in the country.

Compared to 2019, the distribution of countries by number of users attacked by mobile bankers changed significantly. Russia (0.25%), which had ranked first for three years, dropped to seventh place. Japan (2.83%), where the aforementioned Wroba raged, ranked first. The situation was similar in Taiwan (0.87%), which ranked second in our Top 10. Third was Spain (0.77%), where the most popular bankers were Cebruser and Ginp.

Italy (0.71%) ranked fourth. The most common threats in that country were Cebruser and Knobot. In Turkey (0.60%), ranked fifth, users of Kaspersky security solutions most often encountered the Cebruser and Anubis families.

The most widespread banking trojan in Russia (0.25%) was Trojan-Banker.AndroidOS.Rotexy.e, followed by Svpeng.q and Asacub.snt.

Mobile ransomware Trojans

We found 20,708 installation packages for ransomware Trojans in 2020, a 3.5-fold decrease from the previous year.

Ransomware Trojan installation packages in 2018 through 2020 (download)

Overall, the decrease in ransomware can be associated with the assumption that attackers have been converting from ransomware to bankers or combining the features of the two. Current versions of Android prevent applications from locking the screen, so even successful ransomware infection is useless.

However, in the field of mobile ransomware, we were in for a nasty surprise.

Users attacked by mobile ransomware Trojans in 2019 and 2020 (download)

Whereas the beginning of 2020 saw a decrease in the number of users attacked by ransomware trojans, we observed a spike in September, with the indicator then returning to July’s figures.

Looking closer, we found out that Trojan-Ransom.Win32.Encoder.jya was the most widespread type of ransomware in September. As the verdict shows, the malware is not designed for the Android platform — it is an encryptor that targets files on Windows workstations. How did that end up on mobile devices? The explanation is simple: September saw Encoder.jya spread via Telegram, and the instant messaging app has both a mobile and a desktop client. The attackers clearly targeted Windows users, while mobile users received the malware, one might say, accidentally, due to the mobile version of Telegram syncing downloads with the desktop client. Once in the smartphone memory, the malware was successfully detected by Kaspersky security solutions. A file containing Encoder.jya was most often named 2-5368451284523288935.rar or AIDS NT.rar.

Geography of mobile ransomware attacks in 2020 (download)

Top 10 countries by share of users attacked by ransomware Trojans

Country* %**
USA 2.25
Kazakhstan 0.77
Iran 0.35
China 0.21
Italy 0.14
Canada 0.11
Mexico 0.09
Saudi Arabia 0.08
Australia 0.08
Great Britain 0.07

* Excluded from the rankings are countries with fewer than 25,000 active users of Kaspersky mobile solutions in the reporting period.
** Unique users attacked by mobile ransomware in the country as a percentage of all users of Kaspersky mobile solutions in the country.

As in 2019, the United States was the country with the most attacked users (2.25%) in 2020. The most common family of mobile ransomware in the country was Svpeng. Kazakhstan (0.77%) ranked second again, Rkor being the most widespread ransomware in that country. Iran (0.35%) remained in third position in our Top 10. The most common type of mobile ransomware there was Trojan-Ransom.AndroidOS.Small.n.

Conclusion

The 2020 pandemic has affected every aspect of our lives, and the landscape of mobile threats has been no exception. We saw a decrease in the number of attacks in the first half of the year, which can be attributed to the confusion of the first months of the pandemic: the attackers had other things to worry about. They were back at it in the second half, though, and we saw an increase in attacks involving mobile bankers, such as Asacub and Wroba. Besides that, we saw stronger interest in banking data, both from criminal groups specializing in mass infections and from those who prefer to select their targets carefully. And this, too, was affected by the pandemic: the inability to visit a bank branch forced customers to switch to mobile and online banking, and banks, to consider stepping up the development of those services.

Another statistically interesting event was an increase in adware, with the Ewind family making a major contribution to this: we discovered more than 2,000,000 packages of the Ewind.kp variant alone. However, these volumes had little, if any, impact on attack statistics. Coupled with Ewind.kp developers’ reluctance to make changes to the core application code, this may indicate that they have opted for quantity over quality.

IT threat evolution Q3 2020. Non-mobile statistics https://securelist.com/it-threat-evolution-q3-2020-non-mobile-statistics/99404/ https://securelist.com/it-threat-evolution-q3-2020-non-mobile-statistics/99404/#comments Fri, 20 Nov 2020 10:10:15 +0000 https://kasperskycontenthub.com/securelist/?p=99404

These statistics are based on detection verdicts of Kaspersky products received from users who consented to provide statistical data.

Quarterly figures

According to Kaspersky Security Network, in Q3:

  • Kaspersky solutions blocked 1,416,295,227 attacks launched from online resources across the globe.
  • 456,573,467 unique URLs were recognized as malicious by Web Anti-Virus components.
  • Attempts to run malware for stealing money from online bank accounts were stopped on the computers of 146,761 unique users.
  • Ransomware attacks were defeated on the computers of 121,579 unique users.
  • Our File Anti-Virus detected 87,941,334 unique malicious and potentially unwanted objects.

Financial threats

Financial threat statistics

In Q3 2020, Kaspersky solutions blocked attempts to launch one or more types of malware designed to steal money from bank accounts on the computers of 146,761 users.

Number of unique users attacked by financial malware, Q3 2020

Attack geography

To evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, for each country we calculated the share of users of Kaspersky products who faced this threat during the reporting period as a percentage of all users of our products in that country.

Geography of financial malware attacks, Q3 2020

Top 10 countries by share of attacked users

Country* %**
1 Costa Rica 6.6
2 Turkmenistan 5.9
3 Tajikistan 4.7
4 Uzbekistan 4.6
5 Afghanistan 3.4
6 Syria 1.7
7 Iran 1.6
8 Yemen 1.6
9 Kazakhstan 1.5
10 Venezuela 1.5

* Excluded are countries with relatively few Kaspersky product users (under 10,000).
** Unique users whose computers were targeted by financial malware as a percentage of all unique users of Kaspersky products in the country.

First among the banker families, as in the previous quarter, is Zbot (19.7%), despite its share dropping 5.1 p.p. It is followed by Emotet (16.1%) — as we predicted, this malware renewed its activity, climbing by 9.5 p.p. as a result. Meanwhile, the share of another banker family, RTM, decreased by 11.2 p.p., falling from second position to fifth with a score of 7.4%.

Top 10 banking malware families

Name Verdicts %*
1 Zbot Trojan.Win32.Zbot 19.7
2 Emotet Backdoor.Win32.Emotet 16.1
3 CliptoShuffler Trojan-Banker.Win32.CliptoShuffler 12.2
4 Trickster Trojan.Win32.Trickster 8.8
5 RTM Trojan-Banker.Win32.RTM 7.4
6 Neurevt Trojan.Win32.Neurevt 5.4
7 Nimnul Virus.Win32.Nimnul 4.4
8 SpyEye Trojan-Spy.Win32.SpyEye 3.5
9 Danabot Trojan-Banker.Win32.Danabot 3.1
10 Gozi Trojan-Banker.Win32.Gozi 1.9

* Unique users who encountered this malware family as a percentage of all users attacked by financial malware.

Ransomware programs

Q3 2020 saw many high-profile ransomware attacks on organizations in various fields: education, healthcare, governance, energy, finance, IT, telecommunications and many others. Such cybercriminal activity is understandable: a successful attack on a major organization can command a ransom in the millions of dollars, which is several orders of magnitude higher than the typical sum for mass ransomware.

Campaigns of this type can be viewed as advanced persistent threats (APTs), and Kaspersky researchers detected the involvement of the Lazarus group in the distribution of one of these ransomware programs.

Distributors of these Trojans also began to cooperate with the aim of carrying out more effective and destructive attacks. At the start of the quarter, word leaked out that Maze operators had joined forces with distributors of LockBit, and later RagnarLocker, to form a ransomware cartel. The cybercriminals used shared infrastructure to publish stolen confidential data. Also observed was the pooling of expertise in countering security solutions.

Of the more heartening events, Q3 will be remembered for the arrest of one of the operators of the GandCrab ransomware. Law enforcement agencies in Belarus, Romania and the UK teamed up to catch the distributor of the malware, which had reportedly infected more than 1,000 computers.

Number of new modifications

In Q3 2020, we detected four new ransomware families and 6,720 new modifications of this malware type.

Number of new ransomware modifications, Q3 2019 – Q3 2020

Number of users attacked by ransomware Trojans

In Q3 2020, Kaspersky products and technologies protected 121,579 users against ransomware attacks.

Number of unique users attacked by ransomware Trojans, Q3 2020

Attack geography

Geography of attacks by ransomware Trojans, Q3 2020

Top 10 countries attacked by ransomware Trojans

Country* %**
1 Bangladesh 2.37
2 Mozambique 1.10
3 Ethiopia 1.02
4 Afghanistan 0.87
5 Uzbekistan 0.79
6 Egypt 0.71
7 China 0.65
8 Pakistan 0.52
9 Vietnam 0.50
10 Myanmar 0.46

* Excluded are countries with relatively few Kaspersky users (under 50,000).
** Unique users attacked by ransomware Trojans as a percentage of all unique users of Kaspersky products in the country.

Top 10 most common families of ransomware Trojans

Name Verdicts %*
1 WannaCry Trojan-Ransom.Win32.Wanna 18.77
2 (generic verdict) Trojan-Ransom.Win32.Gen 10.37
3 (generic verdict) Trojan-Ransom.Win32.Encoder 9.58
4 (generic verdict) Trojan-Ransom.Win32.Generic 8.55
5 (generic verdict) Trojan-Ransom.Win32.Phny 6.37
6 Stop Trojan-Ransom.Win32.Stop 5.89
7 (generic verdict) Trojan-Ransom.Win32.Crypren 4.12
8 PolyRansom/VirLock Virus.Win32.PolyRansom 3.14
9 Crysis/Dharma Trojan-Ransom.Win32.Crusis 2.44
10 (generic verdict) Trojan-Ransom.Win32.Crypmod 1.69

* Unique Kaspersky users attacked by this family of ransomware Trojans as a percentage of all users attacked by such malware.

Miners

Number of new modifications

In Q3 2020, Kaspersky solutions detected 3,722 new modifications of miners.

Number of new miner modifications, Q3 2020

Number of users attacked by miners

In Q3, we detected attacks using miners on the computers of 440,041 unique users of Kaspersky products worldwide. If in the previous quarter the number of attacked users decreased, in this reporting period the situation was reversed: from July we saw a gradual rise in activity.

Number of unique users attacked by miners, Q3 2020

Attack geography

Geography of miner attacks, Q3 2020

Top 10 countries attacked by miners

Country* %**
1 Afghanistan 5.53
2 Ethiopia 3.94
3 Tanzania 3.06
4 Rwanda 2.58
5 Uzbekistan 2.46
6 Sri Lanka 2.30
7 Kazakhstan 2.26
8 Vietnam 1.95
9 Mozambique 1.76
10 Pakistan 1.57

* Excluded are countries with relatively few users of Kaspersky products (under 50,000).
** Unique users attacked by miners as a percentage of all unique users of Kaspersky products in the country.

Vulnerable applications used by cybercriminals during cyberattacks

According to our statistics, vulnerabilities in the Microsoft Office suite continue to lead: in Q3, their share amounted to 71% of all identified vulnerabilities. Users worldwide are in no rush to update the package, putting their computers at risk of infection. Although our products protect against the exploitation of vulnerabilities, we strongly recommend the timely installation of patches, especially security updates.

First place in this category of vulnerabilities goes to CVE-2017-8570, which can embed a malicious script in an OLE object placed inside an Office document. Almost on a par in terms of popularity is the vulnerability CVE-2017-11882, exploits for which use a stack overflow error in the Equation Editor component. CVE-2017-0199 and CVE-2018-0802 likewise remain popular.

Distribution of exploits used by cybercriminals, by type of attacked application, Q3 2020

The share of vulnerabilities in Internet browsers increased by 3 p.p. this quarter to 15%. One of the most-talked-about browser vulnerabilities was CVE-2020-1380 — a use-after-free error in the jscript9.dll library of the current version of the Internet Explorer 9+ scripting engine. This same vulnerability was spotted in the Operation PowerFall targeted attack.

Also in Q3, researchers discovered the critical vulnerability CVE-2020-6492 in the WebGL component of Google Chrome. Theoretically, it can be used to execute arbitrary code in the context of a program. The similar vulnerability CVE-2020-6542 was later found in the same component. Use-after-free vulnerabilities were detected in other components too: Task Scheduler (CVE-2020-6543), Media (CVE-2020-6544) and Audio (CVE-2020-6545).

In another browser, Mozilla Firefox, three critical vulnerabilities, CVE-2020-15675, CVE-2020-15674 and CVE-2020-15673, related to incorrect memory handling, were detected, also potentially leading to arbitrary code execution in the system.

In the reporting quarter, the vulnerability CVE-2020-1464, used to bypass scans on malicious files delivered to user systems, was discovered in Microsoft Windows. An error in the cryptographic code made it possible for an attacker to insert a malicious JAR archive inside a correctly signed MSI file, circumvent security mechanisms, and compromise the system. Also detected were vulnerabilities that could potentially be used to compromise a system with different levels of privileges:

Among network-based attacks, those involving EternalBlue exploits and other vulnerabilities from the Shadow Brokers suite remain popular. Also common are brute-force attacks on Remote Desktop Services and Microsoft SQL Server, and via the SMB protocol. In addition, the already mentioned critical vulnerability CVE-2020-1472, also known as Zerologon, is network-based. This error allows an intruder in the corporate network to impersonate any computer and change its password in Active Directory.

Attacks on macOS

Perhaps this quarter’s most interesting find was EvilQuest, also known as Virus.OSX.ThifQseut.a. It is a self-replicating piece of ransomware, that is, a full-fledged virus. The last such malware for macOS was detected 13 years ago, since which time this class of threats has been considered irrelevant for this platform.

Top 20 threats for macOS

Verdict %*
1 Monitor.OSX.HistGrabber.b 14.11
2 AdWare.OSX.Pirrit.j 9.21
3 AdWare.OSX.Bnodlero.at 9.06
4 Trojan-Downloader.OSX.Shlayer.a 8.98
5 AdWare.OSX.Bnodlero.ay 6.78
6 AdWare.OSX.Pirrit.ac 5.78
7 AdWare.OSX.Ketin.h 5.71
8 AdWare.OSX.Pirrit.o 5.47
9 AdWare.OSX.Cimpli.k 4.79
10 AdWare.OSX.Ketin.m 4.45
11 Hoax.OSX.Amc.d 4.38
12 Trojan-Downloader.OSX.Agent.j 3.98
13 Trojan-Downloader.OSX.Agent.h 3.58
14 AdWare.OSX.Pirrit.gen 3.52
15 AdWare.OSX.Spc.a 3.18
16 AdWare.OSX.Amc.c 2.97
17 AdWare.OSX.Pirrit.aa 2.94
18 AdWare.OSX.Pirrit.x 2.81
19 AdWare.OSX.Cimpli.l 2.78
20 AdWare.OSX.Bnodlero.x 2.64

* Unique users who encountered this malware as a percentage of all users of Kaspersky security solutions for macOS who were attacked.

Among the adware modules and their Trojan downloaders in the macOS threat rating for Q3 2020 was Hoax.OSX.Amc.d. Known as Advanced Mac Cleaner, this is a typical representative of the class of programs that first intimidate the user with system errors or other issues on the computer, and then ask for money to fix them.

Threat geography

Geography of threats for macOS, Q3 2020

Top 10 countries by share of attacked users

Country* %**
1 Spain 6.20
2 France 6.13
3 India 5.59
4 Canada 5.31
5 Brazil 5.23
6 USA 5.19
7 Mexico 4.98
8 Great Britain 4.37
9 China 4.25
10 Italy 4.19

* Excluded from the rating are countries with relatively few users of Kaspersky security solutions for macOS (under 5,000).
** Unique users attacked as a percentage of all users of Kaspersky security solutions for macOS in the country.

Spain (6.29%) and France (6.13%) were the leaders by share of attacked users. They were followed by India (5.59%) in third place, up from fifth in the last quarter. As for detected macOS threats, the Shlayer Trojan consistently holds a leading position in countries in this Top 10 list.

IoT attacks

IoT threat statistics

In Q3 2020, the share of devices whose IP addresses were used for Telnet attacks on Kaspersky traps increased by 4.5 p.p.

Telnet 85.34%
SSH 14.66%

Distribution of attacked services by number of unique IP addresses of devices that carried out attacks, Q3 2020

However, the distribution of sessions from these same IPs in Q3 did not change significantly: the share of operations using the SSH protocol rose by 2.8 p.p.

Telnet 68.69%
SSH 31.31%

Distribution of cybercriminal working sessions with Kaspersky traps, Q3 2020

Nevertheless, Telnet still dominates both by number of attacks from unique IPs and in terms of further communication with the trap by the attacking party.
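The two charts above measure different things: the first counts each attacking device (unique IP address) once per service, the second counts every working session, so a handful of SSH bots that open many sessions each can move the second share without moving the first. The following added example (not Kaspersky's code, and the log lines are constructed with RFC 5737 documentation addresses, not honeypot data from the report) computes both shares from a small session log and shows where the gap between them comes from. It assumes a simple one-line-per-session log format, and it counts an IP that hits both services once under each service, which the report does not specify.

```python
import re
from collections import defaultdict

# Constructed honeypot session log (TEST-NET addresses; not data from the report).
# One line per session: timestamp, service, source IP, credential tried.
SAMPLE_LOG = """\
2020-07-01T00:01:07Z telnet 203.0.113.10 login=root
2020-07-01T00:01:09Z telnet 203.0.113.10 login=admin
2020-07-01T00:02:11Z telnet 203.0.113.11 login=root
2020-07-01T00:02:40Z telnet 203.0.113.12 login=support
2020-07-01T00:03:00Z ssh 198.51.100.7 login=root
2020-07-01T00:03:05Z ssh 198.51.100.7 login=root
2020-07-01T00:03:09Z ssh 198.51.100.7 login=pi
2020-07-01T00:04:00Z ssh 198.51.100.7 login=ubuntu
2020-07-01T00:05:00Z telnet 203.0.113.13 login=root
this line is deliberately malformed and must be skipped
"""

# Assumed log shape: "<timestamp> <telnet|ssh> <ipv4> <rest>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<service>telnet|ssh) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
)


def parse_sessions(text):
    """Return a list of (service, source_ip) pairs, one per session line.
    Lines that do not match the expected shape are skipped, not fatal."""
    sessions = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            sessions.append((m.group("service"), m.group("ip")))
    return sessions


def _percentages(counts):
    total = sum(counts.values())
    if total == 0:
        return {}
    return {k: round(100.0 * v / total, 2) for k, v in counts.items()}


def share_by_unique_ip(sessions):
    """Share of each service by number of distinct attacking IPs (first chart).
    Assumption: an IP that hits both services is counted once per service."""
    ips = defaultdict(set)
    for service, ip in sessions:
        ips[service].add(ip)
    return _percentages({svc: len(s) for svc, s in ips.items()})


def share_by_session(sessions):
    """Share of each service by number of sessions (second chart)."""
    counts = defaultdict(int)
    for service, _ip in sessions:
        counts[service] += 1
    return _percentages(dict(counts))


def sessions_per_ip(sessions):
    """Average sessions per attacking IP for each service: the gap between the
    two shares above is explained by this ratio."""
    counts = defaultdict(int)
    ips = defaultdict(set)
    for service, ip in sessions:
        counts[service] += 1
        ips[service].add(ip)
    return {svc: round(counts[svc] / len(ips[svc]), 2) for svc in counts}


if __name__ == "__main__":
    s = parse_sessions(SAMPLE_LOG)
    print("by unique IP:", share_by_unique_ip(s))
    print("by session:  ", share_by_session(s))
    print("sessions/IP: ", sessions_per_ip(s))
```

On the constructed log, Telnet has 80% of the attacking IPs but only about 56% of the sessions, because the single SSH source opens four sessions while each Telnet source opens one or two; this is the same effect that lets the SSH session share rise while Telnet keeps the larger number of devices.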

Geography of IP addresses of devices from which attempts were made to attack Kaspersky Telnet traps, Q3 2020

Top 10 countries by location of devices from which attacks were carried out on Kaspersky Telnet traps

Country %*
India 19.99
China 15.46
Egypt 9.77
Brazil 7.66
Taiwan, Province of China 3.91
Russia 3.84
USA 3.14
Iran 3.09
Vietnam 2.83
Greece 2.52

* Devices from which attacks were carried out in the given country as a percentage of the total number of devices in that country.

In Q3, India (19.99%) was the location of the highest number of devices that attacked Telnet traps. China (15.46%), having ranked first in the previous quarter, moved down a notch, despite its share increasing by 2.71 p.p. Egypt (9.77%) took third place, up by 1.45 p.p.

Geography of IP addresses of devices from which attempts were made to attack Kaspersky SSH traps, Q3 2020

Top 10 countries by location of devices from which attacks were made on Kaspersky SSH traps

Country %*
China 28.56
USA 14.75
Germany 4.67
Brazil 4.44
France 4.03
India 3.48
Russia 3.19
Singapore 3.16
Vietnam 3.14
South Korea 2.29

* Devices from which attacks were carried out in the given country as a percentage of the total number of devices in that country.

In Q3, as before, China (28.56%) topped the leaderboard. Likewise, the US (14.75%) retained second place. Vietnam (3.14%), however, having taken bronze in the previous quarter, fell to ninth, ceding its Top 3 position to Germany (4.67%).

Threats loaded into traps

Verdict %*
Backdoor.Linux.Mirai.b 38.59
Trojan-Downloader.Linux.NyaDrop.b 24.78
Backdoor.Linux.Mirai.ba 11.40
Backdoor.Linux.Gafgyt.a 9.71
Backdoor.Linux.Mirai.cw 2.51
Trojan-Downloader.Shell.Agent.p 1.25
Backdoor.Linux.Gafgyt.bj 1.24
Backdoor.Linux.Mirai.ad 0.93
Backdoor.Linux.Mirai.cn 0.81
Backdoor.Linux.Mirai.c 0.61

* Share of malware type in the total number of malicious programs downloaded to IoT devices following a successful attack.

Attacks via web resources

The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Cybercriminals create such sites on purpose; web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected.

Countries that are sources of web-based attacks: Top 10

The following statistics show the distribution by country of the sources of Internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites containing exploits and other malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks.

To determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established.
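The attribution step just described is a two-stage lookup: hostname to IP address, then IP address to country by longest matching prefix, with one count per blocked attack rather than per host. The example below is added here to show that pipeline in runnable form; it is not Kaspersky's code, and both lookup tables are invented stand-ins (RFC 5737 documentation ranges, made-up hostnames) for the live DNS resolution and GeoIP database a real pipeline would use.

```python
import ipaddress
from collections import Counter

# Constructed stand-in for DNS resolution: hostname -> IPv4 address.
# None models a name that no longer resolves by the time attribution runs.
DNS_TABLE = {
    "redirect-host.example": "203.0.113.44",
    "exploit-landing.example": "198.51.100.9",
    "botnet-cc.example": "192.0.2.200",
    "stale-host.example": None,
}

# Constructed stand-in for a GeoIP database: (prefix, country code).
# The overlap is deliberate: 192.0.2.200 lies in both DE's /24 and FR's /25,
# and the longer (more specific) prefix must win.
GEOIP_TABLE = [
    ("203.0.113.0/24", "NL"),
    ("198.51.100.0/24", "US"),
    ("192.0.2.0/24", "DE"),
    ("192.0.2.128/25", "FR"),
]

# Constructed list of blocked attacks, one entry per attack, so a host that
# served several attacks appears several times.
SAMPLE_BLOCKED = [
    "redirect-host.example",
    "redirect-host.example",
    "exploit-landing.example",
    "botnet-cc.example",
    "stale-host.example",
]


def build_geoip(table):
    """Parse prefixes once and order them longest-prefix-first so that the
    first match in lookup_country is the most specific one."""
    nets = [(ipaddress.ip_network(cidr), cc) for cidr, cc in table]
    return sorted(nets, key=lambda nc: nc[0].prefixlen, reverse=True)


def lookup_country(ip, geoip):
    """Return the country code covering an IP, or None if no prefix matches."""
    addr = ipaddress.ip_address(ip)
    for net, cc in geoip:
        if addr in net:
            return cc
    return None


def attack_sources_by_country(blocked_hosts, dns, geoip):
    """Count blocked attacks per source country. Hosts that do not resolve are
    kept under 'unresolved' rather than dropped, so the totals still add up."""
    counts = Counter()
    for host in blocked_hosts:
        ip = dns.get(host)
        if ip is None:
            counts["unresolved"] += 1
            continue
        counts[lookup_country(ip, geoip) or "unknown"] += 1
    return counts


def country_shares(counts):
    """Percentage of all blocked attacks per source country."""
    total = sum(counts.values())
    if total == 0:
        return {}
    return {cc: round(100.0 * n / total, 2) for cc, n in counts.items()}


if __name__ == "__main__":
    geo = build_geoip(GEOIP_TABLE)
    by_country = attack_sources_by_country(SAMPLE_BLOCKED, DNS_TABLE, geo)
    print(dict(by_country))
    print(country_shares(by_country))
```

Keeping an explicit "unresolved" bucket matters for a statistic like this one: silently dropping hosts that no longer resolve would inflate the shares of the countries that remain.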

In Q3 2020, Kaspersky solutions blocked 1,416,295,227 attacks launched from online resources located across the globe. 456,573,467 unique URLs were recognized as malicious by Web Anti-Virus.

Distribution of web attack sources by country, Q3 2020

Countries where users faced the greatest risk of online infection

To assess the risk of online infection faced by users in different countries, for each country we calculated the share of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries.

This rating only includes attacks by malicious programs that fall under the Malware class; it does not include Web Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.

Country* % of attacked users**
1 Vietnam 8.69
2 Bangladesh 7.34
3 Latvia 7.32
4 Mongolia 6.83
5 France 6.71
6 Moldova 6.64
7 Algeria 6.22
8 Madagascar 6.15
9 Georgia 6.06
10 UAE 5.98
11 Nepal 5.98
12 Spain 5.92
13 Serbia 5.87
14 Montenegro 5.86
15 Estonia 5.84
16 Qatar 5.83
17 Tunisia 5.81
18 Belarus 5.78
19 Uzbekistan 5.68
20 Myanmar 5.55

* Excluded are countries with relatively few Kaspersky users (under 10,000).
** Unique users targeted by Malware-class attacks as a percentage of all unique users of Kaspersky products in the country.

These statistics are based on detection verdicts by the Web Anti-Virus module that were received from users of Kaspersky products who consented to provide statistical data.

On average, 4.58% of Internet user computers worldwide experienced at least one Malware-class attack.

Geography of web-based malware attacks, Q3 2020

Local threats

In this section, we analyze statistical data obtained from the OAS and ODS modules in Kaspersky products. It takes into account malicious programs that were found directly on users’ computers or removable media connected to them (flash drives, camera memory cards, phones, external hard drives), or which initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.).

In Q3 2020, our File Anti-Virus detected 87,941,334 malicious and potentially unwanted objects.

Countries where users faced the highest risk of local infection

For each country, we calculated the percentage of Kaspersky product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries.

Note that this rating only includes attacks by malicious programs that fall under the Malware class; it does not include File Anti-Virus triggers in response to potentially dangerous or unwanted programs, such as RiskTool or adware.

Country* % of attacked users**
1 Afghanistan 49.27
2 Turkmenistan 45.07
3 Myanmar 42.76
4 Tajikistan 41.16
5 Ethiopia 41.15
6 Bangladesh 39.90
7 Burkina Faso 37.63
8 Laos 37.26
9 South Sudan 36.67
10 Uzbekistan 36.58
11 Benin 36.54
12 China 35.56
13 Sudan 34.74
14 Rwanda 34.40
15 Guinea 33.87
16 Vietnam 33.79
17 Mauritania 33.67
18 Tanzania 33.65
19 Chad 33.58
20 Burundi 33.49

* Excluded are countries with relatively few Kaspersky users (under 10,000).
** Unique users on whose computers Malware-class local threats were blocked, as a percentage of all unique users of Kaspersky products in the country.
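The per-country tables in this report (financial malware, web threats, local threats) all use the same recipe: count each user once however many detections they had, divide by all users of the product in that country, and drop countries below a minimum user count before ranking. The family tables use a different denominator, all attacked users, so their shares can add up to more than 100% when one user meets several families. The following added example (not Kaspersky's code; the population and detection events are constructed, with a threshold of 3 standing in for the report's 10,000 and 50,000) implements both calculations.

```python
from collections import defaultdict

# Constructed sample population (not report data). ALL_USERS lists every
# protected user as (country, user_id); DETECTIONS lists detection events as
# (country, user_id, family). A user may appear in several events.
ALL_USERS = [
    ("CR", "u1"), ("CR", "u2"), ("CR", "u3"), ("CR", "u4"), ("CR", "u5"),
    ("TM", "u1"), ("TM", "u2"), ("TM", "u3"), ("TM", "u4"),
    ("XX", "u1"), ("XX", "u2"),          # too few users: must be excluded
]
DETECTIONS = [
    ("CR", "u1", "Zbot"),
    ("CR", "u1", "Emotet"),              # same user, a second family
    ("CR", "u1", "Zbot"),                # same user, same family, second event
    ("CR", "u2", "Zbot"),
    ("TM", "u1", "RTM"),
    ("XX", "u1", "Zbot"),
]
MIN_USERS = 3   # stand-in for the report's 10,000 / 50,000 exclusion threshold


def country_attack_share(all_users, detections, min_users):
    """Percentage of unique users attacked per country, counting each user
    once, for countries with at least min_users protected users."""
    base = defaultdict(set)
    for country, uid in all_users:
        base[country].add(uid)
    attacked = defaultdict(set)
    for country, uid, _family in detections:
        attacked[country].add(uid)
    shares = {}
    for country, users in base.items():
        if len(users) < min_users:
            continue                      # the "* Excluded are countries..." rule
        hit = attacked[country] & users   # ignore events for unknown users
        shares[country] = round(100.0 * len(hit) / len(users), 2)
    return shares


def top_n(shares, n):
    """Rank countries by share, highest first; ties broken by name."""
    return sorted(shares.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def family_shares(detections):
    """Unique users who met each family as a percentage of all attacked users.
    A user who met two families counts once for each, so the total can exceed
    100%, which is why these tables are not additive."""
    attacked_users = set()
    per_family = defaultdict(set)
    for country, uid, family in detections:
        key = (country, uid)              # user ids are only unique per country
        attacked_users.add(key)
        per_family[family].add(key)
    if not attacked_users:
        return {}
    return {fam: round(100.0 * len(u) / len(attacked_users), 2)
            for fam, u in per_family.items()}


if __name__ == "__main__":
    shares = country_attack_share(ALL_USERS, DETECTIONS, MIN_USERS)
    print("per-country share:", shares)
    print("top:", top_n(shares, 10))
    print("family shares:", family_shares(DETECTIONS))
```

With this data CR scores 40% (2 of 5 users, the three events for u1 collapsing to one user), TM 25%, and XX is excluded despite having an attacked user; the family shares come to 75% + 25% + 25%, illustrating why the family tables cannot be read as a partition of attacked users.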

Geography of local infection attempts, Q3 2020

Overall, 16.40% of user computers globally faced at least one Malware-class local threat during Q3.

The figure for Russia was 18.21%.

IT threat evolution Q3 2020 Mobile statistics https://securelist.com/it-threat-evolution-q3-2020-mobile-statistics/99461/ https://securelist.com/it-threat-evolution-q3-2020-mobile-statistics/99461/#respond Fri, 20 Nov 2020 10:05:31 +0000 https://kasperskycontenthub.com/securelist/?p=99461

The statistics presented here draw on detection verdicts returned by Kaspersky products and received from users who consented to providing statistical data.

Quarterly figures

According to Kaspersky Security Network, the third quarter saw:

  • 1,189,797 detected malicious installers, of which
    • 39,051 packages were related to mobile banking trojans;
    • 6,063 packages proved to be mobile ransomware trojans.
  • A total of 16,440,264 attacks on mobile devices were blocked.

Quarterly highlights

In Q3 2020, Kaspersky mobile protective solutions blocked 16,440,264 attacks on mobile devices, an increase of 2.2 million on Q2 2020.

Number of attacks on mobile devices, Q1 2019 – Q3 2020

It is too early for conclusions now – we need to wait for the year’s results – but comparing Q3 2020 with Q3 2019 reveals a substantial difference: the number of attacks dropped by more than 2.7 million. One may conclude that cybercriminals have not yet reached last year’s volume of attacks.

It is worth noting that in Q3 2020, the share of users attacked by malware increased, whereas the number of users who encountered adware and grayware decreased.

Proportions of users who encountered various threat classes in the total number of attacked users, Q3 2020

In Q3 2020, the share of users who encountered adware decreased by four percentage points according to our data. Notably, the complexity of these applications is no lower than that of malware. For instance, some adware samples detected in Q3 2020 use the KingRoot tool to obtain superuser privileges on the device. This bodes no good for the user: not only is the device’s overall level of security compromised, but the ads also cannot be removed with the stock tools available on the device.

The third quarter reinforced the trend for the number of mobile users encountering stalkerware to drop.

Number of devices running Kaspersky Internet Security for Android on which stalkerware was detected in 2019 – 2020

The decrease is harder to explain this time around. It was probably caused by self-isolation in Q1 and Q2. Although big cities did not fully restore their levels of activity in Q3, people increasingly began to leave their homes and hence became of interest to the users of stalker applications.

Mobile threat statistics

In Q3 2020, Kaspersky solutions detected 1,189,797 malicious installation packages, 56,097 more than in the previous quarter.

Number of detected malicious installers, Q2 2019 – Q3 2020

For the first time in a year, the number of detected mobile threats dropped when compared to the previous period. This was no ordinary year, though. A lot hinges on the level of activity of cybercriminals behind the threat family, so it is too early to call this a changing trend.

Distribution of detected mobile applications across types

Distribution of newly detected mobile applications across types, Q2 and Q3 2020

The share of adware (44.82%) has declined for a second consecutive quarter, but the pace of the decline is not strong enough to declare this type of threat as losing its relevance.

The Ewind adware family (48% of all adware detected) was most common in Q3, followed by the FakeAdBlocker family with 32% and HiddenAd with 6%.

The only class of threats that displayed significant growth in Q3 2020 was grayware, i.e. RiskTool (33.54%), with its share rising by more than 13 percentage points. The greatest contributor to this was the Robtes family with 45% of the total detected grayware programs. It was followed by Skymoby and SMSreg, with 15% and 13%, respectively.

The share of trojan-clickers rose by one percentage point in Q3 2020 on account of the Simpo family with its 96% share of all clickers detected.

Twenty most common mobile malware programs

Note that the malware rankings below exclude riskware or grayware, such as RiskTool or adware.

Verdict %*
1 DangerousObject.Multi.Generic 36.22
2 Trojan.AndroidOS.Boogr.gsh 8.26
3 DangerousObject.AndroidOS.GenericML 6.05
4 Trojan-SMS.AndroidOS.Agent.ado 5.89
5 Trojan-Dropper.AndroidOS.Hqwar.cf 5.15
6 Trojan.AndroidOS.Hiddad.fi 4.65
7 Trojan.AndroidOS.Piom.agcb 4.28
8 Trojan-Downloader.AndroidOS.Necro.d 4.10
9 Trojan.AndroidOS.Agent.vz 3.90
10 Trojan-Downloader.AndroidOS.Helper.a 3.42
11 Trojan.AndroidOS.MobOk.v 2.83
12 Trojan-Downloader.AndroidOS.Agent.hy 2.52
13 Trojan-SMS.AndroidOS.Agent.adp 2.20
14 Trojan.AndroidOS.Hiddad.fw 1.81
15 Trojan-Downloader.AndroidOS.Agent.ic 1.75
16 Trojan.AndroidOS.Handda.san 1.72
17 Trojan-Dropper.AndroidOS.Hqwar.gen 1.55
18 Trojan.AndroidOS.LockScreen.ar 1.48
19 Trojan-Downloader.AndroidOS.Malota.a 1.28
20 Trojan-Dropper.AndroidOS.Agent.rb 1.14

* Unique users attacked by this malware as a percentage of all users of Kaspersky solutions who were attacked.

As usual, first place in the Q3 rankings went to DangerousObject.Multi.Generic (36.22%), the verdict we use for malware detected with cloud technology. The technology is triggered when antivirus databases do not yet contain data for detecting the malware at hand, but the anti-malware company’s cloud already contains information about the object. This is essentially how the latest malicious programs are detected.

Second and third places went to Trojan.AndroidOS.Boogr.gsh (8.26%) and DangerousObject.AndroidOS.GenericML (6.05%), respectively. These two verdicts are assigned to files recognized as malicious by our machine-learning-powered systems.

Fourth and thirteenth places went to the Agent family of SMS trojans. Around 95% of users attacked by these trojans were located in Russia, which is unusual, as we have always found the popularity of SMS trojans as a threat class to be very low, especially in Russia. The names of the detected files often allude to games and popular applications.

Fifth and seventeenth places were taken by members of the Trojan-Dropper.AndroidOS.Hqwar family. This was the most numerous family in its class in Q3 2020, with 40% of the total detected droppers. It was followed by Agent (32%) and Wapnor (22%).

Sixth and fourteenth positions in the rankings were occupied by the Trojan.AndroidOS.Hiddad malware, which displays ad banners.

Interestingly enough, our rankings of mobile threats for Q3 2020 include five different families of the Trojan-Downloader class. Two malware varieties, Trojan-Downloader.AndroidOS.Necro.d (4.10%) and Trojan-Downloader.AndroidOS.Helper.a (3.42%), belong to one infection chain, so it is little wonder their shares are so close. Both trojans are associated with the spreading of aggressive adware. Two others, Trojan-Downloader.AndroidOS.Agent.hy (2.52%) and Trojan-Downloader.AndroidOS.Agent.ic (1.75%), were discovered back in 2019 and are members of one family. The final trojan, Trojan-Downloader.AndroidOS.Malota.a (1.28%), has been known since 2019 and appears unremarkable. All of the listed trojans serve the main purpose of downloading and running executable code.

Eleventh position belongs to Trojan.AndroidOS.MobOk.v (2.83%), a member of the MobOk family. This malware can auto-subscribe the target to paid services. It attempted to attack mobile users in Russia more frequently than residents of other countries.

Trojan.AndroidOS.LockScreen.ar (1.48%), in eighteenth place, is worth a separate mention. This primitive device-locking trojan was first seen in 2017. We have since repeatedly detected it with mobile users, 95% of these in Russia. The early versions of the trojan displayed an insulting political message in a mixture of Russian and poor English. Entering “0800” unlocked the device, and the trojan could then be removed with stock Android tools. LockScreen.ar carried no other malicious functions besides locking the device. However, it was accompanied by two Windows executables.

Both files are malicious, detected as Trojan-Ransom.Win32.Petr.a and Trojan-Ransom.Win32.Wanna.b, the most infamous among Windows ransomware trojans. Neither poses any threat to Android, and LockScreen.ar does not use them in any way. In other words, a mobile device infected with LockScreen.ar cannot infect a Windows workstation, so the presence of these two executables has no rational explanation.

In recent versions of LockScreen, the cybercriminals changed the lock screen design.

The unlock code changed, too, to 775. The trojan’s capabilities were unchanged, and the Windows executables were removed from the package.

Geography of mobile threats

Map of infection attempts by mobile malware, Q3 2020

Ten countries with the largest shares of users attacked by mobile malware

Country* %**
1 Iran 30.29
2 Bangladesh 17.18
3 Algeria 16.28
4 Yemen 14.40
5 China 14.01
6 Nigeria 13.31
7 Saudi Arabia 11.91
8 Morocco 11.12
9 India 11.02
10 Kuwait 10.45

* Excluded from the rankings are countries with relatively few users of Kaspersky Security for Mobile (under 10,000).
** Share of unique users attacked in the country as a percentage of all users of Kaspersky Security for Mobile in the country.

The three countries where mobile threats were detected on Kaspersky users’ devices most frequently remained unchanged. Bangladesh and Algeria exchanged positions, with the former rising to second place with 17.18% and the latter dropping to third place with 16.28%. Iran retained its leadership even as it lost 12.33 percentage points: 30.29% of users in that country encountered mobile threats in Q3 2020.

The AdWare.AndroidOS.Notifyer adware was the most frequent one. Members of this family accounted for nearly ten of the most widespread threats in Iran.

Frequently encountered in Algeria was the Trojan-SMS.AndroidOS.Agent.adp trojan, which occupied third place in that country, as well as AdWare.AndroidOS.BrowserAd family malware (fourth place) and the Trojan-Spy.AndroidOS.SmsThief.oz spyware trojan (fifth place).

The most widespread adware in Bangladesh was the HiddenAd family which hides itself on the application list, and members of the AdWare.AndroidOS.Loead and AdWare.AndroidOS.BrowserAd families, which occupied fourth and fifth places, respectively, in that country.

Mobile web threats

The statistics presented here are based on detection verdicts returned by the Web Anti-Virus module that were received from users of Kaspersky products who consented to providing statistical data.

In Q3 2020, we continued to assess the risks posed by web pages employed by hackers for attacking Kaspersky Security for Mobile users.

Geography of the countries with the highest risk of infection via web resources, Q3 2020

Ten countries with the highest risk of infection

Country* % of attacked users**
Ecuador 6.33
Morocco 4.51
Algeria 4.27
India 4.11
Saudi Arabia 3.78
Singapore 3.69
Kuwait 3.66
Malaysia 3.49
South Africa 3.31
UAE 3.12

* Excluded are countries with relatively few users of Kaspersky mobile products (under 10,000).
** Unique users targeted by all types of web attacks as a percentage of all unique users of Kaspersky mobile products in the country.

As in Q2 2020, residents of Ecuador (6.33%), Morocco (4.51%) and Algeria (4.27%) encountered various web-based threats most frequently during the reporting period.

Countries where mobile web threats originated

Geography of countries where mobile attacks originated, Q3 2020

Ten countries where the largest numbers of mobile attacks originated

Country %*
Netherlands 37.77
Dominican Republic 26.33
USA 24.56
Germany 4.60
Singapore 3.32
Bulgaria 0.88
Ireland 0.52
Russia 0.50
Romania 0.49
Poland 0.21

* Share of sources in the country out of the total number of sources.

As in Q2 2020, the Netherlands was the biggest source of mobile attacks with 37.77%. It was followed by the Dominican Republic (26.3%), which pushed the United States (24.56%) to third place.

Mobile banking trojans

During the reporting period, we found 39,051 mobile banking trojan installers, only 100 fewer than in Q2 2020.

Number of mobile banking trojan installers detected by Kaspersky, Q2 2019 – Q3 2020 (download)

The biggest contributions to our statistics for Q3 2020 came from the creators of the Trojan-Banker.AndroidOS.Agent family trojans: 71.27% of all banker trojans detected. The Trojan-Banker.AndroidOS.Rotexy family (9.23%) came second, far behind the leader, and immediately followed by Trojan-Banker.AndroidOS.Wroba (4.91%).

Ten most commonly detected bankers

Verdict %*
1 Agent 71.27
2 Rotexy 9.23
3 Wroba 4.91
4 Gustuff 4.40
5 Faketoken 2.10
6 Anubis 1.79
7 Knobot 1.23
8 Cebruser 1.21
9 Asacub 0.82
10 Hqwar 0.67

* Unique users attacked by mobile bankers as a percentage of all Kaspersky Security for Mobile users who faced banking threats.

Speaking of specific samples of mobile bankers, Trojan-Banker.AndroidOS.Agent.eq (11.26%) rose to first place in Q3 2020. Last quarter’s leader, Trojan-Banker.AndroidOS.Svpeng.q (11.20%), came second, followed by Trojan-Banker.AndroidOS.Rotexy.e (10.68%).

Ten most common mobile bankers

Verdict %*
1 Trojan-Banker.AndroidOS.Agent.eq 11.26
2 Trojan-Banker.AndroidOS.Svpeng.q 11.20
3 Trojan-Banker.AndroidOS.Rotexy.e 10.68
4 Trojan-Banker.AndroidOS.Asacub.ce 6.82
5 Trojan-Banker.AndroidOS.Asacub.snt 6.60
6 Trojan-Banker.AndroidOS.Anubis.n 4.66
7 Trojan-Banker.AndroidOS.Hqwar.t 4.08
8 Trojan-Banker.AndroidOS.Agent.ep 3.67
9 Trojan-Banker.AndroidOS.Knobot.h 3.31
10 Trojan-Banker.AndroidOS.Asacub.a 3.04

* Unique users attacked by this malware as a percentage of all Kaspersky Security for Mobile users who encountered banking threats.

It is worth noting that the Agent.eq banker has a lot in common with the Asacub trojan whose varieties occupied three out of the ten positions in our rankings.

Geography of mobile banking threats, Q3 2020 (download)

Ten countries with the largest shares of users attacked by mobile banking trojans

Country* %**
1 Japan 1.89
2 Taiwan Province, China 0.48
3 Turkey 0.33
4 Italy 0.31
5 Spain 0.22
6 Korea 0.17
7 Tajikistan 0.16
8 Russia 0.12
9 Australia 0.10
10 China 0.09

* Excluded from the rankings are countries with relatively few users of Kaspersky Security for Mobile (under 10,000).
** Unique users attacked by mobile banking trojans as a percentage of all Kaspersky Security for Mobile users in the country.

The geographical distribution of financial mobile threats underwent a significant change in Q3 2020. The largest share of detections (1.89%) was registered in Japan, where the prevalent malware variety, which attacked 99% of users, was Trojan-Banker.AndroidOS.Agent.eq. Taiwan (0.48%) presented exactly the same situation.

Turkey, which was third with 0.33%, had a slightly different picture. The most frequently encountered malware varieties in that country were Trojan-Banker.AndroidOS.Cebruser.pac (56.29%), followed by Trojan-Banker.AndroidOS.Anubis.q (7.75%) and Trojan-Banker.AndroidOS.Agent.ep (6.06%).

Mobile ransomware trojans

In Q3 2020, we detected 6,063 installation packages of mobile ransomware trojans, a fifty-percent increase on Q2 2020.

Number of mobile ransomware installers detected by Kaspersky, Q2 2019 – Q3 2020 (download)

It appears that it is too early to write off mobile ransomware trojans just yet. This class of threats is still popular with hackers who generated a sufficiently large number of installation packages in Q3 2020.

Judging by KSN statistics, the number of users who encountered mobile ransomware increased as well.

Number of users who encountered mobile ransomware, Q2 2019 – Q3 2020 (download)

Top 10 mobile ransomware varieties

Verdict %*
1 Trojan-Ransom.AndroidOS.Small.as 13.31
2 Trojan-Ransom.AndroidOS.Small.o 5.29
3 Trojan-Ransom.AndroidOS.Piom.ly 5.21
4 Trojan-Ransom.AndroidOS.Agent.bq 4.58
5 Trojan-Ransom.AndroidOS.Rkor.z 4.45
6 Trojan-Ransom.AndroidOS.Congur.y 3.80
7 Trojan-Ransom.AndroidOS.Small.ce 3.62
8 Trojan-Ransom.AndroidOS.Congur.am 2.84
9 Trojan-Ransom.AndroidOS.Soobek.a 2.79
10 Trojan-Ransom.AndroidOS.Rkor.x 2.72

* Unique users attacked by the malware as a percentage of all Kaspersky Mobile Antivirus users attacked by ransomware trojans.

Trojan-Ransom.AndroidOS.Small.as (13.31%) retained its leadership in Q3 2020. It was followed by Trojan-Ransom.AndroidOS.Small.o (5.29%), a member of the same family.

Geography of mobile ransomware trojans, Q3 2020 (download)

The ten countries with the largest shares of users attacked by mobile ransomware trojans

Country* %**
1 Kazakhstan 0.57
2 Kyrgyzstan 0.14
3 China 0.09
4 Saudi Arabia 0.08
5 Yemen 0.05
6 USA 0.05
7 UAE 0.03
8 Indonesia 0.03
9 Kuwait 0.03
10 Algeria 0.03

* Excluded from the rankings are countries with relatively few users of Kaspersky Security for Mobile (under 10,000).
** Unique users attacked by ransomware trojans as a percentage of all Kaspersky Security for Mobile users in the country.

Kazakhstan (0.57%), Kyrgyzstan (0.14%) and China (0.10%) saw the largest shares of users attacked by mobile ransomware trojans.

Stalkerware

This section uses statistics collected by Kaspersky Internet Security for Android.

Stalkerware was encountered less frequently in Q3 2020 than in Q3 2019. The same can be said of the entire year 2020, though. This must be another effect of the COVID-19 pandemic: users started spending much more time at home due to the restrictions, and following their family members and housemates did not require stalkerware. Those who took an interest in their coworkers’ lives had a much harder time gaining physical access to their targets’ devices amid self-isolation. Besides, the cybersecurity industry, not without our contribution, zeroed in on stalkerware, with protective solutions starting to warn users explicitly.

Number of devices running Kaspersky Internet Security for Android on which stalkerware was detected in 2019 – 2020 (download)

Developers of stalkerware have not gone anywhere. They create new designs quarter after quarter. In Q3 2020, we discovered seven hitherto-unknown stalkerware samples, which we singled out as separate families:

  • AndroidOS.CallRec.a
  • AndroidOS.Dromon.a
  • AndroidOS.Hovermon.a
  • AndroidOS.InterceptaSpy.a
  • AndroidOS.Manamon.a
  • AndroidOS.Spydev.a
  • AndroidOS.Tesmon.a

Ten most common stalkerware varieties

Verdict %*
1 Monitor.AndroidOS.Cerberus.a 13.38
2 Monitor.AndroidOS.Anlost.a 7.67
3 Monitor.AndroidOS.MobileTracker.c 6.85
4 Monitor.AndroidOS.Agent.af 5.59
5 Monitor.AndroidOS.Nidb.a 4.06
6 Monitor.AndroidOS.PhoneSpy.b 3.68
7 Monitor.AndroidOS.Reptilic.a 2.99
8 Monitor.AndroidOS.SecretCam.a 2.45
9 Monitor.AndroidOS.Traca.a 2.35
10 Monitor.AndroidOS.Alltracker.a 2.33

* Share of unique users whose mobile devices were found to contain stalkerware as a percentage of all Kaspersky Internet Security for Android users attacked by stalkerware.

Cerberus (13.38%) has topped our stalkerware rankings for a second quarter in a row. The other nine contenders are well-known spyware programs that have been in the market for a long time.

Geography of stalkerware distribution, Q3 2020 (download)

Country* Number of users
Russia 15.57%
Brazil 12.04%
India 9.90%
USA 8.02%
Germany 3.80%
Mexico 3.17%
Italy 2.50%
Iran 2.36%
Saudi Arabia 2.19%
Great Britain 1.83%

A decrease in the number of users who encountered stalkerware in Q3 2020 is typical both globally and for the three leaders.

IT threat evolution Q2 2020. Mobile statistics https://securelist.com/it-threat-evolution-q2-2020-mobile-statistics/98337/ https://securelist.com/it-threat-evolution-q2-2020-mobile-statistics/98337/#respond Thu, 03 Sep 2020 11:00:55 +0000 https://kasperskycontenthub.com/securelist/?p=98337

IT threat evolution Q2 2020. Review
IT threat evolution Q2 2020. PC statistics

These statistics are based on detection verdicts of Kaspersky products received from users who consented to provide statistical data.

Quarterly figures

According to Kaspersky Security Network, the second quarter saw:

  • 1,245,894 detected malicious installers, of which
    • 38,951 packages were related to mobile banking trojans
    • 3,805 packages proved to be mobile ransomware trojans
  • A total of 14,204,345 attacks on mobile devices were blocked

Quarterly highlights

In summing up the results of the second quarter, we will begin with the number of attacks that targeted mobile devices. In Q2 2019, we thwarted 15,137,884 attacks, but one year later, the number decreased insignificantly, to 14,204,345.

Number of attacks on mobile devices, Q1 2019 – Q2 2020 (download)

The absence of significant changes indicates that malware developers kept up their activities in the face of the coronavirus pandemic. At the same time, this shows that we are not going through an epidemic caused by any particular family or class of mobile threats. In other words, no one reached the level of Asacub in yet another quarter, which is good news.

Nevertheless, mobile security users encountered malicious files more often than adware or potentially unwanted apps.

Share of users who encountered various threat classes, Q2 2020 (download)

The number of users whose devices were found to contain adware is almost half the number of those whose devices were infected with various classes of malware. At the same time, adware is a clear leader by number of objects detected, both in the second quarter and in previous ones. What is peculiar about adware and applications with an integrated advertising module is that they are extremely difficult for the user to identify or remove. The applications themselves naturally give no warning that they will pop up half-screen or even full-screen advertisements, and telling which application is being displayed if the user did not run it is impossible without special tools.

This kind of application can be found in the official Google Play store, too, and to our utter regret, some developers are not making a conscious effort to remove questionable advertisements from their products.

Further good news from Q2 2020 is a decrease in the number of devices that were found to contain stalkerware. Several possible explanations exist as to the cause of the significant decline that we have seen since Q4 2019 – we shall talk about these in the appropriate section.

Mobile threat statistics

In Q2 2020, Kaspersky detected 1,245,894 malicious installers, an increase of 93,232 over the previous quarter.

Number of detected malicious installation packages, Q2 2019 – Q2 2020 (download)

Over the past few quarters, we have seen an increase in the number of detected objects. Early 2018 saw a similar situation, when a great number of trojan droppers and potentially unwanted software was discovered.

Distribution of detected mobile apps by type

Distribution of newly detected mobile apps by type, Q1 and Q2 2020 (download)

Adware topped the list with 48%, a decrease of one percentage point from the previous quarter. The Ewind adware family (60.53% of all adware detected) was most common in Q2, followed by the FakeAdBlocker family with 13.14% and Inoco with 10.17%.

RiskTool-type potentially unwanted software ranked second among all detected threat classes. Its share was 20%, which is eight percentage points smaller than in Q1 2020 and 21 p.p. smaller than in Q2 2019.

Most of the detected RiskTool variants were SMSreg (44.6% of all detected potentially unwanted software), Resharer (12.63%) and Dnotua (11.94%) families.

SMS trojans hold third place among all detected threats with 7.59%. This threat class is believed to be dying out, as a mobile carrier account is a far less tempting target for criminals than a bank account, and both can be controlled from a mobile device. Agent (33.74%), Fakeinst (26.80%) and Opfake (26.33%) were the largest of the detected families of SMS trojans. All three families were more common with Russian users, which is typical of the entire SMS trojan threat class. Users from Iran followed, far behind the Russians. The Opfake and Fakeinst families are also the leaders in the number of detections on end-user devices, each accounting for 23% of the total number of unique users attacked by SMS trojans. The Prizmes family (21%) and the Agent family (16%) followed in third and fourth place, respectively.

The Opfake and Fakeinst families are among the oldest mobile threats known to Kaspersky. It is safe to say that their discovery in the wild is more of an echo of past large-scale distribution campaigns. This is supported by the fact that most of the malware detected no longer had functioning control centers. Since the main means of distributing these trojans are fake application websites, one can assume that during lockdown users are more likely to turn to such resources in search of free content and thus provide the malware families with a statistical boost.

Top 20 mobile malware programs

Note that this malware rating does not include potentially dangerous or unwanted programs, such as RiskTool or AdWare.

Verdict %*
1 DangerousObject.Multi.Generic 40.29
2 Trojan.AndroidOS.Boogr.gsh 9.02
3 DangerousObject.AndroidOS.GenericML 6.17
4 Trojan-Downloader.AndroidOS.Necro.d 4.86
5 Trojan-Dropper.AndroidOS.Hqwar.cf 3.63
6 Trojan.AndroidOS.Hiddad.fi 3.19
7 Trojan-Downloader.AndroidOS.Helper.a 2.84
8 Trojan-Downloader.AndroidOS.Agent.hy 2.64
9 Trojan.AndroidOS.Agent.vz 2.32
10 Trojan-Downloader.AndroidOS.Agent.ik 2.06
11 Trojan.AndroidOS.Handda.san 2.04
12 Trojan.AndroidOS.MobOk.v 1.89
13 Trojan-Downloader.AndroidOS.Agent.ic 1.84
14 Trojan.AndroidOS.MobOk.x 1.67
15 Trojan-Dropper.AndroidOS.Hqwar.gen 1.54
16 Trojan-Dropper.AndroidOS.Helper.n 1.45
17 Trojan-Banker.AndroidOS.Rotexy.e 1.36
18 Trojan-Downloader.AndroidOS.Malota.a 1.29
19 Trojan-Dropper.AndroidOS.Penguin.e 1.24
20 Trojan.AndroidOS.Dvmap.a 1.13

* Unique users attacked by this malware as a percentage of all users of Kaspersky mobile antivirus that were attacked.

As per tradition, first place in our Top 20 for Q2 went to the DangerousObject.Multi.Generic verdict (40.29%), which we use for malware detected using cloud technologies. Cloud technologies are deployed when the antivirus databases lack data for detecting a piece of malware, but the company’s cloud already contains information about the object. This is basically how the latest malicious programs are detected.

Second and third places were claimed by Trojan.AndroidOS.Boogr.gsh (9.02%) and DangerousObject.AndroidOS.GenericML (6.17%). These verdicts are assigned to files recognized as malicious by our machine-learning systems.

In fourth place, as in the last quarter, is Trojan-Downloader.AndroidOS.Necro.d (4.86%). This trojan family is closely associated with the various classes of the Triada group of complex threats, as well as with the xHelper trojan family, whose members took the seventh and sixteenth positions in the rankings, respectively. A distinctive feature of Necro trojans, which leads to serious problems for their victims, is their ability to take root on the device by escalating access rights. Having obtained root privileges, such trojans can write themselves to the device's read-only memory, preventing the user from removing the malware with built-in tools.

Fifth and fifteenth places in the rankings were taken by representatives of the Trojan-Dropper.AndroidOS.Hqwar family. This is the most popular dropper in the wild: if you look at the number of detected droppers from various families, you will find Hqwar in second position, immediately after the Agent generalized verdict. In Q2 2020, the share of the Hqwar family among all detected droppers increased markedly to 30.12% from 8% in Q1 2020.

TOP 3 detected droppers

Verdict %
Agent 30.38%
Hqwar 30.32%
Wapnor 30.12%

The sixth position in the rankings went to Trojan.AndroidOS.Hiddad.fi (3.19%), whose capabilities include displaying advertising banners and concealing its activities.

Members of Trojan-Downloader.AndroidOS.Agent took the eighth, tenth and thirteenth positions. These trojans have the simple task of downloading modules from the C2 and running these. The downloaded modules are often adware, but we have seen trojan payloads as well.

Trojan.AndroidOS.Agent.vz (2.32%) took ninth place. Apparently, this trojan served as a payload for a different type of malware, with Agent.vz's own task coming down to downloading executable code as well. This suggests that the malware is only an intermediate link in the infection chain.

In eleventh place, we find the Trojan.AndroidOS.Handda.san trojan (2.04%). This verdict covers a whole group of malware that includes a variety of trojans united by common capabilities: hiding their icons, obtaining Device Admin rights and using packers to counteract detection.

The twelfth and fourteenth places went to members of the Trojan.AndroidOS.MobOk family. These trojans are a link in infection chains and have most commonly been detected on the devices of mobile users from Russia.

As in Q1 2020, the twenty most common threats included the bank trojan Rotexy (1.36%). It is worth noting that this is likely not the only widespread banker, as more popular Hqwar droppers often conceal financial malware.

In the eighteenth place we see Trojan-Downloader.AndroidOS.Malota.a (1.29%). We have known this trojan since October 2019. Its main task is to download executable code from the C2 to the infected device.

Geography of mobile threats

Map of mobile malware infection attempts, Q2 2020 (download)

Top 10 countries by share of users attacked by mobile malware

Country* %**
1 Iran 43.62
2 Algeria 21.97
3 Bangladesh 19.30
4 Morocco 17.57
5 Nigeria 15.12
6 India 13.54
7 Saudi Arabia 13.52
8 Kenya 12.61
9 Indonesia 12.17
10 Pakistan 12.16

* Excluded from the rating are countries with relatively few users of Kaspersky mobile security solutions (under 10,000).
** Unique users attacked in the country as a share of all users of Kaspersky mobile security solutions in the country.

The TOP 3 countries with the largest user shares remained unchanged in Q2: Iran (43.62%) followed by Algeria (21.97%) and Bangladesh (19.30%).

Most commonly detected in Iran were AdWare.AndroidOS.Notifyer-family adware, alternate Telegram clients (RiskTool.AndroidOS.FakGram.d, for instance, is one of the ten most commonly detected threats in Iran), and Trojan.AndroidOS.Hiddap-family trojans. The latter have a variety of tools and one common feature: the tendency to hide their icons from the app manager screen.

HiddenAd and FakeAdBlocker adware was most common in Algeria, a similar situation to Q1 2020.

In Bangladesh, the leader is HiddenAd-family adware, which conceals its carrier application. The AdWare.AndroidOS.Outad.c (fifth place within the country) and AdWare.AndroidOS.Loead (sixth place) adware types were common as well.

Mobile web threats

The statistics presented here are based on detection verdicts returned by the Web Anti-Virus module that were received from users of Kaspersky products who consented to provide statistical data.

Hackers use a variety of techniques to attract potential victims to malicious landing pages, from rogue SEO that pushes their sites into the top ten results for certain search queries to redirect chains that quickly and discreetly take the user from a legitimate site to a malicious one. We decided to determine the countries where mobile users were most likely to encounter malicious websites while browsing the Web, and where these sites are located.

Geography of the countries with the highest risk of infection via web resources, Q2 2020 (download)

Ten countries with the highest risk of infection

Country* % of attacked users**
Morocco 7.08
Algeria 6.25
Ecuador 6.05
Saudi Arabia 5.24
Oman 4.98
India 4.93
Vietnam 4.63
Kuwait 4.47
UAE 4.27
Brazil 4.25

* Excluded are countries with relatively few Kaspersky mobile product users (under 10,000).
** Unique users targeted by all types of web attacks as a share of all unique users of Kaspersky mobile products in the country.

Countries where mobile web threats are based

Geography of countries where mobile attacks are based, Q2 2020 (download)

TOP 10 countries where the largest numbers of mobile attacks are based

Country %*
Netherlands 51.17
USA 32.87
Dominica 8.36
Singapore 3.64
Germany 1.53
Russian Federation 1.00
Luxembourg 0.44
Ireland 0.32
France 0.19
India 0.05

* Share of mobile threat sources in the country out of the total number of such sources

The Netherlands and the United States topped the list of web threat sources in Q2 2020. The Netherlands accounted for more than half of all attacks, typically involving advertising-related websites. The United States was the other most common source of similar threats.

Mobile banking Trojans

During the reporting period, we detected 38,951 mobile banking trojan installer packages, 3,164 fewer than in Q1 2020.

TOP 10 detected bankers

Verdict %
1 Agent 58.7%
2 Wroba 8.3%
3 Zitmo 8.2%
4 Rotexy 6.5%
5 Knobot 4.4%
6 Anubis 3.8%
7 Faketoken 3.0%
8 Cebruser 2.4%
9 Asacub 1.0%
10 Ginp 0.9%

The Trojan-Banker.AndroidOS.Agent family made the largest contribution to the number of packages detected: 58.7% of all discovered banking trojans. The Trojan-Banker.AndroidOS.Wroba family (8.3%) was second, far behind the leader, and immediately followed by Trojan-Banker.AndroidOS.Zitmo (8.2%).

Number of installation packages for mobile banking Trojans detected by Kaspersky, Q2 2019 – Q2 2020 (download)

TOP 10 mobile bankers

Verdict %*
1 Trojan-Banker.AndroidOS.Rotexy.e 13.29
2 Trojan-Banker.AndroidOS.Svpeng.q 9.66
3 Trojan-Banker.AndroidOS.Agent.eq 6.48
4 Trojan-Banker.AndroidOS.Asacub.snt 6.45
5 Trojan-Banker.AndroidOS.Asacub.ce 5.59
6 Trojan-Banker.AndroidOS.Anubis.san 5.49
7 Trojan-Banker.AndroidOS.Faketoken.snt 4.34
8 Trojan-Banker.AndroidOS.Anubis.n 3.49
9 Trojan-Banker.AndroidOS.Hqwar.t 3.14
10 Trojan-Banker.AndroidOS.Asacub.a 3.09

* Unique users attacked by this malware as a share of all Kaspersky mobile security solution users attacked by banking threats.

The first and second places on our list went to mobile bankers that targeted mobile users from Russia: Trojan-Banker.AndroidOS.Rotexy.e (13.29%) and Trojan-Banker.AndroidOS.Svpeng.q (9.66%).

Various members of the Asacub family took three positions out of ten on the TOP 10 for mobile financial threats. Although this threat family is not particularly numerous, it is very popular with attackers.

The Anubis banker family gained popularity in Q2 2020, with its members occupying the sixth and eighth positions. We believe that these versions of the trojan were built from source code leaked onto the Internet.

Geography of mobile banking threats, Q2 2020 (download)

TOP 10 countries by share of users attacked by mobile banking Trojans

Country* %**
1 Turkey 1.29%
2 Japan 0.90%
3 Spain 0.71%
4 Italy 0.65%
5 Taiwan 0.49%
6 China 0.19%
7 Tajikistan 0.16%
8 Korea 0.14%
9 Russia 0.14%
10 Poland 0.13%

* Excluded from the rating are countries with relatively few users of Kaspersky mobile security solutions (under 10,000).
** Unique users attacked by mobile banking Trojans as a share of all users of Kaspersky mobile security solutions in the country.

Turkey had the largest share of unique users attacked by mobile financial threats in Q2 2020, 1.29%. Members of the Trojan-Banker.AndroidOS.Cebruser family were most commonly detected there.

Turkey was followed by Spain with 0.71%. The rankings of mobile financial threats in this country were as follows:

Verdict %
Trojan-Banker.AndroidOS.Ginp.snt 36.60%
Trojan-Banker.AndroidOS.Cebruser.san 25.57%
Trojan-Banker.AndroidOS.Cebruser.pac 22.43%
Trojan-Banker.AndroidOS.Knobot.g 5.19%
Trojan-Banker.AndroidOS.Knobot.pac 4.89%
Trojan-Banker.AndroidOS.Knobot.c 3.73%
Trojan-Banker.AndroidOS.Knobot.h 3.43%
Trojan-Banker.AndroidOS.Agent.eq 2.99%
Trojan-Banker.AndroidOS.Knobot.c 2.63%
Trojan-Banker.AndroidOS.Cebruser.b 2.12%

Unlike the Ginp and Cebruser mobile bankers, which we have mentioned in the past, Knobot is a relatively new player on the market for threats that target financial data. Along with phishing windows and interception of 2FA verification messages, the trojan has several tools that are uncharacteristic of financial threats. An example of these is hijacking device PINs through exploitation of Accessibility Services. The attackers probably require the PIN in case they need to control the device manually in real time.

Mobile ransomware Trojans

In Q2 2020, we detected 3,805 installation packages for mobile Trojan ransomware, which is 534 fewer than last quarter.

The number of detected objects has been decreasing from quarter to quarter. We believe that there are two main causes:

  • It is much harder to extort cash from users than to steal the bank account data right away. At the same time, the device needs to be previously infected in either case, so with the costs being equal, cybercriminals will choose the path of least resistance, i.e. theft.
  • A ransomware trojan is a threat the user will likely want to fight to get the device back to a functional state. The user is likely to win, too, even if by factory-resetting the device. Cybercriminals, in their turn, try to keep their malware undetected on the device as long as possible, which runs counter to the whole idea of mobile ransomware.

Number of installation packages for mobile ransomware Trojans detected by Kaspersky, Q2 2019 – Q2 2020 (download)

Attacks reveal a similar pattern: the number of users attacked by ransomware trojans in Q2 2020 fell threefold compared to Q2 2019.

Verdict %*
1 Trojan-Ransom.AndroidOS.Small.as 14.27
2 Trojan-Ransom.AndroidOS.Agent.bq 8.46
3 Trojan-Ransom.AndroidOS.Svpeng.aj 7.67
4 Trojan-Ransom.AndroidOS.Small.o 5.77
5 Trojan-Ransom.AndroidOS.Rkor.k 5.37
6 Trojan-Ransom.AndroidOS.Agent.bo 5.01
7 Trojan-Ransom.AndroidOS.Congur.am 4.32
8 Trojan-Ransom.AndroidOS.Small.ce 3.65
9 Trojan-Ransom.AndroidOS.Fusob.h 3.42
10 Trojan-Ransom.AndroidOS.Soobek.a 3.01

* Unique users attacked by this malware as a share of all Kaspersky mobile antivirus users attacked by ransomware trojans.

The TOP 10 list of ransomware trojans detected in Q2 2020 contains only two new species: Trojan-Ransom.AndroidOS.Agent.bq (8.46%) and Trojan-Ransom.AndroidOS.Agent.bo (5.01%). All the rest were originally developed in 2017–2019 and have been kept relevant by their creators through minor code changes.

The aforementioned Agent.bq and Agent.bo, like various other trojan classes, notably contain code that exploits Accessibility Services. In the case of these two, however, the code is used for screen locking and delete protection, literally leaving the victim no chance to remove the trojan without an external utility, such as ADB. However, ADB cannot always be used for removing the ransomware either: developer mode, which it requires, is deactivated on the overwhelming majority of devices.

Geography of mobile ransomware Trojans, Q2 2020 (download)

Top 10 countries by share of users attacked by mobile ransomware Trojans

Country* %**
1 Kazakhstan 0.41
2 Malaysia 0.10
3 USA 0.10
4 Iran 0.09
5 Indonesia 0.07
6 Saudi Arabia 0.04
7 Vietnam 0.03
8 Italy 0.02
9 Algeria 0.02
10 Romania 0.02

* Excluded from the rating are countries with relatively few Kaspersky mobile antivirus users (under 10,000).
** Unique users attacked by mobile ransomware Trojans in the country as a percentage of all users of Kaspersky mobile solutions in the same country.

Kazakhstan (0.41%), Malaysia (0.10%) and the United States (0.10%) saw the largest shares of users attacked by mobile ransomware trojans.

Stalkerware

This section uses statistics collected by the Kaspersky Mobile Antivirus security solution.

The second quarter of 2020 seems not to have been the most successful one for stalkerware developers. Many of the countries where this type of spyware enjoyed popularity went into lockdown or imposed self-isolation requirements, which resulted in stalkerware users finding themselves locked up for a long period of time with those they intended to spy on. One can assume this led to a decrease in the number of mobile devices on which we detected stalkerware. At the same time, we discovered ten previously unknown families of stalkerware in Q2 2020:

  1. AndroidOS.Andropol.a
  2. AndroidOS.AndTrace.a
  3. AndroidOS.Basmon.a
  4. AndroidOS.Flashlog.a
  5. AndroidOS.Floatspy.a
  6. AndroidOS.FoneSpy.a
  7. AndroidOS.GmSpy.a
  8. AndroidOS.Spytm.a
  9. AndroidOS.UniqSpy.a
  10. AndroidOS.Xnspy.a

It would hence be incorrect to assume that developers have lost interest in creating this type of program. We will continue to monitor new samples, as none of the families listed above were popular enough in Q2 2020 to get on the list of the ten most common stalkerware types.

TOP 10 stalkerware

Verdicts %
1 Monitor.AndroidOS.Cerberus.a 14.21%
2 Monitor.AndroidOS.Nidb.a 13.66%
3 Monitor.AndroidOS.MobileTracker.c 5.56%
4 Monitor.AndroidOS.Agent.af 5.07%
5 Monitor.AndroidOS.Anlost.a 4.20%
6 Monitor.AndroidOS.PhoneSpy.b 3.39%
7 Monitor.AndroidOS.Agent.a 2.56%
8 Monitor.AndroidOS.Agent.hb 2.37%
9 Monitor.AndroidOS.SecretCam.a 2.27%
10 Monitor.AndroidOS.Traca.a 2.25%
11 Monitor.AndroidOS.Alltracker.a 2.22%
12 Monitor.AndroidOS.Agent.al 2.15%
13 Monitor.AndroidOS.SpyHuman.c 2.10%
14 Monitor.AndroidOS.Wspy.a 1.91%
15 Monitor.AndroidOS.Agent.gt 1.73%
16 Monitor.AndroidOS.MonitorMinor.e 1.62%
17 Monitor.AndroidOS.Reptilic.a 1.49%
18 Monitor.AndroidOS.Agent.he 1.43%
19 Monitor.AndroidOS.Anfur.a 1.39%
20 Monitor.AndroidOS.Talkw.a 1.25%

The rankings include long-standing, widely used commercial stalkerware families, among others, MonitorMinor, which we wrote about in the first quarter of this year.

Geography of stalkerware distribution, Q2 2020 (download)

Russia had the largest number of users whose devices were found to contain stalkerware in Q2 2020. It was followed closely by Brazil. India came third, having half of Russia’s number of users that had encountered stalkerware.

Both Russia and Brazil notably showed an encouraging trend, with the number of devices containing stalkerware dropping significantly in the second quarter.

Number of devices with stalkerware in Russia, Q1 2019 – Q2 2020 (download)

Number of devices with stalkerware in Brazil, Q1 2019 – Q2 2020 (download)

As for India, its statistics remained relatively unchanged in the second quarter of the year.

Number of devices with stalkerware in India, Q1 2019 – Q2 2020 (download)

IT threat evolution Q2 2020. PC statistics https://securelist.com/it-threat-evolution-q2-2020-pc-statistics/98292/ https://securelist.com/it-threat-evolution-q2-2020-pc-statistics/98292/#respond Thu, 03 Sep 2020 10:30:23 +0000 https://kasperskycontenthub.com/securelist/?p=98292

IT threat evolution Q2 2020. Review
IT threat evolution Q2 2020. Mobile statistics

These statistics are based on detection verdicts of Kaspersky products received from users who consented to provide statistical data.

Quarterly figures

According to Kaspersky Security Network, in Q2:

  • Kaspersky solutions blocked 899,744,810 attacks launched from online resources in 191 countries across the globe.
  • As many as 286,229,445 unique URLs triggered Web Anti-Virus components.
  • Attempted infections by malware designed to steal money via online access to bank accounts were logged on the computers of 181,725 unique users.
  • Ransomware attacks were defeated on the computers of 154,720 unique users.
  • Our File Anti-Virus detected 80,993,511 unique malware and potentially unwanted objects.

Financial threats

Financial threat statistics

In Q2 2020, Kaspersky solutions blocked attempts to launch one or more types of malware designed to steal money from bank accounts on the computers of 181,725 users.

Number of unique users attacked by financial malware, Q2 2020 (download)

Geography of attacks

To evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, for each country we calculated the share of users of Kaspersky products that faced this threat during the reporting period out of all users of our products in that country.

Geography of financial malware attacks, Q2 2020 (download)

Top 10 countries by share of attacked users

Country* %**
1 Turkmenistan 7.5
2 Uzbekistan 5.7
3 Tajikistan 5.6
4 Afghanistan 2.6
5 Macedonia 2.6
6 Yemen 2.2
7 Syria 1.9
8 Kazakhstan 1.7
9 Cyprus 1.7
10 Iran 1.5

* Excluded are countries with relatively few Kaspersky product users (under 10,000).
** Unique users of Kaspersky products whose computers were targeted by financial malware as a share of all unique users of Kaspersky products in the country.

Among the banking Trojan families, the share of Backdoor.Win32.Emotet decreased markedly from 21.3% to 6.6%. This botnet’s activity decreased at the end of Q1 2020, but the results only became clear in the second quarter. However, as we prepared this report, we noticed that Emotet was gradually recovering.

Top 10 banking malware families

Name Verdicts %*
1 Zbot Trojan.Win32.Zbot 24.8
2 RTM Trojan-Banker.Win32.RTM 18.6
3 CliptoShuffler Trojan-Banker.Win32.CliptoShuffler 15.4
4 Emotet Backdoor.Win32.Emotet 6.6
5 Trickster Trojan.Win32.Trickster 4.7
6 Nimnul Virus.Win32.Nimnul 4.3
7 Danabot Trojan-Banker.Win32.Danabot 3.4
8 SpyEye Trojan-Spy.Win32.SpyEye 3.0
9 Nymaim Trojan.Win32.Nymaim 2.5
10 Neurevt Trojan.Win32.Neurevt 1.4

* Unique users attacked by this malware family as a percentage of all users attacked by financial malware.

Ransomware programs

Quarterly trend highlights

The attackers behind the Shade ransomware announced that they had ceased distributing the Trojan and published the decryption keys for all of its versions. The keys accumulated over the years numbered more than 750,000, and we updated our ShadeDecryptor utility to help Shade victims regain access to their data.

Ransomware written in Go began surfacing more often than before. Examples of recently discovered Trojans include Sorena, Smaug, Hydra and Satan/M0rphine. Whether this reflects an interest in new technology, the ease of development, or an attempt to make researchers' work harder, no one knows for sure.

Number of new modifications

We detected five new ransomware families and 4,406 new modifications of these malware programs in Q2 2020.

Number of new ransomware modifications detected, Q2 2019 – Q1 2020 (download)

Number of users attacked by ransomware Trojans

Kaspersky products and technologies protected 154,720 users from ransomware attacks in Q2 2020.

Number of unique users attacked by ransomware Trojans, Q2 2020 (download)

Geography of attacks

Geography of attacks by ransomware Trojans, Q2 2020 (download)

Top 10 countries attacked by ransomware Trojans

Country* %**
1 Bangladesh 1.69%
2 Mozambique 1.16%
3 Uzbekistan 1.14%
4 Egypt 0.97%
5 Ethiopia 0.94%
6 China 0.74%
7 Afghanistan 0.67%
8 Pakistan 0.57%
9 Vietnam 0.55%
10 Mongolia 0.49%

* Excluded are countries with relatively few Kaspersky users (under 50,000).
** Unique users whose computers were attacked by Trojan encryptors as a share of all unique users of Kaspersky products in the country.

Top 10 most common families of ransomware Trojans

Name Verdicts %*
1 WannaCry Trojan-Ransom.Win32.Wanna 14.74%
2 (generic verdict) Trojan-Ransom.Win32.Gen 9.42%
3 (generic verdict) Trojan-Ransom.Win32.Generic 7.47%
4 (generic verdict) Trojan-Ransom.Win32.Encoder 7.11%
5 Stop Trojan-Ransom.Win32.Stop 7.06%
6 GandCrab Trojan-Ransom.Win32.GandCrypt 4.68%
7 (generic verdict) Trojan-Ransom.Win32.Crypren 4.28%
8 (generic verdict) Trojan-Ransom.Win32.Phny 3.29%
9 Cerber Trojan-Ransom.Win32.Zerber 2.19%
10 Crysis/Dharma Trojan-Ransom.Win32.Crusis 2.16%

* Unique Kaspersky users attacked by the specified family of ransomware Trojans as a percentage of all users attacked by ransomware Trojans.

Miners

Number of new modifications

Kaspersky solutions detected 3,672 new miner modifications in Q2 2020, which is several dozen times fewer than in the previous quarter.

Number of new miner modifications, Q2 2020 (download)

The difference is explained by the thousands of modifications of a single miner family detected in the first quarter. In the quarter under review, that miner's activity dwindled, which is reflected in the statistics.

Number of users attacked by miners

We detected miner attacks on the computers of 440,095 unique Kaspersky users worldwide in Q2 2020. This type of threat shows a clear downward trend.

Number of unique users attacked by miners, Q2 2020 (download)

Geography of attacks

Geography of miner attacks, Q2 2020 (download)

Top 10 countries attacked by miners

Country* %**
1 Afghanistan 4.08%
2 Ethiopia 4.04%
3 Uzbekistan 2.68%
4 Tanzania 2.57%
5 Vietnam 2.17%
6 Rwanda 2.11%
7 Kazakhstan 2.08%
8 Sri Lanka 1.97%
9 Mozambique 1.78%
10 Belarus 1.41%

* Excluded are countries with relatively few Kaspersky product users (under 50,000).
** Unique users whose computers were attacked by miners as a share of all unique users of Kaspersky products in the country.

Vulnerable applications used by cybercriminals during cyberattacks

Exploit distribution statistics for Q2 2020, as before, show that vulnerabilities in the Microsoft Office suite are the most common, although their share fell to 72% over the quarter. The same vulnerabilities we had seen before still topped the list. CVE-2017-8570, which allows a malicious script to be inserted into an OLE object embedded in an Office document and is close in nature to the older CVE-2017-0199, was the most commonly exploited vulnerability. It was followed by the Q1 favorite, CVE-2017-11882, a stack buffer overflow in the Equation Editor component of the Office suite. The remaining positions in the TOP 5 were occupied by CVE-2018-0802 (another Equation Editor flaw) and CVE-2017-8759 (code injection via the .NET Framework's SOAP WSDL parser).
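
The Office exploits just listed are usually delivered as RTF or OLE documents, and the objects they embed leave recognisable fingerprints: the Equation Editor CLSID and "Equation.3" ProgID for CVE-2017-11882/CVE-2018-0802, and composite or URL moniker CLSIDs combined with the `\objupdate` control word for the CVE-2017-0199/CVE-2017-8570 loader pattern. The following Python triage script is an added example written for this page, not Kaspersky's detection logic; the indicator list, the `suspicious` rule and the constructed sample documents are assumptions made here, and a hit means "detonate in a sandbox", not a verdict.

```python
"""Static triage of RTF documents for indicators of the Office exploits
named above.  Added example for this page, not Kaspersky code: it looks for
the Equation Editor CLSID/ProgID (CVE-2017-11882, CVE-2018-0802) and for
moniker CLSIDs plus the \\objupdate auto-load trick (CVE-2017-0199,
CVE-2017-8570), both in the raw file and inside hex-encoded \\objdata blobs.
Heuristic only: a hit means "open in a sandbox", not "malicious"."""
import re
from typing import Dict, List

# CLSIDs as stored on disk: the first three GUID fields are little-endian.
EQUATION_EDITOR_CLSID = bytes.fromhex("02ce020000000000c000000000000046")    # {0002CE02-0000-0000-C000-000000000046}
COMPOSITE_MONIKER_CLSID = bytes.fromhex("0903000000000000c000000000000046")  # {00000309-0000-0000-C000-000000000046}
URL_MONIKER_CLSID = bytes.fromhex("e0c9ea79f9bace118c8200aa004ba90b")        # {79EAC9E0-BAF9-11CE-8C82-00AA004BA90B}

INDICATORS: Dict[str, bytes] = {
    "equation_editor_clsid": EQUATION_EDITOR_CLSID,
    "equation_progid": b"Equation.3",
    "composite_moniker_clsid": COMPOSITE_MONIKER_CLSID,
    "url_moniker_clsid": URL_MONIKER_CLSID,
    "rtf_objupdate": b"\\objupdate",   # forces the object to load when the document opens
}

_OBJDATA = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")


def rtf_objdata_blobs(data: bytes) -> List[bytes]:
    """Hex-decode every \\objdata group: the CLSIDs hide there, not in the raw text."""
    blobs = []
    for m in _OBJDATA.finditer(data):
        hexstr = re.sub(rb"\s", b"", m.group(1))
        hexstr = hexstr[: len(hexstr) & ~1]  # drop a dangling nibble rather than fail
        if hexstr:
            blobs.append(bytes.fromhex(hexstr.decode("ascii")))
    return blobs


def triage_document(data: bytes) -> Dict[str, bool]:
    """Return one flag per indicator plus an overall 'suspicious' verdict."""
    haystacks = [data] + rtf_objdata_blobs(data)
    hits = {name: any(needle in h for h in haystacks) for name, needle in INDICATORS.items()}
    # Equation Editor was removed from Office in January 2018, so a document that
    # still embeds one deserves a look; a moniker CLSID plus \objupdate is the
    # CVE-2017-0199/8570 loader pattern.  Rule is an assumption of this example.
    hits["suspicious"] = bool(
        hits["equation_editor_clsid"] or hits["equation_progid"]
        or hits["composite_moniker_clsid"]
        or (hits["rtf_objupdate"] and hits["url_moniker_clsid"])
    )
    return hits


def build_sample_rtf(clsid: bytes, progid: bytes, objupdate: bool) -> bytes:
    """Constructed test document, NOT an exploit: an RTF with one embedded OLE1
    object whose (simplified) data stream names `progid` and carries `clsid`."""
    ole1 = (b"\x01\x05\x00\x00"                                         # OLEVersion
            + b"\x02\x00\x00\x00"                                       # FormatID 2 = embedded
            + (len(progid) + 1).to_bytes(4, "little") + progid + b"\x00"  # ClassName
            + b"\x00\x00\x00\x00" * 2                                   # TopicName/ItemName lengths
            + len(clsid).to_bytes(4, "little") + clsid)                 # stands in for NativeData
    update = b"\\objupdate" if objupdate else b""
    return (b"{\\rtf1\\ansi{\\object\\objemb" + update
            + b"{\\*\\objclass " + progid + b"}"
            + b"{\\*\\objdata " + ole1.hex().encode("ascii") + b"}}\\par}")


SAMPLE_BENIGN = b"{\\rtf1\\ansi Quarterly report, text only.\\par}"
SAMPLE_EQNEDT = build_sample_rtf(EQUATION_EDITOR_CLSID, b"Equation.3", objupdate=False)
SAMPLE_MONIKER = build_sample_rtf(COMPOSITE_MONIKER_CLSID, b"Package", objupdate=True)

if __name__ == "__main__":
    for name, doc in [("benign", SAMPLE_BENIGN), ("eqnedt", SAMPLE_EQNEDT), ("moniker", SAMPLE_MONIKER)]:
        flags = triage_document(doc)
        print(f"{name:8s} suspicious={flags['suspicious']} "
              + ", ".join(k for k, v in flags.items() if v and k != "suspicious"))
```

Run it directly to triage the three constructed samples; in practice, feed `triage_document()` the bytes of attachments pulled from a mail gateway or sandbox queue. Decoding the `\objdata` hex is the step that matters: the Equation Editor CLSID never appears in the raw RTF text, so a plain string search over the file misses it.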

The second category, exploits for popular browsers, accounted for about 12% in Q2, a slight increase on the previous period. During the reporting period, cybercriminals attacked Firefox using CVE-2020-6819, a use-after-free triggered while running the nsDocShell destructor; exploits for CVE-2020-6820, a use-after-free in the handling of the ReadableStream interface, were observed as well. Both were patched in Firefox 74.0.1. No major vulnerability exploited to spread malware was observed during the reporting period for any of the other popular browsers: Google Chrome, Microsoft Edge, or Internet Explorer. Vendors did, however, ship fixes for a number of vulnerabilities that researchers found before they could be turned into exploits.

Distribution of exploits used by cybercriminals, by type of attacked application, Q2 2020 (download)

The first quarter set a trend for research into the font-rendering and other graphics-primitive subsystems of Windows. In Q2, two vulnerabilities in the Windows Codecs Library, CVE-2020-1425 and CVE-2020-1457, were found and fixed; neither is known to have been exploited in the wild. Another interesting vulnerability fixed last quarter is CVE-2020-1300, which allows remote code execution through incorrect processing of Cabinet files, for example if a user is tricked into running a malicious CAB file posing as a printer driver. Notably, CVE-2020-1299 allowed an attacker to execute arbitrary code with the user's privileges by means of a specially crafted LNK file.

The trend for brute-forcing Remote Desktop Services, Microsoft SQL Server and SMB passwords persisted in Q2 2020. No full-scale network attacks exploiting new vulnerabilities in network protocols were detected. However, software developers did discover and fix several vulnerabilities in popular network services. Among the most interesting was CVE-2020-1301 in SMBv1, which allowed an attacker to execute code remotely on a target system. CVE-2020-0796 (SMBGhost), an SMBv3 vulnerability popular among researchers, received an unexpected follow-up in the form of a public exploit that compromised the system without any user interaction. The same protocol version was found to contain CVE-2020-1206, known as SMBleed, which let an attacker read a portion of Windows kernel memory; researchers even published several exploits that chained SMBleed with SMBGhost to execute code with SYSTEM privileges, at which point the attacker can install any software and access any information on the computer. For SMBGhost, Microsoft's ADV200005 workaround of disabling SMBv3 compression on the server side remains a useful stop-gap for hosts that cannot take the March 2020 fix (KB4551762).

Attacks on Apple macOS

In Q2 2020, we discovered new versions of previously known threats and one new backdoor, detected as Backdoor.OSX.Lador.a. The malware is notable for being written in Go, a language gaining popularity for malware aimed at macOS. The difference in size from a backdoor written in Objective-C is striking: a Lador binary weighs in at 5.5 megabytes, many times larger, all for the sake of remote access to the infected machine and execution of arbitrary code downloaded from the C&C server.

Top 20 threats for macOS

Verdict %*
1 Monitor.OSX.HistGrabber.b 17.39
2 Trojan-Downloader.OSX.Shlayer.a 12.07
3 AdWare.OSX.Pirrit.j 9.10
4 AdWare.OSX.Bnodlero.at 8.21
5 AdWare.OSX.Cimpli.k 7.32
6 AdWare.OSX.Pirrit.o 5.57
7 Trojan-Downloader.OSX.Agent.h 4.19
8 AdWare.OSX.Ketin.h 4.03
9 AdWare.OSX.Pirrit.x 4.00
10 AdWare.OSX.Spc.a 3.98
11 AdWare.OSX.Amc.c 3.97
12 Backdoor.OSX.Lador.a 3.91
13 AdWare.OSX.Pirrit.v 3.22
14 RiskTool.OSX.Spigot.a 2.89
15 AdWare.OSX.Bnodlero.t 2.87
16 AdWare.OSX.Cimpli.f 2.85
17 AdWare.OSX.Adload.g 2.60
18 AdWare.OSX.Pirrit.aa 2.54
19 AdWare.OSX.MacSearch.d 2.44
20 AdWare.OSX.Adload.h 2.35

* Unique users attacked by this malware as a percentage of all users of Kaspersky security solutions for macOS that were attacked.

The rankings of the most common threats for the macOS platform have not changed much compared to the previous quarter and are still largely made up of adware. As in Q1 2020, Shlayer (12.07%) was the most common Trojan. That malware loads adware from the Pirrit, Bnodlero and Cimpli families, which populate our TOP 20.

The Lador.a backdoor, which we mentioned above, entered the rankings along with adware.

Finally, in Q2 2020, a group of potentially unwanted programs collectively detected as HistGrabber.b joined the rankings. The stated purpose of such software is unpacking archives, but HistGrabber.b also quietly uploaded the user's browsing history to the developer's servers. This is nothing new: all applications that steal browsing history were withdrawn from the App Store long ago, and the servers that received the data have been taken down. Nevertheless, we deem it necessary to inform users of any such software discovered on their devices.

Threat geography

Threat geography for the macOS platform, Q2 2020 (download)

TOP 10 countries

Country* %**
1 Spain 9.82%
2 France 7.73%
3 Mexico 6.70%
4 Italy 6.54%
5 India 6.47%
6 Canada 6.34%
7 Brazil 6.25%
8 USA 5.99%
9 United Kingdom 5.90%
10 Russia 5.77%

* Excluded from the rating are countries with relatively few users of Kaspersky security solutions for macOS (under 5,000).
** Unique users attacked in the country as a percentage of all users of Kaspersky security solutions for macOS in the same country.

In every country on the list, without exception, the most common threats were bundles of various adware with the Shlayer Trojan.

IoT attacks

IoT threat statistics

Q2 2020 saw no dramatic change in cybercriminal activity targeting IoT devices: attackers most frequently ran Telnet login and password brute-force campaigns.

Telnet 80.83%
SSH 19.17%

Distribution of attacked services by number of unique IP addresses of attacking devices, Q2 2020

Subsequent sessions with what the attackers took to be infected IoT devices (in reality, our traps) were much more often conducted over Telnet.

Telnet 71.52%
SSH 28.48%

Distribution of cybercriminals’ working sessions with Kaspersky traps, Q2 2020
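
The two tables above use different denominators: the first counts each attacking IP once per service it probed, the second counts working sessions. The script below is an added example written for this page rather than Kaspersky's own pipeline; it parses a constructed honeypot log in an invented format (the field names, session ids and RFC 5737 addresses are all made up), computes both shares the same way, and adds the two checks a honeypot operator actually wants: a sliding-window brute-force detector and a list of sessions in which a login succeeded after guessing.

```python
"""Summarise constructed IoT-honeypot login logs the way the statistics above
are defined (attacked service by unique attacking IP, and by working session)
and flag brute-force sources.  Added example for this page, not Kaspersky
code; the log format, field names and every address are invented."""
import re
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple, Tuple


class Attempt(NamedTuple):
    ts: datetime
    service: str   # "telnet" or "ssh"
    src_ip: str
    session: str
    user: str
    password: str
    ok: bool


# Constructed sample using RFC 5737 documentation addresses; not real telemetry.
SAMPLE_LOG = """\
2020-05-12T03:14:07Z telnet src=203.0.113.7 sess=t1 user=root pass=xc3511 result=fail
2020-05-12T03:14:09Z telnet src=203.0.113.7 sess=t1 user=root pass=vizxv result=fail
2020-05-12T03:14:11Z telnet src=203.0.113.7 sess=t1 user=admin pass=admin result=fail
2020-05-12T03:14:13Z telnet src=203.0.113.7 sess=t1 user=root pass=admin result=fail
2020-05-12T03:14:15Z telnet src=203.0.113.7 sess=t1 user=root pass=default result=ok
2020-05-12T03:20:40Z telnet src=198.51.100.23 sess=t2 user=admin pass=1234 result=fail
2020-05-12T03:20:44Z telnet src=198.51.100.23 sess=t2 user=admin pass=password result=ok
2020-05-12T04:02:01Z telnet src=192.0.2.44 sess=t3 user=support pass=support result=ok
2020-05-12T04:05:30Z ssh src=192.0.2.44 sess=s1 user=pi pass=raspberry result=fail
2020-05-12T04:05:31Z ssh src=192.0.2.44 sess=s2 user=pi pass=raspberry result=fail
2020-05-12T09:41:02Z ssh src=203.0.113.90 sess=s3 user=root pass=123456 result=fail
2020-05-12T10:41:05Z ssh src=203.0.113.90 sess=s4 user=root pass=password result=fail
"""

_LINE = re.compile(r"^(?P<ts>\S+) (?P<svc>telnet|ssh) src=(?P<ip>\S+) sess=(?P<sess>\S+) "
                   r"user=(?P<user>\S*) pass=(?P<pw>\S*) result=(?P<res>ok|fail)$")


def parse_log(text: str) -> List[Attempt]:
    """One attempt per line; lines that do not match the format are skipped, not fatal."""
    out = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            out.append(Attempt(datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["svc"],
                               m["ip"], m["sess"], m["user"], m["pw"], m["res"] == "ok"))
    return out


def _share(keys) -> Dict[str, float]:
    counts = Counter(keys)
    total = sum(counts.values())
    return {k: round(100.0 * n / total, 2) for k, n in counts.items()}


def share_by_attacker_ip(attempts: List[Attempt]) -> Dict[str, float]:
    """Service share by unique attacking IPs; an IP hitting both services counts once per service."""
    return _share(svc for svc, _ in {(a.service, a.src_ip) for a in attempts})


def share_by_session(attempts: List[Attempt]) -> Dict[str, float]:
    """Service share by distinct working sessions, as in the second table."""
    return _share(svc for svc, _ in {(a.service, a.session) for a in attempts})


def brute_force_sources(attempts: List[Attempt], threshold: int = 4, window_s: int = 60) -> Dict[str, int]:
    """src_ip -> peak failed logins inside any sliding window of `window_s` seconds,
    for sources that reach `threshold`.  A slow spray never fills the window."""
    fails = defaultdict(list)
    for a in attempts:
        if not a.ok:
            fails[a.src_ip].append(a.ts)
    flagged = {}
    for ip, times in fails.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def compromised_sessions(attempts: List[Attempt]) -> Dict[str, int]:
    """session -> failures before its first successful login (0 = default creds worked
    first time); sessions that never logged in are not returned."""
    fails, result = Counter(), {}
    for a in sorted(attempts, key=lambda x: x.ts):
        if a.session in result:
            continue
        if a.ok:
            result[a.session] = fails[a.session]
        else:
            fails[a.session] += 1
    return result


def top_credentials(attempts: List[Attempt], n: int = 3) -> List[Tuple[Tuple[str, str], int]]:
    """Most-tried user/password pairs: the wordlist the bot is carrying."""
    return Counter((a.user, a.password) for a in attempts).most_common(n)


if __name__ == "__main__":
    attempts = parse_log(SAMPLE_LOG)
    print("by attacking IP:", share_by_attacker_ip(attempts))
    print("by session:     ", share_by_session(attempts))
    print("brute-force:    ", brute_force_sources(attempts))
    print("compromised:    ", compromised_sessions(attempts))
    print("top creds:      ", top_credentials(attempts))
```

The sliding window is deliberate: a bot that tries one password an hour never accumulates enough failures in a 60-second window, which is the right outcome for a rate-based rule and the reason such rules are paired with the credential-frequency view from `top_credentials()`, where a default factory password tried across many sources stands out regardless of pace.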

Geography of IP addresses of devices from which attacks on Kaspersky Telnet traps originated, Q2 2020 (download)

TOP 10 countries by location of devices from which Telnet-based attacks were carried out on Kaspersky traps

Country %*
China 12.75%
Brazil 11.88%
Egypt 8.32%
Taiwan 6.58%
Iran 5.17%
India 4.84%
Russia 4.76%
Vietnam 3.59%
Greece 3.22%
USA 2.94%

* Devices in the country from which attacks were carried out, as a share of the total number of attacking devices

The three countries with the most devices that launched attacks on Kaspersky Telnet traps remained virtually unchanged. China (12.75%) was first, while Brazil (11.88%) and Egypt (8.32%) swapped positions.

Geography of IP addresses of devices from which attacks on Kaspersky SSH traps originated, Q2 2020 (download)

TOP 10 countries by location of devices from which SSH-based attacks were carried out on Kaspersky traps

Country %*
China 22.12%
USA 10.91%
Vietnam 8.20%
Brazil 5.34%
Germany 4.68%
Russia 4.44%
France 3.42%
India 3.01%
Egypt 2.77%
Singapore 2.59%

* Devices in the country from which attacks were carried out, as a share of the total number of attacking devices

As with Telnet, the three countries where the most attacks on SSH traps originated remained unchanged from Q1 2020: China (22.12%), U.S. (10.91%) and Vietnam (8.20%).

Threats loaded into traps

Verdict %*
Trojan-Downloader.Linux.NyaDrop.b 32.78
Backdoor.Linux.Mirai.b 17.47
HEUR:Backdoor.Linux.Mirai.b 12.72
HEUR:Backdoor.Linux.Gafgyt.a 9.76
Backdoor.Linux.Mirai.ba 7.99
HEUR:Backdoor.Linux.Mirai.ba 4.49
Backdoor.Linux.Gafgyt.bj 2.23
HEUR:Trojan-Downloader.Shell.Agent.p 1.66
Backdoor.Linux.Mirai.cn 1.26
HEUR:Backdoor.Linux.Mirai.c 0.73

* Share of the malware type in the total amount of malware downloaded to IoT devices following a successful attack.

As in the first quarter, the NyaDrop Trojan led by the number of loads onto traps. The Mirai Trojan family retained its relevance in Q2 2020, occupying half of our IoT threat rankings.

Attacks via web resources

The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious or infected web pages. Malicious websites are created deliberately by cybercriminals; web resources with user-generated content (for example, forums) and hacked legitimate resources can also become infected.

Countries that are sources of web-based attacks: TOP 10

The following statistics show the distribution by country of the sources of Internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites containing exploits and other malicious programs, botnet C2 centers, etc.). Any unique host could be the source of one or more web-based attacks.

To determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established.

In Q2 2020, Kaspersky solutions defeated 899,744,810 attacks launched from online resources located in 191 countries across the globe. A total of 286,229,445 unique URLs were recognized as malicious by Web Anti-Virus components.

Distribution of web-based attack sources by country, Q2 2020 (download)

Countries where users faced the greatest risk of online infection

To assess the risk of online infection faced by users in different countries, for each country we calculated the share of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries.

This rating only includes attacks by malicious objects that fall under the Malware class; it does not include Web Anti-Virus triggers in response to potentially dangerous or unwanted programs, such as RiskTool or adware.

Country* % of attacked users**
1 Algeria 11.2052
2 Mongolia 11.0337
3 Albania 9.8699
4 France 9.8668
5 Tunisia 9.6513
6 Bulgaria 9.5252
7 Libya 8.5995
8 Morocco 8.4784
9 Greece 8.3735
10 Vietnam 8.2298
11 Somalia 8.0938
12 Georgia 7.9888
13 Malaysia 7.9866
14 Latvia 7.8978
15 UAE 7.8675
16 Qatar 7.6820
17 Angola 7.5147
18 Réunion 7.4958
19 Laos 7.4757
20 Mozambique 7.4702

* Excluded are countries with relatively few Kaspersky users (under 10,000).
** Unique users targeted by Malware-class attacks as a share of all unique Kaspersky users in the country.

These statistics are based on detection verdicts returned by the Web Anti-Virus module that were received from users of Kaspersky products who consented to provide statistical data.

On average, 5.73% of Internet user computers worldwide experienced at least one Malware-class attack.

Geography of malicious web-based attacks, Q2 2020 (download)

Local threats

In this section, we analyze statistical data obtained from the OAS (on-access scan) and ODS (on-demand scan) modules in Kaspersky products. It takes into account malicious programs that were found directly on users' computers or on removable media connected to them (flash drives, camera memory cards, phones, external hard drives), or which initially reached the computer in non-open form (for example, programs included in complex installers, encrypted files, etc.).

In Q2 2020, our File Anti-Virus detected 80,993,511 malware and potentially unwanted objects.

Countries where users faced the highest risk of local infection

For each country, we calculated the percentage of Kaspersky users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries.

Note that the rating includes only Malware-class attacks; it does not include File Anti-Virus triggers in response to potentially dangerous or unwanted programs, such as RiskTool or adware.

Country* % of attacked users**
1 Turkmenistan 48.0224
2 Uzbekistan 42.2632
3 Tajikistan 42.1279
4 Ethiopia 41.7213
5 Afghanistan 40.6278
6 Myanmar 39.1377
7 Burkina Faso 37.4560
8 Benin 37.4390
9 China 36.7346
10 Kyrgyzstan 36.0847
11 Vietnam 35.4327
12 Mauritania 34.2613
13 Laos 34.0350
14 Mongolia 33.6261
15 Burundi 33.4323
16 Belarus 33.0937
17 Guinea 33.0097
18 Mali 32.9902
19 Togo 32.6962
20 Cameroon 32.6347

* Excluded are countries with relatively few Kaspersky users (under 10,000).
** Unique users on whose computers Malware-class local threats were blocked, as a share of all unique users of Kaspersky products in the country.

Geography of local infection attempts, Q2 2020 (download)

Overall, 17.05% of user computers globally faced at least one Malware-class local threat during Q2 2020.

IT threat evolution Q1 2020. Statistics
https://securelist.com/it-threat-evolution-q1-2020-statistics/96959/
Wed, 20 May 2020 10:00:43 +0000

These statistics are based on detection verdicts for Kaspersky products received from users who consented to providing statistical data.

Quarterly figures

According to Kaspersky Security Network,

  • Kaspersky solutions blocked 726,536,269 attacks launched from online resources in 203 countries across the globe.
  • A total of 442,039,230 unique URLs were recognized as malicious by Web Anti-Virus components.
  • Attempted infections by malware designed to steal money via online access to bank accounts were logged on the computers of 249,748 unique users.
  • Ransomware attacks were defeated on the computers of 178,922 unique users.
  • Our File Anti-Virus detected 164,653,290 unique malicious and potentially unwanted objects.
  • Kaspersky products for mobile devices detected:
    • 1,152,662 malicious installation packages
    • 42,115 installation packages for mobile banking trojans
    • 4,339 installation packages for mobile ransomware trojans

Mobile threats

Quarter events

Q1 2020 will be remembered primarily for the coronavirus pandemic and cybercriminals’ exploitation of the topic. In particular, the creators of a new modification of the Ginp banking trojan renamed their malware Coronavirus Finder and then began offering it for €0.75 disguised as an app supposedly capable of detecting nearby people infected with COVID-19. Thus, the cybercriminals tried not only to scam users by exploiting hot topics, but to gain access to their bank card details. And, because the trojan remains on the device after stealing this data, the cybercriminals could intercept text messages containing two-factor authorization codes and use the stolen data without the victim’s knowledge.

Another interesting find this quarter was Cookiethief, a trojan designed to steal cookies from mobile browsers and the Facebook app. In the event of a successful attack, the malware provided its handler with access to the victim’s account, including the ability to perform various actions in their name, such as liking, reposting, etc. To prevent the service from spotting any abnormal activity in the hijacked profile, the trojan contains a proxy module through which the attackers issue commands.

The third piece of malware that caught our attention this reporting quarter was Trojan-Dropper.AndroidOS.Shopper.a. It is designed to help cybercriminals leave fake reviews and drive up ratings on Google Play. The attackers' goals here are obvious: to increase the chances of their apps getting published and recommended, and to lull the vigilance of potential victims. Note that to rate apps and write reviews, the trojan uses Accessibility Services to gain full control over another app: in this case, the official Google Play client.

Mobile threat statistics

In Q1 2020, Kaspersky’s mobile products and technologies detected 1,152,662 malicious installation packages, or 171,669 more than in the previous quarter.

Number of malicious installation packages detected, Q1 2019 – Q1 2020 (download)

Starting in Q2 2019, we have seen a steady rise in the number of mobile threats detected. Although it is too early to sound the alarm (2019 saw the lowest number of new threats in recent years), the trend is concerning.

Distribution of detected mobile apps by type

Distribution of newly detected mobile programs by type, Q1 2020 and Q4 2019 (download)

Of all the threats detected in Q1, half were unwanted adware apps (49.9%), their share having increased by 19 p.p. compared to the previous quarter. Most often, we detected members of the HiddenAd and Ewind families, with a combined slice of 40% of all detected adware threats, as well as the FakeAdBlocker family (12%).

Potentially unwanted RiskTool apps (28.24%) took second place; the share of this type of threat remained almost unchanged. The Smsreg (49% of all detected threats of this class), Agent (17%) and Dnotua (11%) families were the biggest contributors. Note that in Q1, the number of detected members of the Smsreg family increased by more than 50 percent.

In third place were Trojan-Dropper-type threats (9.72%). Although their share decreased by 7.63 p.p. against the previous quarter, droppers remain one of the most common classes of mobile threats. Ingopack emerged as Q1’s leading family with a massive 71% of all Trojan-Dropper threats, followed by Waponor (12%) and Hqwar (8%) far behind.

It is worth noting that mobile droppers are most often used for installing financial malware, although some financial threats can spread without their help. The share of these self-sufficient threats is quite substantial: in particular, the share of Trojan-Banker in Q1 increased by 2.1 p.p. to 3.65%.

Top 20 mobile malware programs

Note that these malware rankings do not include potentially dangerous or unwanted programs such as RiskTool or adware.

Verdict %*
1 DangerousObject.Multi.Generic 44.89
2 Trojan.AndroidOS.Boogr.gsh 9.09
3 DangerousObject.AndroidOS.GenericML 7.08
4 Trojan-Downloader.AndroidOS.Necro.d 4.52
5 Trojan.AndroidOS.Hiddapp.ch 2.73
6 Trojan-Downloader.AndroidOS.Helper.a 2.45
7 Trojan.AndroidOS.Handda.san 2.31
8 Trojan-Dropper.AndroidOS.Necro.z 2.30
9 Trojan.AndroidOS.Necro.a 2.19
10 Trojan-Downloader.AndroidOS.Necro.b 1.94
11 Trojan-Dropper.AndroidOS.Hqwar.gen 1.82
12 Trojan-Dropper.AndroidOS.Helper.l 1.50
13 Exploit.AndroidOS.Lotoor.be 1.46
14 Trojan-Dropper.AndroidOS.Lezok.p 1.46
15 Trojan-Banker.AndroidOS.Rotexy.e 1.43
16 Trojan-Dropper.AndroidOS.Penguin.e 1.42
17 Trojan-SMS.AndroidOS.Prizmes.a 1.39
18 Trojan.AndroidOS.Dvmap.a 1.24
19 Trojan.AndroidOS.Agent.rt 1.21
20 Trojan.AndroidOS.Vdloader.a 1.18

* Unique users attacked by this malware as a percentage of all users of Kaspersky mobile products that were attacked.

First place in our Top 20 as ever went to DangerousObject.Multi.Generic (44.89%), the verdict we use for malware detected using cloud technology. They are triggered when the antivirus databases still lack the data for detecting a malicious program, but the Kaspersky Security Network cloud already contains information about the object. This is basically how the latest malware is detected.

Second and third places were claimed by Trojan.AndroidOS.Boogr.gsh (9.09%) and DangerousObject.AndroidOS.GenericML (7.08%) respectively. These verdicts are assigned to files that are recognized as malicious by our machine-learning systems.

In fourth (Trojan-Downloader.AndroidOS.Necro.d, 4.52%) and tenth (Trojan-Downloader.AndroidOS.Necro.b, 1.94%) places are members of the Necro family, whose main task is to download and install modules from cybercriminal servers. Eighth-placed Trojan-Dropper.AndroidOS.Necro.z (2.30%) acts in a similar way, extracting from itself only those modules that it needs. As for Trojan.AndroidOS.Necro.a, which took ninth place (2.19%), cybercriminals assigned it a different task: the trojan follows advertising links and clicks banner ads in the victim’s name.

Trojan.AndroidOS.Hiddapp.ch (2.73%) claimed fifth spot. As soon as it runs, the malware hides its icon on the list of apps and continues to operate in the background. The trojan’s payload can be other trojan programs or adware apps.

Sixth place went to Trojan-Downloader.AndroidOS.Helper.a (2.45%), which is what Trojan-Downloader.AndroidOS.Necro usually delivers. Helper.a is tasked with downloading arbitrary code from the cybercriminals’ server and running it.

The verdict Trojan.AndroidOS.Handda.san (2.31%) in seventh place is a group of diverse trojans that hide their icons, gain Device Admin rights on the device, and use packers to evade detection.

Trojan-Banker.AndroidOS.Rotexy.e (1.43%) and Trojan-Dropper.AndroidOS.Penguin.e (1.42%) warrant a special mention. The former is the only banking trojan in the top 20 this past quarter. The Rotexy family is all of six years old, and its members have the functionality to steal bank card details and intercept two-factor payment authorization messages. In turn, the first member of the Penguin dropper family was only detected last July and had gained significant popularity by Q1 2020.

Geography of mobile threats

Map of infection attempts by mobile malware, Q1 2020 (download)

Top 10 countries by share of users attacked by mobile threats

Country* %**
1 Iran 39.56
2 Algeria 21.44
3 Bangladesh 18.58
4 Nigeria 15.58
5 Lebanon 15.28
6 Tunisia 14.94
7 Pakistan 13.99
8 Kuwait 13.91
9 Indonesia 13.81
10 Cuba 13.62

* Excluded from the rankings are countries with relatively few users of Kaspersky mobile products (under 10,000).
** Unique users attacked as a percentage of all users of Kaspersky mobile products in the country.

In Q1 2020, the leader by share of attacked users was Iran (39.56%). Inhabitants of this country most frequently encountered adware apps from the Notifyer family, as well as Telegram clone apps. In second place was Algeria (21.44%), where adware apps were also distributed, but this time it was the HiddenAd and FakeAdBlocker families. Third place was taken by Bangladesh (18.58%), where half of the top 10 mobile threats consisted of adware in the HiddenAd family.

Mobile banking trojans

During the reporting period, we detected 42,115 installation packages of mobile banking trojans. This is the highest value in the past 18 months, and more than 2.5 times higher than in Q4 2019. The largest contributions to the statistics came from the Trojan-Banker.AndroidOS.Agent (42.79% of all installation packages detected), Trojan-Banker.AndroidOS.Wroba (16.61%), and Trojan-Banker.AndroidOS.Svpeng (13.66%) families.

Number of installation packages of mobile banking trojans detected by Kaspersky, Q1 2019 – Q1 2020 (download)

Top 10 mobile banking trojans

Verdict %*
1 Trojan-Banker.AndroidOS.Rotexy.e 13.11
2 Trojan-Banker.AndroidOS.Svpeng.q 10.25
3 Trojan-Banker.AndroidOS.Asacub.snt 7.64
4 Trojan-Banker.AndroidOS.Asacub.ce 6.31
5 Trojan-Banker.AndroidOS.Agent.eq 5.70
6 Trojan-Banker.AndroidOS.Anubis.san 4.68
7 Trojan-Banker.AndroidOS.Agent.ep 3.65
8 Trojan-Banker.AndroidOS.Asacub.a 3.50
9 Trojan-Banker.AndroidOS.Asacub.ar 3.00
10 Trojan-Banker.AndroidOS.Agent.cf 2.70

* Unique users attacked by this malware as a percentage of all users of Kaspersky mobile products who were attacked by banking threats.

First and second places in our top 10 were claimed by trojans targeted at Russian-speaking mobile users: Trojan-Banker.AndroidOS.Rotexy.e (13.11%) and Trojan-Banker.AndroidOS.Svpeng.q (10.25%).

Third, fourth, eighth, and ninth positions in the top 10 mobile banking threats went to members of the Asacub family. The cybercriminals behind this trojan stopped creating new samples, but its distribution channels were still active in Q1.

Geography of mobile banking threats, Q1 2020 (download)

Top 10 countries by share of users attacked by mobile banking trojans

Country* %**
1 Japan 0.57
2 Spain 0.48
3 Italy 0.26
4 Bolivia 0.18
5 Russia 0.17
6 Turkey 0.13
7 Tajikistan 0.13
8 Brazil 0.11
9 Cuba 0.11
10 China 0.10

* Excluded from the rankings are countries with relatively few users of Kaspersky mobile products (under 10,000).
** Unique users attacked by mobile banking trojans as a percentage of all users of Kaspersky mobile products in the country.

In Q1 2020, Japan (0.57%) had the largest share of users attacked by mobile bankers; the vast majority of cases involved Trojan-Banker.AndroidOS.Agent.eq.

In second place came Spain (0.48%), where in more than half of all cases, we detected malware from the Trojan-Banker.AndroidOS.Cebruser family, and another quarter of detections were members of the Trojan-Banker.AndroidOS.Ginp family.

Third place belonged to Italy (0.26%), where, as in Spain, the Trojan-Banker.AndroidOS.Cebruser family was the most widespread with almost two-thirds of detections.

It is worth saying a bit more about the Cebruser family. Its creators were among the first to exploit the coronavirus topic to spread the malware.

When it runs, the trojan immediately gets down to business: it requests access to Accessibility Services, uses them to grant itself Device Admin permissions, and then tries to get hold of card details.

The malware is distributed under the Malware-as-a-Service model; its set of functions is standard for such threats, but with one interesting detail: it uses the device's step counter as an activation trigger, so that dynamic analysis tools (sandboxes), which never simulate a user walking around with the phone, see no malicious behavior. Cebruser targets the mobile apps of banks in various countries as well as popular non-financial apps; its main weapons are phishing windows and interception of two-factor authorization codes. In addition, the malware can lock the screen with a ransomware module and log keystrokes on the virtual keyboard.

Mobile ransomware trojans

In Q2 2020, we detected 4,339 installation packages of mobile trojan ransomware, 1,067 fewer than in the previous quarter.

Number of installation packages of mobile ransomware trojans detected by Kaspersky, Q1 2019 – Q1 2020 (download)

Top 10 mobile ransomware trojans

Verdict %*
1 Trojan-Ransom.AndroidOS.Svpeng.aj 17.08
2 Trojan-Ransom.AndroidOS.Congur.e 12.70
3 Trojan-Ransom.AndroidOS.Small.as 11.41
4 Trojan-Ransom.AndroidOS.Rkor.k 9.88
5 Trojan-Ransom.AndroidOS.Small.as 7.32
6 Trojan-Ransom.AndroidOS.Small.o 4.79
7 Trojan-Ransom.AndroidOS.Svpeng.aj 3.62
8 Trojan-Ransom.AndroidOS.Svpeng.ah 3.55
9 Trojan-Ransom.AndroidOS.Congur.e 3.32
10 Trojan-Ransom.AndroidOS.Fusob.h 3.17

* Unique users attacked by this malware as a percentage of all users of Kaspersky mobile products who were attacked by ransomware trojans.

Over the past few quarters, the number of ransomware trojans detected has been gradually decreasing; all the same, we continue to detect quite a few infection attempts by this class of threats. The main contributors to the statistics were the Svpeng, Congur, and Small ransomware families.

Geography of mobile ransomware trojans, Q1 2020 (download)

Top 10 countries by share of users attacked by mobile ransomware trojans:

Country* %**
1 USA 0.26
2 Kazakhstan 0.25
3 Iran 0.16
4 China 0.09
5 Saudi Arabia 0.08
6 Italy 0.03
7 Mexico 0.03
8 Canada 0.03
9 Indonesia 0.03
10 Switzerland 0.03

* Excluded from the rankings are countries with relatively few users of Kaspersky mobile products (under 10,000).
** Unique users attacked by mobile ransomware trojans as a percentage of all users of Kaspersky mobile products in the country.

The leaders by share of users attacked by mobile ransomware trojans were Syria (0.28%), the United States (0.26%) and Kazakhstan (0.25%).

Attacks on Apple macOS

In Q1 2020, we detected not only new versions of common threats, but one new backdoor family, whose first member was Backdoor.OSX.Capip.a. The malware’s operating principle is simple: it calls the C&C for a shell script, which it then downloads and executes.

Top 20 threats to macOS

Verdict %*
1 Trojan-Downloader.OSX.Shlayer.a 19.27
2 AdWare.OSX.Pirrit.j 10.34
3 AdWare.OSX.Cimpli.k 6.69
4 AdWare.OSX.Ketin.h 6.27
5 AdWare.OSX.Pirrit.aa 5.75
6 AdWare.OSX.Pirrit.o 5.74
7 AdWare.OSX.Pirrit.x 5.18
8 AdWare.OSX.Spc.a 4.56
9 AdWare.OSX.Cimpli.f 4.25
10 AdWare.OSX.Bnodlero.t 4.08
11 AdWare.OSX.Bnodlero.x 3.74
12 Hoax.OSX.SuperClean.gen 3.71
13 AdWare.OSX.Cimpli.h 3.37
14 AdWare.OSX.Pirrit.v 3.30
15 AdWare.OSX.Amc.c 2.98
16 AdWare.OSX.MacSearch.d 2.85
17 RiskTool.OSX.Spigot.a 2.84
18 AdWare.OSX.Pirrit.s 2.80
19 AdWare.OSX.Ketin.d 2.76
20 AdWare.OSX.Bnodlero.aq 2.70

* Unique users attacked by this malware as a percentage of all users of Kaspersky security solutions for macOS who were attacked.

The top 20 threats for macOS did not undergo any major changes in Q1 2020. The adware trojan Shlayer.a (19.27%) still tops the leaderboard, followed by objects that Shlayer itself loads into the infected system, in particular, numerous adware apps from the Pirrit family.

Interestingly, the unwanted program Hoax.OSX.SuperClean.gen landed in 12th place on the list. Like other Hoax-type programs, it is distributed under the guise of a system cleanup app, and immediately after installation, scares the user with problems purportedly found in the system, such as gigabytes of trash on the hard drive.

Threat geography

Country* %**
1 Spain 7.14
2 France 6.94
3 Italy 5.94
4 Canada 5.58
5 USA 5.49
6 Russia 5.10
7 India 4.88
8 Mexico 4.78
9 Brazil 4.65
10 Belgium 4.65

* Excluded from the rankings are countries with relatively few users of Kaspersky security solutions for macOS (under 5,000).
** Unique users who encountered macOS threats as a percentage of all users of Kaspersky security solutions for macOS in the country.

The leading countries, as in previous quarters, were Spain (7.14%), France (6.94%) and Italy (5.94%). The main contributors to the number of detections in these countries were the familiar Shlayer trojan and adware apps from the Pirrit family.

IoT attacks

IoT threat statistics

In Q1 2020, the share of IP addresses from which attempts were made to attack Kaspersky telnet traps increased significantly. Their share amounted to 81.1% of all IP addresses from which attacks were carried out, while SSH traps accounted for slightly less than 19%.

SSH 18.9%
Telnet 81.1%

Distribution of attacked services by number of unique IP addresses of devices that carried out attacks, Q1 2020

It was a similar situation with control sessions: attackers often controlled infected traps via telnet.

SSH 39.62%
Telnet 60.38%

Distribution of cybercriminal working sessions with Kaspersky traps, Q1 2020

Telnet-based attacks

Geography of device IP addresses where attacks at Kaspersky telnet traps originated, Q1 2020 (download)

Top 10 countries by location of devices from which attacks were carried out on Kaspersky telnet traps.

Country* %
China 13.04
Egypt 11.65
Brazil 11.33
Vietnam 7.38
Taiwan 6.18
Russia 4.38
Iran 3.96
India 3.14
Turkey 3.00
USA 2.57

For several quarters in a row, the leading country by number of attacking bots has been China: in Q1 2020 its share stood at 13.04%. As before, it is followed by Egypt (11.65%) and Brazil (11.33%).

SSH-based attacks

Geography of device IP addresses where attacks at Kaspersky SSH traps originated, Q1 2020 (download)

Top 10 countries by location of devices from which attacks were made on Kaspersky SSH traps.

Country* %
China 14.87
Vietnam 11.58
USA 7.03
Egypt 6.82
Brazil 5.79
Russia 4.66
India 4.16
Germany 3.64
Thailand 3.44
France 2.83

In Q1 2020, China (14.87%), Vietnam (11.58%) and the US (7.03%) made up the top three countries by number of unique IPs from which attacks on SSH traps originated.

Threats loaded into honeypots

Verdict %*
Trojan-Downloader.Linux.NyaDrop.b 64.35
Backdoor.Linux.Mirai.b 16.75
Backdoor.Linux.Mirai.ba 6.47
Backdoor.Linux.Gafgyt.a 4.36
Backdoor.Linux.Gafgyt.bj 1.30
Trojan-Downloader.Shell.Agent.p 0.68
Backdoor.Linux.Mirai.c 0.64
Backdoor.Linux.Hajime.b 0.46
Backdoor.Linux.Mirai.h 0.40
Backdoor.Linux.Gafgyt.av 0.35

* Share of malware type in the total amount of malware downloaded to IoT devices following a successful attack.

In Q1 2020, attackers most often downloaded the minimalistic trojan loader NyaDrop (64.35%), whose executable file does not exceed 500 KB. Threats from the Mirai family traditionally dominated: its members claimed four places in our top 10. These malicious programs will continue to rule the world of IoT threats for a long time to come, at least until the appearance of a more advanced (and publicly available) DDoS bot.

Financial threats

Financial threat statistics

In Q1 2020, Kaspersky solutions blocked attempts to launch one or several types of malware designed to steal money from bank accounts on the computers of 249,748 users.

Number of unique users attacked by financial malware, Q1 2020 (download)

Attack geography

To assess and compare the risk of being infected by banking trojans and ATM/POS malware in various countries, for each country we calculated the share of users of Kaspersky products that faced this threat during the reporting period out of all users of our products in that country.

Geography of banking malware attacks, Q1 2020 (download)

Top 10 countries by share of attacked users

Country* %**
1 Uzbekistan 10.5
2 Tajikistan 6.9
3 Turkmenistan 5.5
4 Afghanistan 5.1
5 Yemen 3.1
6 Kazakhstan 3.0
7 Guatemala 2.8
8 Syria 2.4
9 Sudan 2.1
10 Kyrgyzstan 2.1

* Excluded are countries with relatively few Kaspersky product users (under 10,000).
** Unique users whose computers were targeted by financial malware as a percentage of all unique users of Kaspersky products in the country.

Top 10 banking malware families

Name Verdicts %*
1 Emotet Backdoor.Win32.Emotet 21.3
2 Zbot Trojan.Win32.Zbot 20.8
3 CliptoShuffler Trojan-Banker.Win32.CliptoShuffler 17.2
4 RTM Trojan-Banker.Win32.RTM 12.3
5 Nimnul Virus.Win32.Nimnul 3.6
6 Trickster Trojan.Win32.Trickster 3.6
7 Neurevt Trojan.Win32.Neurevt 3.3
8 SpyEye Trojan-Spy.Win32.SpyEye 2.3
9 Danabot Trojan-Banker.Win32.Danabot 2.0
10 Nymaim Trojan.Win32.Nymaim 1.9

* Unique users attacked by this malware family as a percentage of all users attacked by financial malware.

Ransomware programs

Quarterly highlights

Ransomware attacks on organizations, as well as on city and municipal networks, did not ease off. Given how lucrative they are for cybercriminals, there is no reason why this trend of several years should cease.

More and more ransomware is starting to supplement encryption with data theft. To date, this tactic has been adopted by distributors of ransomware families, including Maze, REvil/Sodinokibi, DoppelPaymer and JSWorm/Nemty/Nefilim. If the victim refuses to pay the ransom for decryption (because, say, the data was recovered from a backup copy), the attackers threaten to put the stolen confidential information in the public domain. Such threats are sometimes empty, but not always: the authors of several ransomware programs have set up websites that do indeed publish the data of victim organizations.

Number of new modifications

In Q1 2020, we detected five new ransomware families and 5,225 new modifications of these malware programs.

Number of new ransomware modifications detected, Q1 2019 – Q1 2020 (download)

Number of users attacked by ransomware trojans

In Q1 2020, Kaspersky products and technologies protected 178,922 users from ransomware attacks.

Number of unique users attacked by ransomware trojans, Q1 2020 (download)

Attack geography

Geography of attacks by ransomware trojans, Q1 2020 (download)

Top 10 countries attacked by ransomware trojans

Country* %**
1 Bangladesh 6.64
2 Uzbekistan 1.98
3 Mozambique 1.77
4 Ethiopia 1.67
5 Nepal 1.34
6 Afghanistan 1.31
7 Egypt 1.21
8 Ghana 0.83
9 Azerbaijan 0.81
10 Serbia 0.74

* Excluded are countries with relatively few Kaspersky users (under 50,000).
** Unique users whose computers were attacked by ransomware trojans as a percentage of all unique users of Kaspersky products in the country.

Top 10 most common families of ransomware trojans

Name Verdicts %*
1 WannaCry Trojan-Ransom.Win32.Wanna 19.03
2 (generic verdict) Trojan-Ransom.Win32.Gen 16.71
3 (generic verdict) Trojan-Ransom.Win32.Phny 16.22
4 GandCrab Trojan-Ransom.Win32.GandCrypt 7.73
5 Stop Trojan-Ransom.Win32.Stop 6.62
6 (generic verdict) Trojan-Ransom.Win32.Encoder 4.28
7 (generic verdict) Trojan-Ransom.Win32.Crypren 4.15
8 PolyRansom/VirLock Virus.Win32.PolyRansom, Trojan-Ransom.Win32.PolyRansom 2.96
9 Crysis/Dharma Trojan-Ransom.Win32.Crusis 2.02
10 (generic verdict) Trojan-Ransom.Win32.Generic 1.56

* Unique Kaspersky users attacked by the specified family of ransomware trojans as a percentage of all users attacked by ransomware trojans.

Miners

Number of new modifications

In Q1 2020, Kaspersky solutions detected 192,036 new miner modifications.

Number of new miner modifications, Q1 2020 (download)

Number of users attacked by miners

In Q1, we detected attacks using miners on the computers of 518,857 unique users of Kaspersky Lab products worldwide.

Number of unique users attacked by miners, Q1 2020 (download)

Attack geography

Geography of miner attacks, Q1 2020 (download)

Top 10 countries attacked by miners

Country* %**
1 Afghanistan 6.72
2 Ethiopia 4.90
3 Tanzania 3.26
4 Sri Lanka 3.22
5 Uzbekistan 3.10
6 Rwanda 2.56
7 Vietnam 2.54
8 Kazakhstan 2.45
9 Mozambique 1.96
10 Pakistan 1.67

* Excluded are countries with relatively few users of Kaspersky products (under 50,000).
** Unique users whose computers were attacked by miners as a percentage of all unique users of Kaspersky products in the country.

Vulnerable applications used by cybercriminals during cyberattacks

We already noted that Microsoft Office vulnerabilities are the most common ones. Q1 2020 was no exception: the share of exploits for these vulnerabilities grew to 74.83%. The most popular vulnerability in Microsoft Office was CVE-2017-11882, which is related to a stack overflow error in the Equation Editor component. Hard on its heels was CVE-2017-8570, which is used to embed a malicious script in an OLE object inside an Office document. Several other vulnerabilities, such as CVE-2018-0802 and CVE-2017-8759, were also popular with attackers. In the absence of security updates for Microsoft Office, these vulnerabilities are successfully exploited and the user’s system becomes infected.

In second place were exploits for vulnerabilities in Internet browsers (11.06%). In Q1, cybercriminals attacked a whole host of browsers, including Microsoft Internet Explorer, Google Chrome, and Mozilla Firefox. What’s more, some of the vulnerabilities were used in APT attacks, such as CVE-2020-0674, which is associated with the incorrect handling of objects in memory in an outdated version of the JScript scripting engine in Internet Explorer, leading to code execution. Another example is the previously identified CVE-2019-17026, a data type mismatch vulnerability in Mozilla Firefox’s JIT compiler, which also leads to remote code execution. In the event of a successful attack, both browser exploits cause a malware infection. The researchers also detected a targeted attack against Google Chrome exploiting the RCE vulnerability CVE-2020-6418 in the JavaScript engine; in addition, the dangerous RCE vulnerability CVE-2020-0767 was detected in a component of the ChakraCore scripting engine used by Microsoft Edge. Although modern browsers have their own protection mechanisms, cybercriminals are forever finding ways around them, very often using chains of exploits to do so. Therefore, it is vital to keep the operating system and software up to date at all times.

Distribution of exploits used in attacks by type of application attacked, Q1 2020 (download)

This quarter, a wide range of critical vulnerabilities were detected in operating systems and their components.

  • CVE-2020-0601 is a vulnerability that exploits an error in the core cryptographic library of Windows, in a certificate validation algorithm that uses elliptic curves. This vulnerability enables the use of fake certificates that the system recognizes as legitimate.
  • CVE-2020-0729 is a vulnerability in processing LNK files in Windows, which allows remote code execution if the user opens a malicious shortcut.
  • CVE-2020-0688 is the result of a default configuration error in Microsoft Exchange Server, whereby the same cryptographic keys are used to sign and encrypt serialized ASP.NET ViewState data, enabling attackers to execute their own code on the server side with system rights.

Various network attacks on system services and network protocols were as popular as ever with attackers. We continue to detect attempts at exploiting vulnerabilities in the SMB protocol using EternalBlue, EternalRomance and similar sets of exploits. In Q1 2020, the new vulnerability CVE-2020-0796 (SMBGhost) was detected in the SMBv3 network protocol, leading to remote code execution; the attacker does not even need to know a username/password combination, since the error occurs before the authentication stage. However, it is present only in Windows 10. Two critical vulnerabilities (CVE-2020-0609 and CVE-2020-0610) were found in Remote Desktop Gateway, enabling an unauthorized user to execute remote code on the target system. In addition, there were more frequent attempts to brute-force passwords to Remote Desktop Services and Microsoft SQL Server via the SMB protocol as well.

Attacks via web resources

The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Malicious websites are specially created by cybercriminals; web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected.

Countries that are sources of web-based attacks: Top 10

The following statistics show the distribution by country of the sources of Internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites containing exploits and other malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks.

To determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established.

In Q1 2020, Kaspersky solutions defeated 726,536,269 attacks launched from online resources located in 203 countries worldwide. As many as 442,039,230 unique URLs were recognized as malicious by Web Anti-Virus components.

Distribution of web-based attack sources by country, Q1 2020 (download)

Countries where users faced the greatest risk of online infection

To assess the risk of online infection faced by users in different countries, for each country, we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries.

This rating only includes attacks by malicious programs that fall under the Malware class; it does not include Web Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.

Country* % of attacked users**
1 Bulgaria 13.89
2 Tunisia 13.63
3 Algeria 13.15
4 Libya 12.05
5 Bangladesh 9.79
6 Greece 9.66
7 Latvia 9.64
8 Somalia 9.20
9 Philippines 9.11
10 Morocco 9.10
11 Albania 9.09
12 Taiwan, Province of China 9.04
13 Mongolia 9.02
14 Nepal 8.69
15 Indonesia 8.62
16 Egypt 8.61
17 Georgia 8.47
18 France 8.44
19 Palestine 8.34
20 Qatar 8.30

* Excluded are countries with relatively few Kaspersky users (under 10,000).
** Unique users targeted by Malware-class attacks as a percentage of all unique users of Kaspersky products in the country.

These statistics are based on detection verdicts returned by the Web Anti-Virus module that were received from users of Kaspersky products who consented to providing statistical data.

On average, 6.56% of Internet users' computers worldwide experienced at least one Malware-class attack.

Geography of malicious web-based attacks, Q1 2020 (download)

Local threats

In this section, we analyze statistical data obtained from the OAS and ODS modules in Kaspersky products. It takes into account malicious programs that were found directly on users’ computers or removable media connected to computers (flash drives, camera memory cards, phones, external hard drives), or which initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.).

In Q1 2020, our File Anti-Virus registered 164,653,290 malicious and potentially unwanted objects.

Countries where users faced the highest risk of local infection

For each country, we calculated the percentage of Kaspersky product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal-computer infection in different countries.

Note that this rating only includes attacks by malicious programs that fall under the Malware class; it does not include File Anti-Virus triggers in response to potentially dangerous or unwanted programs, such as RiskTool or adware.

Country* % of attacked users**
1 Afghanistan 52.20
2 Tajikistan 47.14
3 Uzbekistan 45.16
4 Ethiopia 45.06
5 Myanmar 43.14
6 Bangladesh 42.14
7 Kyrgyzstan 41.52
8 Yemen 40.88
9 China 40.67
10 Benin 40.21
11 Mongolia 39.58
12 Algeria 39.55
13 Laos 39.21
14 Burkina Faso 39.09
15 Malawi 38.42
16 Sudan 38.34
17 Rwanda 37.84
18 Iraq 37.82
19 Vietnam 37.42
20 Mauritania 37.26

* Excluded are countries with relatively few Kaspersky users (under 10,000).
** Unique users on whose computers Malware-class local threats were blocked as a percentage of all unique users of Kaspersky products in the country.

Geography of local infection attempts, Q1 2020 (download)

Overall, 19.16% of user computers globally faced at least one Malware-class local threat during Q1.

MonitorMinor: vicious stalkerware? https://securelist.com/monitorminor-vicious-stalkerware/95575/ Mon, 16 Mar 2020 10:00:00 +0000

Updated March 17th, 2020

The other day, our Android traps ensnared an interesting specimen of commercial software that is positioned as a parental control app, but may also be used to secretly monitor family members or colleagues – or, in other words, for stalking. Such apps are often called stalkerware. On closer inspection, we found that this app outstrips all existing software of its class in terms of functionality. Let’s take a look one step at a time.

Modern stalkerware

What is the usual functionality of stalkerware? The most basic thing is to transmit the victim’s current geolocation. There are many such “stalkers”: since the coordinates are displayed by dedicated web resources, the apps themselves only contain a few lines of code.

Often, their creators use geofencing technology, whereby a notification about the victim’s movements is sent only if they go beyond (or enter) a particular area. In some cases, functions to intercept SMS and call data (spyware that’s able to log them is much less common) are added to the geolocation transmission.

But today, SMS are used mainly for receiving one-time passwords and not much else — their niche has been captured almost entirely by messengers, which these days even facilitate business negotiations. Moreover, they claim to be an alternative to “traditional” voice communication. So any software with tracking/spying functionality worth its salt must be able to intercept data from messengers. The sample we found (assigned the verdict Monitor.AndroidOS.MonitorMinor.c) is a rare piece of monitoring software, potentially usable for stalking, that can do this.

MonitorMinor features

In a “clean” Android operating system, direct communication between apps is prevented by the sandbox, so stalkerware cannot simply turn up and gain access to, say, WhatsApp messages. This access model is called DAC (Discretionary Access Control). When an app is installed on the system, a new account and app directory are created, the latter being accessible only to this account. For example, WhatsApp stores the user’s chat history in the file /data/data/com.whatsapp/databases/msgstore.db, which only the user and WhatsApp itself have access to. Other messengers work in a similar way.

The situation changes if a SuperUser-type app (SU utility) is installed, which grants root access to the system. Exactly how they get on the device — installed at the factory, by a user, or even by malware — is not so important. The main point is that they cause one of the system’s key security mechanisms to cease to exist (in fact, all security systems cease to exist, but it is DAC that we are interested in right now).

It is the presence of this utility that the creators of MonitorMinor are perhaps counting on. By escalating privileges (running the SU utility), it gains full access to data in the following apps:

  • LINE: Free Calls & Messages
  • Gmail
  • Zalo – Video Call
  • Instagram
  • Facebook
  • Kik
  • Hangouts
  • Viber
  • Hike News & Content
  • Skype
  • Snapchat
  • JusTalk
  • BOTIM

In other words, all the most popular modern communication tools.

Intercepting the device unlock code

MonitorMinor’s functionality is not limited to intercepting data from social networking apps and messengers: using root privileges, it extracts the file /data/system/gesture.key from the device, which contains the hash sum for the screen unlock pattern or the password. This lets the MonitorMinor operator unlock the device when it is nearby, or the next time the operator has physical access to it. This is the first time we have registered such a function in all our experience of monitoring mobile platform threats.

Persistence

When MonitorMinor acquires root access, it remounts the system partition from read-only to read/write mode, then copies itself to it, deletes itself from the user partition, and remounts it back to read-only mode. After this “castling” move, the application cannot be removed using regular OS tools. Sure, the option to escalate privileges is not available on all devices, and without root one might assume that the software would be less effective. But not if it’s MonitorMinor.

MonitorMinor features without root

Android is a very user-friendly operating system. It is especially friendly to users with disabilities: with the Accessibility Services API, the phone can read aloud incoming messages and any other text in app windows. What’s more, with the help of Accessibility Services, it is possible to obtain in real time the structure of the app window currently displayed on the smartphone screen: input fields, buttons, their names, etc.

It is this API that the stalkerware uses to intercept events in the above-listed apps. Put simply, even without root, MonitorMinor is able to operate effectively on all devices with Accessibility Services (which means most of them).

A keylogger function is also implemented in this app through this same API. That is, MonitorMinor’s reach is not limited to social networks and messengers: everything entered by the victim is automatically sent to the MonitorMinor servers. The app also monitors the clipboard and forwards the contents. The app also allows its owner to:

  • Control the device using SMS commands
  • View real-time video from the device’s cameras
  • Record sound from the device’s microphone
  • View browsing history in Chrome
  • View usage statistics for certain apps
  • View the contents of the device’s internal storage
  • View the contacts list
  • View the system log

Propagation

According to KSN statistics, India currently has the largest share of installations of this application (14.71%). In addition, a Gmail account with an Indian name is stitched into the body of MonitorMinor, which hints at its country of origin. That said, we also discovered control panels in Turkish and English.

The second country in terms of usage is Mexico (11.76%), followed by Germany, Saudi Arabia, and the UK (5.88%), separated by only a few thousandths of one percent.

Map of users attacked by MonitorMinor (all attacks), November – December 2019

Conclusion

MonitorMinor is superior to other tracking apps that can be used for stalking purposes in many aspects. It implements all kinds of tracking features, some of which are unique, and it is almost impossible to detect on the victim’s device. If the device has root access, its operator has even more options available. For example, they can retrospectively view what the victim has been doing on social networks. Note too that Monitor.AndroidOS.MonitorMinor.c is obfuscated, which means that its creators may be aware of the existence of anti-stalkerware tools and try to counter them.

Yet we should note that the License agreement available on the website, from which the application is distributed, clearly states that users of the application are not allowed to use it for silent monitoring of another person without written consent. Moreover, the authors of the agreement warn that in some countries such actions may be subject to investigation by law enforcement agencies. So, formally, it is hard to deny that the developers of this application took steps to provide information about the potential consequences of unlawful usage of the app.

On the other hand, we can’t see how this information can help potential targets of stalkers that would decide to use this app. It is very intrusive and is able to exist on the target’s device without being visible to its owner, and it can silently harvest practically every bit of the target’s personal communications. Due to the powerful characteristics of this app, we decided to draw attention to it and inform those who defend people from stalkerware of the potential threat it poses. This is not just another parental control application.

The market has plenty of Parental Control solutions that do their job properly without providing the “Parent” with a super set of instruments to track their “kids’” personal life. We are not in a position to teach other developers how to create parental control applications; however, it is our job to let our clients and other parties know when there is something out there that could be used to significantly encroach on their privacy.

IOCs

ECAC763FEFF38144E2834C43DE813216

Mobile malware evolution 2019 https://securelist.com/mobile-malware-evolution-2019/96280/ Tue, 25 Feb 2020 10:00:43 +0000

These statistics are based on detection verdicts of Kaspersky products received from users who consented to provide statistical data.

Figures of the year

In 2019, Kaspersky mobile products and technologies detected:

  • 3,503,952 malicious installation packages.
  • 69,777 new mobile banking Trojans.
  • 68,362 new mobile ransomware Trojans.

In summing up 2019, two trends in particular stick out:

  • Attacks on users’ personal data became more frequent.
  • Detections of Trojans on the most popular application marketplaces became more frequent.

This report discusses each in more detail below, with examples and statistics.

Attacks on personal data: stalkerware

Over the past year, the number of attacks on the personal data of mobile device users increased by half: from 40,386 unique users in 2018 to 67,500 in 2019. This is not about classic spyware or Trojans, but so-called stalkerware.

Number of unique users attacked by stalkerware in 2018–2019

Stalkerware can be divided into two major categories:

  • Trackers.
  • Full-fledged tracking apps.

The creators of trackers generally focus on two main features: tracking victims’ coordinates and intercepting text messages. Until recently, many such apps, mostly free, were available on the official Google Play marketplace. After Google Play changed its policy in late 2018, most of them were removed from the store, and most developers pulled support for their products. However, such trackers can still be found on their developers’ and third-party sites.

If such an app gets onto a device, messages and data about the user’s location become accessible to third parties. These third parties are not necessarily only those tracking the user: the client-server interaction of some services ignores even the minimum security requirements, allowing anyone to gain access to the accumulated data.

The situation of full-fledged stalkerware is somewhat different: there are no such apps on Google Play, but they are actively supported by developers. These tend to be commercial solutions with extensive spying capabilities. They can harvest almost any data on a compromised device: photos (both entire archives and individual pictures, for example, taken at a certain location), phone calls, texts, location information, screen taps (keylogging), and so on.

Screenshot from the site of a stalkerware app developer showing the capabilities of the software

Many apps exploit root privileges to extract messaging history from protected storage in social networking and instant messaging applications. If it cannot gain the required access, the stalkerware can take screenshots, log screen taps and even extract the text of incoming and outgoing messages from the windows of popular services using the Accessibility feature. One example is the commercial spyware app Monitor Minor.

Screenshot from the site of a stalkerware app developer showing the software’s ability to intercept data from social networks and messengers

The developers of the commercial spyware FinSpy went one step further by adding a feature to intercept correspondence in secure messengers, such as Signal, Threema and others. To ensure interception, the app independently obtains root privileges by exploiting the vulnerability CVE-2016-5195, aka “Dirty Cow”. The expectation is that the victim is using an old device with an outdated operating system kernel in which the exploit can escalate privileges to root.

It is worth noting that the user base of messaging apps includes hundreds of millions. Classic calls and texts are being used less and less, and communication — be it text messages or voice/video calls — is gradually moving to instant messaging applications. Hence the rising interest in data stored in such apps.

Attacks on personal data: advertising apps

In 2019, we observed a significant increase in the number of adware threats, one purpose being to harvest personal data on mobile devices.

The statistics show that the number of users attacked by adware in 2019 is roughly unchanged from 2018.

Number of users attacked by adware in 2018 and 2019

At the same time, the number of detected adware installation packages almost doubled from 2018.

Number of detected adware installation packages in 2018 and 2019

These indicators typically correlate, but not in the case of adware. This can be explained by several factors:

  • Adware installation packages are generated automatically and spread literally everywhere, but for some reason do not reach the target audience. It is possible that they get detected immediately after being generated and cannot propagate further.
  • Often, such apps contain nothing useful, just an adware module, so the victim deletes them immediately, provided they allow themselves to be removed.

Nevertheless, it is the second successive year that adware has appeared in our Top 3 detected threats. KSN statistics confirm it to be one of the most common types of threats: four places in our Top 10 mobile threats by number of users attacked in 2019 are reserved for adware-class apps, with one member of the HiddenAd family taking third place.

Verdict %*
1 DangerousObject.Multi.Generic 35.83
2 Trojan.AndroidOS.Boogr.gsh 8.30
3 AdWare.AndroidOS.HiddenAd.et 4.60
4 AdWare.AndroidOS.Agent.f 4.05
5 Trojan.AndroidOS.Hiddapp.ch 3.89
6 DangerousObject.AndroidOS.GenericML 3.85
7 AdWare.AndroidOS.HiddenAd.fc 3.73
8 Trojan.AndroidOS.Hiddapp.cr 2.49
9 AdWare.AndroidOS.MobiDash.ap 2.42
10 Trojan-Dropper.AndroidOS.Necro.n 1.84

*Share of all users attacked by this type of malware in the total number of users attacked.

In 2019, mobile adware developers not only generated tens of thousands of packages, but also technically enhanced their products, in particular through the addition of techniques to bypass operating system restrictions.

For example, Android imposes certain restrictions on background operation of applications for battery-saving reasons. This negatively impacts the operation of various threats, including adware apps that like to lurk in the background and wait for, say, a new banner to arrive from C&C. The introduction of such restrictions made it impossible for apps to show ads outside the context of their own window, thus starving most adware of oxygen.

The creators of the KeepMusic adware family found a smart workaround. To bypass the restrictions, their software does not request permissions the way malware, for example, does. Instead, the program starts looping an MP3 file that plays silence. The operating system decides that a music player is running and does not terminate the KeepMusic background process. As a result, the adware can request a banner from the server and display it at any time.

Attacks on personal data: exploiting access to Accessibility

The year 2019 saw the appearance of the first specimen of mobile financial malware (Trojan-Banker.AndroidOS.Gustuff.a), featuring enhanced autonomy. Until then, two methods had been used to steal money from bank accounts:

  • Via SMS banking on the victim end. This is an autonomous theft technique that requires only information about the transfer recipient. The bot can either store this data in its body or receive it as a command from C&C. The Trojan infects the device and sends a text with a transfer request to a special bank phone number. The bank then automatically transfers the funds to the recipient from the device owner’s account. Due to the increase in such theft, limits on mobile transfers have been tightened, so this attack vector has been relegated to backup.
  • By stealing online banking credentials. This has been the dominant method in recent years. Cybercriminals display a phishing window on the victim’s device that mimics the bank’s login page and reels in the victim’s credentials. In this case, the cybercriminals need to carry out the transaction themselves, using the app on their own mobile device or a browser. It is possible that the bank’s anti-fraud systems can detect the abnormal activity and block it, leaving the attackers empty-handed even if the victim’s device is infected.

In 2019, cybercriminals mastered a third method: stealing by manipulating banking apps. First, the victim is persuaded to run the app and sign in, for example, using a fake push notification supposedly from the bank. Tapping the notification does indeed open the banking app, which the attackers, using Accessibility, gain full control over, enabling them to fill out forms, tap buttons, etc. Moreover, the bot operator does not need to do anything, because the malware performs all actions required. Such transactions are trusted by banks, and the maximum transfer amount can exceed the limits of SMS banking by an order of magnitude. As a result, the cybercriminals can clean out the account in one go.

Stealing funds from bank accounts is just one malicious use of Accessibility. In effect, any malware with these permissions can control all on-screen processes, while any Android app is basically a visual representation of buttons, data entry forms, information display, and so on. Even if developers implement their own control elements, such as a slider that needs to be moved at a certain speed, this too can be done using Accessibility commands. Thus, cybercriminals have tremendous leeway to create what are perhaps the most dangerous classes of mobile malware: spyware, banking Trojans and ransomware Trojans.

The misuse of the Accessibility features poses a serious threat to users’ personal data. Where previously cybercriminals had to overlay phishing windows and request a bunch of permissions in order to steal personal information, now victims themselves output all necessary data to the screen or enter it in forms, where it can be easily gleaned. And if the malware needs more, it can open the Settings section by itself, tap a few buttons, and obtain the necessary permissions.
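One practical check that follows from this section, written here as an added example and not code from Kaspersky or the report: it parses the output of two standard adb shell commands (a constructed sample is embedded) and flags enabled accessibility services that are neither on a trusted list nor installed from Google Play. The setting name and the pm listing format are standard Android; the package names in the sample are made up.

```python
"""Triage check for Android Accessibility abuse (added example, not Kaspersky code).

Assumes two outputs captured with `adb shell` from the device under review:
  settings get secure enabled_accessibility_services
  pm list packages -i
plus an allowlist of accessibility-service packages the reviewer trusts.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

PLAY_STORE_INSTALLER = "com.android.vending"


@dataclass(frozen=True)
class Finding:
    component: str            # flattened ComponentName, e.g. "pkg/.ServiceClass"
    package: str
    installer: Optional[str]  # None = no recorded install source (sideloaded / adb)
    verdict: str              # "trusted", "play-installed" or "sideloaded"


def parse_enabled_services(setting_value: str) -> List[str]:
    """Split the colon-separated ENABLED_ACCESSIBILITY_SERVICES value."""
    value = setting_value.strip()
    if not value or value == "null":
        return []
    return [component for component in value.split(":") if component]


def parse_installers(pm_listing: str) -> Dict[str, Optional[str]]:
    """Map package -> installer from `pm list packages -i` lines.

    Each line looks like 'package:com.foo  installer=com.android.vending';
    'installer=null' means the package has no recorded install source.
    """
    installers: Dict[str, Optional[str]] = {}
    for line in pm_listing.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        pkg_part, _, inst_part = line[len("package:"):].partition("installer=")
        installer = inst_part.strip() or "null"
        installers[pkg_part.strip()] = None if installer == "null" else installer
    return installers


def flag_accessibility_services(setting_value: str, pm_listing: str,
                                trusted_packages: Set[str]) -> List[Finding]:
    """Classify every enabled accessibility service by origin.

    A Play Store installer is weaker evidence than the allowlist: the report
    notes that Trojans such as Joker reached Google Play, so "play-installed"
    still deserves a look, while "sideloaded" is the strongest signal.
    """
    installers = parse_installers(pm_listing)
    findings: List[Finding] = []
    for component in parse_enabled_services(setting_value):
        package = component.split("/", 1)[0]
        installer = installers.get(package)
        if package in trusted_packages:
            verdict = "trusted"
        elif installer == PLAY_STORE_INSTALLER:
            verdict = "play-installed"
        else:
            verdict = "sideloaded"
        findings.append(Finding(component, package, installer, verdict))
    return findings


# Constructed sample device state: a screen reader plus an unknown sideloaded service.
SAMPLE_ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
    ":com.example.sideloaded/.AccessibilityHelperService"
)
SAMPLE_PM_LISTING = """package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.sideloaded  installer=null
package:com.example.bank  installer=com.android.vending
"""
TRUSTED_PACKAGES = {"com.google.android.marvin.talkback"}

if __name__ == "__main__":
    for finding in flag_accessibility_services(SAMPLE_ENABLED_SERVICES,
                                               SAMPLE_PM_LISTING, TRUSTED_PACKAGES):
        print(f"{finding.verdict:15} {finding.component} (installer={finding.installer})")
```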

Slipping malware into the main Android app store delivers much better results than social engineering victims into installing apps from third-party sources. In addition, this approach enables attackers to:

  • Bypass SafetyNet, Android’s built-in antivirus protection. If a user downloads an app from Google Play, the likelihood that it will be installed without additional requests — for example, to disable the built-in protection under an imaginary pretext — is very high. The only thing that can protect the user from infection in that situation is a third-party security solution.
  • Overcome psychological barriers. Official app stores enjoy far greater trust than third-party “markets,” and act as store windows of sorts that can be used for distributing software much more efficiently.
  • Target victims without unnecessary spending. Google Play can be used to host fakes that visually mimic, say, popular banking apps. This was the distribution vector used in a spate of attacks on mobile users in Brazil: we detected numerous malicious programs on Google Play under the guise of mobile apps for Brazilian banks.

In addition to malicious doppelgangers, cybercriminals deployed several other tricks to maximize device infection rates:

  • The case of CamScanner showed that an app’s legitimate behavior can be supplemented with malicious functions by updating its code for handling advertising. This could be described as the most sophisticated attack vector, since its success depends on a large number of factors, including the user base of the host app, the developer’s trust in third-party advertising code and the type of malicious activity.
  • Another example demonstrates that attackers sometimes upload to Google Play fairly well-behaved apps from popular user categories. In this case, it was photo editors.
  • The most depressing case involves a Trojan from the Joker family, of which we have found many samples on Google Play, and still are. Deploying the tactic of mass posting, cybercriminals uploaded apps under all kinds of guises: from wallpaper-changing tools and security solutions to popular games. In some cases, the Trojan scored hundreds of thousands of downloads. No other attack vector can reach this kind of audience within such a short space of time.

The good news is that Google and the antivirus industry have teamed up to fight threats on the site. This approach should prevent most malware from penetrating the official Google app store.

Statistics

In 2019, we discovered 3,503,952 mobile malicious installation packages, which is 1,817,190 less than in the previous year. We have not detected so few mobile threats since 2015.

Number of mobile malicious installation packages for Android in 2015–2019

For three consecutive years, we have seen an overall decline in the number of mobile threats distributed as installation packages. The picture largely depends on specific cybercriminal campaigns: some have become less active, others have completely ceased, and new players have yet to gain momentum.

The situation is similar with the number of attacks using mobile threats: whereas in 2018 we observed a total of 116.5 million attacks, in 2019 the figure was down to 80 million.

Number of attacks defeated by Kaspersky mobile solutions in 2018–2019

The figures returned to the level of the year before the Asacub banking Trojan epidemic began.

Since the number of attacks correlates with the number of users attacked, we observed a similar picture for this indicator.

Number of users attacked by mobile malware in 2018–2019

Geography of attacked users in 2019

Top 10 countries by share of users attacked by mobile malware:

Country* %**
Iran 60.64
Pakistan 44.43
Bangladesh 43.17
Algeria 40.20
India 37.98
Indonesia 35.12
Nigeria 33.16
Tanzania 28.51
Saudi Arabia 27.94
Malaysia 27.36

*Excluded from the rankings are countries with fewer than 25,000 active users of Kaspersky mobile security solutions in the reporting period.
**Unique users attacked in the country as a percentage of all users of Kaspersky mobile security solutions in the country.

In 2019, Iran (60.64%) topped the list for the third year in a row. The most common threats in that country come from adware and potentially unwanted software: Trojan.AndroidOS.Hiddapp.bn, AdWare.AndroidOS.Agent.fa, and RiskTool.AndroidOS.Dnotua.yfe.

Pakistan (44.43%) climbed from seventh to second place, mainly on the back of a rise in the number of users attacked by adware. The largest contribution was made by members of the AdWare.AndroidOS.HiddenAd family. A similar picture can be seen in Bangladesh (43.17%), whose share has grown due to the same adware families.

Types of mobile threats

Distribution of new mobile threats by type in 2018 and 2019

In 2019, the share of RiskTool-class threats decreased by 20 p.p. (32.46%). We believe the main reason to be the sharp drop in the generation of threats from the SMSreg family. A characteristic feature of this family is payments via SMS: for example, money transfers or subscriptions to mobile services. Moreover, the user is not explicitly informed of the payment or money being charged to their mobile account. Whereas in 2018, we picked up 1,970,742 SMSreg installation packages, the number decreased by an order of magnitude to 193,043 in 2019. At the same time, far from declining, the number of packages of other members of this class of threats increased noticeably.

Name of family %*
1 Agent 27.48
2 SMSreg 16.89
3 Dnotua 13.83
4 Wapron 13.73
5 SmsSend 9.15
6 Resharer 4.62
7 SmsPay 3.55
8 PornVideo 2.51
9 Robtes 1.23
10 Yoga 1.03

*Share of packages of this family in the total number of riskware-class packages detected in 2019.

Skymobi and Paccy dropped out of the Top 10 families of potentially unwanted software; the number of installation packages of these families detected in 2019 decreased tenfold. Their creators likely minimized or even ceased their development and distribution. However, a new player appeared: the Resharer family (4.62%), which ranked sixth. This family is noted for its self-propagation through posting information about itself on various sites and mailing it to the victim’s contacts.

Adware demonstrated the most impressive growth, up by 14 p.p. The main source of this growth was HiddenAd (26.81%); the number of installation packages of this family increased by two orders of magnitude against 2018.

Name of family %*
1 HiddenAd 26.81
2 MobiDash 20.45
3 Ewind 16.34
4 Agent 15.27
5 Dnotua 5.51
6 Kuguo 1.36
7 Dowgin 1.28
8 Triada 1.20
9 Feiad 1.01
10 Frupi 0.94

*Share of packages of this family in the total number of adware-class packages detected in 2019.

Significant growth also came from the MobiDash (20.45%) and Ewind (16.34%) families. Meanwhile, the Agent family (15.27%), which held a leading position in 2018, dropped to fourth place.

Compared to 2018, the number of mobile Trojans detected decreased sharply. A downward trend has been observed for two consecutive years now, yet droppers remain one of the most numerous malware classes. The Hqwar family showed the most notable decrease: down from 141,000 packages in 2018 to 22,000 in 2019. At the same time, 2019 saw the debut of the Ingopack family: we detected 115,654 samples of this dropper.

Meanwhile, the share of Trojan-class threats rose by 6 p.p., with the two most numerous malware families of this class being Boogr and Hiddapp. The Boogr family contains various Trojans that have been detected using machine-learning (ML) technology. A feature of the Hiddapp family is that it hides its icon in the list of installed apps while continuing to run in the background.

The share of mobile ransomware Trojans slightly increased. The Top 3 families of this class of threats remained the same as in 2018: Svpeng, Congur, and Fusob — in that order.

Top 20 mobile malware programs

The following malware rankings omit potentially unwanted software, such as RiskTool and AdWare.

Verdict %*
1 DangerousObject.Multi.Generic 49.15
2 Trojan.AndroidOS.Boogr.gsh 10.95
3 Trojan.AndroidOS.Hiddapp.ch 5.19
4 DangerousObject.AndroidOS.GenericML 5.08
5 Trojan-Dropper.AndroidOS.Necro.n 3.45
6 Trojan.AndroidOS.Hiddapp.cr 3.28
7 Trojan-Banker.AndroidOS.Asacub.snt 2.35
8 Trojan-Dropper.AndroidOS.Hqwar.bb 2.10
9 Trojan-Dropper.AndroidOS.Lezok.p 1.76
10 Trojan-Banker.AndroidOS.Asacub.a 1.66
11 Trojan-Downloader.AndroidOS.Helper.a 1.65
12 Trojan-Banker.AndroidOS.Svpeng.ak 1.60
13 Trojan-Downloader.AndroidOS.Necro.b 1.59
14 Trojan-Dropper.AndroidOS.Hqwar.gen 1.50
15 Exploit.AndroidOS.Lotoor.be 1.46
16 Trojan.AndroidOS.Hiddapp.cf 1.35
17 Trojan.AndroidOS.Dvmap.a 1.33
18 Trojan-Banker.AndroidOS.Agent.ep 1.31
19 Trojan.AndroidOS.Agent.rt 1.28
20 Trojan-Dropper.AndroidOS.Tiny.d 1.14

*Share of users attacked by this type of malware out of all attacked users

As we wrap up the year 2019, first place in our Top 20 mobile malware, as in previous years, goes to the verdict DangerousObject.Multi.Generic (49.15%), which we use for malware detected with cloud technology. The verdict is applied where the antivirus databases still have no signatures or heuristics for malware detection. This way, the most recent malware is uncovered.

In second place came the verdict Trojan.AndroidOS.Boogr.gsh (10.95%). This verdict is assigned to files recognized as malicious by our ML-based system. Another result of this system’s work is objects with the verdict DangerousObject.AndroidOS.GenericML (5.08%, fourth place in the rating). This verdict is assigned to files whose structure is identical to that of malicious files.

Third, sixth, and sixteenth places were taken by members of the Hiddapp family. We assign this verdict to any app that hides its icon in the list of apps immediately after starting. Subsequent actions of such apps may be anything from downloading or dropping other apps to displaying ads.

Fifth and thirteenth places went to members of the Necro family of droppers and loaders. In both threat classes, Necro members did not make it into the Top 10 by number of detected files. Even the weakened Hqwar family of droppers strongly outperformed Necro by number of generated objects. That said, users often encountered Necro members due to the family’s penetration of Google Play.

Seventh and tenth places went to the Asacub family of banking Trojans. Whereas at the start of the year, the Trojan’s operators were still actively spreading the malware, starting in March 2019, we noticed a drop in this family’s activity.

Number of unique users attacked by the Asacub mobile banking Trojan in 2019

Eighth and fourteenth places were reserved for droppers in the Hqwar family. Their activity dropped significantly from 80,000 attacked users in 2018 to 28,000 in 2019. However, we continue to register infection attempts by this family, and do not rule out its return to the top.

Number of unique users attacked by the Hqwar mobile dropper in 2019

In ninth position is another dropper, this time from the Lezok family: Trojan-Dropper.AndroidOS.Lezok.p (1.76%). A notable difference between this Trojan and Hqwar is that the malware penetrates the device before it arrives at the store. This is evidenced by KSN statistics showing that the Trojan was most often detected in the system directory under the names PhoneServer, GeocodeService, and similar.

Path to the detected threat Number of unique users attacked
1 /system/priv-app/PhoneServer/ 49,688
2 /system/priv-app/GeocodeService/ 9,747
3 /system/priv-app/Helper/ 6,784
4 /system/priv-app/com.android.telephone/ 5,030
5 /system/priv-app/ 1,396
6 /system/priv-app/CallerIdSearch/ 1,343

When the device is turned on, Lezok dumps its payload into the system; it does so even if the victim deletes the dumped files using regular OS tools or resets the device to the factory settings. The trick is that the Trojan forms part of the factory firmware and can reload (restore) the deleted files.

The final Trojan worthy of attention is Trojan-Downloader.AndroidOS.Helper.a (1.56%), which finished eleventh in the rankings. Despite claims to the contrary, it can be removed. However, the infected system contains another Trojan that installs a helper app, which cannot be removed that easily. According to KSN statistics, members of the Trojan-Downloader.AndroidOS.Triada and Trojan.AndroidOS.Dvmap families can act as delivery vehicles for the helper. After the victim removes the helper, a member of one of these two families loads and reinstalls it.

Mobile banking Trojans

In 2019, we detected 69,777 installation packages for mobile banking Trojans, which is half of last year’s figure. However, the share of banking Trojans out of all detected threats grew slightly as a consequence of the declining activity of other classes and families of mobile malware.

Number of installation packages of mobile banking Trojans detected by Kaspersky in 2019

The number of detected installation packages for banking Trojans, as well as the number of attacks, was influenced by the campaign to distribute the Asacub Trojan, whose activity plummeted from April 2019.

Number of attacks by mobile banking Trojans in 2018–2019

It is worth noting that the average number of attacks over the year was approximately 270,000 per month.

Top 10 countries by share of users attacked by banking Trojans

Country %*
1 Russia 0.72
2 South Africa 0.66
3 Australia 0.59
4 Spain 0.29
5 Tajikistan 0.21
6 Turkey 0.20
7 USA 0.18
8 Italy 0.17
9 Ukraine 0.17
10 Armenia 0.16

*Share of users attacked by mobile bankers out of all attacked users

Russia (0.72%) has headed our Top 10 for three consecutive years: many different Trojan families are focused on stealing credentials from Russian banking apps. These Trojans operate in other countries as well. For example, Asacub is the number one threat in Tajikistan, Ukraine, and Armenia, while the Svpeng family of Trojans is active in Russia and the US.

In South Africa (0.66%), the most common Trojan was Trojan-Banker.AndroidOS.Agent.dx, accounting for 95% of all users attacked by banking threats.

The most widespread Trojan in Australia (0.59%) was Trojan-Banker.AndroidOS.Agent.eq (77% of all users attacked by banking threats).

In Spain (0.29%), banking malware from the Cebruser and Trojan-Banker.AndroidOS.Agent.ep families is popular with cybercriminals (49% and 22% of all users attacked by banking threats, respectively).

Top 10 families of mobile bankers in 2019

Family %*
1 Asacub 44.40
2 Svpeng 22.40
3 Agent 19.06
4 Faketoken 12.02
5 Hqwar 3.75
6 Anubis 2.72
7 Marcher 2.07
8 Rotexy 1.46
9 Gugi 1.34
10 Regon 1.01

*Share of users attacked by this family of mobile bankers out of all users attacked by mobile banking Trojans

Mobile ransomware Trojans

In 2019, we detected 68,362 installation packages for ransomware Trojans, which is 8,186 more than in the previous year. However, we observed a decline in the generation of new ransomware packages throughout 2019. The minimum was recorded in December.

Number of new installation packages for mobile banking Trojans in Q1–Q4 2019

A similar picture is seen for attacked users. Whereas in early 2019 the number of attacked users peaked at 12,004, by the end of the year the figure had decreased 2.6-fold.

Number of users attacked by mobile ransomware Trojans in 2018–2019

Countries by share of users attacked by mobile ransomware in 2019

Top 10 countries by share of users attacked by ransomware Trojans

Country* %**
1 USA 2.03
2 Kazakhstan 0.56
3 Iran 0.37
4 Mexico 0.11
5 Saudi Arabia 0.10
6 Pakistan 0.10
7 Canada 0.10
8 Italy 0.09
9 Indonesia 0.08
10 Australia 0.06

*Excluded from the rating are countries with fewer than 25,000 active users of Kaspersky mobile solutions in the reporting period.
**Unique users attacked by mobile ransomware in the country as a percentage of all users of Kaspersky mobile solutions in the country.

For the third year in a row, first place by share of users attacked by mobile ransomware went to the US (2.03%). As in the previous year, the Svpeng ransomware family was the most commonly encountered in the country. It was also the most widespread in Iran (0.37%).

The situation in Kazakhstan (0.56%) was unchanged: the country still ranks second, and the most prevalent threat there remains the Rkor family.

Conclusion

The year 2019 saw the appearance of several highly sophisticated mobile banking threats, in particular, malware that can interfere with the normal operation of banking apps. The danger they pose cannot be overstated, because they cause direct losses to the victim. It is highly likely that this trend will continue into 2020, and we will see more such high-tech banking Trojans.

Also in 2019, attacks involving the use of mobile stalkerware became more frequent, the purpose being to monitor and collect information about the victim. In terms of sophistication, stalkerware is keeping pace with its malware cousins. It is quite likely that 2020 will see an increase in the number of such threats, with a corresponding rise in the number of attacked users.

Judging by our statistics, adware is gaining ever more popularity among cybercriminals. In all likelihood, going forward we will encounter new members of this class of threats, with the worst-case scenario involving adware modules pre-installed on victims’ devices.
