* We excluded those countries in which the number of users of Kaspersky Lab’s mobile security products over the reporting period was less than 25,000.

Top 10 countries attacked by mobile malware (by percentage of users attacked):

Geography of mobile threats by number of attacked users, 2017

It’s worth noting that these actions appear quite normal to the user: the targeted apps are designed to make payments and are therefore likely to request this sort of data. The Trojan overlays the apps’ interfaces with its own phishing window where a user is asked to enter their bank card details.
We discovered a modification of the FakeToken mobile banker that attacked not only financial apps but also apps for booking taxis, hotels, tickets, etc. Mobile bankers were also actively evolving throughout the whole of 2017, offering new ways to steal money.

The dynamic development of mobile banking Trojans

They can even intercept and delete SMSs sent by mobile operators containing information about the service costs. However, this doesn’t stop the Trojans – they are able to click these pages as well.

Part of the JS file used by to click a button

A page with WAP billing usually redirects to a mobile operator page where the user confirms they agree to pay for the services. To do this, the Trojans used a special JS file, downloaded from the criminals’ servers.
Moreover, we discovered additional modules for ‘standard’ Ztorg family Trojans that could not only send paid text messages but also steal money from a user’s account by clicking on sites with WAP subscriptions. Two of them, detected by Kaspersky Lab products as, were downloaded from the Google Play Store tens of thousands of times. In particular, we discovered the Ztorg family using a new money-making scheme that involved sending paid text messages.
Of course, during the year, the attackers tried to modify or change the capabilities of their Trojans in order to preserve and increase profits. Moreover, they’re still difficult to remove thanks to a variety of system features, such as device administrator capabilities. There are some that continue to flood devices with ads, downloading and initializing installation of various apps, only now without exploiting vulnerabilities to obtain super-user rights.

Ztorg family Trojans were distributed via the Google Play Store and actively advertised

But the decline in popularity doesn’t mean the developers have completely given up on these Trojans. It was also distributed via the Google Play Store and has been downloaded more than 50,000 times.
This Trojan uses root rights to inject its malicious code into the system runtime libraries. One of them had even been installed more than a million times (according to store statistics). Another example is. It’s worth noting that this Trojan was also distributed via the Google Play Store – we found almost 100 apps there infected by various Ztorg modifications. In some cases – Ztorg, for example – even resetting the device to factory settings won’t get rid of the malware. It installs modules in system folders, thus protecting them from removal. Rooting malware usually tries to gain super-user rights by exploiting system vulnerabilities that allow it to do almost anything. In some cases, the aggressive display of pop-up ads and delays in executing user commands can render a device unusable.
Their main goal is to show victims as many ads as possible and to silently install and launch the apps that are advertised. These Trojans are difficult to detect, boast an array of capabilities, and have been very popular among cybercriminals.
Trends of the year

Rooting malware: no surrender

For the last few years, rooting malware has been the biggest threat to Android users.

5,730,916 malicious installation packages.

In 2017, Kaspersky Lab detected the following: