Kaspersky - MOBILE MALWARE EVOLUTION 2016

1. MOBILE MALWARE
2. EVOLUTION 2016
3. 1
4. Contents
5. The year in figures .........................................................................................................................................2
6. Trends of the year..........................................................................................................................................2
7. Malicious programs using super-user rights .............................................................................................3
8. Cybercriminals continue their use of Google Play.....................................................................................4
9. Bypassing Android’s protection mechanisms............................................................................................6
10. Mobile ransomware...................................................................................................................................7
11. A glance into the Dark Web. Contribution from INTERPOL’s Global Complex for Innovation. .....................8
12. Marketplaces.................................................................................................................................................8
13. Vendor shops, forums and social media .......................................................................................................9
14. Statistics.......................................................................................................................................................10
15. Geography of mobile threats...................................................................................................................11
16. Types of mobile malware ........................................................................................................................13
17. Top 20 malicious mobile programs .........................................................................................................14
18. Mobile banking Trojans ...........................................................................................................................16
19. Mobile Trojan-Ransom ............................................................................................................................18
20. Conclusion....................................................................................................................................................21
21. 2
22. The year in figures
23. In 2016, Kaspersky Lab detected the following:
24. • 8,526,221 malicious installation packages
25. • 128,886 mobile banking Trojans
26. • 261,214 mobile ransomware Trojans
27. Trends of the year
28. • Growth in the popularity of malicious programs using super-user rights, primarily advertising
29. Trojans.
30. • Distribution of malware via Google Play and advertising services.
31. • Emergence of new ways to bypass Android protection mechanisms.
32. • Growth in the volume of mobile ransomware.
33. • Active development of mobile banking Trojans.
34. 3
35. Malicious programs using super-user rights
36. The year’s most prevalent trend was Trojans gaining super-user privileges. To get these privileges, they
37. use a variety of vulnerabilities that are usually patched in the newer versions of Android. Unfortunately,
38. most user devices do not receive the latest system updates, making them vulnerable.
39. Root privileges provide these Trojans with almost unlimited possibilities, allowing them to secretly
40. install other advertising applications, as well as display ads on the infected device, often making it
41. impossible to use the smartphone. In addition to aggressive advertising and the installation of thirdparty
42. software, these Trojans can even buy apps on Google Play.
43. This malware simultaneously installs its modules in the system directory, which makes the treatment of
44. the infected device very difficult. Some advertising Trojans are even able to infect the recovery image,
45. making it impossible to solve the problem by restoring to factory settings.
46. In addition to the secret installation of advertising apps, these Trojans can also install malware. We have
47. registered installations of the modular trojan Backdoor.AndroidOS.Triada, which modified the Zygote
48. processes. This allowed it to remain in the system and alter text messages sent by other apps, making it
49. possible to steal money from the owner of the infected device. With super-user rights the Trojan can do
50. almost anything, including substitute the URL in the browser.
51. Representatives of this class of malicious software have been repeatedly found in the official Google
52. Play app store, for example, masquerading as a guide for Pokemon GO. This particular app was
53. downloaded over half a million times and was detected as Trojan.AndroidOS.Ztorg.ad.
54. Trojan.AndroidOS.Ztorg.ad imitating a guide for Pokemon GO
55. 4
56. Cybercriminals continue their use of Google Play
57. In Google Play in October and November, we detected about 50 new applications infected by
58. Trojan.AndroidOS.Ztorg.am, the new modification of Trojan.AndroidOS.Ztorg.ad. According to
59. installation statistics, many of them were installed more than 100,000 times.
60. Trojan.AndroidOS.Ztorg.ad imitating a video player
61. Google Play was used to spread Trojans capable of stealing login credentials. One of them was TrojanSpy.AndroidOS.Instealy.a
62. which stole logins and passwords for Instagram accounts. Another was TrojanPSW.AndroidOS.MyVk.a:
63. it was repeatedly published in Google Play and targeted user data from the
64. social networking site VKontakte.
65. Yet another example is Trojan-Ransom.AndroidOS.Pletor.d, distributed by cybercriminals under the
66. guise of an app for cleaning operating systems. Usually, representatives of the TrojanRansom.AndroidOS.Pletor
67. family encrypt files on the victim device, but the detected modification only
68. blocked the gadget and demanded a ransom to unblock it.
69. 5
70. Trojan-Ransom.AndroidOS.Pletor.d imitating a system cleaner
71. 6
72. Bypassing Android’s protection mechanisms
73. Cybercriminals are constantly looking for ways to bypass Android’s new protection mechanisms. For
74. instance, in early 2016, we found that some modifications of the Tiny SMS Trojan were able to use their
75. own window to overlay a system message warning users about sending a text message to a premium
76. rate number. As the owner of the smartphone cannot see the original text, they are unaware of what
77. they are agreeing to, and send the message to the number specified by the attacker.
78. A similar method was used by Trojan-Banker.AndroidOS.Asacub to get administrator rights on the
79. device. The Trojan hides the system request from the user, cheating the latter into granting it extra
80. privileges. In addition, Asacub asks for the right to be the default SMS application, which allows it to
81. steal messages even in newer versions of Android.
82. The authors of Trojan-Banker.AndroidOS.Gugi went even further. This malicious program is able to
83. bypass two new Android 6 security mechanisms using only social engineering techniques. Without
84. exploiting system vulnerabilities, Gugi bypasses the request for Android’s permission to display its
85. window on top of other applications as well as the dynamic permission requirement for potentially
86. dangerous actions.
87. 7
88. Mobile ransomware
89. While the very first mobile encryptor Trojan really did encrypt user data on a device and demand money
90. to decrypt them, current ransomware simply displays the ransom demand on top of other windows
91. (including system windows), thus making it impossible to use the device.
92. The same principle was used by the most popular mobile ransom program in 2016 – TrojanRansom.AndroidOS.Fusob.
93. Interestingly, this Trojan attacks users in Germany, the US and the UK, but
94. avoids users from the CIS and some neighboring countries (once executed, it runs a check of the device
95. language, after which it may stop working). The cybercriminals behind the Trojan usually demand
96. between $100 and $200 to unblock a device. The ransom has to be paid using codes from pre-paid
97. iTunes cards.
98. Yet another way to block devices is to use the Trojan-Ransom.AndroidOS.Congur family, which is
99. popular in China. These Trojans change the PIN code for the gadget, or enable this safety function by
100. setting their own PIN. To do this, the ransom program has to get administrator rights. The victim is told
101. to contact the attackers via the QQ messenger to unblock the device.
102. Mobile banking Trojans continued to evolve through the year. Many of them gained tools to bypass the
103. new Android security mechanisms and were able to continue stealing user information from the most
104. recent versions of the OS. Also, the developers of mobile banking Trojans added more and more new
105. features to their creations. For example, the Marcher family redirected users from financial to phishing
106. sites over a period of several months.
107. In addition, many mobile banking Trojans include functionality for extorting money: upon receiving a
108. command from a server, they can block the operation of a device with a ransom-demand window. We
109. discovered that one modification of Trojan-Banker.AndroidOS.Faketoken could not only overlay the
110. system interface but also encrypt user data.
111. It is also worth noting that the cybercriminals behind malicious programs for Android did not forget
112. about one of the hottest topics of 2016 – IoT devices. In particular, we discovered the ‘attack-the-router’
113. Trojan Switcher which targets the Wi-Fi network an infected device is connected to. If the Trojan
114. manages to guess the password to the router, it changes the DNS settings, implementing a DNShijacking
115. attack.
116. 8
117. A glance into the Dark Web. Contribution from INTERPOL’s Global Complex for
118. Innovation.
119. The Dark Web provides a means for criminal actors to communicate and engage in commercial
120. transactions, like buying and selling various products and services, including mobile malware kits.
121. Vendors and buyers increasingly take advantage of the multiple security and business-oriented
122. mechanisms put in place on Tor (The Onion Router) cryptomarkets, such as the use of cryptocurrencies,
123. third-party administration services (escrow), multisignature transactions, encryption,
124. reputation/feedback tracking and others. INTERPOL has looked into major Dark Web platforms and
125. found that mobile malware is offered for sale as software packages (e.g. remote access trojans - RATs);
126. individual solutions; sophisticated tools, like those developed by professional firms; or, on a smaller
127. scale, as part of a ‘Bot as a Service’ model. Mobile malware is also a ‘subject of interest’ on vendor
128. shops, forums and social media.
129. Marketplaces
130. A number of mobile malware products and services are offered for sale on Dark Web marketplaces.
131. Mobile malware is often advertised as part of a package, which can include, for instance, remote access
132. trojans (RATs), phishing pages, or ‘hacking’ software bundles which consist of forensic and passwordbreaking
133. tools. Individual/one piece tools are also offered for sale. For example, DroidJack was offered
134. by different vendors on four major marketplaces. This popular Android RAT is sold openly on the
135. Clearnet for a high price, but on the Dark Web the price is much lower.
136. Both variants (package and individual) sometimes come with ‘how-to’ guides which explain the methods
137. for hacking popular operating systems, such as Android and iOS. More sophisticated tools are also
138. advertised on the Dark Web, such as Galileo, a remote control system developed by the Italian IT
139. company Hacking Team in order to access remotely and then exploit devices that run Android, iOS,
140. BlackBerry, Windows or OS X. Another example is the source code for Acecard. This malware is known
141. for adding overlay screens on top of mobile banking applications and then forwarding the user’s login
142. credentials to a remote attacker. It can also access SMS, from which potentially useful two-factor
143. authentication codes can be obtained by fraudsters.
144. 9
145. The Android bot rent service (BaaS, or Bot as a Service) is also available for purchase. The bot can be
146. used to gather financial information from Android phones and comes with many features and
147. documentation, available in both Russian and English. More features and specifications can be
148. developed on request. This service can cost up to USD 2,500 per month or USD 650 per week.
149. Mobile phishing products for obtaining financial information, tools that can control phones through
150. Bluetooth or change their IMEI (International Mobile Equipment Identity), and various Android RATs
151. that focus on intercepting text messages, call logs and locations, and accessing the device’s camera, are
152. also displayed on Dark Web marketplaces.
153. Vendor shops, forums and social media
154. Vendor shops are standalone platforms created by a single or group of vendors who have built up a
155. customer base on a marketplace and then decided to start their own business. Generally, these shops
156. do not have forums and merely advertise one specific type of illicit item, such as drugs or stolen
157. personal information, but they also sell mobile malware (DroidJack). Tutorials are sometimes attached
158. to mobile malware products, and information on which tools are fit for purpose and how to install and
159. utilize them can also be found in forum threads and on social media. Furthermore, a Tor hidden service
160. focused on hacking news was found to contain information on how to set up Dendroid (Figure 1) mobile
161. malware. This RAT, which is capable of intercepting SMS messages, downloading pictures and opening a
162. dialogue box to phish passwords, dates from 2014 but was still offered in 2016 as part of several
163. advertisements (packages) on different marketplaces.
164. Due to its robust anonymity, OPSEC techniques, low prices and client-oriented strategy, the Dark Web
165. remains an attractive medium for conducting illicit businesses and activities, and one where specific
166. crime areas may arise or grow in the future. The development of innovative technical solutions (in close
167. cooperation with academia, research institutes and private industry), international cooperation and
168. capacity building are fundamental pillars in the fight against the use of Dark Web by criminals.
169. Figure 1
170. 10
171. Statistics
172. In 2016, the number of malicious installation packages grew considerably, amounting to 8,526,221 –
173. three times more than the previous year. As a comparison, from 2004 to 2013 we detected over
174. 10,000,000 malicious installation packages; in 2014 the figure was nearly 2.5 million.
175. From the beginning of January till the end of December 2016, Kaspersky Lab registered nearly 40 million
176. attacks by malicious mobile software and protected 4,018,234 unique users of Android-based devices
177. (vs 2.6 million in 2015).
178. The number of attacks blocked by Kaspersky Lab solutions, 2016
179. The number of users protected by Kaspersky Lab solutions, 2016
180. 11
181. Geography of mobile threats
182. Attacks by malicious mobile software were recorded in more than 230 countries and territories.
183. The geography of mobile threats by number of attacked users, 2016
184. TOP 10 countries by the percentage of users attacked by mobile malware
185. Country* %**
186. 1 Bangladesh 50.09%
187. 2 Iran 46.87%
188. 3 Nepal 43.21%
189. 4 China 41.85%
190. 5 Indonesia 40.36%
191. 6 Algeria 36.62%
192. 7 Nigeria 35.61%
193. 8 Philippines 34.97%
194. 9 India 34.18%
195. 10 Uzbekistan 31.96%
196. * We excluded those countries in which the number of users of Kaspersky Lab mobile security
197. products over the reported period was less than 25,000.
198. ** The percentage of attacked unique users as a percentage of all users of Kaspersky Lab’s mobile
199. security products in the country.
200. 12
201. China, which topped this rating in 2015, continued to lead the way in the first half of 2016 but dropped
202. to fourth overall for the year, being replaced by Bangladesh, which led similar ratings throughout 2016.
203. More than half of all users of Kaspersky Lab mobile security products in Bangladesh encountered mobile
204. malware.
205. The most widespread mobile malware targeting users in Bangladesh in 2016 were representatives of
206. advertising Trojans belonging to the Ztorg and Iop families, as well as advertising programs of the
207. Sprovider family. This malware, as well as representatives of the AdWare.AndroidOS.Ewind and
208. AdWare.AndroidOS.Sprovider families were most frequently found on user devices in all the countries in
209. the Top 10, except China and Uzbekistan.
210. In China, a significant proportion of the attacks involved the Backdoor.AndroidOS.Fakengry.h and
211. Backdoor.AndroidOS.GinMaster.a families as well as representatives of RiskTool.AndroidOS.
212. Most of the attacks on users in Uzbekistan were carried out by Trojan-SMS.AndroidOS.Podec.a and
213. Trojan-FakeAV.AndroidOS.Mazig.b. Representatives of the advertising Trojans Iop and Ztorg, as well as
214. the advertising programs of the Sprovider family were also quite popular in the country.
215. 13
216. Types of mobile malware
217. Starting this year, we calculate the distribution of mobile software by type, based on the number of
218. detected installation packages, rather than modifications.
219. Distribution of new mobile malware by type in 2015 and 2016
220. Over the reporting period, the number of new RiskTool files detected grew significantly – from 29% in
221. 2015 to 43% in 2016. At the same time, the share of new AdWare files fell – 13% vs 21% in the previous
222. year.
223. For the second year running, the percentage of detected SMS Trojan installation packages continued to
224. decline – from 24% to 11%, which was the most notable fall. Despite this, we cannot say that the SMS
225. Trojan threat is no longer relevant; in 2016, we detected nearly 700,000 new installation packages.
226. The most considerable growth was shown by Trojan-Ransom: the share of this type of malware among
227. all installation packages detected in 2016 increased almost 6.5 times to 4%. This growth was caused by
228. the active distribution of two families of mobile ransomware – Trojan-Ransom.AndroidOS.Fusob and
229. Trojan-Ransom.AndroidOS.Congur.
230. 14
231. Top 20 malicious mobile programs
232. Please note that the ranking of malicious programs below does not include potentially unwanted
233. programs such as RiskTool or AdWare (advertising programs).
234. Detection %*
235. 1 DangerousObject.Multi.Generic 67.93%
236. 2 Backdoor.AndroidOS.Ztorg.c 6.58%
237. 3 Trojan-Banker.AndroidOS.Svpeng.q 5.42%
238. 4 Trojan.AndroidOS.Iop.c 5.25%
239. 5 Backdoor.AndroidOS.Ztorg.a 4.83%
240. 6 Trojan.AndroidOS.Agent.gm 3.44%
241. 7 Trojan.AndroidOS.Ztorg.t 3.21%
242. 8 Trojan.AndroidOS.Hiddad.v 3.13%
243. 9 Trojan.AndroidOS.Ztorg.a 3.11%
244. 10 Trojan.AndroidOS.Boogr.gsh 2.51%
245. 11 Trojan.AndroidOS.Muetan.b 2.40%
246. 12 Trojan-Ransom.AndroidOS.Fusob.pac 2.38%
247. 13 Trojan-Ransom.AndroidOS.Fusob.h 2.35%
248. 14 Trojan.AndroidOS.Sivu.c 2.26%
249. 15 Trojan.AndroidOS.Ztorg.ag 2.23%
250. 16 Trojan.AndroidOS.Ztorg.aa 2.16%
251. 17 Trojan.AndroidOS.Hiddad.an 2.12%
252. 18 Trojan.AndroidOS.Ztorg.i 1.95%
253. 19 Trojan-Dropper.AndroidOS.Agent.cv 1.85%
254. 20 Trojan-Dropper.AndroidOS.Triada.d 1.78%
255. * Percentage of users attacked by the malware in question, relative to all users attacked.
256. First place in the Top 20 is occupied by DangerousObject.Multi.Generic (67.93%), used in malicious
257. programs detected by cloud technologies. Cloud technologies work when the antivirus database
258. contains neither the signatures nor heuristics to detect a malicious program. This is basically how the
259. very latest malware is detected.
260. In second place was Backdoor.AndroidOS.Ztorg.c, the advertising Trojan using super-user rights to
261. secretly install various applications. Noticeably, the 2016 rating included 16 advertising Trojans
262. (highlighted in blue in the table), which is four more than in 2015.
263. The most popular mobile banking Trojan in 2016 was Trojan-Banker.AndroidOS.Svpeng.q in third place.
264. The Trojan became so widespread after being distributing via the AdSense advertising network. Due to a
265. vulnerability in the Chrome browser, the user was not required to take any action to download the
266. Trojan on the device. It should be noted that more than half of the users attacked by mobile banking
267. Trojans in 2016 encountered representatives of the Svpeng family. They use phishing windows to steal
268. credit card data and also attack SMS banking systems.
269. 15
270. Representatives of the Fusob family – Trojan-Ransom.AndroidOS.Fusob.pac and TrojanRansom.AndroidOS.Fusob.h
271. – claimed 12th and 13th respectively. These Trojans block a device by
272. displaying their own window and demanding a ransom to remove it.
273. 16
274. Mobile banking Trojans
275. In 2016, we detected 128,886 installation packages of mobile banking Trojans, which is 1.6 times more
276. than in 2015.
277. Number of installation packages of mobile banking Trojans detected by Kaspersky Lab solutions in
278. 2016
279. In 2016, 305,543 users in 164 countries were attacked by mobile banking Trojans vs 56,194 users in 137
280. countries the previous year.
281. Geography of mobile banking threats in 2016 (number of users attacked)
282. 17
283. Top 10 countries by the percentage of users attacked by mobile banking Trojans relative to
284. all attacked users
285. Country* %**
286. 1 Russia 4.01
287. 2 Australia 2.26
288. 3 Ukraine 1.05
289. 4 Uzbekistan 0.70
290. 5 Tajikistan 0.65
291. 6 The Republic of Korea 0.59
292. 7 Kazakhstan 0.57
293. 8 China 0.54
294. 9 Belarus 0.47
295. 10 Moldova 0.39
296. * We excluded those countries in which the number of users of Kaspersky Lab mobile security
297. products over the reported period was less than 25,000.
298. ** Percentage of unique users attacked by mobile banking Trojans, relative to all users of Kaspersky
299. Lab’s mobile security products in the country.
300. In Russia – ranked first in the Top 10 – mobile banking Trojans were encountered by 4% of mobile users.
301. This is almost two times higher than in second-placed Australia. The difference is easily explained by the
302. fact that the most popular mobile banking Trojan Svpeng was mostly spread in Russia. Representatives
303. of the Asacub and Faketoken families were also popular there.
304. In Australia, the Trojan-Banker.AndroidOS.Acecard and Trojan-Banker.AndroidOS.Marcher families were
305. responsible for most infection attempts. In South Korea (7th place) the most popular banking Trojans
306. belonged to the Trojan-Banker.AndroidOS.Wroba family.
307. In the other countries of the Top 10, the most actively distributed mobile banking Trojan families were
308. Trojan-Banker.AndroidOS.Faketoken and Trojan-Banker.AndroidOS.Svpeng. The representatives of the
309. latter were especially widespread in 2016, with more than half of mobile users encountering them. As
310. we have already mentioned, this was the result of them being distributed via the AdSense advertising
311. network and being loaded stealthily via a mobile browser vulnerability.
312. The Trojan-Banker.AndroidOS.Faketoken family was in second place in this rating. Some of its
313. modifications were capable of attacking more than 2,000 financial organizations.
314. Third place was occupied by the Trojan-Banker.AndroidOS.Asacub family, which attacked more than
315. 16% of all users affected by mobile bankers. These Trojans are mainly distributed in Russia, often via
316. SMS spam.
317. 18
318. Mobile Trojan-Ransom
319. In 2016, the volume of mobile ransomware increased considerably both in the number of installation
320. packages detected and in the number of users attacked. Over the reporting period, we detected
321. 261,214 installation packages, which is almost 8.5 times more than in 2015.
322. Number of mobile Trojan-Ransomware installation packages detected by Kaspersky Lab
323. (Q1 2016 – Q4 2016)
324. In 2016, 153,258 unique users from 167 countries were attacked by Trojan-Ransom programs; this is 1.6
325. times more than in 2015.
326. Interestingly, a large number of installation packages in the first two quarters of 2016 belonged to the
327. Trojan-Ransom.AndroidOS.Fusob family, though there was a fall in activity in the third quarter. The
328. subsequent growth in the fourth quarter was fueled by an increase in activity by the TrojanRansom.AndroidOS.Congur
329. family: it includes relatively simple Trojans that either block a device using
330. their own window, or change the device’s password.
331. 19
332. Geography of mobile ransomware threats in 2016 (number of users attacked)
333. TOP 10 countries attacked by Trojan-Ransom malware – share of users relative to all
334. attacked users in the country.
335. Country* %**
336. 1 Germany 2.54
337. 2 USA 2.42
338. 3 Canada 2.34
339. 4 Switzerland 1.88
340. 5 Kazakhstan 1.81
341. 6 United Kingdom 1.75
342. 7 Italy 1.63
343. 8 Denmark 1.29
344. 9 Mexico 1.18
345. 10 Australia 1.13
346. * We excluded those countries in which the number of users of Kaspersky Lab mobile security
347. products over the reported period was less than 25,000.
348. ** Percentage of unique users attacked by mobile Trojan ransomware, relative to all users of
349. Kaspersky Lab’s mobile security products in the country.
350. The largest percent of mobile users attacked by ransomware was in Germany – over 2.5%. In almost all
351. the countries in this ranking, representatives of the Trojan-Ransom.AndroidOS.Fusob and TrojanRansom.AndroidOS.Svpeng
352. families were particularly popular. Kazakhstan (5th place) was the only
353. 20
354. exception – the most frequently used ransom programs there were various modifications of the TrojanRansom.AndroidOS.Small
355. family.
356. More information about these three families of mobile Trojan ransomware can be found in a dedicated
357. study.
358. 21
359. Conclusion
360. In 2016, the growth in the number of advertising Trojans capable of exploiting super-user rights
361. continued. Throughout the year it was the No. 1 threat, and we see no sign of this trend changing.
362. Cybercriminals are taking advantage of the fact that most devices do not receive OS updates (or receive
363. them late), and are thus vulnerable to old, well-known and readily available exploits.
364. This year, we will continue to closely monitor the development of mobile banking Trojans: the
365. developers of this class of malware are the first to use new technologies and are always looking for ways
366. to bypass security mechanisms implemented in the latest versions of mobile operating systems.
367. In 2016, one of the most controversial issues was the safety of IoT devices. Various Internet-connected
368. ‘smart’ devices are becoming increasingly popular, though their level of security is fairly low. Also in
369. 2016, we discovered an ‘attack-the-router’ Trojan. We see that the mobile landscape is getting a little
370. crowded for cybercriminals, and they are beginning to interact more with the world beyond
371. smartphones. Perhaps in 2017 we will see major attacks on IoT components launched from mobile
372. devices.