Mobile advertising Trojans declined in 2017 compared with 2016, but the threat continues to spread aggressively as some Trojan families began to use monetization schemes involving paid SMS and WAP-billing services in order to preserve and increase profits, new research found.
Malicious programs taking advantage of super-user rights have become a major mobile threat in recent years. With root privileges, these Trojans can secretly install various applications or bombard an infected device with ads until the smartphone becomes impossible to use, according to research in Kaspersky Lab’s “Mobile Malware Evolution” report.
In addition to having almost unlimited access, these Trojans are also extremely difficult to detect and remove.
Based on Kaspersky’s observations, the overall number of mobile advertising Trojans exploiting super-user rights declined in 2017, in comparison with the previous year. This decline appears to have been triggered by an overall decrease in the number of mobile devices running older versions of Android, which are the main targets of these Trojans, as potentially exploited vulnerabilities are patched in newer versions.
To back that up, the proportion of users with devices running Android 5.0 or older dropped from more than 85 percent in 2016 to 57 percent in 2017, according to Kaspersky Lab data. The proportion of Android 6.0 (or newer) users more than doubled, rising from 21 percent in 2016 to 50 percent in 2017.
In 2017, Kaspersky Lab discovered new modifications of advertising Trojans that were not exploiting root access vulnerabilities to show ads, but were instead leveraging other methods, such as taking advantage of premium SMS services. For example, two Trojans related to the Ztorg malware family with such functionality were downloaded tens of thousands of times from the Google Play Store.
Kaspersky Lab researchers also recorded a rise in the number of mobile Trojan clickers stealing money from Android users through WAP-billing, a type of direct mobile payment that does not require registration. These Trojans click on pages with paid services, and once a subscription is activated, money from a victim’s account flows directly to the cybercriminals. Some of the WAP-clickers discovered in 2017 also incorporated modules for cryptocurrency mining.
The ransomware epidemics that hit the world in 2017 were also reflected in the mobile threat landscape.
Kaspersky Lab discovered 544,107 installation packages for mobile ransomware Trojans last year, which is twice as many as in 2016 and 17 times more than in 2015. This increasing volume was detected during the first months of the year due to the high activity of the Congur Trojan family (83 percent of all installation packages in 2017), a blocker that sets or resets a device’s PIN or passcode and then demands money to unlock the device.
Although mobile ransomware capabilities and techniques remained primarily the same throughout the year, some ransomware functionality has been discovered among banking Trojan families, such as Svpeng and Faketoken, with the modifications able to encrypt people’s files.
In 2017, Kaspersky Lab mobile security products reported:
• 42.7 million attempted attacks by mobile malware (40 million in 2016)
• Over 4.9 million users of Android-based devices protected (1.2 times more than in 2016)
• Iran (57.25 percent), Bangladesh (42.76 percent) and Indonesia (41.14 percent) were the top three countries attacked by mobile malware
• 5,730,916 installation packages for mobile Trojans detected (1.5 times less than in 2016)
• 110,184 unique users targeted by mobile ransomware (1.4 times lower than 2016)
• 94,368 mobile banking Trojans detected (1.3 times less than in 2016)
“The mobile threat landscape is evolving in direct connection with what is happening in the global mobile market,” said Roman Unuchek, security expert at Kaspersky Lab. “Right now, mobile advertising Trojans that exploit root rights are in decline, but if new versions of Android firmware happen to be vulnerable, new opportunities will be presented and we will see their growth return. The same is true for cryptocurrency – with the increasing activity of miners around the world, we expect to see further modifications of mobile malware with mining modules inside, even though the performance power of mobile devices is not so high.”