Kaspersky Lab IT Threat Evolution: Q2 2013

More Than 100,000 Unique Mobile Malware Samples Now Detected

Q2 2013 Malware Statistics

The following data was obtained using the cloud-based Kaspersky Security Network (KSN). All statistics were compiled with the full consent of users participating in KSN.*

• Kaspersky Lab products detected and neutralized a total of 983,051,408 threats in the second quarter of 2013.

• Web-Based Attacks: 577,159, 385 infections were prevented from infecting users’ while accessing the Internet. 
• Computer Infections: 400,604,327 malicious programs were prevented from infecting users’ machines.
• Mobile Malware: 29, 695 new malware modifications were added to Kaspersky Lab’s detection system in the second quarter of 2013.

Mobile Malware Evolution

As of June 30, 2013, Kaspersky Lab had added an aggregate total of 100,386 mobile malware modifications to its system, which is a dramatic increase compared to the end of 2012 (46, 445 modifications). 

It’s important to note that modifications are not individual detections or malicious programs – they’re malicious code samples that cybercriminals use to infect legitimate mobile applications. The common procedure for cybercriminals is to download legitimate applications and modify them by adding the malicious code. Cybercriminals then redistribute the modified – and now malicious - applications to sites where they can be downloaded by users, such as third-party app stores. Kaspersky Lab’s system identifies the malicious code samples that are being inserted into the modified applications using cloud-based technologies, heuristics and antivirus signatures. By detecting the malicious code samples, Kaspersky Lab can identify which applications are malicious before they run on the user’s device.

Mobile Malware by Behavioral Category

While the most prevalent mobile malware category has traditionally been SMS-Trojans, Kaspersky Lab saw this trend decline in the second quarter as Trojans designed for mobile platforms started to incorporate more capabilities and flexibility.

In the second quarter Backdoor Trojans had the largest amount of modifications added, taking 32.3% of the share, followed by Trojans (23.2%) and SMS-Trojans (27.7%).

In terms of mobile malware capabilities, cybercriminals are now adding obfuscation techniques to evade analysis while frequently compiling programs that carry multiple payloads, which generates can generate money using several types of illegal business models.  New variants can also exfiltrate larger amounts of stolen data from users’ devices while also being able to download and install additional malware onto infected devices. Android-based malware has evolved the most compared to other platforms and is starting to become the mobile equivalent to Windows PC malware.

Ransomware for Android

In June the first instance of Android-based Ransomware - “Free Calls Update” - which was a free application that could be downloaded from third-party app stores. Ransomware is a type of software that is designed to extort money from a victim by blocking access to their device or computer until the infected user pays a “ransom fee;” however, the payment is generally a scam and even after the victim pays the access to the machine is not restored. After Free Calls Update installed onto the device the app launched itself and tried to gain device administrator rights in order to change settings on the device to change its cellular and Wi-Fi settings. The app itself then pretends to scan for malware and shows a fake notification, telling the user their device is infected with a virus. It then prompts the victim to buy a license to a fake mobile anti-virus software kit to remove the infection. The notification will continue to display itself on the device while blocking access to the rest of the phone, rendering it useless.

Ransomware and fake anti-virus notifications have been common schemes in PC-based malware and cybercriminals are using these methods, both technically and psychologically, in attempts to fool the less mature mobile device market.

Bitcoins Fueling the Underground Economy

The most notable emerging trend of the second quarter was the increased focus of cybercriminals creating malware to accumulate bitcoins. Bitcoins are a digital currency that’s built on a peer-to-peer (P2P) infrastructure and designed for anonymous and decentralized financial transactions. Transactions are conducted on its servers, called Bitcoin miners, which are used to contribute to the exchange and processing of bitcoins. The infrastructure relies on a network of connected computers serving as resources which enable the Bitcoin miners to operate. The virtual money can later be converted into another currency or used to pay for goods and services in online stores (bitcoins as a digital currency are represented using a lowercase “b” while the Bitcoin infrastructure uses a capital “B”).

The value of bitcoins has risen dramatically over the last year or so. While one unit was the equivalent of less than 1 US cent, the value has skyrocketed to the $130 range. While the currency’s rate is volatile, it continues to grow gradually more stable. The popularity, anonymity and increase in value have all served as incentives for cybercriminals to target them more aggressively. Additionally, bitcoins are the currency of choice for cybercriminals to conduct business since they have a fair amount of anonymity, a secure transaction processes and are absent financial or regulatory requirements or procedures, making them much harder to trace.

In April, Kaspersky Lab’s research team discovered a campaign in which cybercriminals used Skype to distribute malware for Bitcoin mining. It used social engineering to initially infect victims, and then installed malware onto the compromised machine that turned victims’ computers their CPU resources into slave machines for Bitcoin mining. Bitcoins mined by the abused machines of the victims were then sent to the account of the cybercriminals behind the scam.

One month later Kaspersky Lab’s security experts identified another malicious Bitcoin campaign, which was a Brazilian phishing attack. Similar to abusing Skype to infect computers cybercriminals relied on social engineering to infect victims; however, in this attack the criminals used the phishing emails to redirect users to a fake version of one of the most popular Bitcoin-trading site - MtGox. MtGox handles a large amount of authorized transactions, so the goal of this campaign was to trick users into giving up their login credentials, which then would allow attackers to steal bitcoins from user accounts directly.

You can read the full version of the report on the evolution of IT threats in Q2 2013 at securelist.com

*About the Kaspersky Security Network (KSN)

The cloud-based Kaspersky Security Network detects new types of malware in real-time, even when no corresponding signatures or heuristics exist, by identifying sources of malware proliferation on the Internet and blocking access to them. At the same time, KSN’s real-time response to new threats prevents new threats from launching on users’ computers within seconds of them being identified as malicious, which protects users from subsequent infections without having to rely on antivirus database updates first. 

KSN is voluntary option for users running Kaspersky Lab’s products - all statistics obtained for this report was compiled with the full consent of users participating in KSN.

Useful links

• IT Threat Evolution in Q2 2013
• IT Threat Evolution in Q1 2013
• Kaspersky Security Bulletin 2012. The overall statistics