Mobile Advertising Trojans in 2017: drop in the number of older Android devices makes criminals look for new monetization methods
Mobile Advertising Trojans, the former top mobile malware threat from 2016, went into decline in 2017.
Mobile Advertising Trojans, the former top mobile malware threat from 2016, went into decline in 2017. They continue to aggressively infect users, but the techniques they have been using have been modified over the last 12 months. According to the annual “Mobile Malware Evolution” report, some Trojan families started to use monetization schemes involving paid SMS and WAP-billing services in order to preserve and increase profits.
Malicious programs using super-user rights have been a major mobile threat over the last few years, and possibly one of the most powerful. With root privileges, the Trojans have the capability to secretly install various applications, as well as bombard the infected device with ads to make further use of the smartphone impossible. Along with an almost unlimited number of possibilities, it is also harder to detect and delete such Trojans. However, in 2017 these Trojans faced some challenges.
Based on Kaspersky Lab observations, the overall number of mobile advertising Trojans exploiting super-user rights declined in 2017, in comparison with the previous year. This was triggered by the overall decrease in the number of mobile devices running older versions of Android, which are the main targets of Trojans, primarily because the common vulnerabilities they exploit are usually patched in the newer versions of the system. According to Kaspersky Lab data, the percentage of users with devices running Android 5.0 or older declined from more than 85% in 2016 to 57% in 2017, while the proportion of Android 6.0 (or newer) users more than doubled – 21% in 2016 compared to 50% in 2017 (6% of users updated their devices during 2016, 7% - during 2017). However, this type of Trojan remained the most popular among the top 20 mobile threats of 2017.
In 2017, Kaspersky Lab discovered new modifications of advertising Trojans that weren’t exploiting root access vulnerabilities to show ads, but were instead trying other methods, such as premium SMS services. Two Trojans related to the Ztorg malware family with such functionality were downloaded dozens of thousands of times from Play Store.
At the same time Kaspersky Lab researchers have recorded a comeback in the amount of mobile Trojan clickers that are stealing money from Android users through WAP-billing, a type of direct mobile payment with no additional registration. These Trojans click on pages with paid services, and once a subscription is activated, money from a victim's account flows directly to the hackers’ accounts. This trend has not been observed for a while, but in 2017 the mobile threat started to spread actively. Some of the discovered WAP-clickers also had modules for crypto-currency mining.
Mobile ransomware
The ransomware epidemics that hit the world last year were also reflected in the mobile threat landscape. Kaspersky Lab discovered 544,107 installation packages for mobile ransomware Trojans, which is twice as high as in 2016 and 17 times more than in 2015. This increasing volume was detected during the first months of the year due to the high activity of the Congur Trojan family (83% of all installation packages in 2017), a blocker that sets or resets the device PIN (passcode) and then demands money for unblocking the device.
Although mobile ransomware capabilities and techniques remained practically the same throughout the year, some ransomware functionality has been discovered among banking Trojan families, such as Svpeng and Faketoken, with the modifications able to encrypt users’ files.
In 2017, Kaspersky Lab mobile security products reported:
- 7 million attempted attacks by mobile malware (40m in 2016)
- Over 4.9 million users of Android-based devices protected (1.2 times more than in 2016)
- Iran (57.25%), Bangladesh (42.76%) and Indonesia (41.14%) were the top 3 countries attacked by mobile malware
- 5,730,916 installation packages for mobile Trojans detected (1.5 times less than in 2016)
- 110,184 unique users targeted by mobile ransomware (1.4 times lower than 2016)
- 94,368 mobile banking Trojans detected (1.3 times less than in 2016). More information can be found in the Financial Cyberthreats in 2017 report.
“The mobile threat landscape is evolving in direct connection with what is happening in the global mobile market. Right now, mobile advertising Trojans that exploit root rights are in decline, but if new versions of Android firmware happened to be vulnerable, new opportunities will be presented and we will see their growth return. The same is true for cryptocurrency – with the increasing activity of miners around the world, we expect to see further modifications of mobile malware with mining modules inside, even though the performance power of mobile devices is not so high”, says Roman Unuchek, security expert at Kaspersky Lab.
To reduce the risk of infection and to stay protected, users are advised to do the following:
- Pay attention to the apps installed on your device and avoid downloading them from unknown sources
- Always keep your device updated
- Regularly run a system scan to check for possible infections.
Kaspersky Lab also recommends that users install a reliable security solution on their device, such as Kaspersky Internet Security for Android, which aims to protect users’ privacy and personal information from Android mobile threats.
Read more about the evolution of mobile threats in 2017 on Securelist.com
Mobile Advertising Trojans in 2017: drop in the number of older Android devices makes criminals look for new monetization methods
Kaspersky
Related Articles Press Releases
Innovation journey: Dubai welcomed Kaspersky's Cyber Immunity Conference
Leading cybersecurity experts, scientists, business leaders and government officials from more than 20 countries worldwide have come together for the inaugural international Cyber Immunity Conference. Exploring the complex and evolving cyberthreat landscape the conference provided invaluable insights into the future of our digital age and celebrated the pioneering efforts of the first Cyber Immunity Champions.Read More >Kaspersky Thin Client 2.0: Cyber Immune protection with enhanced connectivity, performance and design
Kaspersky has presented an updated operating system for thin clients that offers enhanced connectivity, higher speed of applications delivery, lower total cost of ownership, user-friendly graphical interface and quick deployment. Kaspersky Thin Client 2.0 is the main component of the Cyber Immune solution for building thin client infrastructure in a wide range of industries, including healthcare, finance, education and manufacturing.Read More >New DuneQuixote cyberespionage campaign targets governmental entities worldwide
Kaspersky researchers have discovered an ongoing malicious campaign initially targeting a governmental entity in the Middle East. Further investigation uncovered more than 30 malware dropper samples actively employed in this campaign, allegedly expanding the victimology to APAC, Europe and North America. Dubbed DuneQuixote, the malware strings incorporate snippets taken from Spanish poems to enhance persistence and evade detection, with the ultimate goal of cyber espionage.Read More >
We use cookies to make your experience of our websites better. By using and further navigating this website you accept this. Detailed information about the use of cookies on this website is available by clicking on more information.