IT threat evolution in Q2 2021. Mobile statistics

These statistics are based on detection verdicts of Kaspersky products received from users who consented to providing statistical data.

Quarterly figures

In Q2 2021, according to data from Kaspersky Security Network:

  • 14,465,672 malware, adware and riskware attacks were prevented.
  • The largest share of all detected threats accrued to RiskTool programs — 38.48%.
  • 886,105 malicious installation packages were detected, of which:
  • 24,604 packages were mobile banking Trojans;
  • 3,623 packages were mobile ransomware Trojans.

Quarterly highlights

Android’s own security has changed dramatically since the first devices were released with Android 1.6 Donut when it became the most dominant OS on the market. The development of Google Play Protect is worth highlighting, and the rights of apps have since been severely restricted, as now they have to request all permissions from users explicitly. Moreover, the security subsystem was moved to a separate updatable component, independent of the device manufacturer. Yet there is one thing both the old 1.6 version and the latest Android 11 have in common which significantly compromises the operating system’s security: the freedom to install apps from third-party sources. It’s great in terms of OS user-friendliness — I use it myself almost every day — but it gives all sorts of cybercriminals a real “window of opportunity” from a security point of view. It’s also the reason why third-party distribution platforms for Android apps have mushroomed. These platforms offer the most diverse range of downloads, from popular apps clones to different types of malware. However, the platform is not the only danger. The client working with it can also be to blame for loading and installing apps into the system similar to the official Google Play client.

In Q2 2021, we discovered that the popular APKPure app has been infected by a malicious module. The developers implemented an unverified advertisement SDK, which downloaded Trojans to users’ devices without them knowing. In other words, a Trojan dropper found a way into the program together with the SDK. The malware’s next move depended on the Android OS version it managed to infect. Users with relatively recent versions would get off more lightly with just some annoying advertising and subscriptions, but devices running older versions were in for a plethora of threats such as the xHelper mobile Trojan.

This review will conclude with a chart depicting mobile threats detected on devices with installed Kaspersky security solutions.

Number of attacks targeting users of Kaspersky mobile solutions, Q2 2020 — Q2 2021 (download)

Mobile threats clearly are not letting up, and the number of attacks remains persistently high. The number of malware, adware and riskware attacks exceeded the 14.4 million mark in the second quarter.

Mobile threat statistics

Kaspersky Lab detected 886,105 malicious installation packages in Q2 2021, which is 565,555 less than in the previous quarter and 359,789 less than the number detected in Q2 2020.

Number of detected malicious installation packages, Q2 2020 — Q2 2021 (download)

Distribution of detected mobile malware by type

Distribution of newly detected mobile malware by type, Q1 and Q2 2021 (download)

A third of all the threats detected in Q2 2021 accrued to RiskTool (38.48%). The percentage of these riskware attacks dramatically increased by 23.04 p.p. in light of the decline in adware attacks. The vast majority of detected apps of this type (93,52%) belong to the SMSreg family.

Adware came in second (34.10%) with 27.33 p.p. down compared to the previous quarter. The worst offenders were adware from the Ewind family (52.38% of all adware threats detected), HiddenAd (18.11%) and FakeAdBlocker (13.56%).

Various types of Trojans complete the top three (16.48%), whose share increased by 8.21 p.p. The Trojans which stood out came from the Mobtes (84.89%), Boogr (7.71%) and Plangton (1.53%) families.

Top 20 mobile malware programs

Note that the malware rankings below exclude PUAs, such as riskware or adware.

Verdict
%*

1
DangerousObject.Multi.Generic
39.94

2
Trojan-Spy.AndroidOS.SmsThief.po
10.03

3
Trojan-SMS.AndroidOS.Agent.ado
5.68

4
DangerousObject.AndroidOS.GenericML
4.29

5
Trojan.AndroidOS.Agent.vz
3.85

6
Trojan-Dropper.AndroidOS.Agent.rp
3.56

7
Trojan.AndroidOS.Triada.el
3.33

8
Trojan-Downloader.AndroidOS.Necro.d
3.21

9
Trojan.AndroidOS.Triada.ef
3.09

10
Trojan.AndroidOS.MobOk.ad
3.01

11
Trojan-Dropper.AndroidOS.Hqwar.bk
2.81

12
Trojan.AndroidOS.Hiddad.gx
2.77

13
Trojan.AndroidOS.Whatreg.b
2.51

14
Trojan-Dropper.AndroidOS.Triada.ap
2.51

15
Trojan-Downloader.AndroidOS.Gapac.d
2.37

16
Trojan-Dropper.AndroidOS.Hqwar.cf
1.90

17
Trojan-Downloader.AndroidOS.Agent.kx
1.90

18
Trojan.AndroidOS.Triada.dq
1.89

19
Trojan-Banker.AndroidOS.Svpeng.t
1.88

20
HackTool.AndroidOS.Wifikill.c
1.86

* Unique users attacked by this malware as a percentage of all attacked users of Kaspersky mobile solutions.

The DangerousObject.Multi.Generic verdict (39,94%), which we apply to all malware detected with cloud technology, is topping the list, as usual. Cloud technologies are deployed when the antivirus databases lack data for detecting a piece of malware, but the company’s cloud already contains information about the object. This is essentially how the latest malware types are detected.

The second place went to a Trojan called Trojan-Spy.AndroidOS.SmsThief.po (10.03%), the main task of which is monitoring incoming text messages and forwarding intercepted data to the cybercriminals’ server. The malware is essentially a “Russian doll” with the outer layer being a Trojan dropper and the encrypted DEX file of SmsThief.po itself buried deep within the APK distribution. This Trojan mostly targeted users in Russia.

The Top 3 was rounded out by Trojan-SMS.AndroidOS.Agent.ado (5.68%), a form of malware which sends text messages to short premium-rate numbers draining the victim’s mobile account. In order for the attack to succeed, the Trojan waits for a confirmation code (Advice of charge) from the provider and sends a response. Like the previously mentioned form of malware, Agent.ado mostly targets users in Russia.

Fourth place was taken by DangerousObject.AndroidOS.GenericML (4.29%). These verdict is assigned to files recognized as malicious by our machine-learning systems.

Fifth place went to Trojan.AndroidOS.Agent.vz (3.85%), which downloads a payload while serving as a payload for another malicious object. Cybercriminals create these types of chains to ensure malware remains on the device. Even if the victim removes one of the links in the chain, their device is bound to be reinfected by another.

Another “Russian doll” came in sixth — the Trojan-Dropper.AndroidOS.Agent.rp (3.56%). Its outer layer is a Java code, which accesses the native library to decrypt the DEX file located somewhere in the APK file. The inner layer is deployed for the second stage of the attack — the malware we detect as Trojan-Downloader.AndroidOS.Agent.ki. Our remotely collected data indicates that users with Agent.rp also encounter Trojan-Dropper.AndroidOS.Triada.ap (2.51%, 14th place in our rating), Trojan.AndroidOS.Whatreg.b (2.51%, 13th place) and Trojan-Downloader.AndroidOS.Necro.d (3.21%, 8th place). It’s quite likely that all of these Trojans detected in Q2 2021 were part of the same campaign and served as links in the same infection chain. The same applies to the other Trojans from the Trojan.AndroidOS.Triada family ranked seventh, ninth and eighteenth on our list.

Our Top 10 is completed by Trojan.AndroidOS.MobOk.ad (3.01%), the main aim of which is subscribing victims to paid mobile services. MobOk family malware attacked mobile users in Russia more often than in any other country.

Malware from the Trojan-Banker.AndroidOS.Hqwar family came in eleventh and sixteenth place in Q2. The number of known objects from this family just keeps on growing, and had reached 370,744 files by the time this report was compiled.

Twelfth place was taken by Trojan.AndroidOS.Hiddad.gx (2.77%), which aims to display banner ads, ensure a constant presence on the device and hide icons in the app bar.

Fifteenth place went to Trojan-Downloader.AndroidOS.Gapac.d (2.37%) — a Trojan which is also a link in a chain of infection and essentially serves to download other malware.

The Trojan that came in seventeenth in Q2 was Trojan-Downloader.AndroidOS.Agent.kx (1.90%). It is spread through legitimate software and serves the main task of downloading advertising apps.

The well-known banking Trojan Svpeng (1.88%), which we’ve written about on multiple occasions, came in nineteenth place.

Last on our Top 20 is the HackTool.AndroidOS.Wifikill.c, which aims to carry out Denial-of-Service (DoS) attacks on users to disconnect them from a Wi-Fi network. Hackers trick the victim into reconnecting to the same Wi-Fi network in an attempt to capture the handshake and carry out a MitM attack.

Geography of mobile threats

Map of infection attempts by mobile malware, Q2 2021 (download)

Top 10 countries by share of users attacked by mobile malware

Country*
%**

1
Iran
23.79

2
Saudi Arabia
23.09

3
China
18.97

4
Algeria
18.47

5
India
16.68

6
Morocco
12.97

7
Malaysia
12.81

8
Nigeria
11.76

9
Ecuador
11.54

10
Bangladesh
11.31

* Excluded from the rankings are countries with relatively few users of Kaspersky mobile security solutions (under 10,000).
** Share of unique users attacked as a percentage of all users of Kaspersky mobile security solutions in the country.

Iran was the most frequently targeted country in Q2 2021 based on the percentage of infected systems detected (23.79%). The most commonly encountered threat was annoying adware from AdWare.AndroidOS.Notifyer and AdWare.AndroidOS.Fyben families.

Saudi Arabia is in second place (23.09%). Users in this country most frequently encountered adware, but from the AdWare.AndroidOS.HiddenAd and AdWare.AndroidOS.FakeAdBlocker families.

China was the last to make it into the top three (18.97%), where the most common threats came from the riskware families RiskTool.AndroidOS.SmsPay and RiskTool.AndroidOS.Wapron. Both target the victim’s mobile account: the former abuses a shady SMS monetization scheme used in certain games, while the latter sends text messages purportedly as payment for porn viewings. Another Trojan that made the list of top threats in China was Trojan.AndroidOS.Najin.a.

Mobile banking Trojans

In the reporting period, we detected 24,604 installation packages for mobile banking Trojans. That’s 710 up compared to Q1 2021, but 16,801 less than a year before in Q2 2020.

The worst offenders were the creators of the Trojan family known as Trojan-Banker.AndroidOS.Agent, which accounted for 66.23% of all detected banking Trojans. Other threats which stood out were from families called Trojan-Banker.AndroidOS.Gustuff (8.19%) and Trojan-Banker.AndroidOS.Anubis (6.86%). It’s interesting that the latter is one of the most dangerous financial Trojans but one that is very rarely encountered in the wild according to our remotely collected data.

Number of mobile banking Trojan installation packages detected by Kaspersky, Q1 and Q2 2021 (download)

Ten most common mobile bankers

Verdict
%*

1
Trojan-Banker.AndroidOS.Svpeng.t
20.90

2
Trojan-Banker.AndroidOS.Agent.eq
19.46

3
Trojan-Banker.AndroidOS.Svpeng.q
8.92

4
Trojan-Banker.AndroidOS.Anubis.t
7.26

5
Trojan-Banker.AndroidOS.Asacub.ce
5.44

6
Trojan-Banker.AndroidOS.Agent.ep
3.08

7
Trojan-Banker.AndroidOS.Hqwar.t
3.03

8
Trojan-Banker.AndroidOS.Agent.cf
2.43

9
Trojan-Banker.AndroidOS.Regon.p
2.40

10
Trojan-Banker.AndroidOS.Asacub.ar
2.33

* Unique users attacked by this malware as a percentage of all Kaspersky mobile security solution users who encountered banking threats.

Geography of mobile banking threats, Q2 2021 (download)

Top 10 countries by shares of users attacked by mobile banking Trojans

Country*
%**

1
Japan
1.62

2
Spain
0.76

3
France
0.71

4
Turkey
0.64

5
Australia
0.50

6
Norway
0.26

7
South Korea
0.23

8
Italy
0.20

9
Finland
0.16

10
Belgium
0.15

* Excluded from the rankings are countries with relatively few users of Kaspersky mobile security solutions (under 10,000).
** Unique users attacked by mobile banking Trojans as a percentage of all Kaspersky mobile security solution users in the country.

Japan has the largest share of unique users attacked by mobile financial threats in Q2 2021 (1.62%). The malware detected most often in this country was Trojan-Banker.AndroidOS.Agent.eq, which accounted for 99% of all mobile financial attacks there.

Spain followed by a wide margin with 0.76%. The most commonly encountered malware type there were again Trojan-Banker.AndroidOS.Regon.p (71.38%), Trojan-Banker.AndroidOS.Agent.io (19.15%) and Trojan-Banker.AndroidOS.Cebruser.d (3.75%).

The country that came in third was France (0.71%), where Trojan-Banker.AndroidOS.Agent.eq (98.75%) was also found to be widespread.

Mobile ransomware Trojans

In Q2 2021, we detected 3623 installation packages for mobile ransomware Trojans. That’s 27 more than the number recorded in the last quarter but 182 less than in Q2 2020.

Number of mobile ransomware Trojan installation packages detected by Kaspersky, Q1 and Q2 2021 (download)

Top 10 most common mobile ransomware

Verdict
%*

1
Trojan-Ransom.AndroidOS.Pigetrl.a
66.96%

2
Trojan-Ransom.AndroidOS.Rkor.an
4.65%

3
Trojan-Ransom.AndroidOS.Small.as
3.85%

4
Trojan-Ransom.AndroidOS.Fusob.h
2.34%

5
Trojan-Ransom.AndroidOS.Rkor.au
2.29%

6
Trojan-Ransom.AndroidOS.Rkor.as
2.20%

7
Trojan-Ransom.AndroidOS.Rkor.aw
2.11%

8
Trojan-Ransom.AndroidOS.Small.ce
1.17%

9
Trojan-Ransom.AndroidOS.Rkor.at
1.02%

10
Trojan-Ransom.AndroidOS.Soobek.a
1.00%

* Unique users attacked by the malware as a percentage of all Kaspersky mobile security solution users attacked by ransomware Trojans.

Geography of mobile ransomware Trojans, Q2 2021 (download)

Top 10 countries by share of users attacked by mobile ransomware Trojans

Country*
%**

1
Kazakhstan
0.37

2
Sweden
0.12

3
Kyrgyzstan
0.10

4
China
0.09

5
Uzbekistan
0.07

6
Saudi Arabia
0.06

7
Morocco
0.04

8
Pakistan
0.03

9
Lithuania
0.03

10
USA
0.03

* Excluded from the rating are countries with relatively few users of Kaspersky mobile security solutions (under 10,000).
** Unique users attacked by ransomware trojans as a percentage of all Kaspersky mobile security solution users in the country.

The leader by number of users attacked by mobile ransomware Trojans were Kazakhstan (0.37%), Sweden (0.12%) and Kyrgyzstan (0.10%). That said, in Kazakhstan and Sweden users mostly encountered the Trojan-Ransom.AndroidOS.Rkor family Trojans. Apart from Rkor, Trojan-Ransom.AndroidOS.Pigetrl.a was found to be common in Kyrgyzstan.

Source:: Securelist