Site icon GIXtools

The mobile malware threat landscape in 2023

The figures above are based on detection statistics received from Kaspersky users who consented to sharing usage data with Kaspersky Security Network. The data for years preceding 2023 may differ from that published previously, as the calculation methodology was refined, and the data was retrospectively revised in 2023.

The year in figures

According to Kaspersky Security Network, in 2023:

The year’s trends

Malware, adware, and riskware attacks on mobile devices dipped in February, only to rise steadily until the end of the year. In total, Kaspersky products blocked 33,790,599 attacks in 2023.

Number of attacks targeting users of Kaspersky mobile solutions, 2021–2023 (download)

Malware kept making its way into Google Play every now and then. For example, in 2023, we discovered that the marketplace contained a malicious application, Trojan.AndroidOS.Agent.wr, camouflaged as a file manager (see the image below).

The app decrypted and executed reverse proxy code, and displayed ads.

Both Google Play and third-party marketplaces were flooded with fake investment apps that relied on social engineering to coax personal data out of users: mostly phone numbers and full names, which were later added to databases used for phone fraud.

Also in 2023, we detected malicious WhatsApp and Telegram modifications that were stealing user data.

Mobile threat statistics

The number of new unique malware and riskware installation packages decreased slightly from 2022’s levels to 1,315,405.

Distribution of detected installation packages by type

Distribution of newly detected mobile malware by type in 2022 and 2023 (download)

Adware and RiskTool topped the rankings as usual. MobiDash (35.2%) was 2023’s most popular adware family, followed by Adlo (9.4%) and HiddenAd (9%).

Share of users attacked by the specific malware or riskware type in total Kaspersky users* attacked in 2022 and 2023 (download)

* These percentages may not add up to 100% if the same users encountered more than one type of attack.

The Trojan-SMS-type malware saw its activity decrease significantly, dropping six positions from 2022. By contrast, adware activity on user devices increased.

TOP 20 most frequently detected mobile malware programs

Note that the malware rankings below exclude riskware or PUAs, such as RiskTool or adware.

 
Verdict
%*, 2022
%*, 2023
Difference in pp
Change in ranking

1
DangerousObject.Multi.Generic.
16.63
14.82
-1.81
0

2
Trojan.AndroidOS.Fakemoney.v
0.31
11.76
+11.45
+81

3
Trojan.AndroidOS.Boogr.gsh
5.70
6.81
+1.11
+2

4
Trojan.AndroidOS.GriftHorse.l
4.39
5.73
+1.34
+2

5
Trojan.AndroidOS.Triada.et
0.00
4.83
+4.83

6
Trojan.AndroidOS.Generic.
5.79
3.63
-2.16
-3

7
Trojan.AndroidOS.Triada.ex
0.00
3.31
+3.31

8
Trojan-Spy.AndroidOS.Agent.acq
1.18
3.22
+2.04
+16

9
Trojan-Spy.AndroidOS.Agent.afq
0.00
3.18
+3.18

10
Trojan-Dropper.AndroidOS.Badpack.g
0.00
2.75
+2.75

11
DangerousObject.AndroidOS.GenericML.
2.57
2.39
-0.18
-2

12
Trojan-Dropper.AndroidOS.Agent.uc
0.00
2.30
+2.30

13
Trojan.AndroidOS.Piom.baiu
0.00
2.09
+2.09

14
Trojan-Dropper.AndroidOS.Hqwar.bk
0.74
1.85
+1.12
+19

15
Trojan.AndroidOS.Fakeapp.ft
0.00
1.82
+1.82

16
Trojan-Spy.AndroidOS.CanesSpy.a
0.00
1.79
+1.79

17
Backdoor.AndroidOS.Mirai.b
0.00
1.78
+1.78

18
Trojan-Spy.AndroidOS.Agent.aas
5.74
1.66
-4.08
-14

19
Trojan.AndroidOS.Triada.ey
0.00
1.58
+1.58

20
Trojan-Dropper.AndroidOS.Hqwar.hd
1.59
1.46
-0.12
-6

* Unique users who encountered this malware as a percentage of all attacked users of Kaspersky mobile solutions.

Many malware families that were not in 2022’s top 20 joined the list in 2023.

The generalized cloud verdict DangerousObject.Multi.Generic (14.82%), which covers malware from several different families, unsurprisingly retains the top spot. The umbrella ML verdict Trojan.AndroidOS.Boogr.gsh (6.81%) was also close to the top positions.

Trojan.AndroidOS.Fakemoney.v (11.76%), in second place, represents investment and payout scam apps. Another scam app variety, Trojan.AndroidOS.GriftHorse.l (5.73%), that tricked users into buying subscriptions disguised as weight loss plans, was fourth.

A number of malicious WhatsApp mods hit the top 20 list: Trojan.AndroidOS.Triada.et (4.83%), Trojan.AndroidOS.Triada.ex (3.31%), as well as Trojan-Spy.AndroidOS.CanesSpy.a (1.79%) and Trojan-Spy.AndroidOS.Agent.afq (3.18%).

The banking Trojan packer Trojan-Dropper.AndroidOS.Badpack.g (2.75%) was tenth.

Curiously, Trojan-Dropper.AndroidOS.Agent.uc (2.30%) joined the rankings as well. Detected mostly on smart TVs, this dropper is used for hidden deployments of the Mirai bot, which targets Android devices.

Region-specific malware

In this section, we describe malware that predominantly attacks users in specific countries.

Verdict
Country*
%**

Trojan-Banker.AndroidOS.BrowBot.g
Turkey
100.00

Trojan-Banker.AndroidOS.BrowBot.i
Turkey
99.54

Trojan-Banker.AndroidOS.GodFather.i
Turkey
99.53

Trojan.AndroidOS.Piom.bbfv
Turkey
99.44

Trojan-Banker.AndroidOS.BrowBot.a
Turkey
99.40

Trojan-Banker.AndroidOS.Banbra.aa
Brazil
99.35

Trojan.AndroidOS.Piom.azgy
Brazil
99.21

Trojan-Banker.AndroidOS.BRats.b
Brazil
99.11

Trojan.AndroidOS.Piom.axdh
Turkey
98.86

Trojan-Banker.AndroidOS.Sova.i
Turkey
98.83

Trojan-Banker.AndroidOS.Banbra.ac
Brazil
98.80

Trojan-Spy.AndroidOS.SmsThief.tp
Turkey
98.79

Trojan.AndroidOS.Piom.azgh
India
98.53

Trojan-Banker.AndroidOS.GodFather.h
Turkey
98.51

Trojan-SMS.AndroidOS.Fakeapp.e
Turkey
98.32

Trojan-SMS.AndroidOS.Fakeapp.g
Thailand
98.27

Trojan-Banker.AndroidOS.Rewardsteal.c
India
98.13

Trojan.AndroidOS.Piom.bbfw
Azerbaijan
98.04

Trojan-Banker.AndroidOS.Bray.n
Japan
97.94

Trojan-Banker.AndroidOS.GodFather.d
Turkey
97.91

Trojan-Banker.AndroidOS.Agent.lc
Indonesia
97.78

Trojan-Banker.AndroidOS.Agent.nd
Turkey
97.68

Trojan-Spy.AndroidOS.SmsThief.vb
Indonesia
97.58

Backdoor.AndroidOS.Tambir.b
Turkey
97.57

Trojan.AndroidOS.Hiddapp.da
Iran
97.39

Trojan-Banker.AndroidOS.GodFather.g
Turkey
97.18

Trojan-Spy.AndroidOS.SmsThief.tw
Indonesia
96.93

Trojan-Banker.AndroidOS.Agent.la
Turkey
96.79

Trojan-Spy.AndroidOS.SmsEye.b
Indonesia
96.75

Trojan-Banker.AndroidOS.GodFather.e
Turkey
96.41

* Country where the malware was most active.
* Unique users who encountered the malware in the indicated country as a percentage of all Kaspersky mobile security solution users attacked by the same malware.

Users in Turkey experienced the greatest variety of threats concentrated within a single country in 2023. These included BrowBot, GodFather, and Sova banking Trojan modifications; SmsThief.tp spies; Fakeapp.e SMS Trojans; and the Tambir backdoor. Tambir opens VNC access for malicious actors, functions as a keylogger, steals SMS messages, contacts, and app lists, and sends SMS messages.

Also, several specialized threats were active in Brazil, including the Banbra and Brats banking Trojans, which we mentioned in several previous reports.

The SmsThief and SmsEye spies were mostly spread in Indonesia. Fakeapp.g, a program that opens the website of a third-party app store while sending SMS messages to short codes, specialized in attacking users in Thailand.

Mobile banking Trojans

The number of new banking Trojan installation packages dropped slightly from 2022’s level to 153,682.

The number of mobile banking Trojan installation packages detected by Kaspersky in 2020–2023 (download)

TOP 10 mobile bankers

Verdict
%*, 2022
%*, 2023
Difference in pp
Change in ranking

Trojan-Banker.AndroidOS.Bian.h
23.78
22.22
-1.56
0

Trojan-Banker.AndroidOS.Agent.eq
3.46
20.95
+17.50
+6

Trojan-Banker.AndroidOS.Faketoken.pac
6.42
5.33
-1.09
+1

Trojan-Banker.AndroidOS.Agent.cf
1.16
4.84
+3.68
+13

Trojan-Banker.AndroidOS.Agent.ma
0.00
3.74
+3.74

Trojan-Banker.AndroidOS.Agent.la
0.04
3.20
+3.16

Trojan-Banker.AndroidOS.Anubis.ab
0.00
3.00
+3.00

Trojan-Banker.AndroidOS.Agent.lv
0.00
1.81
+1.81

Trojan-Banker.AndroidOS.Agent.ep
4.17
1.74
-2.44
-4

Trojan-Banker.AndroidOS.Mamont.c
0.00
1.67
+1.67

* Unique users who encountered this malware as a percentage of all Kaspersky mobile security solution users who encountered banking threats.

The total number of banking Trojan attacks remained at 2022’s level despite a slight decrease in the number of unique installation packages. This suggests that malicious actors were more likely to reuse the same malware for attacking new users than in the previous year.

Mobile ransomware Trojans

The number of new ransomware installation packages increased slightly year-on-year, reaching 11,202.

Number of installation packages for mobile ransomware detected by Kaspersky, 2020–2023 (download)

TOP 10 mobile ransomware Trojan apps

Verdict
%*, 2022
%*, 2023
Difference in pp
Change in ranking

Trojan-Ransom.AndroidOS.Rasket.a
0.00
52.39
+52.39

Trojan-Ransom.AndroidOS.Pigetrl.a
74.28
22.30
-51.99
-1

Trojan-Ransom.AndroidOS.Rkor.eg
0.00
5.13
+5.13
-3

Trojan-Ransom.AndroidOS.Rkor.ef
0.00
2.65
+2.65
-4

Trojan-Ransom.AndroidOS.Congur.y
0.41
1.13
+0.72
+33

Trojan-Ransom.AndroidOS.Congur.cw
0.93
1.00
+0.07
+5

Trojan-Ransom.AndroidOS.Small.as
1.80
0.94
-0.86
-4

Trojan-Ransom.AndroidOS.Agent.bw
0.72
0.86
+0.14
+11

Trojan-Ransom.AndroidOS.Svpeng.ac
0.86
0.73
-0.12
+5

Trojan-Ransom.AndroidOS.Fusob.h
1.03
0.67
-0.35
-2

* Unique users who encountered this malware as a percentage of all Kaspersky mobile security solution users attacked by ransomware Trojans.

The Rasket Trojan (52.39%) topped the rankings of similar Trojans in terms of attacks by pushing out Pigertl (22.30%). The rest of the positions were, as usual, occupied by various modifications of Rkor, Congur, Small, and Svpeng Trojans, which had been active for a long time.

Conclusion

Android malware and riskware activity surged in 2023 after two years of relative calm, returning to early 2021 levels by the end of the year. That said, the number of unique installation packages dropped from 2022, suggesting that malicious actors were more frequently using the same packages to infect different victims. Adware accounted for the majority of threats detected in 2023.

Attackers continued to use official app marketplaces, such as Google Play, to spread malware. Also, we repeatedly detected malicious mods of popular instant messaging apps.

Source:: Securelist

Exit mobile version