The overall number of attacks on mobile users is down, but they’re getting slicker, both in terms of malware functionality and vectors, researchers say.
The number of cyberattacks launched against mobile users was down last year, researchers have found — but don’t pop the champagne just yet. The decline was offset by jacked-up, more sophisticated, more nimble mobile nastiness.
In a Monday report, Kaspersky said that its researchers have observed a downward trend in the number of attacks on mobile users, as shown in the chart below. However, “attacks are becoming more sophisticated in terms of both malware functionality and vectors,” according to Kaspersky experts Tatyana Shiskova and Anton Kivva.
“In the reporting period, after a surge in H2 2020, cybercriminal activity gradually abated: There were no global newsbreaks or major campaigns, and the COVID-19 topic began to fade,” according to Monday’s report. “At the same time, new players continue to emerge on the cyberthreat market as malware becomes more sophisticated; thus, the fall in the overall number of attacks is ‘compensated’ by the greater impact of a successful attack. Most dangerous of all in this regard are banking malware and spyware.”
The company’s mobile products and technologies detected 97,661 new mobile banking trojans, along with 3,464,756 malicious installation packages and 17,372 new mobile ransomware trojans.
The number of malicious installation packages observed in 2021 actually dropped substantially, down 2,218,938 from 2020 and slightly down from the 3,503,952 packages discovered in 2019.
New Tricks for Mobile Banking Malware
Last year, banking trojans learned a number of new tricks. For example, the Fakecalls banker, which targets Korean mobile users, is now “[dropping] outgoing calls to the victim’s bank and plays pre-recorded operator responses stored in the trojan’s body,” according to the report.
Other old dogs learning new tricks include the Sova banker, which steals cookies, “enabling attackers to access the user’s current session and personal mobile banking account without knowing the login credentials.”
In 2021, cybercriminals also went after mobile gaming credentials – which are often sold later on the darknet or used to steal in-game goods from users. Last year, for example, marked the first time that researchers spotted what they called a “Gamethief-type mobile trojan,” aimed at stealing account credentials for the mobile version of PlayerUnknown’s Battlegrounds (PUBG).
As well, the Vultur backdoor – found packed into a malicious, fully functional two-factor authentication (2FA) app discovered last month on Google Play – picked up the capability of using Virtual Network Computing (VNC) to snoop on targets by recording smartphone screens: “When the user opens an app that is of interest to attackers, they can monitor the on-screen events,” researchers said.
Other trends spotted in 2021: fewer pandemic/COVID-19 topics used as bait, and more pop-culture lures, such as Squid Game. Kaspersky pointed to the Joker trojan on Google Play, which was found masquerading “as an app with a background wallpaper in the style of Squid Game.”
Google Play Still Infested
Speaking of the malware-ridden Play Store, regardless of Google’s attempts to scrub its app store clean, it’s still a bit of a roach motel. ThreatFabric researchers recently sniffed out 300,000 banking trojan infections in Google Play during a four-month period.
Kaspersky also called out what it said were “repeat incidents of malicious code injection into popular apps through advertising SDKs,” as in the “sensational” case of CamScanner: a malicious app spotted in the Google Play store in August 2019 that tallied 100 million downloads.
One example was particularly alarming, from a security hygiene perspective: the malicious, fully functional 2FA app that hung out in Google Play for more than two weeks, managing to cling to 10,000 downloads. It came loaded with the Vultur stealer malware that targets and swoops down on financial data.
Among all of last year’s many banking-trojans moves, researchers found the resurgence of Joker especially notable. The malware, which zaps victims with premium SMS charges, popped up yet again on Google Play, in a mobile app called Color Message, after which it snuck into more than a half-million downloads before the store collared it.
Kaspersky researchers also called out the Facestealer trojan: a family of Android trojans that uses social engineering to rip off victims’ Facebook credentials.
These trojans most commonly sneak into Google Play by masquerading as a legitimate app, such as a photo editor or VPN service, to which they add a small code snippet to decrypt and launch their payload, the researchers explained. To confound analysis, such malware often uses a command-and-control (C2) server to send unpacking commands that get carried out in multiple steps: “Each decrypted module contains the address of the next one, plus instructions for decrypting it,” they said.
Most of It’s Still Adware
At 42 percent, adware was yet again the biggest slice of the mobile malware pie, even though it fell 14.83 percentage points over the prior year. In 2020, adware was also the No. 1 mobile menace, at 57 percent.
Next in prevalence were potentially unwanted riskware apps at 35 percent: a share increase of 14 percentage points, after a sharp decline in 2019–2020. As defined by Kaspersky, riskware are legitimate programs “that pose potential risks due to security vulnerability, software incompatibility or legal violations.”
In third place were trojan threats at 9 percent: a share that rose by 4 percentage points year-over-year.
Join Threatpost on Wed. Feb 23 at 2 PM ET for a LIVE roundtable discussion “The Secret to Keeping Secrets,” sponsored by Keeper Security, focused on how to locate and lock down your organization’s most sensitive data. Zane Bond with Keeper Security will join Threatpost’s Becky Bracken to offer concrete steps to protect your organization’s critical information in the cloud, in transit and in storage. REGISTER NOW and please Tweet us your questions ahead of time @Threatpost so they can be included in the discussion.