A snapshot of the 2020 mobile threat landscape reveals major shifts toward adware and threats to online banks.

Hackers painted a bullseye on the backs of online financial institutions in 2020 as the pandemic shuttered local branch offices and forced customers online. Over the past 12 months, incidents of adware nearly tripled. And, overall in 2020 researchers saw a slight drop in the number of mobile cyberattacks, according to a report released Monday by Kaspersky.

In its’ Mobile Malware Evolution 2020, Kaspersky documents the current mobile threat landscape and identifies 2021 mobile security trends. It found that while mobile threats have dipped slightly over the past year, criminals have focused on the quality of mobile attacks versus mass infections.

“We saw a decrease in the number of attacks in the first half of the year, which can be attributed to the confusion of the first months of the pandemic,” wrote Victor Chebyshev, a mobile security researcher at Kaspersky and author of the report. “The attackers had other things to worry about [and] were back at it in the second half.”
, Mobile Adware Booms, Online Banks Become Prime Target for Attacks
What Are the Biggest Mobile Threats?

Leading mobile threat types in 2020 is adware, accounting for 57 percent of attacks. Risk tools came in second, representing 21 percent of attacks. Trojan droppers and mobile trojans each represented 4.5 percent of attacks and SMS-based trojans represented 4 percent of actual mobile criminal activity.

Risk tools, as Kaspersky calls them, are potentially dangerous or unwanted programs that are not inherently malicious, but are used to hide files or terminate applications and could be used with malicious intent.

Each of aforementioned threats, save adware, saw steep declines in attack occurrences. Compared to 2019, adware attacks against mobile users grew from representing 22 percent of attacks to 57 percent of all types of mobile threats.

The Most Popular Adware in 2020?

Leading adware families included Ewind (representing 65 percent of adware samples found) followed by FakeAdBlocker (representing 15 percent of samples) and trailed by HiddenAd (accounting for 10 percent of samples).

How did Ewind Adware Becomes to Potent?   

Researchers credit the success of Ewind with the nearly 2 million Ewind.kp Android installer packages bundled successfully within legitimate applications, such as icons and resource files. These seemingly innocuous downloads, Chebyshev wrote, are readily available at seemingly trustworthy third-part Android application download sites.

What Mobile Malware Did Apple’s iOS Face?

Unlike Android handsets, Apple’s closed hardware and software ecosystem posed unique challenges for criminals, however it didn’t deter them completely.

Topping threats to Apple’s smattering of mobile devices – including its iPhone and iPad lines – are drive-by downloads abusing the company’s Safari browser rendering engine called WebKit, Kaspersky said.

“In 2020, our colleagues at TrendMicro detected the use of Apple WebKit exploits for remote code execution (RCE) in conjunction with Local Privilege Escalation exploits to deliver malware to an iOS device,” wrote Chebyshev.

“The payload was the LightSpy trojan whose objective was to extract personal information from a mobile device, including correspondence from instant messaging apps and browser data, take screenshots, and compile a list of nearby Wi-Fi networks,” he wrote.

The iOS malware LightSpy has a modular design. “One of the modules discovered was a network scanner that collected information about nearby devices including their MAC addresses and manufacturer names. TrendMicro said LightSpy distribution took advantage of news portals, such as COVID-19 update sites,” according to the report.

What’s the Most Common Android Trojans in 2020?

Popular malware families targeting the Android operating system in 2020 were banking trojans GINP, Cebruser, Ghimob and Cookiethief.

“The trojan Ghimob was one of 2020’s most exciting discoveries,” according to the Kaspersky report. “It stole credentials for various financial systems including online banking applications and cryptocurrency wallets in Brazil.”

The trojan was rudimentary, but effective, and abused the Android Accessibility feature with a common mobile overlay scheme.

“Whenever the user tried to access the Ghimob removal menu, the trojan immediately opened the home screen to protect itself from being uninstalled,” according to the report.

Cookiethief Android Trojan Abuses Cookies

As for Cookiethief malware, researchers said the trojan targeted mobile cookies, which store unique identifiers of web sessions and hence can be used for authorization. “For example, an attacker could log in to a victim’s Facebook account and post a phishing link or spread spam. Typically, cookies on a mobile device are stored in a secure location and are inaccessible to applications, even malicious ones. To circumvent the restriction, Cookiethief tried to get root privileges on the device with the help of an exploit, before it began its malicious activities,” the researcher wrote.

There was Significant Growth in Mobile Financial Threats in 2020.

“We detected 156,710 installation packages for mobile banking Trojans in 2020, which is twice the previous year’s figure and comparable to 2018,” Kaspersky wrote.

Top banking Trojans were Agent (72 percent of infections) followed by a long list of banking Trojans representing single-digit infections including Wroba, Rotexy and Anubis.

Interest in targeting financial institutions is tied to the pandemic, researchers said. “The inability to visit a bank branch forced customers to switch to mobile and online banking, and banks, to consider stepping up the development of those services,” they wrote.

On the Bright Side: Incidents of Mobile Ransomware Plummet

“Overall, the decrease in ransomware can be associated with the assumption that attackers have been converting from ransomware to bankers or combining the features of the two. Current versions of Android prevent applications from locking the screen, so even successful ransomware infection is useless,” researchers noted.

How Do Adware and Malware Criminal Gangs Work Together?

It is unclear how new the trend is, but the Kaspersky report offered insights into the seldom-described symbiotic relationship between adware pushers and those behind malware infections.

“Adware creators are interested in obstructing the removal of their products from a mobile device. They typically work with malware developers to achieve this. An example of a partnership like that is the use of various trojan botnets: we saw a number of these cases in 2020,” the report stated.

The mutually beneficial relationship starts with bots infecting mobile devices.

“As soon as the owners of the botnet and their [criminal] customers come to an agreement, the bot receives a command to download, install and run a payload, in this case, adware. If the victim is annoyed by the unsolicited advertising and removes the source, the bot will simply repeat the steps,” the report outlines.

Those infections can sometime also lead to “elevate access privileges on the device, placing adware in the system area and making the user unable to remove them without outside help,” they said.

How Android Gear Comes Pre-Installed with Malware?

Another example of the partnership between less-than-savory actors is a scheme called “preinstalls”. This is when the phone’s maker preloads an adware application or a component with the firmware.

“As a result, the device hits the shelves already infected. This is not a supply chain attack, but a premeditated step on the part of the manufacturer for which it receives extra profits,” Kaspersky explains.

Researchers explain this is a particularly difficult, if not impossible, infection to inoculate.

“[N]o security solution is yet capable of reading an OS system partition to check if the device is infected. Even if detection is successful, the user is left alone with the threat, without a possibility of removing the malware quickly or easily, as Android system partitions are write protected. This vector of spreading persistent threats is likely to become increasingly popular in the absence of new effective exploits for popular Android versions,” it said.