IT threat evolution Q2 2020. Mobile statistics

IT threat evolution Q2 2020. Review
IT threat evolution Q2 2020. PC statistics

These statistics are based on detection verdicts of Kaspersky products received from users who consented to provide statistical data.

Quarterly figures

According to Kaspersky Security Network, the second quarter saw:

  • 1,245,894 detected malicious installers, of which
    • 38,951 packages were related to mobile banking trojans
    • 3,805 packages proved to be mobile ransomware trojans
  • A total of 14,204,345 attacks on mobile devices were blocked

Quarterly highlights

In summing up the results of the second quarter, we will begin with the number of attacks that targeted mobile devices. In Q2 2019, we thwarted 15,137,884 attacks, but one year later, the number decreased insignificantly, to 14,204,345.

Number of attacks on mobile devices, Q1 2019 – Q2 2020 (download)

The absence of significant changes indicates that malware developers kept up their activities in the face of the coronavirus pandemic. At the same time, this shows that we are not going through an epidemic caused by any particular family or class of mobile threats. In other words, no one reached the level of Asacub in yet another quarter, which is good news.

Nevertheless, mobile security users encountered malicious files more often than adware or potentially unwanted apps.

Share of users who encountered various threat classes, Q2 2020 (download)

The number of users whose devices were found to contain adware is almost half the number of those whose devices were infected with various classes of malware. At the same time, adware is a clear leader by number of objects detected, both in the second quarter and in previous ones. What is peculiar about adware and applications with an integrated advertising module is that they are extremely difficult for the user to identify or remove. The applications themselves naturally give no warning that they will pop up half-screen or even full-screen advertisements, and telling which application is being displayed if the user did not run it is impossible without special tools.

This kind of applications can be found in the official Google Play store, too, and to our utter regret, some developers are not making a conscious effort to remove questionable advertisements from their products.

Further good news from Q2 2020 is a decrease in the number of devices that were found to contain stalkerware. Several possible explanations exist as to the cause of the significant decline that we have seen since Q4 2019 – we shall talk about these in the appropriate section.

Mobile threat statistics

In Q2 2020, Kaspersky detected 1,245,894 malicious installers, an increase of 93,232 over the previous quarter.

Number of detected malicious installation packages, Q2 2019 – Q2 2020 (download)

Over the past few quarters, we have seen an increase in the number of detected objects. Early 2018 saw a similar situation, when a great number of trojan droppers and potentially unwanted software was discovered.

Distribution of detected mobile apps by type

Distribution of newly detected mobile apps by type, Q1 and Q2 2020 (download)

Adware topped the list with 48%, a decrease of one percentage point from the previous quarter. The Ewind adware family (60.53% of all adware detected) was most common in Q2, followed by the FakeAdBlocker family with 13.14% and Inoco with 10.17%.

RiskTool-type potentially unwanted software ranked second among all detected threat classes. Its share was 20%, which is eight percentage points smaller than in Q1 2020 and 21 p.p. smaller than in Q2 2019.

Most of the detected RiskTool variants were SMSreg (44.6% of all detected potentially unwanted software), Resharer (12.63%) and Dnotua (11.94%) families.

SMS trojans hold third place among all detected threats with 7.59%. This threat class is believed to be dying out, as a mobile carrier account is a far less tempting target for criminals than a bank account, and both can be controlled from a mobile device. Agent (33.74%), Fakeinst (26.80%) and Opfake (26.33%) were the largest of the detected families of SMS trojans. All the three families were more common with Russian users, which is typical of the entire SMS trojan threat class. Users from Iran followed, far behind the Russians. The Opfake and Fakeinst families are also the leaders in the number of detections on end-user devices, each accounting for 23% of the total number of unique users attacked by SMS trojans. The Prizmes family (21%) and the Agent family (16%) followed in third and fourth place, respectively.

The Opfake and Fakeinst families are among the oldest mobile threats known to Kaspersky. It is safe to say that their discovery in the wild is more of an echo of past large-scale distribution campaigns. This is supported by the fact that most of the malware detected no longer had functioning control centers. Since the main means of distributing these trojans are fake application websites, one can assume that during lockdown users are more likely to turn to such resources in search of free content and thus provide the malware families with a statistical boost.

Top 20 mobile malware programs

Note that this malware rating does not include potentially dangerous or unwanted programs, such as RiskTool or AdWare.

Verdict %*
1 DangerousObject.Multi.Generic 40.29
2 Trojan.AndroidOS.Boogr.gsh 9.02
3 DangerousObject.AndroidOS.GenericML 6.17
4 Trojan-Downloader.AndroidOS.Necro.d 4.86
5 Trojan-Dropper.AndroidOS.Hqwar.cf 3.63
6 Trojan.AndroidOS.Hiddad.fi 3.19
7 Trojan-Downloader.AndroidOS.Helper.a 2.84
8 Trojan-Downloader.AndroidOS.Agent.hy 2.64
9 Trojan.AndroidOS.Agent.vz 2.32
10 Trojan-Downloader.AndroidOS.Agent.ik 2.06
11 Trojan.AndroidOS.Handda.san 2.04
12 Trojan.AndroidOS.MobOk.v 1.89
13 Trojan-Downloader.AndroidOS.Agent.ic 1.84
14 Trojan.AndroidOS.MobOk.x 1.67
15 Trojan-Dropper.AndroidOS.Hqwar.gen 1.54
16 Trojan-Dropper.AndroidOS.Helper.n 1.45
17 Trojan-Banker.AndroidOS.Rotexy.e 1.36
18 Trojan-Downloader.AndroidOS.Malota.a 1.29
19 Trojan-Dropper.AndroidOS.Penguin.e 1.24
20 Trojan.AndroidOS.Dvmap.a 1.13

* Unique users attacked by this malware as a percentage of all users of Kaspersky mobile antivirus that were attacked.

As per tradition, first place in our Top 20 for Q2 went to the DangerousObject.Multi.Generic verdict (40.29%), which we use for malware detected using cloud technologies. Cloud technologies are deployed when the antivirus databases lack data for detecting a piece of malware, but the company’s cloud already contains information about the object. This is basically how the latest malicious programs are detected.

Second and third places were claimed by Trojan.AndroidOS.Boogr.gsh (9.02%) and DangerousObject.AndroidOS.GenericML (6.17%). These verdicts are assigned to files recognized as malicious by our machine-learning systems.

In fourth place, as in the last quarter, is Trojan-Downloader.AndroidOS.Necro.d (4.86%). This Trojan family is closely associated with various classes of Triada group of complex threats, as well as the xHelper Trojan family, whose members took the seventh and sixteenth positions in the rankings, respectively. A distinctive feature of Necro trojans, which leads to serious problems for its victims, is their ability to take root on the device by escalating access rights. Having obtained root privileges, such trojans can write themselves to the device’s read-only memory, preventing the user from removing the malware with built-in tools.

Fifth and fifteenth places in the rankings were taken by representatives of the Trojan-Dropper.AndroidOS.Hqwar family. This is the most popular dropper in the wild: if you look at the number of detected droppers from various families, you will find Hqwar in second position, immediately after the Agent generalized verdict. In Q2 2020, the share of the Hqwar family among all detected droppers increased markedly to 30.12% from 8% in Q1 2020.

TOP 3 detected droppers

Verdict %
Agent 30.38%
Hqwar 30.32%
Wapnor 30.12%

The sixth position in the rankings went to Trojan.AndroidOS.Hiddad.fi (3.19%), whose capabilities include displaying advertising banners and concealing its activities.

Members of Trojan-Downloader.AndroidOS.Agent took the eighth, tenth and thirteenth positions. These trojans have the simple task of downloading modules from the C2 and running these. The downloaded modules are often adware, but we have seen trojan payloads as well.

Trojan.AndroidOS.vz (2.32%) took the ninth place. Apparently, this Trojan served as a payload for a different type of malware, with Agent.vz’s task coming down to downloading executable code as well. This suggests that the malware is only an intermediate link in the infection chain.

In the eleventh place, we find the Trojan.AndroidOS.Handda.san trojan (2.04%). This verdict covers a whole group of malware, which includes a variety of trojans united by common capabilities: hiding their icons, obtaining Device Admin rights and using packers to counteract detection.

The twelfth and fourteenth places went to members of the Trojan.AndroidOS.MobOk family. These trojans are a link in infection chains and most commonly have been detected with mobile users from Russia.

As in Q1 2020, the twenty most common threats included the bank trojan Rotexy (1.36%). It is worth noting that this is likely not the only widespread banker, as more popular Hqwar droppers often conceal financial malware.

In the eighteenth place we see Trojan-Downloader.AndroidOS.Malota.a (1.29%). We have known this trojan since October 2019. Its main task is to download executable code from the C2 to the infected device.

Geography of mobile threats

Map of mobile malware infection attempts, Q2 2020 (download)

Top 10 countries by share of users attacked by mobile malware

Country* %**
1 Iran 43.62
2 Algeria 21.97
3 Bangladesh 19.30
4 Morocco 17.57
5 Nigeria 15.12
6 India 13.54
7 Saudi Arabia 13.52
8 Kenya 12.61
9 Indonesia 12.17
10 Pakistan 12.16

* Excluded from the rating are countries with relatively few users of Kaspersky mobile security solutions (under 10000).
** Unique users attacked in the country as a share of all users of Kaspersky mobile security solutions in the country.

The TOP 3 countries with the largest user shares remained unchanged in Q2: Iran (43.62%) followed by Algeria (21.97%) and Bangladesh (19.30%).

Most commonly detected in Iran were AdWare.AndroidOS.Notifyer-family adware, alternate Telegram clients (RiskTool.AndroidOS.FakGram.d, for instance, is one of the ten most commonly detected threats in Iran), and Trojan.AndroidOS.Hiddap-family trojans. The latter have a variety of tools and one common feature: the tendency to hide their icons from the app manager screen.

HiddenAd and FakeAdBlocker adware was most common in Algeria, a similar situation to Q1 2020.

In Bangladesh, the leader is HiddenAd-family adware, which conceals their carrier application. AdWare.AndroidOS.Outad.c (fifth place within the country) and AdWare.AndroidOS.Loead (sixth place) adware types were common as well.

Mobile web threats

The statistics presented here are based on detection verdicts returned by the Web Anti-Virus module that were received from users of Kaspersky products who consented to provide statistical data.

Hackers use a variety of techniques to attract potential victims to malicious landing pages, from rogue SEO for displaying their sites in top ten results for certain search queries to redirect chains that will quickly and discreetly take the user from a legitimate site to a malicious one. We decided to calculate the countries where mobile users were most likely to encounter malicious websites while browsing the Web and where these sites are located.

Geography of the countries with the highest risk of infection via web resources, Q2 2020 (download)

Ten countries with the highest risk of infection

Country* % of attacked users**
Morocco 7.08
Algeria 6.25
Ecuador 6.05
Saudi Arabia 5.24
Oman 4.98
India 4.93
Vietnam 4.63
Kuwait 4.47
UAE 4.27
Brazil 4.25

* Excluded are countries with relatively few Kaspersky mobile product users (under 10,000).
** Unique users targeted by all types of web attacks as a share of all unique users of Kaspersky mobile products in the country.

Countries where mobile web threats are based

Geography of countries where mobile attacks are based, Q2 2020 (download)

TOP 10 countries where the largest numbers of mobile attacks are based

Country %*
Netherlands 51.17
USA 32.87
Dominican Republic 8.36
Singapore 3.64
Germany 1.53
Russian Federation 1.00
Luxembourg 0.44
Ireland 0.32
France 0.19
India 0.05

* Share of mobile threat sources in the country out of the total number of such sources

The Netherlands and the United States topped the list of web threat sources in Q2 2020. The Netherlands accounted for more than half of all attacks, typically engaging advertising-related websites. The United States were the other most common source of a similar type of threats.

Mobile banking Trojans

During the reporting period, we detected 38,951 mobile banking trojan installer packages, 3,164 fewer than in Q1 2020.

TOP 10 detected bankers

1 Agent 58.7%
2 Wroba 8.3%
3 Zitmo 8.2%
4 Rotexy 6.5%
5 Knobot 4.4%
6 Anubis 3.8%
7 Faketoken 3.0%
8 Cebruser 2.4%
9 Asacub 1.0%
10 Ginp 0.9%

The Trojan-Banker.AndroidOS.Agent family made the largest contribution to the number of packages detected: 58.7% of all discovered banking trojans. The Trojan-Banker.AndroidOS.Wroba family (8.3%) was second, far behind the leader, and immediately followed by Trojan-Banker.AndroidOS.Zitmo (8.2%).

Number of installation packages for mobile banking Trojans detected by Kaspersky, Q2 2019 – Q2 2020 (download)

TOP 10 mobile bankers

Verdict %*
1 Trojan-Banker.AndroidOS.Rotexy.e 13.29
2 Trojan-Banker.AndroidOS.Svpeng.q 9.66
3 Trojan-Banker.AndroidOS.Agent.eq 6.48
4 Trojan-Banker.AndroidOS.Asacub.snt 6.45
5 Trojan-Banker.AndroidOS.Asacub.ce 5.59
6 Trojan-Banker.AndroidOS.Anubis.san 5.49
7 Trojan-Banker.AndroidOS.Faketoken.snt 4.34
8 Trojan-Banker.AndroidOS.Anubis.n 3.49
9 Trojan-Banker.AndroidOS.Hqwar.t 3.14
10 Trojan-Banker.AndroidOS.Asacub.a 3.09

* Unique users attacked by this malware as a share of all Kaspersky mobile security solution users attacked by banking threats.

The first and second places on our list went to mobile bankers that targeted mobile users from Russia: Trojan-Banker.AndroidOS.Rotexy.e (13.29%) and Trojan-Banker.AndroidOS.Svpeng.q (9.66%).

Various members of the Asacub family took three positions out of ten on the TOP 10 for mobile financial threats. Although this threat family is not particularly numerous, it is very popular with attackers.

The Anubis banker family gained popularity in Q2 2020, with its members occupying the sixth and eighth positions. We believe that these versions of the trojan were built from source code leaked onto the Internet.

Geography of mobile banking threats, Q2 2020 (download)

TOP 10 countries by share of users attacked by mobile banking Trojans

Country* %**
1 Turkey 1.29%
2 Japan 0.90%
3 Spain 0.71%
4 Italy 0.65%
5 Taiwan 0.49%
6 China 0.19%
7 Tajikistan 0.16%
8 Korea 0.14%
9 Russia 0.14%
10 Poland 0.13%

* Excluded from the rating are countries with relatively few users of Kaspersky mobile security solutions (under 10,000).
** Unique users attacked by mobile banking Trojans as a share of all users of Kaspersky mobile security solutions in the country.

Turkey had the largest share of unique users attacked by mobile financial threats in Q2 2020, 1.29%. Members of the Trojan-Banker.AndroidOS.Cebruser family were most commonly detected there.

Turkey was followed by Spain with 0.71%. The rankings of mobile financial threats in this country were as follows:

Verdict %
Trojan-Banker.AndroidOS.Ginp.snt 36.60%
Trojan-Banker.AndroidOS.Cebruser.san 25.57%
Trojan-Banker.AndroidOS.Cebruser.pac 22.43%
Trojan-Banker.AndroidOS.Knobot.g 5.19%
Trojan-Banker.AndroidOS.Knobot.pac 4.89%
Trojan-Banker.AndroidOS.Knobot.c 3.73%
Trojan-Banker.AndroidOS.Knobot.h 3.43%
Trojan-Banker.AndroidOS.Agent.eq 2.99%
Trojan-Banker.AndroidOS.Knobot.c 2.63%
Trojan-Banker.AndroidOS.Cebruser.b 2.12%

Unlike the Ginp and Cebruser mobile bankers, which we have mentioned in the past, Knobot is a relatively new player on the market for threats that target financial data. Along with phishing windows and interception of 2FA verification messages, the trojan has several tools that are uncharacteristic of financial threats. An example of these is hijacking device PINs through exploitation of Accessibility Services. The attackers probably require the PIN in case they need to control the device manually in real time.

Mobile ransomware Trojans

In Q2 2020, we detected 3,805 installation packages for mobile Trojan ransomware, which is 534 fewer than last quarter.

The number of detected objects has been decreasing from quarter to quarter. We believe that there are two main causes:

  • It is much harder to extort cash from users than to steal the bank account data right away. At the same time, the device needs to be previously infected in either case, so with the costs being equal, cybercriminals will choose the path of least resistance, i.e. theft.
  • A ransomware trojan is a threat the user will likely want to fight to get the device back to a functional state. The user is likely to win, too, even if by factory-resetting the device. Cybercriminals, in their turn, try to keep their malware undetected on the device as long as possible, which runs counter to the whole idea of mobile ransomware.

Number of installation packages for mobile ransomware Trojans detected by Kaspersky, Q2 2019 – Q2 2020 (download)

Attacks reveal a similar pattern: the number of users attacked by ransomware trojans in Q2 2020 fell threefold compared to Q2 2019.

Verdict %*
1 Trojan-Ransom.AndroidOS.Small.as 14.27
2 Trojan-Ransom.AndroidOS.Agent.bq 8.46
3 Trojan-Ransom.AndroidOS.Svpeng.aj 7.67
4 Trojan-Ransom.AndroidOS.Small.o 5.77
5 Trojan-Ransom.AndroidOS.Rkor.k 5.37
6 Trojan-Ransom.AndroidOS.Agent.bo 5.01
7 Trojan-Ransom.AndroidOS.Congur.am 4.32
8 Trojan-Ransom.AndroidOS.Small.ce 3.65
9 Trojan-Ransom.AndroidOS.Fusob.h 3.42
10 Trojan-Ransom.AndroidOS.Soobek.a 3.01

* Unique users attacked by this malware as a share of all Kaspersky mobile antivirus users attacked by ransomware trojans.

The list TOP 10 ransomware trojans detected in Q2 2020 contains only two new species: Trojan-Ransom.AndroidOS.Agent.bq (8,46%) and Trojan-Ransom.AndroidOS.Agent.bo (5.01%). All the rest were originally developed in 2017–2019 and have been kept relevant by their creators through minor code changes.

The aforementioned Agent.bq and Agent.bo, like various other trojan classes, notably contain code that exploits Accessibility Services. In the case of these two, however, the code is used for screen locking and delete protection, literally leaving the victim no chances to remove the trojan without an external utility, such as ADB. However, ADB cannot always be used for removing the ransomware either: developer mode, which it requires, is deactivated on an overwhelming majority of devices.

Geography of mobile ransomware Trojans, Q2 2020 (download)

Top 10 countries by share of users attacked by mobile ransomware Trojans:

Country* %**
1 Kazakhstan 0.41
2 Malaysia 0.10
3 USA 0.10
4 Iran 0.09
5 Indonesia 0.07
6 Saudi Arabia 0.04
7 Vietnam 0.03
8 Italy 0.02
9 Algeria 0.02
10 Romania 0.02

* Excluded from the rating are countries with relatively few Kaspersky mobile antivirus users (under 10000).
** Unique users attacked by mobile ransomware Trojans in the country as a percentage of all users of Kaspersky mobile solutions in the same country.

Kazakhstan (0.41%), Malaysia (0.10%) and the United States (0.10%) saw the largest shares of users attacked by mobile ransomware trojans.

Stalkerware

This section uses statistics collected by Kaspersky Mobile Antivirus security solution.

The past second quarter of 2020 seems not to have been the most successful one for stalkerware developers. Many of the countries were this type of spyware enjoyed popularity went on a lockdown or imposed self-isolation requirements, which resulted in stalkerware users finding themselves locked up for a long period of time with those they intended to spy on. One can assume this led to a decrease in the number of mobile devices on which we detected stalkerware. At the same time, we discovered ten previously unknown families of stalker software in Q2 2020:

  1. AndroidOS.Andropol.a
  2. AndroidOS.AndTrace.a
  3. AndroidOS.Basmon.a
  4. AndroidOS.Flashlog.a
  5. AndroidOS.Floatspy.a
  6. AndroidOS.FoneSpy.a
  7. AndroidOS.GmSpy.a
  8. AndroidOS.Spytm.a
  9. AndroidOS.UniqSpy.a
  10. AndroidOS.Xnspy.a

It would hence be incorrect to assume that developers have lost interest in creating this type of programs. We will continue to monitor new samples, as none of the families listed above were popular enough in Q2 2020 to get on the list of the ten most common stalkerware types.

TOP 10 stalkerware

Verdicts %
1 Monitor.AndroidOS.Cerberus.a 14.21%
2 Monitor.AndroidOS.Nidb.a 13.66%
3 Monitor.AndroidOS.MobileTracker.c 5.56%
4 Monitor.AndroidOS.Agent.af 5.07%
5 Monitor.AndroidOS.Anlost.a 4.20%
6 Monitor.AndroidOS.PhoneSpy.b 3.39%
7 Monitor.AndroidOS.Agent.a 2.56%
8 Monitor.AndroidOS.Agent.hb 2.37%
9 Monitor.AndroidOS.SecretCam.a 2.27%
10 Monitor.AndroidOS.Traca.a 2.25%
11 Monitor.AndroidOS.Alltracker.a 2.22%
12 Monitor.AndroidOS.Agent.al 2.15%
13 Monitor.AndroidOS.SpyHuman.c 2.10%
14 Monitor.AndroidOS.Wspy.a 1.91%
15 Monitor.AndroidOS.Agent.gt 1.73%
16 Monitor.AndroidOS.MonitorMinor.e 1.62%
17 Monitor.AndroidOS.Reptilic.a 1.49%
18 Monitor.AndroidOS.Agent.he 1.43%
19 Monitor.AndroidOS.Anfur.a 1.39%
20 Monitor.AndroidOS.Talkw.a 1.25%

The rankings include long-standing, widely used commercial stalkerware families, among others, MonitorMinor, which we wrote about in the first quarter of this year.

Geography of stalkerware distribution, Q2 2020 (download)

Russia had the largest number of users whose devices were found to contain stalkerware in Q2 2020. It was followed closely by Brazil. India came third, having half of Russia’s number of users that had encountered stalkerware.

Both Russia and Brazil notably showed an encouraging trend, with the number of devices containing stalkerware dropping significantly in the second quarter.

Number of devices with stalkerware in Russia, Q1 2019 – Q2 2020 (download)

Number of devices with stalkerware in Brazil, Q1 2019 – Q2 2020 (download)

As for India, its statistics remained relatively unchanged in the second quarter of the year.

Number of devices with stalkerware in India, Q1 2019 – Q2 2020 (download)