Security researchers detected about 100,000 mobile banking trojans in 2021, highlighting the shifting focus towards mobile malware.
These mobile threats continue to infiltrate official app stores despite best efforts to keep them out of official app distribution channels.
Kaspersky’s Mobile Threats in 2021 report noted that the number of mobile trojans detected almost doubled in 2021, while the total number of mobile attacks declined during the same period.
Sadly, the increased sophistication of the attacks, malware functionality, and attack vectors, coupled with the emergence of new players in the market, compensated for the reduction in the number of attacks.
Mobile banking trojans almost doubled in 2021, while attacks almost halved
Kaspersky said it detected 3,464,756 malicious installation packages, 97,661 new mobile banking trojans, and 17,372 new mobile ransomware trojans.
In 2021, the number of attacks fell sharply from 5,683,694 in 2020, approaching the 2019 level, when Kaspersky recorded 3,503,952 mobile attacks. However, the number of installation packages for banking trojans increased from the 59,049 recorded in 2020.
Most attacks occurred in Iran (40.22%), China (28.86%), and Saudi Arabia (27.99%), with the most common threats being Adware.AndroidOS.Notifyer, RiskTool.AndroidOS.Wapron, and Adware.AndroidOS.HiddenAd, respectively.
Others in the top ten list of most targeted countries include Algeria (24.49%), India (20.91%), Iraq (19.65%), Yemen (19.25%), Oman (17.89%), Kuwait (17.30%), and Morocco (17.09%).
However, banking trojans targeted users in Japan, Spain, Turkey, France, Australia, Germany, Norway, Italy, Croatia, and Austria.
The most prevalent banking trojan families were Trojan-Banker.AndroidOS.Agent (37.69%), Trojan-Banker.AndroidOS.Bray (21.08%), and Trojan-Banker.AndroidOS.Fakecalls (9.91%).
Despite falling by 14.83%, adware remained the most prevalent threat at 42%, followed by RiskTool apps (35.27%) after a 13.93% increase. Trojans scooped the third position at 8.86% after a 4.41% increase.
Kaspersky defined RiskTool as applications “that pose potential risks due to security vulnerability, software incompatibility or legal violations.”
“We can absolutely expect mobile malware growth to continue unabated, nearly exponentially, for the foreseeable future,” Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, said. “Why? That is where everyone is computing more and more, and malware creators go where the money is.”
He predicted an increase in mobile malware that “looks for, bypasses, and steals MFA credentials.”
“As the world goes more and more into MFA, so too, does the malware. It is the continued evolution of malicious hackers against potential victims. The maliciousness will flow where the users go.”
Mobile malware and banking trojans employ new tactics to compromise mobile users
Kaspersky said mobile malware continued to infiltrate the Google Play store despite its attempts to keep the baddies out.
For example, the Joker mobile trojan that subscribes users to premium mobile services and FaceStealer that steals Facebook account credentials were still present in some Google Play store apps.
The surest method of sneaking mobile malware onto official stores was impersonating a legitimate app and including logic for decrypting and launching a payload.
“Each decrypted module contains the address of the next one, plus instructions for decrypting it,” Kaspersky’s researchers wrote.
According to Kaspersky, the main objective of the malicious apps was stealing account credentials and accessing financial data. Common tactics include overlaying a fake login screen on top of legitimate financial apps and tricking mobile users into entering their credentials, believing they are logging into the official banking app.
However, researchers discovered that banking trojans also employed new tactics to access the victims’ accounts. For example, the Sova banking malware could steal cookies from user sessions and access the victim’s mobile banking account without knowing the victim’s login credentials.
Additionally, the researchers discovered a new GameThief-type mobile trojan targeting accounts for the mobile version of PUBG.
Citing CamScanner, which had over 100 million downloads on Google Play Store, Kaspersky also warned about malicious code injection through third-party advertising SDKs.
Similarly, Kaspersky discovered malicious code in the source code of ad libraries of the third-party marketplace APKPure and a modified WhatsApp build FMWhatsapp 16.80.0.
Banking trojans also developed additional capabilities like dropping victims’ outgoing calls to their bank and playing pre-recorded responses. Others, like the Vultur backdoor, recorded users’ screen activity using the Virtual Network Computing (VNC) protocol.
Similarly, scam apps that promise various nonexistent services, collect user data, and demand payment also exist on the Google Play store.
“Presently, mobile malware tends to be more difficult for cybercriminals to utilize when compared to general purpose ransomware targeting computer systems like laptops and servers,” said Chris Clements, VP of Solutions Architecture at Cerberus Sentinel.
“There are several impediments that make this so, including the necessity to evade security analysis by app stores if embedding malware directly into the app, the need to conduct a supply chain compromise like the CamScanner campaign, or entice users to download and install a compromised version of a popular application from a website the attacker controls.”
Clements noted that mobile malware could not easily spread like computer ransomware accessible as a service and deployable to thousands of linked computers.
Unlike computer ransomware, mobile malware lacks a straightforward monetization strategy and tends to be aimed at specific geographical regions and apps.
“Unfortunately, there are only a few things that end users can do to prevent this type of compromise,” Clements said. “Only downloading apps from a trusted app store and being hesitant to enter sensitive information like passwords or financial info in apps unrelated to those accounts can help, but ultimately, I believe it’s unreasonable to expect the average user to be able to discern real from malicious applications or to identify systemic issues from compromised ad networks.”
He believes app store operators should police their content and app actions and educate users about the risks of downloading apps from third-party stores and oversharing information.
Garret Grajek, CEO at YouAttest, said Kaspersky’s mobile malware report highlighted the growing malware problem to enterprises.
“The writers of these malware injectors are often agnostic to the payload – which is usually inserted after the attacker purchases the malware online,” Grajek noted. “This is why the results of the attack are so varied – from ransomware to credential stealing.
“Enterprises must assume that users bring malware-laden software into the enterprises via their home devices – and thus fortify their network and identity checking.”