{"id":108844,"date":"2023-02-27T10:05:35","date_gmt":"2023-02-27T10:05:35","guid":{"rendered":"https:\/\/kasperskycontenthub.com\/securelist\/?p=108844"},"modified":"2023-02-27T12:08:17","modified_gmt":"2023-02-27T12:08:17","slug":"mobile-threat-report-2022","status":"publish","type":"post","link":"https:\/\/securelist.com\/mobile-threat-report-2022\/108844\/","title":{"rendered":"The mobile malware threat landscape in 2022"},"content":{"rendered":"<p><em>These statistics are based on detection verdicts of Kaspersky products received from users who consented to providing statistical data.<\/em><\/p>\n<h2 id=\"figures-of-the-year\">Figures of the year<\/h2>\n<p>In 2022, Kaspersky mobile products and technology detected:<\/p>\n<ul>\n<li>1,661,743 malicious installers<\/li>\n<li>196,476 new mobile banking Trojans<\/li>\n<li>10,543 new mobile ransomware Trojans<\/li>\n<\/ul>\n<h2 id=\"trends-of-the-year\">Trends of the year<\/h2>\n<p>Mobile attacks leveled off after decreasing in the second half of 2021 and remained around the same level throughout 2022.<\/p>\n<div class=\"js-infogram-embed\" data-id=\"_\/CqGQiBiBk6t9U4og8lhK\" data-type=\"interactive\" data-title=\"01 EN Mobile report 2022 graphs\" style=\"min-height:;\"><\/div>\n<p style=\"text-align: center;font-style: italic;font-weight: bold;margin-top: -10px\"><em>Kaspersky mobile cyberthreat detection dynamics in 2020\u20132022 (<a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/02\/23052005\/01-en-mobile-report-2022-graphs.png\" target=\"_blank\" rel=\"noopener\">download<\/a>)<\/em><\/p>\n<p>Cybercriminals continued to use legitimate channels to spread malware.<\/p>\n<p>Similarly to 2021, we found a <a href=\"https:\/\/securelist.com\/malicious-whatsapp-mod-distributed-through-legitimate-apps\/107690\/\">modified WhatsApp build<\/a> with malicious code inside in 2022. It was notable for spreading via ads inside the popular Snaptube app and through the Vidmate in-app store.<\/p>\n<p>The spread of malware through Google Play continued as well. In particular, we found several <a href=\"https:\/\/securelist.com\/mobile-subscription-trojans-and-their-tricks\/106412\/\">mobile Trojan subscribers<\/a> on Google&#8217;s official Android app marketplace in 2022. These secretly signed users up for paid services. In addition to the previously known Jocker and MobOk families, we discovered a new family, named <a href=\"https:\/\/www.kaspersky.com\/blog\/harly-trojan-subscriber\/45573\/\">Harly<\/a> and active since 2020. Harly malware programs were downloaded a total of 2.6 million times from Google Play in 2022. Also last year, fraudsters abused the marketplace to spread various scam apps, which promised welfare payments or lucrative energy investments.<\/p>\n<p>Mobile banking Trojans were not far behind. Despite Europol having <a href=\"https:\/\/www.europol.europa.eu\/media-press\/newsroom\/news\/takedown-of-sms-based-flubot-spyware-infecting-android-phones\">shut down<\/a> the servers of FluBot (also known as Polph or Cabassous, the largest mobile botnet in recent years), users had to stay on guard, as Google Play still contained downloaders for other banking Trojan families, such as Sharkbot, Anatsa\/Teaban, Octo\/Coper, and Xenomorph, all masquerading as utilities. For instance, the Sharkbot downloader in the screenshot below imitates a file manager. This type of software is capable of requesting permission to install further packages the Trojan needs to function on the unsuspecting user&#8217;s device.<\/p>\n<p style=\"text-align: center\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/02\/23053725\/09-en-ru-es-mobile-report-2022-graphs.png\" class=\"magnificImage\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-108845\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/02\/23053725\/09-en-ru-es-mobile-report-2022-graphs.png\" alt=\"\" width=\"1100\" height=\"876\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/02\/23053725\/09-en-ru-es-mobile-report-2022-graphs.png 1100w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/02\/23053725\/09-en-ru-es-mobile-report-2022-graphs-300x239.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/02\/23053725\/09-en-ru-es-mobile-report-2022-graphs-1024x815.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/02\/23053725\/09-en-ru-es-mobile-report-2022-graphs-768x612.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/02\/23053725\/09-en-ru-es-mobile-report-2022-graphs-220x175.png 220w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/02\/23053725\/09-en-ru-es-mobile-report-2022-graphs-370x295.png 370w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/02\/23053725\/09-en-ru-es-mobile-report-2022-graphs-352x280.png 352w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/02\/23053725\/09-en-ru-es-mobile-report-2022-graphs-800x637.png 800w\" sizes=\"(max-width: 1100px) 100vw, 1100px\" \/><\/a><\/p>\n<p style=\"text-align: center;font-style: italic;font-weight: bold;margin-top: -10px\"><em>The Sharkbot banking Trojan downloader on Google Play<\/em><\/p>\n<p>Exploitation of popular game titles, where malware and unwanted software mimicked a pirated version of a game or game cheats, <a href=\"https:\/\/securelist.com\/gaming-related-cyberthreats-2021-2022\/107346\/\">remained<\/a> a popular mobile spread vector in 2022. The most frequently imitated titles included Minecraft, Roblox, Grand Theft Auto, PUBG, and FIFA. The malware spread primarily through questionable web sites, social media groups, and other unofficial channels.<\/p>\n<h2 id=\"mobile-cyberthreat-statistics\">Mobile cyberthreat statistics<\/h2>\n<h3 id=\"installer-numbers\">Installer numbers<\/h3>\n<p>We detected 1,661,743 malware or unwanted software installers in 2022\u00a0\u2014 1,803,013 less than we did in 2021. The number had been declining gradually since a 2020 increase.<\/p>\n<div class=\"js-infogram-embed\" data-id=\"_\/UPdbXwF2e8ugs0jU1qjm\" data-type=\"interactive\" data-title=\"02 EN-RU-ES Mobile report 2022 graphs\" style=\"min-height:;\"><\/div>\n<p style=\"text-align: center;font-style: italic;font-weight: bold;margin-top: -10px\"><em>Number of detected malicious installation packages in 2019\u20132022 (<a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/02\/23053840\/02-en-ru-es-mobile-report-2022-graphs.png\" target=\"_blank\" rel=\"noopener\">download<\/a>)<\/em><\/p>\n<h3 id=\"distribution-of-detected-mobile-malware-by-type\">Distribution of detected mobile malware by type<\/h3>\n<div class=\"js-infogram-embed\" data-id=\"_\/iy5rXVViKiHMZChOcA3X\" data-type=\"interactive\" data-title=\"03 EN Mobile report 2022 graphs\" style=\"min-height:;\"><\/div>\n<p style=\"text-align: center;font-style: italic;font-weight: bold;margin-top: -10px\"><em>Distribution of newly detected mobile malware by type in 2021 and 2022 (<a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/02\/23052015\/03-en-mobile-report-2022-graphs.png\" target=\"_blank\" rel=\"noopener\">download<\/a>)<\/em><\/p>\n<p>RiskTool-type potentially unwanted software (27.39%) topped the rankings in 2022, replacing the previous leader, adware (24.05%). That said, the share of RiskTool had decreased by 7.89 percentage points, and the share of adware, by 18.38 percentage points year-on-year.<\/p>\n<p>Various Trojan-type malware was third in the rankings with 15.56%, its cumulative share increasing by 6.7 percentage points.<\/p>\n<h3 id=\"geography-of-mobile-threats\">Geography of mobile threats<\/h3>\n<p>TOP\u00a010 countries by share of users attacked by mobile malware<\/p>\n<table width=\"100%\">\n<tbody>\n<tr>\n<td width=\"10%\"><\/td>\n<td width=\"70%\"><strong>Country*<\/strong><\/td>\n<td width=\"20%\"><strong>%**<\/strong><\/td>\n<\/tr>\n<tr>\n<td>1<\/td>\n<td>China<\/td>\n<td>17.70<\/td>\n<\/tr>\n<tr>\n<td>2<\/td>\n<td>Syria<\/td>\n<td>15.61<\/td>\n<\/tr>\n<tr>\n<td>3<\/td>\n<td>Iran<\/td>\n<td>14.53<\/td>\n<\/tr>\n<tr>\n<td>4<\/td>\n<td>Yemen<\/td>\n<td>14.39<\/td>\n<\/tr>\n<tr>\n<td>5<\/td>\n<td>Iraq<\/td>\n<td>8.44<\/td>\n<\/tr>\n<tr>\n<td>6<\/td>\n<td>Saudi Arabia<\/td>\n<td>6.78<\/td>\n<\/tr>\n<tr>\n<td>7<\/td>\n<td>Kenya<\/td>\n<td>5.52<\/td>\n<\/tr>\n<tr>\n<td>8<\/td>\n<td>Switzerland<\/td>\n<td>5.44<\/td>\n<\/tr>\n<tr>\n<td>9<\/td>\n<td>Pakistan<\/td>\n<td>5.21<\/td>\n<\/tr>\n<tr>\n<td>10<\/td>\n<td>Tanzania<\/td>\n<td>5.15<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><em>* Excluded from the rankings are countries with relatively few users of Kaspersky mobile security (under 10,000).<br \/>\n** Unique users attacked as a percentage of all Kaspersky mobile security users in the country.<\/em><\/p>\n<p>China had the largest share of users who experienced a mobile malware attack: 17.70%. Of these, 16.06% got hit by SMS-abusing malware that we detected as Trojan.AndroidOS.Najin.a.<\/p>\n<p>Other countries with significant shares of attacked users were Syria (15.61%) and Iran (14.53%), where the most frequently encountered mobile cyberthreat was Trojan-Spy.AndroidOS.Agent.aas, a WhatsApp modification carrying a spy module.<\/p>\n<h3 id=\"distribution-of-attacks-by-type-of-software-used\">Distribution of attacks by type of software used<\/h3>\n<div class=\"js-infogram-embed\" data-id=\"_\/9Qle5J1PTRxuUuXMao0L\" data-type=\"interactive\" data-title=\"04 EN Mobile report 2022 graphs\" style=\"min-height:;\"><\/div>\n<p style=\"text-align: center;font-style: italic;font-weight: bold;margin-top: -10px\"><em>Distribution of attacks by type of software used in 2022 (<a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/02\/23052024\/04-en-mobile-report-2022-graphs.png\" target=\"_blank\" rel=\"noopener\">download<\/a>)<\/em><\/p>\n<p>Similarly to previous years, 2022 saw malware used in most mobile attacks (67.78%). The shares of attacks that used Adware- and RiskWare-type applications had increased to 26.91% from 16.92% in 2021 and to 5.31% from 2.38% in 2021, respectively.<\/p>\n<h2 id=\"mobile-adware\">Mobile adware<\/h2>\n<p>The Adlo family accounted for the largest share of detected installers (22.07%) in 2022. These are useless fake apps that download ads. Adlo replaced the previous leader, the Ewind family, which had a share of 16.46%.<\/p>\n<p>TOP\u00a010 most frequently detected adware families in 2022<\/p>\n<table width=\"100%\">\n<tbody>\n<tr>\n<td width=\"10%\"><\/td>\n<td width=\"50%\"><strong>Family<\/strong><\/td>\n<td width=\"40%\"><strong>%*<\/strong><\/td>\n<\/tr>\n<tr>\n<td width=\"10%\">1<\/td>\n<td width=\"50%\">Adlo<\/td>\n<td width=\"40%\">22.07<\/td>\n<\/tr>\n<tr>\n<td width=\"10%\">2<\/td>\n<td width=\"50%\">Ewind<\/td>\n<td width=\"40%\">16.46<\/td>\n<\/tr>\n<tr>\n<td width=\"10%\">3<\/td>\n<td width=\"50%\">HiddenAd<\/td>\n<td width=\"40%\">15.02<\/td>\n<\/tr>\n<tr>\n<td width=\"10%\">4<\/td>\n<td width=\"50%\">MobiDash<\/td>\n<td width=\"40%\">11.30<\/td>\n<\/tr>\n<tr>\n<td width=\"10%\">5<\/td>\n<td width=\"50%\">Dnotua<\/td>\n<td width=\"40%\">5.08<\/td>\n<\/tr>\n<tr>\n<td width=\"10%\">6<\/td>\n<td width=\"50%\">FakeAdBlocker<\/td>\n<td width=\"40%\">5.02<\/td>\n<\/tr>\n<tr>\n<td width=\"10%\">7<\/td>\n<td width=\"50%\">Agent<\/td>\n<td width=\"40%\">4.02<\/td>\n<\/tr>\n<tr>\n<td width=\"10%\">8<\/td>\n<td width=\"50%\">Fyben<\/td>\n<td width=\"40%\">3.94<\/td>\n<\/tr>\n<tr>\n<td width=\"10%\">9<\/td>\n<td width=\"50%\">Notifyer<\/td>\n<td width=\"40%\">3.19<\/td>\n<\/tr>\n<tr>\n<td width=\"10%\">10<\/td>\n<td width=\"50%\">Dowgin<\/td>\n<td width=\"40%\">1.38<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><em>* The share of the adware-type family in the total number of adware installers detected.<\/em><\/p>\n<h2 id=\"risktool-type-apps\">RiskTool-type apps<\/h2>\n<p>The SMSreg family retained its lead by number of detected RiskTool-type apps: 36.47%. The applications in this family make payments (for example by transferring cash to other individuals or paying for mobile service subscriptions) by sending text messages without explicitly notifying the user.<\/p>\n<p>TOP\u00a010 most frequently detected RiskTool families, 2022<\/p>\n<table width=\"100%\">\n<tbody>\n<tr>\n<td width=\"10%\"><\/td>\n<td width=\"50%\"><strong>Family<\/strong><\/td>\n<td width=\"40%\"><strong>%*<\/strong><\/td>\n<\/tr>\n<tr>\n<td>1<\/td>\n<td>SMSreg<\/td>\n<td>36.47<\/td>\n<\/tr>\n<tr>\n<td>2<\/td>\n<td>Dnotua<\/td>\n<td>26.19<\/td>\n<\/tr>\n<tr>\n<td>3<\/td>\n<td>Robtes<\/td>\n<td>24.41<\/td>\n<\/tr>\n<tr>\n<td>4<\/td>\n<td>Resharer<\/td>\n<td>2.67<\/td>\n<\/tr>\n<tr>\n<td>5<\/td>\n<td>Agent<\/td>\n<td>2.39<\/td>\n<\/tr>\n<tr>\n<td>6<\/td>\n<td>SmsSend<\/td>\n<td>1.29<\/td>\n<\/tr>\n<tr>\n<td>7<\/td>\n<td>SpyLoan<\/td>\n<td>1.29<\/td>\n<\/tr>\n<tr>\n<td>8<\/td>\n<td>Skymobi<\/td>\n<td>1.10<\/td>\n<\/tr>\n<tr>\n<td>9<\/td>\n<td>SmsPay<\/td>\n<td>0.71<\/td>\n<\/tr>\n<tr>\n<td>10<\/td>\n<td>Wapron<\/td>\n<td>0.66<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><em>* The share of the RiskTool family in the total number of RiskTool installers detected.<\/em><\/p>\n<h2 id=\"top-20-most-frequently-detected-mobile-malware-programs\">TOP\u00a020 most frequently detected mobile malware programs<\/h2>\n<p><em>Note that the malware rankings below exclude riskware or potentially unwanted software, such as RiskTool or adware.<\/em><\/p>\n<table width=\"100%\">\n<tbody>\n<tr>\n<td width=\"10%\"><\/td>\n<td width=\"70%\"><strong>Verdict<\/strong><\/td>\n<td width=\"20\"><strong>%*<\/strong><\/td>\n<\/tr>\n<tr>\n<td>1<\/td>\n<td>DangerousObject.Multi.Generic<\/td>\n<td>18.97<\/td>\n<\/tr>\n<tr>\n<td>2<\/td>\n<td>Trojan-SMS.AndroidOS.Fakeapp.d<\/td>\n<td>8.65<\/td>\n<\/tr>\n<tr>\n<td>3<\/td>\n<td>Trojan.AndroidOS.Generic<\/td>\n<td>6.70<\/td>\n<\/tr>\n<tr>\n<td>4<\/td>\n<td>Trojan-Spy.AndroidOS.Agent.aas<\/td>\n<td>6.01<\/td>\n<\/tr>\n<tr>\n<td>5<\/td>\n<td>Trojan.AndroidOS.Fakemoney.d<\/td>\n<td>4.65<\/td>\n<\/tr>\n<tr>\n<td>6<\/td>\n<td>Trojan.AndroidOS.GriftHorse.l<\/td>\n<td>4.32<\/td>\n<\/tr>\n<tr>\n<td>7<\/td>\n<td>Trojan-Dropper.AndroidOS.Agent.sl<\/td>\n<td>3.22<\/td>\n<\/tr>\n<tr>\n<td>8<\/td>\n<td>DangerousObject.AndroidOS.GenericML<\/td>\n<td>2.96<\/td>\n<\/tr>\n<tr>\n<td>9<\/td>\n<td>Trojan-SMS.AndroidOS.Fakeapp.c<\/td>\n<td>2.37<\/td>\n<\/tr>\n<tr>\n<td>10<\/td>\n<td>Trojan.AndroidOS.Fakeapp.ed<\/td>\n<td>2.19<\/td>\n<\/tr>\n<tr>\n<td>11<\/td>\n<td>Trojan.AndroidOS.GriftHorse.ah<\/td>\n<td>2.00<\/td>\n<\/tr>\n<tr>\n<td>12<\/td>\n<td>Trojan-Downloader.AndroidOS.Agent.kx<\/td>\n<td>1.72<\/td>\n<\/tr>\n<tr>\n<td>13<\/td>\n<td>Trojan.AndroidOS.Soceng.f<\/td>\n<td>1.67<\/td>\n<\/tr>\n<tr>\n<td>14<\/td>\n<td>Trojan-Dropper.AndroidOS.Hqwar.hd<\/td>\n<td>1.49<\/td>\n<\/tr>\n<tr>\n<td>15<\/td>\n<td>Trojan.AndroidOS.Fakeapp.dw<\/td>\n<td>1.43<\/td>\n<\/tr>\n<tr>\n<td>16<\/td>\n<td>Trojan-Ransom.AndroidOS.Pigetrl.a<\/td>\n<td>1.43<\/td>\n<\/tr>\n<tr>\n<td>17<\/td>\n<td>Trojan-Downloader.AndroidOS.Necro.d<\/td>\n<td>1.40<\/td>\n<\/tr>\n<tr>\n<td>18<\/td>\n<td>Trojan-SMS.AndroidOS.Agent.ado<\/td>\n<td>1.36<\/td>\n<\/tr>\n<tr>\n<td>19<\/td>\n<td>Trojan-Dropper.AndroidOS.Hqwar.gen<\/td>\n<td>1.35<\/td>\n<\/tr>\n<tr>\n<td>20<\/td>\n<td>Trojan-Spy.AndroidOS.Agent.acq<\/td>\n<td>1.34<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><em>* Unique users attacked by the malware as a percentage of all attacked Kaspersky mobile security users.<\/em><br \/>\nFirst and third places went to DangerousObject.Multi.Generic (18.97%) and Trojan.AndroidOS.Generic (6.70%), respectively, which are verdicts we use for malware detected with <a href=\"https:\/\/www.kaspersky.com\/enterprise-security\/wiki-section\/products\/big-data-the-astraea-technology\">cloud technology<\/a>. Cloud technology is triggered whenever the antivirus databases lack data for detecting a piece of malware, but the antivirus company&#8217;s cloud already contains information about the object. This is essentially how the latest malware types are detected.<\/p>\n<p>The Trojans in second and ninth places (8.65% and 2.37%) belonged to the Trojan-SMS.AndroidOS.Fakeapp family. This type of malware is capable of sending text messages and calling preset numbers, displaying ads, and hiding its icon on the device.<\/p>\n<p>WhatsApp modifications equipped with a spy module, detected as Trojan-Spy.AndroidOS.Agent.aas (6.01%) and Trojan-Spy.AndroidOS.Agent.acq (1.34%) were in fourth and twentieth positions, respectively.<\/p>\n<p>Scam apps detected as Trojan.AndroidOS.Fakemoney.d (4.65%) were the fifth-largest category. These try to trick users into believing that they are filling out an application for a welfare payout.<\/p>\n<p>Members of the Trojan.AndroidOS.GriftHorse family, which subscribe the user to premium SMS services, took both sixth and eleventh places (4.32% and 2%, respectively).<\/p>\n<p>The banking Trojan dropper Trojan-Dropper.AndroidOS.Agent.sl (3.22%) was seventh.<\/p>\n<p>The verdict of DangerousObject.AndroidOS.GenericML (2.96%) sank to eighth place. The verdict is assigned to files recognized as malicious by our <a href=\"https:\/\/www.kaspersky.com\/enterprise-security\/wiki-section\/products\/machine-learning-in-cybersecurity\">machine-learning<\/a> systems.<\/p>\n<p>Tenth place was taken by Trojan.AndroidOS.Fakeapp.ed (2.19%). This verdict refers to a category of fraudulent apps which target users in Russia by posing as a stock-trading platform for investing in gas.<\/p>\n<p>Trojan-Downloader.AndroidOS.Agent.kx (1.72%) rose to twelfth position. This type of malware is distributed as part of legitimate software, downloading advertising modules.<\/p>\n<p>Trojan.AndroidOS.Soceng.f (1.67%), in thirteenth place, sends text messages to people on your contact list, deletes files on the SD card, and overlays the interfaces of popular apps with its own window.<\/p>\n<p>Malware from the Trojan-Dropper.AndroidOS.Hqwar family, which unpacks and runs various banking Trojans, occupied fourteenth and nineteenth places (1.49 and 1.35%).<\/p>\n<p>Trojan.AndroidOS.Fakeapp.dw was fifteenth (1.43%). The verdict applies to a variety of scam apps, such as those supposedly offering the user to earn some extra cash.<\/p>\n<p>Trojan-Ransom.AndroidOS.Pigetrl.a (1.43%) took sixteenth place. Unlike classic Trojan-Ransom malware, which typically demands a ransom, it simply locks the screen and asks to enter a code. The application offers no instructions on obtaining the code, which is embedded in the program itself.<\/p>\n<p>Trojan-Downloader.AndroidOS.Necro.d sank to seventeenth position (1.4%). This malware is capable of downloading, installing, and running other applications when commanded by its operators.<\/p>\n<p>Trojan-SMS.AndroidOS.Agent.ado, which sends text messages to shortcodes, was eighteenth (1.36%).<\/p>\n<h2 id=\"mobile-banking-trojans\">Mobile banking Trojans<\/h2>\n<p>We detected <strong>196,476<\/strong> mobile banking Trojan installers in 2022, a year-on-year increase of 100% and the highest figure in the past six years.<\/p>\n<p>The Trojan-Banker.AndroidOS.Bray family accounted for two-thirds (66.40%) of all detected banking Trojans. This family attacked mostly users in Japan. It was followed by the Trojan-Banker.AndroidOS.Fakecalls family (8.27%) and Trojan-Banker.AndroidOS.Bian (3.25%).<\/p>\n<div class=\"js-infogram-embed\" data-id=\"_\/E2uaVwf0HPF7UIK1bo01\" data-type=\"interactive\" data-title=\"05 EN-RU-ES Mobile report 2022 graphs\" style=\"min-height:;\"><\/div>\n<p style=\"text-align: center;font-style: italic;font-weight: bold;margin-top: -10px\"><em>The number of mobile banking Trojan installers detected by Kaspersky in 2019\u20132022 (<a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/02\/23054147\/05-en-ru-es-mobile-report-2022-graphs.png\" target=\"_blank\" rel=\"noopener\">download<\/a>)<\/em><\/p>\n<p>Although the number of detected malware installers rose in 2022, mobile banking Trojan attacks had been decreasing since a 2020 rise.<\/p>\n<div class=\"js-infogram-embed\" data-id=\"_\/0oAuHnvqiRiMJWBG3SZz\" data-type=\"interactive\" data-title=\"06 EN Mobile report 2022 graphs\" style=\"min-height:;\"><\/div>\n<p style=\"text-align: center;font-style: italic;font-weight: bold;margin-top: -10px\"><em>The number of mobile banking Trojan attacks in 2021\u20132022 (<a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/02\/23052033\/06-en-mobile-report-2022-graphs.png\" target=\"_blank\" rel=\"noopener\">download<\/a>)<\/em><\/p>\n<p>TOP\u00a010 most frequently detected mobile banking Trojans<\/p>\n<table width=\"100%\">\n<tbody>\n<tr>\n<td width=\"10%\"><\/td>\n<td width=\"70%\"><strong>Verdict<\/strong><\/td>\n<td width=\"20%\"><strong>%*<\/strong><\/td>\n<\/tr>\n<tr>\n<td>1<\/td>\n<td>Trojan-Banker.AndroidOS.Bian.h<\/td>\n<td>28.74<\/td>\n<\/tr>\n<tr>\n<td>2<\/td>\n<td>Trojan-Banker.AndroidOS.Anubis.t<\/td>\n<td>11.50<\/td>\n<\/tr>\n<tr>\n<td>3<\/td>\n<td>Trojan-Banker.AndroidOS.Svpeng.q<\/td>\n<td>5.50<\/td>\n<\/tr>\n<tr>\n<td>4<\/td>\n<td>Trojan-Banker.AndroidOS.Agent.ep<\/td>\n<td>5.25<\/td>\n<\/tr>\n<tr>\n<td width=\"65\">5<\/td>\n<td width=\"284\">Trojan-Banker.AndroidOS.Agent.eq<\/td>\n<td width=\"76\">4.51<\/td>\n<\/tr>\n<tr>\n<td>6<\/td>\n<td>Trojan-Banker.AndroidOS.Gustuff.d<\/td>\n<td>3.88<\/td>\n<\/tr>\n<tr>\n<td>7<\/td>\n<td>Trojan-Banker.AndroidOS.Asacub.ce<\/td>\n<td>3.54<\/td>\n<\/tr>\n<tr>\n<td>8<\/td>\n<td>Trojan-Banker.AndroidOS.Sova.g<\/td>\n<td>2.72<\/td>\n<\/tr>\n<tr>\n<td>9<\/td>\n<td>Trojan-Banker.AndroidOS.Faketoken.z<\/td>\n<td>2.01<\/td>\n<\/tr>\n<tr>\n<td>10<\/td>\n<td>rojan-Banker.AndroidOS.Bray.f<\/td>\n<td>1.71<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><em>* Unique users attacked by this malware as a percentage of all Kaspersky mobile security users attacked by banking threats.<\/em><br \/>\nOf all mobile banking Trojans that were active in 2022, Trojan-Banker.AndroidOS.Bian.h (28.74%) accounted for the largest share of attacked users, more than half of those in Spain.<\/p>\n<p>TOP\u00a010 countries by share of users attacked by mobile banking Trojans<\/p>\n<table width=\"100%\">\n<tbody>\n<tr>\n<td width=\"10%\"><\/td>\n<td width=\"70%\"><strong>Country*<\/strong><\/td>\n<td width=\"20%\"><strong>%**<\/strong><\/td>\n<\/tr>\n<tr>\n<td>1<\/td>\n<td>Spain<\/td>\n<td>1.96<\/td>\n<\/tr>\n<tr>\n<td>2<\/td>\n<td>Saudi Arabia<\/td>\n<td>1.11<\/td>\n<\/tr>\n<tr>\n<td>3<\/td>\n<td>Australia<\/td>\n<td width=\"65\">1.09<\/td>\n<\/tr>\n<tr>\n<td>4<\/td>\n<td>Turkey<\/td>\n<td>0.99<\/td>\n<\/tr>\n<tr>\n<td>5<\/td>\n<td>China<\/td>\n<td>0.73<\/td>\n<\/tr>\n<tr>\n<td>6<\/td>\n<td>Switzerland<\/td>\n<td>0.48<\/td>\n<\/tr>\n<tr>\n<td>7<\/td>\n<td>Japan<\/td>\n<td>0.30<\/td>\n<\/tr>\n<tr>\n<td>8<\/td>\n<td>Colombia<\/td>\n<td>0.19<\/td>\n<\/tr>\n<tr>\n<td>9<\/td>\n<td>Italy<\/td>\n<td>0.17<\/td>\n<\/tr>\n<tr>\n<td>10<\/td>\n<td>India<\/td>\n<td>0.16<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><em>* Excluded from the rankings are countries with relatively few users of Kaspersky mobile security (under 10,000).<br \/>\n** Unique users attacked by mobile banking Trojans as a percentage of all Kaspersky mobile security users in the country.<\/em><br \/>\nSpain had the largest share of unique users attacked by mobile financial threats in 2022 (1.96%), with 85.90% of the affected users encountering the aforementioned Trojan-Banker.AndroidOS.Bian.h.<\/p>\n<p>It was followed by Saudi Arabia (1,11%), also due to Trojan-Banker.AndroidOS.Bian.h, which affected 97.92% of users in that country.<\/p>\n<p>Australia (1.09%) was third, with 98% of the users who encountered banking Trojans there attacked by Trojan-Banker.AndroidOS.Gustuff.<\/p>\n<h2 id=\"mobile-ransomware-trojans\">Mobile ransomware Trojans<\/h2>\n<p>We detected <strong>10,543<\/strong> mobile ransomware Trojan installers in 2022, which was 6,829 less than the 2021 figure.<\/p>\n<div class=\"js-infogram-embed\" data-id=\"_\/v0XDsg01vRV9hxRXgk8r\" data-type=\"interactive\" data-title=\"07 EN-RU-ES Mobile report 2022 graphs\" style=\"min-height:;\"><\/div>\n<p style=\"text-align: center;font-style: italic;font-weight: bold;margin-top: -10px\"><em>The number of mobile ransomware Trojan installers detected by Kaspersky in 2019\u20132022 (<a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/02\/23054304\/07-en-ru-es-mobile-report-2022-graphs.png\" target=\"_blank\" rel=\"noopener\">download<\/a>)<\/em><\/p>\n<p>The number of mobile ransomware Trojan attacks also continued to decline, a process that started in late 2021.<\/p>\n<div class=\"js-infogram-embed\" data-id=\"_\/4BV6PyZV5XQir3f3VMcw\" data-type=\"interactive\" data-title=\"08 EN Mobile report 2022 graphs\" style=\"min-height:;\"><\/div>\n<p style=\"text-align: center;font-style: italic;font-weight: bold;margin-top: -10px\"><em>The number of mobile ransomware Trojan attacks in 2021\u20132022 (<a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2023\/02\/23052042\/08-en-mobile-report-2022-graphs.png\" target=\"_blank\" rel=\"noopener\">download<\/a>)<\/em><\/p>\n<table width=\"100%\">\n<tbody>\n<tr>\n<td width=\"10%\"><\/td>\n<td width=\"70%\"><strong>Verdict<\/strong><\/td>\n<td width=\"20%\"><strong>%*<\/strong><\/td>\n<\/tr>\n<tr>\n<td>1<\/td>\n<td>Trojan-Ransom.AndroidOS.Pigetrl.a<\/td>\n<td>75.10<\/td>\n<\/tr>\n<tr>\n<td>2<\/td>\n<td>Trojan-Ransom.AndroidOS.Rkor.br<\/td>\n<td>3.70<\/td>\n<\/tr>\n<tr>\n<td>3<\/td>\n<td>Trojan-Ransom.AndroidOS.Small.as<\/td>\n<td>1.81<\/td>\n<\/tr>\n<tr>\n<td>4<\/td>\n<td>Trojan-Ransom.AndroidOS.Rkor.bs<\/td>\n<td>1.60<\/td>\n<\/tr>\n<tr>\n<td>5<\/td>\n<td>Trojan-Ransom.AndroidOS.Rkor.bi<\/td>\n<td>1.48<\/td>\n<\/tr>\n<tr>\n<td>6<\/td>\n<td>Trojan-Ransom.AndroidOS.Rkor.bt<\/td>\n<td>1.19<\/td>\n<\/tr>\n<tr>\n<td>7<\/td>\n<td>Trojan-Ransom.AndroidOS.Fusob.h<\/td>\n<td>1.05<\/td>\n<\/tr>\n<tr>\n<td>8<\/td>\n<td>Trojan-Ransom.AndroidOS.Rkor.ch<\/td>\n<td>0.99<\/td>\n<\/tr>\n<tr>\n<td>9<\/td>\n<td>Trojan-Ransom.AndroidOS.Rkor.bp<\/td>\n<td>0.92<\/td>\n<\/tr>\n<tr>\n<td>10<\/td>\n<td>Trojan-Ransom.AndroidOS.Congur.cw<\/td>\n<td>0.90<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><em>* Unique users attacked by the malware as a percentage of all Kaspersky mobile security users attacked by ransomware Trojans.<\/em><br \/>\nTrojan-Ransom.AndroidOS.Pigetrl.a remained the leading ransomware Trojan family in 2022 (75.10%). It was also one of the TOP\u00a020 most frequently detected mobile malware types. Russia accounted for as much as 92.74% of detections.<\/p>\n<p>That malware family was followed by Trojan-Ransom.AndroidOS.Rkor, which blocks the screen and demands the user to pay a fine for some illegal content they had supposedly viewed. Members of this family took six out of ten places in our rankings, with as much as 65.27% attacked users located in Kazakhstan.<\/p>\n<p>TOP\u00a010 countries by share of users attacked by mobile ransomware Trojans<\/p>\n<table width=\"100%\">\n<tbody>\n<tr>\n<td width=\"10%\"><\/td>\n<td width=\"70%\"><strong>Country*<\/strong><\/td>\n<td width=\"20%\"><strong>%**<\/strong><\/td>\n<\/tr>\n<tr>\n<td>1<\/td>\n<td>China<\/td>\n<td>0.65<\/td>\n<\/tr>\n<tr>\n<td>2<\/td>\n<td>Yemen<\/td>\n<td>0.49<\/td>\n<\/tr>\n<tr>\n<td>3<\/td>\n<td>Kazakhstan<\/td>\n<td>0.36<\/td>\n<\/tr>\n<tr>\n<td>4<\/td>\n<td>Iraq<\/td>\n<td>0.08<\/td>\n<\/tr>\n<tr>\n<td>5<\/td>\n<td>Azerbaijan<\/td>\n<td>0.05<\/td>\n<\/tr>\n<tr>\n<td>6<\/td>\n<td>Kyrgyzstan<\/td>\n<td>0.05<\/td>\n<\/tr>\n<tr>\n<td>7<\/td>\n<td>Switzerland<\/td>\n<td>0.04<\/td>\n<\/tr>\n<tr>\n<td>8<\/td>\n<td>Saudi Arabia<\/td>\n<td>0.04<\/td>\n<\/tr>\n<tr>\n<td>9<\/td>\n<td>Lebanon<\/td>\n<td>0.04<\/td>\n<\/tr>\n<tr>\n<td>10<\/td>\n<td>Egypt<\/td>\n<td>0.03<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><em>* Excluded from the rankings are countries with relatively few Kaspersky mobile security users (under 10,000).<br \/>\n** Unique users attacked by mobile ransomware Trojans as a percentage of all Kaspersky mobile security users in the country.<\/em><br \/>\nWe observed the highest shares of users attacked by mobile ransomware Trojans in 2022 in China (0.65%), Yemen (0.49%), and Kazakhstan (0.36%).<\/p>\n<p>Users in China mostly encountered Trojan-Ransom.AndroidOS.Congur.y, most users in Yemen were affected by Trojan-Ransom.AndroidOS.Pigetrl.a, and a majority of users in Kazakhstan were hit by Trojan-Ransom.AndroidOS.Rkor.br.<\/p>\n<h2 id=\"conclusion\">Conclusion<\/h2>\n<p>The cybercriminal activity leveled off in 2022, with attack numbers remaining steady after a decrease in 2021. That said, cybercriminals are still working on improving both malware functionality and spread vectors. Malware is increasingly spreading through legitimate channels, such as official marketplaces and ads in popular apps. This is true for both scam apps and dangerous mobile banking malware.<\/p>\n<p>Potentially unwanted applications (RiskWare) accounted for a majority of newly detected threats in 2022, replacing the previous leader, adware. Most mobile cyberattacks used malware as before.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Android threat report by Kaspersky for 2022: malware on Google Play and inside the Vidmate in-app store, mobile malware statistics.<\/p>\n","protected":false},"author":2526,"featured_media":101880,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[919],"tags":[63,459,34,458,123,86,30,76,121,467,544,482],"banners":"","hreflang":[{"hreflang":"x-default","url":"https:\/\/securelist.com\/mobile-threat-report-2022\/108844\/"},{"hreflang":"ru","url":"https:\/\/securelist.ru\/mobile-threat-report-2022\/106860\/"},{"hreflang":"es","url":"https:\/\/securelist.lat\/mobile-threat-report-2022\/97661\/"}],"_links":{"self":[{"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/posts\/108844"}],"collection":[{"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/users\/2526"}],"replies":[{"embeddable":true,"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/comments?post=108844"}],"version-history":[{"count":13,"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/posts\/108844\/revisions"}],"predecessor-version":[{"id":108861,"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/posts\/108844\/revisions\/108861"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/media\/101880"}],"wp:attachment":[{"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/media?parent=108844"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/categories?post=108844"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/securelist.com\/wp-json\/wp\/v2\/tags?post=108844"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}