IT threat evolution in Q3 2021. Mobile statistics

These statistics are based on detection verdicts of Kaspersky products received from users who consented to provide statistical data.

Quarterly figures

According to Kaspersky Security Network, in Q3 2021:

  • 9,599,519 malware, adware and riskware attacks on mobile devices were prevented.
  • RiskTool apps accounted for the largest share of all detected mobile threats: 65.84%.
  • 676,190 malicious installation packages were detected, of which:
    • 12,097 packages were related to mobile banking Trojans;
    • 6,157 packages were mobile ransomware Trojans.

Quarterly highlights

Attackers were somewhat less active than in the previous quarter: the number of mobile attacks dropped to 9.6 million. We saw no new mass campaigns distributing any specific mobile malware family, nor any newsworthy events similar to those we saw early in the COVID-19 pandemic.

Number of attacks targeting users of Kaspersky mobile solutions, Q1 2020 – Q3 2021

Even so, Q3 brought quite a few interesting finds. For example, one of the modified WhatsApp builds, FMWhatsApp 16.80.0, contained the Trojan Triada along with an advertising SDK. The popularity of WhatsApp builds with extended functionality has secured this Trojan fifth place in our malware ranking.

In Q3, new Trojan families distributed through Google Play emerged. In addition to those we already knew, namely Trojan.AndroidOS.Jocker and Trojan.AndroidOS.MobOk (which sign the user up for paid subscriptions) and Trojan-Dropper.AndroidOS.Necro (which downloads a payload from the attackers' server), two more were added. The first comprises scam apps of the Trojan.AndroidOS.Fakeapp variety, which exploit the theme of social payments to cajole money out of the user; the second is the fast-growing family Trojan-PSW.AndroidOS.Facestealer, which steals Facebook account data.

Mobile banking Trojans evolved, too. For example, the family Trojan-Banker.AndroidOS.Fakecalls, active in Korea, employed a curious trick: if the user tries to call the bank, the malware disconnects the real call and plays prerecorded operator responses stored in the Trojan's body.

Mobile threat statistics

In Q3 2021, Kaspersky detected 676,190 malicious installation packages: 209,915 fewer than in the previous quarter and 445,128 fewer than in Q3 2020.

Number of detected malicious installation packages, Q3 2020 – Q3 2021

Distribution of detected mobile malware by type

Distribution of newly detected mobile malware by type, Q2 and Q3 2021

Two thirds of all threats detected in Q3 2021 came from RiskTool apps (65.84%), their share up by 27.37 p.p. The vast majority of detected apps of this type (91.02%) belonged to the family SMSreg.

Adware came in second with 21.51% — 12.58 p.p. down from the previous quarter. The malicious objects we most frequently encountered came from the families AdWare.AndroidOS.FakeAdBlocker (34.29% of all detected threats in the category), AdWare.AndroidOS.HiddenAd (30.66%) and AdWare.AndroidOS.MobiDash (8.81%).

Various Trojans are in third place (2.79%), their share down by 13.69 p.p. The worst offenders were from the families Boogr (48.88%), Piom (11.04%) and Hiddad (7.52%).

Top 20 mobile malware programs

Note that the malware rankings below exclude riskware and potentially unwanted software, such as RiskTool or adware.

Verdict %*
1 DangerousObject.Multi.Generic 33.02
2 Trojan-SMS.AndroidOS.Agent.ado 6.87
3 Trojan.AndroidOS.Whatreg.b 4.41
4 Trojan.AndroidOS.Triada.dq 3.85
5 Trojan.AndroidOS.Triada.ef 3.71
6 Trojan.AndroidOS.Hiddad.gx 3.70
7 DangerousObject.AndroidOS.GenericML 3.68
8 Trojan.AndroidOS.Agent.vz 3.63
9 Trojan-Downloader.AndroidOS.Necro.d 3.56
10 Trojan-Dropper.AndroidOS.Hqwar.bk 3.43
11 Trojan-SMS.AndroidOS.Fakeapp.b 3.35
12 Trojan.AndroidOS.MobOk.ad 3.13
13 Trojan.AndroidOS.Triada.el 2.76
14 Trojan-Downloader.AndroidOS.Agent.kx 2.21
15 Trojan-Dropper.AndroidOS.Hqwar.gen 1.74
16 Trojan-Downloader.AndroidOS.Gapac.e 1.71
17 Trojan-Dropper.AndroidOS.Agent.rp 1.66
18 Exploit.AndroidOS.Lotoor.be 1.66
19 Trojan.AndroidOS.Fakeapp.dn 1.64
20 Trojan-SMS.AndroidOS.Prizmes.a 1.53

* Unique users attacked by this malware as a percentage of all attacked users of Kaspersky mobile solutions.

The top ten threats in the Q3 Top 20 have all featured in our earlier rankings.

First place as usual went to DangerousObject.Multi.Generic (33.02%), the verdict we use for malware detected with cloud technology. This technology comes into play whenever the antivirus databases lack data for detecting a piece of malware, but the company’s cloud already contains information about the object. This is essentially how the latest malware types are detected.

The Trojan-SMS.AndroidOS.Agent.ado malware — sender of text messages to short premium-rate numbers — has climbed from third to second place (6.87%).

Third place was taken by Trojan.AndroidOS.Whatreg.b (4.41%) allowing attackers to use the victim’s phone number to register new WhatsApp accounts controlled by them alone.

The Triada family Trojans are fourth, fifth and thirteenth in our ranking. They download and execute other malware on the infected device. Triada’s victims often suffer from the abovementioned Trojan.AndroidOS.Whatreg.b, as well as Trojan-Downloader.AndroidOS.Necro.d (9th, 3.56%), Trojan-Downloader.AndroidOS.Gapac.e (16th, 1.71%) and Trojan-Dropper.AndroidOS.Agent.rp (17th, 1.66%), all of which likely belong to the same campaign.

Trojan.AndroidOS.Hiddad.gx (3.70%), a source of annoying ads, rose to sixth position.

Seventh place was taken by DangerousObject.AndroidOS.GenericML (3.68%). These verdicts are assigned to files recognized as malicious by our machine-learning systems.

The malware Trojan.AndroidOS.Agent.vz (3.63%), which, like Triada, is a link in the infection chain of various Trojans, dropped to eighth place.

Tenth and fifteenth places were taken by members of the family Trojan-Dropper.AndroidOS.Hqwar — a dropper used to unpack and execute various banking Trojans on the target device.

The newcomer Trojan-SMS.AndroidOS.Fakeapp.b came eleventh (3.35%). This mobile malware can text and call preset numbers, show ads, and conceal its icon. Most users attacked by the Trojan are from Russia.

Trojan.AndroidOS.MobOk.ad (3.13%), which signs users up for paid services, dropped to twelfth place.

The adware downloader Trojan-Downloader.AndroidOS.Agent.kx (2.21%) rose to fourteenth.

Exploit.AndroidOS.Lotoor.be (1.66%), an exploit used for elevating privileges on the device to superuser level, came eighteenth. Members of this family often come bundled with other widespread malware like Triada and Necro.

Trojan.AndroidOS.Fakeapp.dn (1.64%), another new arrival, takes the nineteenth place. This is a scam app exploiting the theme of social payments: it opens fake pages prompting users to provide their personal data and pay a fee to receive money.

The Top 20 is rounded out by Trojan-SMS.AndroidOS.Prizmes.a (1.53%), which is preinstalled on some Android devices under the guise of Sound Recorder. The Trojan texts preset numbers reporting the events taking place on the device (e.g., smartphone power on).

Geography of mobile threats

Map of infection attempts by mobile malware, Q3 2021

Top 10 countries by share of users attacked by mobile malware

Country* %**
1 Iran 20.14
2 Saudi Arabia 17.84
3 China 17.07
4 Algeria 16.73
5 India 15.33
6 Malaysia 13.63
7 Ecuador 11.52
8 Brazil 11.15
9 Bangladesh 10.81
10 Nigeria 10.81

* Excluded from the rankings are countries with relatively few users of Kaspersky mobile security solutions (under 10,000).
** Share of unique users attacked as a percentage of all users of Kaspersky mobile security solutions in the country.

In Q3 2021, the ranking by percentage of infected systems is led by the same countries as in Q2, and the most popular threats in these countries are likewise the same. First place went to Iran (20.14%), where the prevailing threat was annoying adware modules of the families AdWare.AndroidOS.Notifyer and AdWare.AndroidOS.Fyben.

In Saudi Arabia, which came second with 17.84%, AdWare.AndroidOS.HiddenAd and AdWare.AndroidOS.FakeAdBlocker adware were the most common issue.

China (17.07%) came third with Trojan.AndroidOS.Najin.a as its most widely spread Trojan.

Mobile banking Trojans

We detected 12,097 mobile banking Trojan installers during the reporting period: 12,507 fewer than in Q2 and 22,813 fewer year on year.

The largest contributors to these figures were the families Trojan-Banker.AndroidOS.Agent (46.72% of all banking Trojans detected), Trojan-Banker.AndroidOS.Bian (16.18%) and Trojan-Banker.AndroidOS.Anubis (8.20%).

Number of installation packages for mobile banking Trojans detected by Kaspersky, Q3 2020 – Q3 2021

Ten most common mobile bankers

Verdict %*
1 Trojan-Banker.AndroidOS.Anubis.t 16.77
2 Trojan-Banker.AndroidOS.Svpeng.q 11.17
3 Trojan-Banker.AndroidOS.Bian.f 9.08
4 Trojan-Banker.AndroidOS.Agent.eq 6.83
5 Trojan-Banker.AndroidOS.Asacub.ce 6.22
6 Trojan-Banker.AndroidOS.Agent.ep 5.17
7 Trojan-Banker.AndroidOS.Hqwar.t 3.53
8 Trojan-Banker.AndroidOS.Agent.cf 3.05
9 Trojan-Banker.AndroidOS.Bian.h 2.83
10 Trojan-Banker.AndroidOS.Svpeng.t 2.81

* Unique users attacked by this malware as a percentage of all Kaspersky mobile security solution users who encountered banking threats.

In Q3 2021, first place in our top mobile bankers ranking was taken by the Anubis family’s Trojan-Banker.AndroidOS.Anubis.t (16.77%). In second (11.17%) and tenth (2.81%) are bankers of the Svpeng family. Bian family bankers are in third (9.08%) and ninth (2.83%).

Geography of mobile banking threats, Q3 2021

Top 10 countries by share of users attacked by mobile banking Trojans

Country* %**
1 Spain 1.02
2 Austria 0.44
3 Croatia 0.43
4 Germany 0.33
5 Japan 0.26
6 Turkey 0.22
7 Portugal 0.20
8 Norway 0.20
9 China 0.18
10 Switzerland 0.14

* Excluded from the rankings are countries with relatively few users of Kaspersky mobile security solutions (under 10,000).
** Unique users attacked by mobile banking Trojans as a percentage of all Kaspersky mobile security solution users in the country.

Spain has the largest share of unique users attacked by mobile financial threats in Q3 2021 (1.02%). The prevalent banker detected in this country is Trojan-Banker.AndroidOS.Bian.h (33.55% of all banking Trojans detected). Austria (0.44%) is second with another Bian family representative — Trojan-Banker.AndroidOS.Bian.f (96.02%) — leading by a mile. Croatia (0.43%) is third with Bian.f (97.59%) as its most widely spread banker.

Mobile ransomware Trojans

In Q3 2021, we detected 6,157 installation packages for mobile ransomware Trojans — an increase of 2,534 from the previous quarter and 635 more than in Q3 2020.

Number of mobile ransomware installers detected by Kaspersky, Q3 2020 – Q3 2021

Top 10 most common mobile ransomware

Verdict %*
1 Trojan-Ransom.AndroidOS.Pigetrl.a 51.00
2 Trojan-Ransom.AndroidOS.Rkor.ax 10.43
3 Trojan-Ransom.AndroidOS.Rkor.bb 8.58
4 Trojan-Ransom.AndroidOS.Rkor.az 5.31
5 Trojan-Ransom.AndroidOS.Rkor.bc 4.64
6 Trojan-Ransom.AndroidOS.Rkor.ay 4.49
7 Trojan-Ransom.AndroidOS.Small.as 3.92
8 Trojan-Ransom.AndroidOS.Rkor.ba 2.30
9 Trojan-Ransom.AndroidOS.Rkor.au 1.72
10 Trojan-Ransom.AndroidOS.Rkor.aw 1.41

* Unique users attacked by the malware as a percentage of all Kaspersky mobile security solution users attacked by ransomware Trojans.

As in Q2, the ransomware Trojan ranking is led by Trojan-Ransom.AndroidOS.Pigetrl.a, with 51% of all attacked users. Most of its attacks (92%) targeted users in Russia.

Geography of mobile ransomware Trojans, Q3 2021

Top 10 countries by share of users attacked by mobile ransomware Trojans

Country* %**
1 Kazakhstan 0.57
2 Sweden 0.22
3 Kyrgyzstan 0.21
4 Morocco 0.06
5 China 0.06
6 Saudi Arabia 0.05
7 Uzbekistan 0.04
8 Algeria 0.04
9 Pakistan 0.02
10 Egypt 0.02

* Excluded from the rankings are countries with relatively few users of Kaspersky mobile security solutions (under 10,000).
** Unique users attacked by ransomware Trojans as a percentage of all Kaspersky mobile security solution users in the country.

Countries leading by number of users attacked by mobile ransomware Trojans are the same as in Q2: Kazakhstan (0.57%), Sweden (0.22%) and Kyrgyzstan (0.21%). In all three the Trojan-Ransom.AndroidOS.Rkor family Trojans were the most common threat.
