According to KSN data, Kaspersky Lab solutions detected and repelled 342, 566, 061 malicious attacks from online resources located in 191 countries all over the world.
33, 006, 783 unique URLs were recognized as malicious by web antivirus components.
Attempted infections by malware that aims to steal money via online access to bank accounts were registered on 224, 675 user computers.
Crypto ransomware attacks were blocked on 246, 675 computers of unique users.
Kaspersky Lab’s file antivirus detected a total of 185, 801, 835 unique malicious and potentially unwanted objects.
Kaspersky Lab mobile security products detected:
- 1, 319, 148 malicious installation packages;
- 28, 976 mobile banker Trojans (installation packages);
- 200, 054 mobile ransomware Trojans (installation packages).
As we wrote in the previous quarter, fraudsters had begun to actively use the Trojan-Banker.AndroidOS.Asacub mobile banker, distributing it via SMS spam. At the end of Q2, we detected a much larger campaign to spread it: in June, there were three times as many attacked users as in April, and judging by the first week of July, this growth continues.
Yet another interesting theme discussed in our report for the first quarter of 2017 remained relevant in Q2: the attackers continued to upload to Google Play new applications with the malicious Ztorg module. Interestingly, in the second quarter, we registered the cases of uploading additional Ztrog modules, not just the main ones. For example, we found the Trojan that could install and even buy apps on Google Play. We also discovered Trojan-SMS.AndroidOS.Ztorg.a, which could send paid SMS.
Of note is the fact that unlike the main Ztrog module, neither of the two malware samples attempted to exploit system vulnerabilities to obtain root privileges. To recap, Trojan.AndroidOS.Ztorg tries to get root privileges to display ads and secretly install new applications, including additional modules mentioned above.
Meet the new Trojan – Dvmap
In April 2017 we discovered a new rooting malware distributed via the official Google Play Store — Trojan.AndroidOS.Dvmap.a. Dvmap is very special rooting malware: it modifies system libraries. The Trojan exploits system vulnerabilities to obtain root privileges, and then injects its malicious code into the system library.
WAP billing subscriptions
In the second quarter of 2017, we registered an increase in the activity of Trojans designed to steal user money utilizing the mechanism of paid subscriptions (two years ago we wrote about similar attacks). To recap, the services of paid subscriptions are special sites that allow users to pay for services by deducting a certain amount of money from their phone accounts. Before getting the service, the client is redirected to the site of the cellular service provider, where he is asked to confirm his operation. The provider may also use SMS to confirm the payment. The Trojans have learned to bypass these restrictions: without user’s awareness they click on forms of confirmation, using special JS files. In addition, the Trojans can hide messages from the cellular service provider from the user.
We have discovered that in some cases after the infection, Trojan Ztorg can install additional modules with this functionality. Meanwhile the Trojan-Clicker.AndroidOS.Xafekopy family is capable of attacking such services in India and Russia, using JS files similar to those used by Ztrog.
Two malware samples from our Top 20 Trojan programs most popular in Q2 2017 were also attacking WAP subscriptions. They are Trojan-Clicker.AndroidOS.Autosus.a and Trojan-Dropper.AndroidOS.Agent.hb. Moreover, the most popular Trojans of the quarter detected by our machine learning-based system were also malicious programs utilizing mobile subscriptions.
Mobile threat statistics
In the second quarter of 2017, Kaspersky Lab detected 1,319, 148 malicious installation packages, which is almost as many as in two previous quarters.
Distribution of mobile malware by type
In Q2 2017, the biggest growth was demonstrated by Adware (13.31%) – its share increased by 5.99% p.p. The majority of all discovered installation packages are detected as AdWare.AndroidOS.Ewind.iz and AdWare.AndroidOS.Agent.n.
Trojan-SMS malware (6.83%) ranked second in terms of the growth rate: its contribution increased by 2.15 percentage points. Most of detected installation packages belonged to the Trojan-SMS.AndroidOS.Opfake.bo and Trojan-SMS.AndroidOS.FakeInst.a families, which percentage grew more than three-fold from the previous quarter.
The biggest decline was demonstrated by Trojan-Spy (3.88%). To recap, the growth rate of this type of malware were one of the highest in Q1 2017. This was caused by the increase in the number malicious programs belonging to the Trojan-Spy.AndroidOS.SmForw and Trojan-Spy.AndroidOS.SmsThief families.
The contribution of Trojan-Ransom programs, which had come first in terms of the growth rate in the first quarter of 2017, dropped by 2.55 p.p. and accounted for 15.09% in Q2.
TOP 20 mobile malware programs
Please note that this rating of malicious programs does not include potentially dangerous or unwanted programs such as RiskTool or adware.
* Percentage of unique users attacked by the malware in question, relative to all users of Kaspersky Lab’s mobile security product that were attacked.
First place was occupied by DangerousObject.Multi.Generic (62.27%), the verdict used for malicious programs detected using cloud technologies. Cloud technologies work when the antivirus database contains neither the signatures nor heuristics to detect a malicious program, but the cloud of the antivirus company already contains information about the object. This is basically how the very latest malware is detected.
Second came Trojan.AndroidOS.Boogr.gsh (15.46%). Such verdict is issued for files recognized as malicious by our system based on machine learning. The share of this verdict increased nearly threefold from the previous quarter which allowed it to move up from third to second place. In Q2 2017, this system most often detected Trojans which subscribed users to paid services as well as advertising Trojans which used superuser privileges.
Trojan.AndroidOS.Hiddad.an (4.20%) was third. This piece of malware imitates different popular games or programs. Interestingly, once run, it downloads and installs the application it imitated. In this case, the Trojan requests administrator rights to combat its removal. The main purpose of Trojan.AndroidOS.Hiddad.an is aggressive display of adverts, its main “audience” is in Russia. In the previous quarter it occupied second position.
Trojan-Dropper.AndroidOS.Hqwar.i (3.59%), the verdict used for the Trojans protected by a certain packer/obfuscator climbed from eighth to fourth position in the ranking. In most cases, this name hides the representatives of the FakeToken and Svpeng mobile banking families.
On fifth position was Trojan Backdoor.AndroidOS.Ztorg.c., one of the most active advertising Trojans which uses superuser rights. In the second quarter of 2017, our TOP 20 included eleven Trojans (highlighted in blue in the table) which tried to obtain or use root rights and which exploited advertising as the main means of monetization. Their goal is to deliver ads to the user more aggressively, applying (among other methods) hidden installation of new advertising programs. At the same time, superuser privileges help them “hide” in the system folder, thus making it very difficult to remove them. Of note is the fact that the number of such type of malware in the TOP 20 has been decreasing recently (in Q1 2017, there were fourteen Trojans of such type in the ranking).
Trojan-Dropper.AndroidOS.Agent.hb (3.16%) was sixth in the ranking. It is a complex modular Trojan, which main malicious part should be downloaded from the server of cybercriminals. We can assume that this Trojan is designed to steal money through paid subscriptions.
Eleventh place is occupied by Trojan-Clicker.AndroidOS.Autosus.a (2.08%) which main task is the activation of paid subscriptions. To do this, it “clicks” on the buttons in web catalogs of subscriptions, as well as hides incoming SMS with the information about them.
Trojan.AndroidOS.Agent.bw was fourteenth in the rating (1.67%). This Trojan, targeting primarily people in India (more than 92% of attacked users), just like Trojan.AndroidOS.Hiddad.an imitates popular programs and games, and once run, downloads and installs various applications from the fraudsters’ server.
Fifteenth came Trojan.AndroidOS.Agent.gp (1.54%), which steals user money making paid calls. Due to the use of administrator rights, it counteracts attempts to remove it from an infected device.
The ranking also included Trojan-Banker.AndroidOS.Svpeng (1.49%), which was seventeenth in the Top 20. This family has been active for three quarters in a row and remains the most popular banking Trojan in Q2 of 2017.
The geography of mobile threats
TOP 10 countries attacked by mobile malware (ranked by percentage of users attacked)
|Country*||% of users attacked **|
* We eliminated countries from this rating where the number of users of Kaspersky Lab’s mobile security product is relatively low (under 10,000).
** Percentage of unique users attacked in each country relative to all users of Kaspersky Lab’s mobile security product in the country.
As in the previous quarter, in Q2 2017 Iran was the country with the highest percentage of users attacked by mobile malware – 44.78%. China came second: 31.49% of users there encountered a mobile threat at least once during the quarter. It was followed by Bangladesh (27.10%).
Russia (12.10%) came 26th in Q2 of 2017 (vs 40th place in the previous quarter), France (6.04%) 58th, the US (4.5%) 71st, Italy (5.7%) 62nd, Germany (4.8%) 67th, Great Britain (4.3%) 73rd.
The safest countries were Denmark (2.7%), Finland (2.6%) and Japan (1.3%).
Mobile banking Trojans
Over the reporting period, we detected 28, 976 installation packages for mobile banking Trojans, which is 1.1 times less than in Q1 2017.
Trojan-Banker.AndroidOS.Svpeng.q remained the most popular mobile banking Trojan for several quarters in a row. This family of mobile banking Trojans uses phishing windows to steal credit card data and logins and passwords from online banking accounts. In addition, fraudsters steal money via SMS services, including mobile banking.
Svpeng is followed by Trojan-Banker.AndroidOS.Hqwar.jck and Trojan-Banker.AndroidOS.Asacub.af. It is worth noting that most of users attacked by these three banking Trojans were in Russia.
TOP 10 countries attacked by mobile banker Trojans (ranked by percentage of users attacked)
|Country*||% of users attacked**|
* We eliminated countries from this rating where the number of users of Kaspersky Lab’s mobile security product is relatively low (under 10,000).
** Percentage of unique users in each country attacked by mobile banker Trojans, relative to all users of Kaspersky Lab’s mobile security product in the country.
In Q2 2017, the TOP 10 countries attacked by mobile banker Trojans remained practically unchanged: Russia (1.63%) topped the ranking again. In second place was Australia (0.81%), where the Trojan-Banker.AndroidOS.Acecard and Trojan-Banker.AndroidOS.Marcher families were the most popular threats. Turkey (0.81%) rounded off the Top 3.
In Q2 2017, we detected 200, 054 mobile Trojan-Ransomware installation packages which is much more than in the fourth quarter of 2016.
In the first half of 2017, we discovered more mobile ransomware installation packages than for any other period. The reason was the Trojan-Ransom.AndroidOS.Congur family. Usually, the representatives of Congur have very simple functionality – they change the system password (PIN), or install it if no password was installed earlier, thus making it impossible to use the device, and then ask that user to contact the fraudsters via the QQ messenger to unblock it. It is worth noting that there are modifications of this Trojan that can take advantage of existing superuser privileges to install their module into the system folder.
Trojan-Ransom.AndroidOS.Fusob.h remained the most popular mobile Trojan-Ransomware in Q2, accounting for nearly 20% of users attacked by mobile ransomware, which is half as much as in the previous quarter. Once run, the Trojan requests administrator privileges, collects information about the device, including GPS coordinates and call history, and downloads the data to a malicious server. After that, it may receive a command to block the device.
TOP 10 counties attacked by mobile Trojan-Ransomware (ranked by percentage of users attacked)
|Country*||% of users attacked**|
* We eliminated countries from this ranking where the number of users of Kaspersky Lab’s mobile security product is lower than 10,000.
** Percentage of unique users in each country attacked by mobile Trojan-Ransomware, relative to all users of Kaspersky Lab’s mobile security product in the country.
The US topped the ranking of ten countries attacked by mobile Trojan-Ransomware; the most popular family there was Trojan-Ransom.AndroidOS.Svpeng. These Trojans appeared in 2014 as a modification of the Trojan-Banker.AndroidOS.Svpeng mobile banking family. They demand a ransom of $100-500 from victims to unblock their devices.
In China (0.65%), which came second in Q2 2017, most of mobile ransomware attacks involved Trojan-Ransom.AndroidOS.Congur.
Italy (0.57%) came third. The main threat to users originated from Trojan-Ransom.AndroidOS.Egat.d. This Trojan is mostly spread in Europe and demands $100-200 to unblock the devilce.
Vulnerable apps exploited by cybercriminals
The second quarter of 2017, especially popular were campaigns involving in-the-wild vulnerabilities. The appearance of several 0-day vulnerabilities for Microsoft Office resulted in a significant change in the pattern of exploits used.
The logical vulnerability in processing HTA objects CVE-2017-0199, which allows an attacker to execute arbitrary code on a remote machine using a specially generated file, was detected in early April. And despite the fact that the update fixing this vulnerability was published on April 11, the number of attacked Microsoft Office users soared almost threefold, to 1.5 million. 71% of all attacks on Microsoft Office users were implemented using this vulnerability; documents with exploits for CVE-2017-0199 were very actively used in spam mailings.
This was caused by several reasons – simplicity and reliability of its exploitation on all MS Office and Windows versions and rapid appearance of document generators with the CVE-2017-0199 exploit in open access which significantly reduced the entry threshold for exploitation of this vulnerability. In comparison, two other zero-day vulnerabilities in MS Office related to memory corruption vulnerability due to incorrect processing of EPS files – CVE-2017-0261 and CVE-2017-0262 – accounted for only 5%.
However, the main event of Q2 was publication by the Shadow Brokers hacker group of the archive with utilities and exploits, supposedly developed by the US special services. The Lost In Translation archive contained a large number of network exploits for various Windows versions. And even though most of those vulnerabilities were not zero-day vulnerabilities and had been patched by the MS17-010 update a month before the leak, the publication had horrendous consequences. The damage from worms, Trojans and ransomware cryptors being distributed via the network with the help of EternalBlue and EternalRomance, as well as the number of users infected, is incalculable. In the second quarter of 2017 only Kaspersky Lab blocked more over five million attempted attacks involving network exploits from the archive. And the average number of attacks per day was constantly growing: 82% of all attacks were detected in the last 30 days.
The statistics on the IDS component using ShadowBrokers exploits over the last month.
A sharp peak at the end of the month was the appearance of the ExPetr cryptor, which used modified EternalBlue and EternalRomance exploits as one of proliferation methods.
Online threats (Web-based attacks)
Online threats in the banking sector
These statistics are based on detection verdicts of Kaspersky Lab products, received from users of Kaspersky Lab products who have consented to provide their statistical data. Beginning from the first quarter of 2017 the statistics include malicious programs for ATMs and POS terminals but does not include mobile threats.
Kaspersky Lab solutions blocked attempts to launch one or several malicious programs capable of stealing money via online banking on 224,000 computers in Q2 2017.
Geography of attacks
To evaluate and compare the risk of being infected by banking Trojans and ATM and POS-malware worldwide, we calculate the percentage of Kaspersky Lab product users in the country who encountered this type of threat during the reporting period, relative to all users of our products in that country.
TOP 10 countries by percentage of attacked users
|Country*||% of attacked users**|
These statistics are based on detection verdicts returned by the antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data.
* We excluded those countries in which the number of Kaspersky Lab product users is relatively small (under 10,000).
** Unique users whose computers have been targeted by banking Trojan and PoS/ATM malware attacks as a percentage of all unique users of Kaspersky Lab products in the country.
In the second quarter of 2017, Germany (2.61%) had the highest proportion of users attacked by banking Trojans. It was followed by Togo (2.14%). Libya (1.77%) rounded off the Top 3.
The TOP 10 banking malware families
The table below shows the TOP 10 malware families used in Q2 2017 to attack online banking users (as a percentage of users attacked):
|Name*||% of attacked users**|
* The detection verdicts of Kaspersky Lab products, received from users of Kaspersky Lab products who have consented to provide their statistical data.
** Unique users whose computers have been targeted by the malware in question as a percentage of all users attacked by financial malware.
In Q2 2017, Trojan-Spy.Win32.Zbot (32.58%) remained the most popular malware family. Its source codes have been publicly available since a leak, so cybercriminals regularly enhance the family with new modifications compiled on the basis of the source code and containing minor differences from the original.
Second came Trojan.Win32.Nymaim (26.02%). The first modifications of malware belonging to this Trojan family were downloaders, which blocked the infected machine with the help of downloaded programs unique for each country. Later, new modifications of the Trojan.Win32.Nymaim family malware were discovered. They included a fragment of Gozi used by cybercriminals to steal user payment data in online banking systems. In Q1 2017, Gozi (2.66%) was on 7th position in the rating.
May of 2017 saw the break out of the unprecedented epidemic of the Wannacry 2.0 ransomware cryptor, which spread using the worm that exploited a vulnerability in several Windows versions.
No sooner had this epidemic died down than in June 2017 a massive attack involving another Trojan – ExPetr – occurred. Wannacry 2.0 did not have obvious geographic preferences and attacked all countries indiscriminately, while ExPetr chose Ukraine its main target. Kaspersky Lab specialists have found out that ExPetr encrypts MFT (system area of the NTFS file system) irreversibly which means an affected user’s computer will not be completely restored the even if he pays the ransom.
Apart from the large-scale epidemics that shook the world, in Q2 2017 an interesting trend emerged: several criminal groups behind different ransomware cryptors concluded their activities and published their secret keys needed to decrypt victims’ files. Below is the list of families, the keys to which became public during the reporting period:
- Crysis (Trojan-Ransom.Win32.Crusis);
- AES-NI (Trojan-Ransom.Win32.AecHu);
- xdata (Trojan-Ransom.Win32.AecHu);
- Petya/Mischa/GoldenEye (Trojan-Ransom.Win32.Petr).
The number of new modifications
In Q2 of 2017, we discovered 15 new ransomware families. The number of new modifications was 15,663 which is considerably less than the number of modifications appeared in the previous quarter. Also, in the first quarter most of the new modifications turned to be the Cerberus cryptor variants, while in the second quarter this verdict faded into the background, giving way to the new cryptor – the world infamous Wannacry.
Currently we observe a sharp decrease in the number of new Cerber samples. Probably, it means that the development and distribution of this malware family is coming to an end. Time will tell whether that is true or not. Along with Cerber, the total number of ransomware modifications is going down in the second quarter of 2017.
The number of users attacked by ransomware
In Q2 2017, 246, 675 unique KSN users were attacked by cryptors which is almost as many as of the previous quarter. Despite the drop in the quantity of new modifications, the number of protected users grew.
The geography of attacks
Top 10 countries attacked by cryptors
|Country*||% of users attacked by cryptors **|
* We excluded those countries where the number of Kaspersky Lab product users is relatively small (under 50,000)
** Unique users whose computers have been targeted by ransomware as a percentage of all unique users of Kaspersky Lab products in the country.
Top 10 most widespread cryptor families
|Name||Verdict*||% of attacked users**|
* These statistics are based on detection verdicts received from users of Kaspersky Lab products who have consented to provide their statistical data.
** Unique users whose computers have been targeted by a specific Trojan-Ransom family as a percentage of all users of Kaspersky Lab products attacked by Trojan-Ransom malware.
In addition to the abovementioned Wannacry and ExPetr, the Top 10 most popular cryptors included another two “newcomers”: Jaff and Purgen. Jaff was 4th followed by Cryrar. Kaspersky Lab specialists carried out a detailed analysis of the Trojan and discovered a flaw in its implementation of cryptographic algorithms which allowed creating a utility for decrypting files.
Other positions were occupied by Cerber, Locky, Spora and Shade.
Top 10 countries where online resources are seeded with malware
The following statistics are based on the physical location of the online resources used in attacks and blocked by our antivirus components (web pages containing redirects to exploits, sites containing exploits and other malware, botnet command centers, etc.). Any unique host could be the source of one or more web attacks.
In order to determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established.
In Q2 2017, Kaspersky Lab solutions blocked 342, 566, 061 attacks launched from web resources located in 191 countries around the world. 33, 006, 783 unique URLs were recognized as malicious by web antivirus components.
In Q2 2017, the US took the lead in the number of web attack sources. The sourced in France turned more “popular” that those in Russia and Germany.
Countries where users faced the greatest risk of online infection
In order to assess the risk of online infection faced by users in different countries, we calculated the percentage of Kaspersky Lab users in each country who encountered detection verdicts on their machines during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers work in different countries.
This rating only includes attacks by malicious programs that fall under the Malware class. The rating does not include web antivirus module detections of potentially dangerous or unwanted programs such as RiskTool or adware.
|Country*||% of users attacked**|
These statistics are based on detection verdicts returned by the web antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data.
* These calculations excluded countries where the number of Kaspersky Lab users is relatively small (under 10,000 users).
**Unique users whose computers have been targeted by Malware-class attacks as a percentage of all unique users of Kaspersky Lab products in the country.
On average, 17.26% of computers connected to the Internet globally were subjected to at least one Malware-class web attack during the quarter.
The countries with the safest online surfing environments included Cuba (5%), Finland (11.32%), Singapore (11.49%), Israel (13.81%) and Japan (7.56%).
Local infection statistics for user computers are a very important indicator: they reflect threats that have penetrated computer systems by infecting files or removable media, or initially got on the computer in an encrypted format (for example, programs integrated in complex installers, encrypted files, etc.).
Data in this section is based on analyzing statistics produced by antivirus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media.
In Q2 2017, Kaspersky Lab’s file antivirus detected 185, 801, 835 unique malicious and potentially unwanted objects.
Countries where users faced the highest risk of local infection
For each country, we calculated the percentage of Kaspersky Lab product users on whose computers the file antivirus was triggered during the quarter. These statistics reflect the level of personal computer infection in different countries.
The rating of malicious programs only includes Malware-class attacks. The rating does not include web antivirus module detections of potentially dangerous or unwanted programs such as RiskTool or adware.
The Top 20 countries where users faced the highest risk of local infection remained almost unchanged from the previous quarter, however Kazakhstan and Belarus were replaced by Mozambique and Mauritania:
|Country*||% of users attacked**|
These statistics are based on detection verdicts returned by on-access and on-demand antivirus modules, received from users of Kaspersky Lab products who have consented to provide their statistical data. The data include detections of malicious programs located on users’ computers or on removable media connected to the computers, such as flash drives, camera and phone memory cards, or external hard drives.
* These calculations exclude countries where the number of Kaspersky Lab users is relatively small (under 10,000 users).
** The percentage of unique users in the country with computers that blocked Malware-class local threats as a percentage of all unique users of Kaspersky Lab products.
An average of 20.97% of computers globally faced at least one Malware-class local threat during the second quarter. Russia’s contribution to this rating accounted for 25.82%.
The safest countries in terms of local infection risks were: Chile (15.06%), Latvia (14.03%), Portugal (12.27%), Australia (9.46%), Great Britain (8.59%), Ireland (6.30%) and Puerto Rico (6.15%).