- IT threat evolution in Q2 2023
- IT threat evolution in Q2 2023. Non-mobile statistics
- IT threat evolution in Q2 2023. Mobile statistics
These statistics are based on detection verdicts of Kaspersky products received from users who consented to providing statistical data.
Quarterly figures
According to Kaspersky Security Network, in Q2 2023:
- A total of 5,704,599 mobile malware, adware, and riskware attacks were blocked.
- The most common threat to mobile devices was potentially unwanted software (RiskTool): 30.8% of all threats detected.
- A total of 370,327 malicious installation packages were detected, of which:
- 59,167 packages were related to mobile banking Trojans,
- 1318 packages were mobile ransomware Trojans.
Quarterly highlights
The number of malware, adware, or unwanted software attacks on mobile devices began to climb again in Q2 2023. Kaspersky products blocked a total of 5,700,000 attacks during the period.
Number of attacks targeting users of Kaspersky mobile solutions, Q4 2021 — Q2 2023 (download)
In Q2, we discovered a new type of ransomware named “Rasket”, created with the help of a shortcut utility.
We also discovered what we designated as “Trojan-Banker.AndroidOS.FakeShop.b”. The malware showed a popular Asian online store but with embedded JavaScript code that stole bank card details if the user tried to pay for a purchase.
The quarter’s other unusual discoveries included a movie-streaming app with a cryptominer inside published on Google Play. We assigned it the verdict of Trojan.AndroidOS.Miner.f.
Mobile threat statistics
In Q4 2022, we observed a noticeable decline in the number of malware installers due to decreased activity by Trojan-Dropper.AndroidOS.Ingopack. Q1 2023 saw a slight increase in the number of new malware samples, which continued into Q2.
Number of detected malicious installation packages, Q2 2022 — Q2 2023 (download)
Distribution of detected mobile malware by type
Distribution of newly detected mobile malware by type, Q1 2023 and Q2 2023 (download)
Unwanted software like RiskTool (30.79%) topped the rankings during the reporting period, with a significant part of the threat consisting of obfuscated Robtes files. The most numerous adware (22.69%) families in terms of packages were still MobiDash (30.7%), Adlo (20.6%), and HiddenAd (10.8%).
Share of users who encountered a certain type of threat out of all attacked mobile users in Q1 2023 and Q2 2023 (download)
The rankings underwent no changes from the previous quarter. RiskTool packages (9.45%), despite their huge absolute numbers, were still not as widespread as adware (62.65%). Various GriftHorse Trojan subscriber and Fakemoney investment app variants were the most active Trojan malware types.
TOP 20 most frequently detected mobile malware programs
Note that the malware rankings below exclude riskware or PUAs, such as RiskTool or adware.
Verdict | %* Q1 2023 | %* Q2 2023 | Difference in pp | Change in ranking | |
1 | DangerousObject.Multi.Generic. | 13.27 | 16.79 | +3.52 | 0 |
2 | Trojan.AndroidOS.Boogr.gsh | 8.39 | 10.05 | +1.66 | +1 |
3 | Trojan.AndroidOS.GriftHorse.l | 6.13 | 8.38 | +2.26 | +2 |
4 | Trojan.AndroidOS.Generic. | 5.95 | 6.56 | +0.61 | +2 |
5 | Trojan-Spy.AndroidOS.Agent.acq | 8.60 | 6.10 | –2.51 | –3 |
6 | Trojan.AndroidOS.Fakemoney.v | 7.48 | 5.34 | –2.14 | –2 |
7 | Trojan-Spy.AndroidOS.Agent.aas | 3.64 | 3.65 | +0.01 | +2 |
8 | DangerousObject.AndroidOS.GenericML. | 3.46 | 3.14 | –0.33 | +2 |
9 | Trojan-Dropper.AndroidOS.Badpack.g | 0.00 | 2.96 | +2.96 | |
10 | Trojan-Dropper.AndroidOS.Hqwar.hd | 4.54 | 2.33 | –2.21 | –3 |
11 | Trojan-Dropper.AndroidOS.Hqwar.bk | 0.51 | 2.17 | +1.65 | +26 |
12 | Trojan.AndroidOS.Fakemoney.x | 0.00 | 2.02 | +2.02 | |
13 | Trojan.AndroidOS.Fakeapp.ez | 0.72 | 1.73 | +1.01 | +13 |
14 | Trojan-Downloader.AndroidOS.Agent.mh | 3.68 | 1.72 | –1.96 | –6 |
15 | Trojan-Dropper.AndroidOS.Hqwar.hq | 0.00 | 1.66 | +1.66 | |
16 | Trojan-Banker.AndroidOS.Bian.h | 1.52 | 1.64 | +0.12 | –2 |
17 | Trojan-Dropper.AndroidOS.Hqwar.gen | 1.47 | 1.61 | +0.14 | –2 |
18 | Trojan.AndroidOS.Fakemoney.u | 1.64 | 1.55 | –0.09 | –5 |
19 | Trojan-Downloader.AndroidOS.Triada.al | 0.65 | 1.55 | +0.90 | +10 |
20 | Trojan.AndroidOS.GriftHorse.ah | 0.63 | 1.54 | +0.92 | +12 |
* Unique users who encountered this malware as a percentage of all attacked users of Kaspersky mobile solutions.
The generalized cloud verdict DangerousObject.Multi.Generic (16.79%) was again in its usual first position during the reporting period. Trojan-Spy.AndroidOS.Agent.acq (6.10%), a malicious WhatsApp variant, moved down three positions, replaced by the umbrella ML verdict Trojan.AndroidOS.Boogr.gsh (10.05%). Its cloud variant, DangerousObject.AndroidOS.GenericML (3.14%), rose by two positions compared to the previous quarter. Besides, the aforementioned GriftHorse and Fakemoney were part of the 20 most commonly detected malware applications too.
Region-specific malware
This section describes mobile malware that mostly targets the residents of certain countries.
Verdict | Country* | %** |
Trojan-SMS.AndroidOS.Fakeapp.g | Thailand | 99.00 |
Trojan-Banker.AndroidOS.Agent.la | Turkey | 98.62 |
Trojan-Banker.AndroidOS.BRats.b | Brazil | 98.33 |
Trojan-Spy.AndroidOS.SmsThief.tw | Indonesia | 98.03 |
Trojan-Spy.AndroidOS.SmsEye.b | Indonesia | 97.22 |
Trojan-Banker.AndroidOS.Agent.lc | Indonesia | 96.99 |
Trojan.AndroidOS.Hiddapp.da | Iran | 96.46 |
Trojan-SMS.AndroidOS.Agent.adr | Iran | 95.96 |
HackTool.AndroidOS.Cardemu.a | Brazil | 95.47 |
Trojan-Spy.AndroidOS.SmsThief.td | Indonesia | 94.76 |
Trojan.AndroidOS.Hiddapp.bn | Iran | 94.75 |
Trojan-Dropper.AndroidOS.Hqwar.hc | Turkey | 94.65 |
Trojan-Spy.AndroidOS.SmsThief.tt | Iran | 94.61 |
Trojan.AndroidOS.Hiddapp.cg | Iran | 90.26 |
Trojan.AndroidOS.FakeGram.a | Iran | 88.89 |
Trojan-Banker.AndroidOS.Agent.cf | Turkey | 88.61 |
Trojan-Dropper.AndroidOS.Wroba.o | Japan | 82.96 |
* Country where the malware was most active.
**Unique users who encountered the malware in the indicated country as a percentage of all Kaspersky mobile security solution users attacked by the same malware
The Fakeapp.g Trojan was most frequently encountered by users from Thailand. The malware is distributed under the guise of gaming modifications, but in fact, simply sends text messages to premium numbers and charges the user’s account.
Users in Brasil encountered the Brats banking Trojan, a variety of Banbra, which we covered in our previous report. We also noticed some activity by Cardemu banking card emulators, sometimes used in payment terminal scams in Brazil.
SmsThief SMS spies, which masquerade as public services, system apps, or marketplaces, continued to spread in Indonesia. The SmsEye open-source spyware was active in that country too.
The Wroba dropper was still focused on Japan.
Turkish users were again targeted by several banking Trojans: Agent.la, Agent.cf, and the Hqwar banking Trojan dropper.
Hard-to-remove Hiddapp apps and FakeGram third-party Telegram clients operated in Iran.
A new GriftHorse variant honed in on Russia. A primitive malware app named “Soceng”, touted as “the most powerful virus ever” spread via Telegram among users in Russia. It deleted files from flash memory and sent texts to the victim’s contacts, saying the device had been “hacked”.
Mobile banking Trojans
The number of Trojan banker installation packages continued to grow in Q2 2023, exceeding 59,000.
Number of installation packages for mobile banking Trojans detected by Kaspersky, Q2 2022 — Q2 2023 (download)
Ten most common mobile bankers
Verdict | %* Q1 2023 | %* Q2 2023 | Difference in pp | Change in ranking | |
1 | Trojan-Banker.AndroidOS.Bian.h | 30.81 | 29.33 | –1.48 | 0 |
2 | Trojan-Banker.AndroidOS.Agent.eq | 5.51 | 13.05 | +7.54 | +1 |
3 | Trojan-Banker.AndroidOS.Agent.cf | 1.91 | 11.45 | +9.54 | +7 |
4 | Trojan-Banker.AndroidOS.Faketoken.pac | 10.15 | 8.49 | –1.66 | –2 |
5 | Trojan-Banker.AndroidOS.Gustuff.d | 1.26 | 2.68 | +1.43 | +11 |
6 | Trojan-Banker.AndroidOS.BRats.b | 1.16 | 2.68 | +1.51 | +12 |
7 | Trojan-Banker.AndroidOS.Svpeng.q | 4.05 | 2.40 | –1.65 | –2 |
8 | Trojan-Banker.AndroidOS.Asacub.bo | 0.02 | 2.09 | +2.07 | +217 |
9 | Trojan-Banker.AndroidOS.Agent.ep | 4.40 | 1.77 | –2.63 | –5 |
10 | Trojan-Banker.AndroidOS.Agent.lc | 0.48 | 1.70 | +1.22 | +27 |
* Unique users who encountered this malware as a percentage of all Kaspersky mobile security solution users who encountered banking threats.
Users were more frequently exposed to Agent.ch, and the older Gustuff and Asacub Trojans in Q2 2023 than in Q1.
Mobile ransomware Trojans
Despite the new Rasket ransomware app appearing in Q2, the total number of ransomware packages continued to decline.
Number of installation packages for mobile ransomware Trojans detected by Kaspersky, Q2 2022 — Q2 2023 (download)
Top 10 most common mobile ransomware
Verdict | %* Q1 2023 | %* Q2 2023 | Difference in pp | Change in ranking | |
1 | Trojan-Ransom.AndroidOS.Pigetrl.a | 62.22 | 47.55 | –14.67 | 0 |
2 | Trojan-Ransom.AndroidOS.Rasket.a | 0.00 | 5.60 | +5.60 | |
3 | Trojan-Ransom.AndroidOS.Congur.y | 1.78 | 4.56 | +2.78 | +1 |
4 | Trojan-Ransom.AndroidOS.Small.as | 3.65 | 3.02 | –0.62 | –2 |
5 | Trojan-Ransom.AndroidOS.Rkor.dq | 0.00 | 2.93 | +2.93 | |
6 | Trojan-Ransom.AndroidOS.Congur.cw | 0.55 | 2.73 | +2.18 | +27 |
7 | Trojan-Ransom.AndroidOS.Svpeng.ac | 0.64 | 2.38 | +1.74 | +21 |
8 | Trojan-Ransom.AndroidOS.Congur.ap | 0.14 | 2.33 | +2.19 | +87 |
9 | Trojan-Ransom.AndroidOS.Rkor.dt | 0.00 | 1.98 | +1.98 | |
10 | Trojan-Ransom.AndroidOS.Rkor.dx | 0.00 | 1.69 | +1.69 |
* Unique users attacked by the malware as a percentage of all Kaspersky mobile security solution users attacked by ransomware trojans.
The new Rasket.a Trojan (5.60%) went straight to second position by number of attacks among other malware of the type. The rest of the family rankings remained the same, although the lists of most common modifications within the families did change.
IT threat evolution in Q2 2023. Mobile statistics