Authors
Quarterly figures
According to Kaspersky Security Network, in Q2 2024:
- 7 million attacks using malware, adware or unwanted mobile software were blocked.
- The most common threat to mobile devices was RiskTool software – 41% of all detected threats.
- A total of 367,418 malicious installation packages were detected, of which:
- 13,013 packages were for mobile banking Trojans;
- 1,392 packages were for mobile ransomware Trojans.
Quarterly highlights
The number of malware, adware or unwanted software attacks on mobile devices climbed relative to the same period last year, but dropped against Q1 2024, with 7,697,975 attacks detected.
Number of attacks on users of Kaspersky mobile solutions, Q4 2022 – Q2 2024 (download)
The decrease is due to a sharp drop in the activity of adware apps, mostly from the covert applications of the AdWare.AndroidOS.HiddenAd family, which opens ads on the targeted device.
In April of this year, new versions of Mandrake spyware were discovered. Distributed via Google Play, these apps used sophisticated techniques to hide their malicious functionality: concealing dangerous code in an obfuscated native library; using certificate pinning to detect attempts to track app network traffic; and multiple methods to check for emulated runtime environments, such as sandboxes.
A Mandrake app on Google Play
Also in Q2, the IOBot banking Trojan was found targeting users in Korea. To install an additional malware component with VNC backdoor functionality, the Trojan’s authors use a technique to bypass Android protection against granting extended permissions to apps downloaded from unofficial sources.
Mobile threat statistics
The number of Android malware samples fell against the previous quarter to the Q2 2023 level, totaling 367,418 installation packages.
Number of detected malicious installation packages, Q2 2023 – Q2 2024 (download)
New trends emerged in the distribution of detected Adware and RiskTool packages: the former significantly decreased in number, while the latter increased. Otherwise, the number of detections remains largely the same.
Distribution of detected mobile apps by type, Q1*–Q2 2024 (download)
*Data for the previous quarter may differ slightly from previously published data due to some verdicts being retrospectively revised.
Among adware, the number of HiddenAd, BrowserAd and Adlo apps dropped sharply, while the number of RiskTool.AndroidOS.Fakapp apps distributed under the guise of pornographic material rose. These apps collect and forward device information to a server, then open arbitrary URLs sent back in response.
Users attacked by the malware or unwanted software as a percentage* of all targeted users of Kaspersky mobile products, Q1*–Q2 2024 (download)
*The sum may be greater than 100% if the same users encountered more than one type of attack.
Despite the prevalence of RiskTool.AndroidOS.Fakapp installation packages, the number of real users who encountered this family showed no noticeable growth. In other words, attackers released many unique samples, but their distribution was limited.
The main changes in the distribution of the share of attacked users were driven by a fall in the activity of HiddenAd adware and a rise in the activity of two RiskTool apps: Revpn and SpyLoan.
TOP 20 most frequently detected mobile malware programs
Note that the malware rankings below exclude riskware and potentially unwanted software, such as RiskTool or adware.
| Verdict | Prev % | New % | Difference in p.p. | Change in ranking |
| DangerousObject.Multi.Generic | 9.82 | 11.44 | +1.61 | +1 |
| DangerousObject.AndroidOS.GenericML | 3.83 | 7.56 | +3.72 | +6 |
| Trojan.AndroidOS.Triada.ga | 5.66 | 6.66 | +1.00 | +2 |
| Trojan.AndroidOS.Fakemoney.v | 8.60 | 6.60 | -2.00 | -1 |
| Trojan.AndroidOS.Boogr.gsh | 6.62 | 6.01 | -0.61 | -1 |
| Trojan.AndroidOS.Triada.fd | 10.38 | 5.89 | -4.49 | -5 |
| Trojan.AndroidOS.Triada.gm | 0.00 | 5.16 | +5.16 | |
| Trojan-Downloader.AndroidOS.Dwphon.a | 5.26 | 2.71 | -2.55 | -2 |
| Trojan.AndroidOS.Generic | 2.08 | 2.59 | +0.51 | +5 |
| Trojan.AndroidOS.Triada.gn | 0.00 | 2.23 | +2.23 | |
| Trojan-Spy.AndroidOS.SpyNote.bz | 3.52 | 1.97 | -1.55 | -2 |
| Trojan-Dropper.AndroidOS.Agent.sm | 2.09 | 1.75 | -0.34 | +1 |
| Trojan.AndroidOS.Triada.gb | 1.34 | 1.72 | +0.37 | +11 |
| Trojan.AndroidOS.Fakemoney.bj | 4.26 | 1.47 | -2.79 | -7 |
| Trojan-Dropper.AndroidOS.Badpack.g | 1.87 | 1.40 | -0.47 | +1 |
| Trojan.AndroidOS.Triada.ex | 2.42 | 1.37 | -1.05 | -5 |
| Trojan-Banker.AndroidOS.Mamont.aq | 0.00 | 1.36 | +1.36 | |
| Trojan-Downloader.AndroidOS.Agent.ms | 1.39 | 1.34 | -0.05 | +5 |
| Trojan.AndroidOS.Triada.gh | 0.00 | 1.31 | +1.31 | |
| Trojan-Downloader.AndroidOS.Agent.mm | 2.12 | 1.29 | -0.83 | -8 |
The generalized cloud verdict DangerousObject.Multi.Generic returned to the top spot, and the cloud AI-delivered verdict DangerousObject.AndroidOS.GenericML also moved up. Also placing highly again were the Fakemoney Trojan, which scams users out of personal data with a promise of easy cash, the pre-installed Dwphon Trojan and modified versions of WhatsApp with built-in Triada modules. The latter include Trojan-Downloader.AndroidOS.Agent.ms.
The Mamont banking Trojan, which steals money by scanning text messages, saw quite a jump in its popularity.
Region-specific malware
This section describes malware whose activity is concentrated in specific countries.
| Verdict | Country* | %** |
| Backdoor.AndroidOS.Tambir.a | Turkey | 99.51 |
| Trojan-Banker.AndroidOS.BrowBot.q | Turkey | 99.30 |
| Trojan-Banker.AndroidOS.BrowBot.a | Turkey | 98.88 |
| Backdoor.AndroidOS.Tambir.d | Turkey | 98.24 |
| Trojan-Banker.AndroidOS.Rewardsteal.dn | India | 98.18 |
| Trojan-Banker.AndroidOS.UdangaSteal.k | India | 97.44 |
| HackTool.AndroidOS.FakePay.c | Brazil | 97.43 |
| Trojan-Banker.AndroidOS.Rewardsteal.c | India | 97.03 |
| Trojan-Banker.AndroidOS.Agent.ox | India | 96.97 |
| Trojan-Spy.AndroidOS.SmsThief.wk | India | 96.92 |
| Trojan-Banker.AndroidOS.Rewardsteal.n | India | 96.74 |
| Trojan-Banker.AndroidOS.UdangaSteal.f | Indonesia | 96.40 |
| Backdoor.AndroidOS.Tambir.b | Turkey | 96.20 |
| Trojan-Dropper.AndroidOS.Hqwar.hc | Turkey | 96.19 |
| Trojan-Banker.AndroidOS.Agent.pp | India | 95.97 |
| Trojan-Banker.AndroidOS.UdangaSteal.b | Indonesia | 95.23 |
| Trojan-Dropper.AndroidOS.Agent.sm | Turkey | 95.11 |
| Trojan-SMS.AndroidOS.EvilInst.f | Thailand | 95.05 |
| Trojan-SMS.AndroidOS.EvilInst.b | Thailand | 94.64 |
| Trojan-Spy.AndroidOS.SmsThief.vb | Indonesia | 94.57 |
| Trojan-Banker.AndroidOS.Coper.b | Turkey | 94.31 |
*Country where the malware was most active.
**Unique users who encountered this Trojan modification in the given country as a percentage of all users of Kaspersky mobile solutions targeted by this modification.
Users in Turkey continue to face banking Trojan attacks. At the same time, the list of malware active in the country remains unchanged: the VNC backdoor Tambir, the text message-stealing Trojan BrowBot and Hqwar banking Trojan packers were already mentioned in a past report.
Indonesia still has the largest concentration of UdangaSteal Trojans for stealing text messages. These are often sent to victims under the guise of wedding invitations. Similar to the last quarter, the payment-simulating app FakePay was widespread in Brazil, while users in Thailand ran into the EvilInst Trojan, which sends paid text messages.
A large number of families centered in India made it to the top. Rewardsteal snatches banking data under the pretense of a money giveaway; SmsThief.wk and Agent.ox steal text messages.
Mobile banking Trojans
The number of new unique installation packages for banking Trojans remains at the same level for the third quarter straight.
Number of installation packages for mobile banking Trojans detected by Kaspersky, Q2 2023 – Q2 2024 (download)
The total number of Trojan-Banker attacks is still on the rise, meaning that each new banking Trojan released by threat actors is increasingly used in attacks.
TOP 10 mobile bankers
| Verdict | Prev % | New % | Difference in p.p. | Change in ranking |
| Trojan-Banker.AndroidOS.Mamont.aq | 0.00 | 14.13 | +14.13 | |
| Trojan-Banker.AndroidOS.UdangaSteal.b | 7.00 | 10.10 | +3.10 | +3 |
| Trojan-Banker.AndroidOS.Bian.h | 10.21 | 7.46 | -2.76 | 0 |
| Trojan-Banker.AndroidOS.GodFather.m | 0.97 | 6.41 | +5.44 | +20 |
| Trojan-Banker.AndroidOS.Faketoken.z | 1.39 | 5.17 | +3.79 | +14 |
| Trojan-Banker.AndroidOS.Mamont.am | 0.00 | 5.12 | +5.12 | |
| Trojan-Banker.AndroidOS.Mamont.o | 4.58 | 5.00 | +0.42 | -1 |
| Trojan-Banker.AndroidOS.Agent.pp | 0.00 | 4.59 | +4.59 | |
| Trojan-Banker.AndroidOS.Agent.eq | 13.39 | 4.51 | -8.88 | -8 |
| Trojan-Banker.AndroidOS.Svpeng.aj | 0.95 | 3.74 | +2.79 | +15 |
Mobile ransomware Trojans
The number of ransomware installation packages decreased compared to Q1 2024 to roughly the same level as a year ago.
Number of installation packages for mobile ransomware Trojans detected by Kaspersky, Q2 2023 – Q2 2024 (download)
In the distribution of attacks, Rasket and Rkor ransomware dropped out of the top, and Pigetrl also fell. Other top-ranking families became markedly more active, not only percentage-wise, but in terms of absolute numbers.
| Verdict | Prev % | New % | Difference in p.p. | Change in ranking |
| Trojan-Ransom.AndroidOS.Svpeng.ac | 11.17 | 52.56 | +41.39 | +3 |
| Trojan-Ransom.AndroidOS.Congur.cw | 10.96 | 52.41 | +41.45 | +3 |
| Trojan-Ransom.AndroidOS.Small.cj | 10.49 | 49.76 | +39.26 | +3 |
| Trojan-Ransom.AndroidOS.Congur.ap | 6.66 | 41.52 | +34.86 | +3 |
| Trojan-Ransom.AndroidOS.Svpeng.ah | 6.03 | 35.62 | +29.59 | +4 |
| Trojan-Ransom.AndroidOS.Congur.bf | 4.15 | 32.98 | +28.83 | +5 |
| Trojan-Ransom.AndroidOS.Svpeng.snt | 5.72 | 25.72 | +20.00 | +3 |
| Trojan-Ransom.AndroidOS.Svpeng.ad | 3.42 | 24.79 | +21.37 | +4 |
| Trojan-Ransom.AndroidOS.Svpeng.ab | 3.32 | 24.60 | +21.28 | +5 |
| Trojan-Ransom.AndroidOS.Pigetrl.a | 15.56 | 12.70 | -2.86 | -8 |
Authors
From the same authors
In the same category
IT threat evolution in Q2 2024. Mobile statistics