Authors
- IT threat evolution in Q3 2023
- IT threat evolution in Q3 2023. Non-mobile statistics
- IT threat evolution in Q3 2023. Mobile statistics
These statistics are based on detection verdicts of Kaspersky products received from users who consented to providing statistical data.
Quarterly figures
According to Kaspersky Security Network, in Q3 2023:
- A total of 8,346,169 mobile malware, adware, and riskware attacks were blocked.
- The most common threat to mobile devices was adware, accounting for 52% of all detected threats.
- 438,962 malicious installation packages were detected, of which:
- 21,674 packages were related to mobile banking Trojans;
- 1,855 packages were mobile ransomware Trojans.
Quarterly highlights
The number of malware, adware and unwanted software attacks on mobile devices continued to climb in Q3. In total, Kaspersky products blocked more than 8.3 million attacks.
Number of attacks targeting users of Kaspersky mobile solutions, Q1 2022 — Q3 2023 (download)
This quarter, we discovered on Google Play a malicious app that we assigned the verdict Trojan-Downloader.AndroidOS.Banker.aj.
Disguised as a PDF viewer, the app in fact downloaded the Trojan-Banker.AndroidOS.Coper.a banking Trojan to the victim’s device.
Our other find on Google Play was a spyware Telegram mod capable of stealing user messages.
Also in Q3, cybercriminals made active use of a modified remote access client disguised as a bank technical support app to siphon off money. During the reporting period, more than 3,000 attacks using such apps were blocked.
One other discovery this quarter was the spyware Trojan-Spy.AndroidOS.Agent.afd. The malware caught our eye for its non-standard development approach: almost all Android malware is written in Java, sometimes in C/C++, but the coders of this malware opted for .NET Framework. This cross-platform framework is used widely to create Windows software, but rarely to write malware for Android.
Mobile threat statistics
The number of new malware samples continues to grow, attaining the level of Q3 of last year.
Number of detected malicious installation packages, Q3 2022 — Q3 2023 (download)
Distribution of detected mobile malware by type*
Distribution of newly detected mobile malware by type, Q2 2023 and Q3 2023 (download)
* Data for the previous quarter may differ slightly from previously published data due to some verdicts being retrospectively revised.
Adware and potentially unwanted software (riskware) traditionally top the rankings. Among adware families, first place again went to MobiDash, which increased its relative share to 55%; next come the generalized verdicts Dnotua (10.8%) and HiddenAd (4.3%).
Share of users who encountered a certain type of threat out of all attacked mobile users in Q2 2023 and Q3 2023 (download)
RiskTool threats (6.83%) dropped one place in the ranking by share of attacked users, ceding ground to Trojans (24.66%), while top spot was retained by adware (63.66%). Among Trojans, the previously described GriftHorse and Fakemoney remained highly active, but in first position this quarter was the adware Trojan Triada (23.5%) in WhatsApp mods.
TOP 20 most frequently detected mobile malware programs
Note that the malware rankings below exclude riskware and potentially unwanted software, such as RiskTool or adware.
| Verdict | % in Q2 2023* | % in Q3 2023* | Difference in p.p. | Change in ranking | |
| 1 | DangerousObject.Multi.Generic | 16.79 | 14.98 | –1.81 | 0 |
| 2 | Trojan.AndroidOS.Triada.et | 0.52 | 12.16 | +11.64 | +39 |
| 3 | Trojan.AndroidOS.GriftHorse.l | 8.38 | 10.89 | +2.51 | 0 |
| 4 | Trojan.AndroidOS.Fakemoney.v | 5.34 | 9.67 | +4.33 | +2 |
| 5 | Trojan.AndroidOS.Boogr.gsh | 10.05 | 7.05 | –3.00 | –3 |
| 6 | Trojan-Dropper.AndroidOS.Badpack.g | 2.96 | 4.67 | +1.71 | +3 |
| 7 | Trojan.AndroidOS.Generic | 6.56 | 3.94 | –2.62 | –3 |
| 8 | Trojan-Dropper.AndroidOS.Agent.uc | 0.00 | 3.39 | +3.39 | |
| 9 | Trojan-Dropper.AndroidOS.Hqwar.bk | 2.17 | 3.01 | +0.84 | +2 |
| 10 | Trojan.AndroidOS.Triada.ex | 0.00 | 2.97 | +2.97 | |
| 11 | Trojan.AndroidOS.Fakeapp.ft | 0.00 | 2.93 | +2.93 | |
| 12 | DangerousObject.AndroidOS.GenericML | 3.14 | 2.03 | –1.11 | –4 |
| 13 | Trojan.AndroidOS.Piom.aypd | 0.00 | 1.64 | +1.64 | |
| 14 | Trojan-Spy.AndroidOS.Agent.acq | 6.10 | 1.36 | –4.74 | –9 |
| 15 | Trojan.AndroidOS.Fakemoney.x | 2.02 | 1.31 | –0.71 | –3 |
| 16 | Trojan-Banker.AndroidOS.Agent.eq | 0.73 | 1.27 | +0.54 | +11 |
| 17 | Trojan.AndroidOS.GriftHorse.al | 0.00 | 1.07 | +1.07 | |
| 18 | Trojan.AndroidOS.GriftHorse.ah | 1.54 | 1.07 | –0.48 | +2 |
| 19 | Trojan-Downloader.AndroidOS.Agent.mh | 1.72 | 1.00 | –0.73 | –5 |
| 20 | Trojan-Dropper.AndroidOS.Agent.ub | 0.00 | 0.89 | +0.89 |
* Unique users who encountered this malware as a percentage of all attacked users of Kaspersky mobile solutions.
The generalized cloud verdict DangerousObject.Multi.Generic (14.98%) held on to first position in Q3. In second place was a malicious WhatsApp mod with the verdict Trojan.AndroidOS.Triada.et (12.16%), followed by GriftHorse and Fakemoney, which have been regular fixtures in the TOP 20 for several quarters in a row. Ranking behind the collective verdict for machine-learning technologies Trojan.AndroidOS.Boogr.gsh (7.05%) was Trojan-Dropper.AndroidOS.Badpack.g (4.67%), a packer commonly used to deliver banking malware.
Region-specific malware
This section describes mobile malware that mostly targets the residents of certain countries.
| Verdict | Country* | %** |
| Trojan-Banker.AndroidOS.GodFather.i | Turkey | 100.00 |
| Trojan-Banker.AndroidOS.BRats.b | Brazil | 99.59 |
| Trojan-Banker.AndroidOS.Agent.la | Turkey | 98.65 |
| Trojan-Banker.AndroidOS.GodFather.h | Turkey | 98.62 |
| Trojan.AndroidOS.Piom.axdh | Turkey | 98.42 |
| Trojan-Banker.AndroidOS.GodFather.m | Turkey | 98.30 |
| Trojan-Banker.AndroidOS.Agent.lc | Indonesia | 98.21 |
| Trojan-Spy.AndroidOS.SmsThief.vb | Indonesia | 97.95 |
| Trojan-Spy.AndroidOS.SmsEye.b | Indonesia | 97.65 |
| Trojan-Banker.AndroidOS.Agent.lw | Azerbaijan | 96.98 |
| Trojan-Spy.AndroidOS.SmsThief.tt | Iran | 96.70 |
| Trojan-Spy.AndroidOS.SmsThief.tw | Indonesia | 96.57 |
| Trojan-Dropper.AndroidOS.Hqwar.hc | Turkey | 94.76 |
| Trojan-Spy.AndroidOS.SmsThief.de | Indonesia | 94.23 |
| Trojan.AndroidOS.Hiddapp.bn | Iran | 94.00 |
| Trojan-Dropper.AndroidOS.Agent.sm | Turkey | 88.15 |
| Trojan-Spy.AndroidOS.FakeApp.an | Turkey | 82.71 |
* Country where the malware was most active.
* Unique users who encountered the malware in the indicated country as a percentage of all Kaspersky mobile security solution users attacked by the same malware.
When it comes to attacks concentrated in a specific country, the leader in Q3 was Turkey. Among the threats faced by residents there, banking Trojans predominated. These included Trojan-Banker.AndroidOS.GodFather, which gives intruders remote access to devices, and Trojan-Banker.AndroidOS.Agent.la, which steals text messages. The Trojan-Dropper.AndroidOS.Agent.sm and Trojan-Dropper.AndroidOS.Hqwar.hc packers are also used to deliver banking malware to the victim.
The Brats banking Trojan continues to target users in Brazil, while various SMS-based spyware mods have been seeking new victims in Indonesia. Also of interest was the relative concentration of Trojan.AndroidOS.Thamera.u malware attacks in India. This Trojan is used to turn the target device into a proxy for creating accounts on social networks.
Mobile banking Trojans
In Q3 2023, the number of new banking Trojan installation packages dropped sharply to 21,000.
Number of installation packages for mobile banking Trojans detected by Kaspersky, Q3 2022 — Q3 2023 (download)
Ten most common mobile bankers
| Verdict | % in Q2 2023* | % in Q3 2023* | Difference in p.p. | Change in ranking | |
| 1 | Trojan-Banker.AndroidOS.Agent.eq | 13.05 | 28.95 | +15.90 | +1 |
| 2 | Trojan-Banker.AndroidOS.Bian.h | 29.33 | 18.23 | –11.10 | –1 |
| 3 | Trojan-Banker.AndroidOS.Agent.ma | 0.00 | 5.68 | +5.68 | –3 |
| 4 | Trojan-Banker.AndroidOS.Agent.cf | 11.45 | 5.15 | –6.29 | –1 |
| 5 | Trojan-Banker.AndroidOS.Agent.la | 1.39 | 4.58 | +3.19 | +7 |
| 6 | Trojan-Banker.AndroidOS.Anubis.ab | 0.00 | 2.42 | +2.42 | |
| 7 | Trojan-Banker.AndroidOS.Faketoken.pac | 8.49 | 2.40 | –6.09 | –3 |
| 8 | Trojan-Banker.AndroidOS.Svpeng.q | 2.40 | 2.06 | –0.34 | –1 |
| 9 | Trojan-Banker.AndroidOS.GodFather.i | 0.00 | 1.55 | +1.55 | |
| 10 | Trojan-Banker.AndroidOS.GodFather.h | 0.00 | 1.50 | +1.50 |
* Unique users who encountered this malware as a percentage of all Kaspersky mobile security solution users who encountered banking threats.
Despite the fall in the number of unique installation packages, the total number of Trojan-Banker malware attacks even rose slightly. In other words, one and the same files are increasingly being reused to carry out attacks on different users.
Mobile ransomware Trojans
Q3 saw a slight change in the number of new ransomware installation packages compared to the previous quarter.
Number of installation packages for mobile ransomware Trojans detected by Kaspersky, Q3 2022 — Q3 2023 (download)
TOP 10 most common mobile ransomware
| Verdict | % in Q2 2023* | % in Q3 2023* | Difference in p.p. | Change in ranking | |
| 1 | Trojan-Ransom.AndroidOS.Rasket.a | 5.60 | 32.44 | +26.84 | +1 |
| 2 | Trojan-Ransom.AndroidOS.Pigetrl.a | 47.55 | 25.27 | –22.27 | –1 |
| 3 | Trojan-Ransom.AndroidOS.Rkor.eg | 0.35 | 10.56 | +10.21 | +59 |
| 4 | Trojan-Ransom.AndroidOS.Rkor.ef | 1.04 | 6.77 | +5.73 | +18 |
| 5 | Trojan-Ransom.AndroidOS.Rkor.eh | 0.00 | 1.61 | +1.61 | |
| 6 | Trojan-Ransom.AndroidOS.Congur.cw | 2.73 | 1.56 | –1.17 | 0 |
| 7 | Trojan-Ransom.AndroidOS.Small.as | 3.02 | 1.51 | –1.52 | –3 |
| 8 | Trojan-Ransom.AndroidOS.Congur.y | 4.56 | 1.40 | –3.16 | –5 |
| 9 | Trojan-Ransom.AndroidOS.Small.cj | 0.94 | 1.32 | +0.38 | +16 |
| 10 | Trojan-Ransom.AndroidOS.Agent.bw | 1.44 | 1.27 | –0.17 | +4 |
* Unique users who encountered this malware as a percentage of all Kaspersky mobile security solution users attacked by ransomware Trojans.
The Rasket.a Trojan (32.44%) leaped into first place by number of attacks among other malware of the same type. As usual, the remaining positions in the ranking are occupied by various modifications of Pigetrl, Rkor, Congur and Small.
Authors
From the same authors
In the same category
IT threat evolution in Q3 2023. Mobile statistics