
Mobile malware evolution 2021

These statistics are based on detection verdicts of Kaspersky products received from users who consented to providing statistical data.

Figures of the year

In 2021, Kaspersky mobile products and technologies detected:

  • 3,464,756 malicious installation packages
  • 97,661 new mobile banking Trojans
  • 17,372 new mobile ransomware Trojans

In 2021, we observed a downward trend in the number of attacks on mobile users. But it is too early to celebrate: attacks are becoming more sophisticated in terms of both malware functionality and vectors.

Last year saw repeat incidents of malicious code injection into popular apps through ad SDKs, as in the sensational CamScanner case: we found malicious code inside ad libraries in the official APKPure client, as well as in a modified WhatsApp build.

Experts also continued to find malware in apps on Google Play, despite Google’s efforts to keep threats off the platform. Especially notable in 2021 were the Joker Trojan, which signs victims up to paid subscriptions, the Facestealer Trojan, which steals credentials from Facebook accounts, and various banking Trojan loaders. The most common way to sneak malware onto Google Play is for a Trojan to mimic a legitimate app already published on the site (for example, a photo editor or a VPN service) with the addition of a small piece of code to decrypt and launch a payload from the Trojan’s body or download it from the attackers’ server. Often, to complicate dynamic analysis, unpacking actions are performed through commands from the attackers’ server and in several steps: each decrypted module contains the address of the next one, plus instructions for decrypting it.

Besides apps with actual malicious functionality, there are various scamming apps on Google Play — for example, ones that imitate services where you can apply for welfare payments and redirect the user to a page asking for their data and payment of a fee.

Banking Trojans acquired new capabilities in 2021. The Fakecalls banker, which targets Korean users, drops outgoing calls to the victim’s bank and plays pre-recorded operator responses stored in the Trojan’s body. The Sova banker steals cookies, enabling attackers to access the user’s current session and personal mobile banking account without knowing the login credentials. The Vultur backdoor uses VNC (Virtual Network Computing) to record the smartphone screen; when the user opens an app that is of interest to attackers, they can monitor the on-screen events.

Another interesting find in 2021 was the first Gamethief-type mobile Trojan aimed at stealing account credentials for the mobile version of PlayerUnknown’s Battlegrounds (PUBG).

After 2020, which was full of newsbreaks and opportunities for disguising malware, for example as Covid-19 trackers or video conferencing apps, the pandemic topic gradually faded in the reporting year. There were no new global cybercriminal trends. One of the few examples of a trending topic being exploited was the Joker Trojan on Google Play, which masqueraded as a wallpaper app in the style of Squid Game.

Speaking of mobile threats, we cannot fail to mention the high-profile investigation of the Pegasus spyware. Because protection against such programs is quite a live issue, we drew up some recommendations on how to guard against advanced spyware (or, at any rate, greatly complicate the intruder’s task).

Statistics

Number of installation packages

In 2021, we detected 3,464,756 mobile malicious installation packages, down 2,218,938 from the previous year. Overall, the number of mobile malware installation packages dropped to around 2019 levels.

Number of detected malicious installation packages, 2018–2021

Number of attacks on mobile users

The number of attacks fell smoothly throughout the reporting period, reaching in H2 2021 the lowest monthly average in the past two years.

Number of attacks on mobile users, 2019–2021

Geography of mobile threats

Map of infection attempts by mobile malware, 2021

Top 10 countries by share of users attacked by mobile malware

Country* %**
1 Iran 40.22
2 China 28.86
3 Saudi Arabia 27.99
4 Algeria 24.49
5 India 20.91
6 Iraq 19.65
7 Yemen 19.26
8 Oman 17.89
9 Kuwait 17.30
10 Morocco 17.09

* Excluded from the rating are countries with relatively few users of Kaspersky mobile technologies (under 10,000).
** Unique users attacked as a percentage of all users of Kaspersky mobile technologies in the country.

For the fifth year in a row, Iran topped the leaderboard by share of infections: 40.22% of users there encountered mobile threats. As in the previous year, this was largely due to the active distribution of adware from the AdWare.AndroidOS.Notifyer family.

In second place is China (28.86%), where users most often crossed paths with potentially unwanted apps from the RiskTool.AndroidOS.Wapron family. Members of this family target victims’ mobile accounts, in particular by sending chargeable text messages on behalf of the victim as payment for supposedly viewing porn.

Not far behind in third place lies Saudi Arabia (27.99%), where users most often came across adware from the AdWare.AndroidOS.HiddenAd family.

Distribution of detected mobile threats by type

Distribution of new detected mobile threats by type, 2020 and 2021

As in 2020, adware (42.42%) accounted for the largest share of all detected threats in the reporting period, despite a fall of 14.83 p.p. against 2020.

Potentially unwanted RiskTool apps (35.27%) ranked second; their share increased by 13.93 p.p. after a sharp decline in 2019–2020.

In third place were Trojan threats (8.86%), whose share rose by 4.41 p.p.

Distribution of attacks by type of software used

Distribution of attacks by type of software used, 2021

In 2021, as in previous years, the largest share of attacks on mobile users belonged to malware (80.69%). At the same time, the share of adware-based attacks continued to grow: 16.92% versus 14.62% in 2020, while the share of attacks using RiskWare-class apps fell (2.38% versus 3.21%).

Mobile adware

In the reporting period, as in 2020, more than half of all detected adware (53.66%) came from the Ewind family, an aggressive form of adware that tracks user actions and resists deletion.

Top 10 adware families detected in 2021

Name %*
1 Ewind 53.66
2 HiddenAd 18.48
3 FakeAdBlocker 13.34
4 MobiDash 3.54
5 Adlo 1.89
6 Dnotua 1.09
7 Agent 1.09
8 Fyben 1.05
9 Loead 0.66
10 Kuguo 0.63

* Share of the adware family packages in the total number of adware packages.

RiskTool-class apps

In 2021, SMSreg regained its supremacy among RiskTool-class threats: 90.96% of detected apps of this type were members of this family. In absolute terms, the number of SMSreg packages more than doubled compared to 2020 to 1,111,713 apps. A characteristic feature of this family is making payments (for example, money transfers or subscriptions to mobile services) by text message without explicitly informing the user.

Top 10 RiskTool families detected in 2021

Name %*
1 SMSreg 90.96
2 Dnotua 4.07
3 Resharer 1.14
4 Robtes 1.06
5 Agent 0.79
6 Wapron 0.53
7 Autopay 0.28
8 SmsPay 0.18
9 ContactsCollector 0.17
10 Hamad 0.12

* Share of the RiskTool family packages in the total number of RiskTool packages.

Top 20 mobile malware programs

Note that the malware rankings below exclude riskware or PUAs, such as RiskTool or adware.

Verdict %*
1 DangerousObject.Multi.Generic 33.69
2 Trojan-SMS.AndroidOS.Agent.ado 6.65
3 DangerousObject.AndroidOS.GenericML 4.92
4 Trojan-Spy.AndroidOS.SmsThief.po 3.91
5 Trojan.AndroidOS.Agent.vz 3.68
6 Trojan-Downloader.AndroidOS.Necro.d 3.58
7 Trojan.AndroidOS.Triada.el 3.07
8 Trojan.AndroidOS.Whatreg.b 3.02
9 Trojan.AndroidOS.Triada.ef 3.01
10 Trojan-Dropper.AndroidOS.Hqwar.cf 2.81
11 Trojan-Dropper.AndroidOS.Hqwar.bk 2.80
12 Trojan.AndroidOS.MobOk.ad 2.78
13 Trojan.AndroidOS.Hiddad.gx 2.11
14 Trojan.AndroidOS.Triada.dq 2.02
15 Trojan-SMS.AndroidOS.Fakeapp.b 1.91
16 Exploit.AndroidOS.Lotoor.be 1.84
17 Trojan-Dropper.AndroidOS.Agent.rp 1.75
18 HackTool.AndroidOS.Wifikill.c 1.60
19 Trojan-Banker.AndroidOS.Agent.eq 1.58
20 Trojan-Downloader.AndroidOS.Agent.kx 1.55

* Unique users attacked by this malware as a percentage of all attacked users of Kaspersky mobile technologies.

As per tradition, first place in our Top 20 went to DangerousObject.Multi.Generic (33.69%), the verdict we use for malware detected using cloud technologies. Cloud technologies are deployed when the antivirus databases lack data for detecting a piece of malware, but the company’s cloud already contains information about the object. This is essentially how the latest malware types are detected.

Trojan-SMS.AndroidOS.Agent.ado (6.65%), which sends text messages to short premium numbers, moved up from sixth to second position. Victims of this malware are predominantly in Russia.

In third place was the verdict DangerousObject.AndroidOS.GenericML (4.92%). These verdicts are assigned to files recognized as malicious by our machine-learning systems.

Fourth position was taken by Trojan-Spy.AndroidOS.SmsThief.po (3.91%), whose main function is to monitor incoming text messages and send captured data to the cybercriminals’ server.

In fifth place was Trojan.AndroidOS.Agent.vz (3.68%), a malicious module that forms a link in the infection chain of various Trojans and is responsible for downloading other modules, in particular the above-mentioned Ewind adware.

Trojan-Downloader.AndroidOS.Necro.d (3.58%), which downloads, installs and runs other apps on command, dropped to sixth place.

Trojans from the Triada family ranked seventh, ninth and fourteenth in the ranking. These are used to download and run other malicious programs on the infected device. Users infected with Triada also frequently encounter the above-mentioned Trojan-Downloader.AndroidOS.Necro.d, as well as Trojan.AndroidOS.Whatreg.b (eighth place, 3.02%), which allows cybercriminals to link new WhatsApp accounts to victims’ phone numbers and use them at will, and also Trojan-Dropper.AndroidOS.Agent.rp (seventeenth place, 1.75%), which decrypts payloads from APK file resources before downloading and running other malware.

Tenth and eleventh places go to members of the Trojan-Dropper.AndroidOS.Hqwar family of droppers that unpack and run various banking Trojans on the victim’s device. After a rise in the number of attacks by this malware in 2020, the number of detections in the reporting period fell back to 2019 levels.

Twelfth position is taken by a member of the Trojan.AndroidOS.MobOk.ad family (2.78%), which subscribes users to paid services.

Thirteenth place belongs to Trojan.AndroidOS.Hiddad.gx (2.11%), tasked with displaying advertising banners and ensuring a permanent presence on the device by hiding the icon in the app bar.

In fifteenth place is Trojan-SMS.AndroidOS.Fakeapp.b (1.91%), which can send text messages and make calls to specified numbers, display ads and hide its icon on the device. Most users attacked by this malware were located in Russia.

Exploit.AndroidOS.Lotoor.be (1.84%), an exploit used to elevate privileges on Android devices to superuser, lies in sixteenth position. Members of this family are found bundled with other common malware such as Triada and Necro.

Eighteenth place is secured by the HackTool.AndroidOS.Wifikill.c utility (1.60%), whose task is to carry out DoS attacks on Wi-Fi networks to disconnect other users.

In nineteenth place is Trojan-Banker.AndroidOS.Agent.eq (1.58%). Hiding behind this verdict are mostly banking Trojans from the Wroba family, and more than half of attacks targeted Japan.

Trojan-Downloader.AndroidOS.Agent.kx (1.55%), which is distributed with legitimate software and downloads adware, rounds out our Top 20.
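The Top 20 above lists verdicts per variant, and the text notes that Triada holds three positions and Hqwar two. The following added Python example (not code from the report) parses the verdict naming scheme as it appears in these tables, assumed here to be Behaviour.Platform.Family[.variant], and rolls the per-verdict shares up by family; because each percentage counts unique users per verdict, a user hit by two variants of one family appears under both, so the family figure is only an upper bound.

```python
"""Group the page's Top 20 mobile malware verdicts by family (added example).

Assumed verdict format, as the names appear in the report's tables:
    <Behaviour>.<Platform>.<Family>[.<variant>]   e.g. Trojan-Banker.AndroidOS.Agent.eq
Summing per-verdict shares gives only an upper bound for a family: the page's
percentages are unique users per verdict, so a user hit by two variants of one
family is counted under both.
"""
from collections import defaultdict
from typing import NamedTuple, Optional


class Verdict(NamedTuple):
    behaviour: str           # "Trojan-Banker", "Exploit", "DangerousObject", ...
    platform: str            # "AndroidOS" or "Multi"
    family: str              # "Triada", "Hqwar", "Generic", ...
    variant: Optional[str]   # "el", "cf", ...; None for generic verdicts


def parse_verdict(name: str) -> Verdict:
    parts = name.split(".")
    if len(parts) not in (3, 4):
        raise ValueError(f"unexpected verdict format: {name!r}")
    return Verdict(parts[0], parts[1], parts[2], parts[3] if len(parts) == 4 else None)


# Top 20 mobile malware of 2021 exactly as listed on the page: (verdict, % of attacked users).
TOP20_2021 = [
    ("DangerousObject.Multi.Generic", 33.69), ("Trojan-SMS.AndroidOS.Agent.ado", 6.65),
    ("DangerousObject.AndroidOS.GenericML", 4.92), ("Trojan-Spy.AndroidOS.SmsThief.po", 3.91),
    ("Trojan.AndroidOS.Agent.vz", 3.68), ("Trojan-Downloader.AndroidOS.Necro.d", 3.58),
    ("Trojan.AndroidOS.Triada.el", 3.07), ("Trojan.AndroidOS.Whatreg.b", 3.02),
    ("Trojan.AndroidOS.Triada.ef", 3.01), ("Trojan-Dropper.AndroidOS.Hqwar.cf", 2.81),
    ("Trojan-Dropper.AndroidOS.Hqwar.bk", 2.80), ("Trojan.AndroidOS.MobOk.ad", 2.78),
    ("Trojan.AndroidOS.Hiddad.gx", 2.11), ("Trojan.AndroidOS.Triada.dq", 2.02),
    ("Trojan-SMS.AndroidOS.Fakeapp.b", 1.91), ("Exploit.AndroidOS.Lotoor.be", 1.84),
    ("Trojan-Dropper.AndroidOS.Agent.rp", 1.75), ("HackTool.AndroidOS.Wifikill.c", 1.60),
    ("Trojan-Banker.AndroidOS.Agent.eq", 1.58), ("Trojan-Downloader.AndroidOS.Agent.kx", 1.55),
]


def family_upper_bounds(rows):
    """Sum shares per (behaviour, family), largest first. 'Agent' is a catch-all
    family name, so keying on behaviour keeps Trojan-SMS.Agent and Trojan-Banker.Agent apart."""
    totals = defaultdict(float)
    ranks = defaultdict(list)
    for rank, (name, share) in enumerate(rows, start=1):
        v = parse_verdict(name)
        totals[(v.behaviour, v.family)] += share
        ranks[(v.behaviour, v.family)].append(rank)
    # {(behaviour, family): (upper-bound share, positions held in the Top 20)}
    return {k: (round(totals[k], 2), ranks[k])
            for k in sorted(totals, key=lambda k: -totals[k])}
```

Calling family_upper_bounds(TOP20_2021) puts the Triada family (positions 7, 9 and 14, at most 8.10% of attacked users) second only to the generic cloud verdict, ahead of any single variant other than DangerousObject.Multi.Generic.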

Mobile banking Trojans

In 2021, we detected 97,661 installation packages for mobile banking Trojans, which is down 59,049 from the previous year. The largest contributors to the statistics were the Trojan-Banker.AndroidOS.Agent (37.69% of all detected banking Trojans), Trojan-Banker.AndroidOS.Bray (21.08%) and Trojan-Banker.AndroidOS.Fakecalls (9.91%) families.

Number of installation packages of mobile banking Trojans detected by Kaspersky, 2018–2021

After sharp growth in the number of attacks by mobile banking Trojans starting H2 2020, we have seen a gradual decrease since the spring of 2021.

Number of attacks by mobile banking Trojans, 2020–2021

Top 10 mobile banking Trojans

Verdict %*
1 Trojan-Banker.AndroidOS.Agent.eq 19.22
2 Trojan-Banker.AndroidOS.Anubis.t 14.93
3 Trojan-Banker.AndroidOS.Svpeng.t 8.98
4 Trojan-Banker.AndroidOS.Svpeng.q 7.58
5 Trojan-Banker.AndroidOS.Asacub.ce 5.05
6 Trojan-Banker.AndroidOS.Agent.ep 4.88
7 Trojan-Banker.AndroidOS.Hqwar.t 3.08
8 Trojan-Banker.AndroidOS.Bian.f 2.46
9 Trojan-Banker.AndroidOS.Agent.cf 2.03
10 Trojan-Banker.AndroidOS.Bian.h 2.02

* Unique users attacked by this malware as a percentage of all users of Kaspersky mobile technologies that were attacked by banking threats.

In 2021, Trojan-Banker.AndroidOS.Agent.eq (19.22%) topped the list of banking Trojans we detected, having also featured in our overall Top 20 ranking of mobile threats. In second place is the banker Anubis.t (14.93%). Third and fourth positions were claimed by bankers from the Svpeng family: Svpeng.t (8.98%) and Svpeng.q (7.58%).

Geography of mobile banking threats, 2021

Top 10 countries by share of users attacked by mobile banking Trojans

Country* %**
1 Japan 2.18
2 Spain 1.55
3 Turkey 0.71
4 France 0.57
5 Australia 0.48
6 Germany 0.46
7 Norway 0.31
8 Italy 0.29
9 Croatia 0.28
10 Austria 0.28

* Excluded from the rating are countries with relatively few users of Kaspersky mobile technologies (under 10,000).
** Unique users attacked by mobile banking Trojans in the country as a percentage of all users of Kaspersky mobile technologies in the country.

In 2021, Japan ranked first by share of unique users attacked by mobile bankers (2.18%). The above-mentioned Trojan-Banker.AndroidOS.Agent.eq made the biggest contribution: 96.12% of all attacks.

Silver belongs to Spain (1.55%), where Trojan-Banker.AndroidOS.Bian.h was most often encountered (28.97%). And bronze goes to Turkey (0.71%), where Trojan-Banker.AndroidOS.Agent.ep (32.22%) leads the way.

Mobile ransomware Trojans

In 2021, we detected 17,372 installation packages for mobile ransomware Trojans — 3,336 fewer than last year.

Number of installation packages for mobile ransomware Trojans detected by Kaspersky, 2018–2021

What is more, the number of attacks by mobile ransomware Trojans, after a sharp increase in H2 2020, remained at roughly the same level, with a slight dip toward the end of 2021.

Number of attacks by mobile ransomware Trojans, 2020–2021

Top 10 mobile ransomware Trojans

Verdict %*
1 Trojan-Ransom.AndroidOS.Pigetrl.a 59.39
2 Trojan-Ransom.AndroidOS.Rkor.an 3.86
3 Trojan-Ransom.AndroidOS.Small.as 3.39
4 Trojan-Ransom.AndroidOS.Rkor.ax 3.23
5 Trojan-Ransom.AndroidOS.Rkor.bb 2.58
6 Trojan-Ransom.AndroidOS.Congur.am 2.35
7 Trojan-Ransom.AndroidOS.Rkor.be 2.29
8 Trojan-Ransom.AndroidOS.Rkor.bc 1.95
9 Trojan-Ransom.AndroidOS.Rkor.bh 1.88
10 Trojan-Ransom.AndroidOS.Rkor.az 1.79

* Unique users attacked by this malware as a percentage of all users of Kaspersky mobile technologies that were attacked by ransomware Trojans.

In 2021, Trojan-Ransom.AndroidOS.Pigetrl.a topped the leaderboard of ransomware Trojans with 59.39% of all users attacked by ransomware. Moreover, 91.67% of attacks by this Trojan hit users in Russia. Unlike traditional representatives of the Trojan-Ransom class, this malware does not demand a ransom, but simply locks the device screen with a prompt to enter a code. The Trojan provides no instructions on how to get this code, which is embedded in the body of the malware.

In second place by popularity among cybercriminals are members of the long familiar Trojan-Ransom.AndroidOS.Rkor family, taking seven positions in the Top 10. This malware accuses the user of viewing prohibited content and demands payment of a fine.

Geography of mobile ransomware Trojans, 2021

Top 10 countries by share of users attacked by mobile ransomware Trojans

Country* %**
1 Kazakhstan 0.80
2 Yemen 0.37
3 Kyrgyzstan 0.25
4 Sweden 0.20
5 Iraq 0.13
6 Colombia 0.12
7 China 0.12
8 Saudi Arabia 0.08
9 Uzbekistan 0.08
10 Morocco 0.06

* Excluded from the rating are countries with relatively few users of Kaspersky mobile technologies (under 10,000).
** Unique users attacked by mobile ransomware Trojans in the country as a percentage of all users of Kaspersky mobile technologies in the country.

The top-placed countries by number of users attacked by mobile ransomware Trojans in 2021 were Kazakhstan (0.80%), Yemen (0.37%) and Kyrgyzstan (0.25%). Users in Kazakhstan and Kyrgyzstan most often encountered members of the Trojan-Ransom.AndroidOS.Rkor family, and in Yemen Trojan-Ransom.AndroidOS.Pigetrl.a.

Conclusion

In the reporting period, after a surge in H2 2020, cybercriminal activity gradually abated: there were no global newsbreaks or major campaigns, and the Covid-19 topic began to fade. At the same time, new players continue to emerge on the cyberthreat market as malware becomes more sophisticated; thus, the fall in the overall number of attacks is “compensated” by the greater impact of a successful attack. Most dangerous of all in this regard are banking malware and spyware.

As in 2020, adware makes up the lion’s share of newly detected mobile threats, but its lead over the previous frontrunner — potentially unwanted software — is shrinking. That said, more than 80% of attacks are still carried out using mobile malware.
