Mobile threats

All of Ztorg Trojans were rooting malware that used exploits to gain root rights on the infected device. In May 2017, a new Ztorg variant appeared on the Google Play Store – only this this time it wasn’t a rooting malware but a Trojan-SMS.

In April 2017 we started observing new rooting malware being distributed through the Google Play Store. Unlike other rooting malware, this Trojan not only installs its modules into the system, it also injects malicious code into the system runtime libraries.

According to KSN data, Kaspersky Lab solutions detected and repelled 479,528,279 malicious attacks from online resources located in 190 countries all over the world. File antivirus detected a total of 174,989,956 unique malicious and potentially unwanted objects.

We’ve become accustomed to seeing a steady stream of security breaches month after month; and this quarter has been no exception, including attacks on Barts Health Trust, Sports Direct, Intercontinental Hotels Group and ABTA.

This research started when we discovered an infected Pokémon GO guide in Google Play. We detected the malware as Trojan.AndroidOS.Ztorg.ad. After some searching, I found some other similar infected apps that were being distributed from the Google Play Store.

In 2016, the growth in the number of advertising Trojans capable of exploiting super-user rights continued. Throughout the year it was the No. 1 threat, and we see no sign of this trend changing.

Fraudulent apps trying to send Premium SMS messages or trying to call to high rate phone numbers are not something new. It is much more interesting to talk about how certain groups bypass detection mechanisms such as those used by Google Play.

We’re often asked if there are any web injection attacks for Android devices. This is our attempt to investigate and give as full an answer as possible.

Although malware targeting the Android OS stopped being a novelty quite some time ago, this Android trojan is quite unique. Instead of attacking a user, it attacks the Wi-Fi network the user is connected to, or, to be precise, the wireless router that serves the network.

Many mobile bankers can block a device in order to extort money from its user. But we have discovered a modification of Trojan-Banker.AndroidOS.Faketoken that went even further – it can encrypt user data.

Earlier this month, we discovered a piece of encryption malware targeting Russian users. One of its peculiarities was that it uses Telegram Messenger’s communication protocol to send a decryption key to the threat actor.

We intercepted traffic coming from the attacked device when this sort of “advert” was displayed, and figured out how the malicious program Svpeng was downloaded and automatically saved.

The most popular mobile Trojan in the third quarter of 2016 was Trojan-Banker.AndroidOS.Svpeng.q. During the quarter, the number of users attacked by it grew almost eightfold.

Trojan-Ransom.AndroidOS.Fusob.h remained the most popular mobile Trojan-Ransomware in the third quarter, accounting for nearly 53% of users attacked by mobile ransomware.

The use of root privileges is not typical for banking malware attacks. However, in early February 2016, Kaspersky Lab discovered Trojan-Banker.AndroidOS.Tordow.a, whose creators decided that root privileges would come in handy.