IT threat evolution in Q2 2023. Mobile statistics

These statistics are based on detection verdicts of Kaspersky products received from users who consented to providing statistical data.

Quarterly figures

According to Kaspersky Security Network, in Q2 2023:

  • A total of 5,704,599 mobile malware, adware, and riskware attacks were blocked.
  • The most common threat to mobile devices was potentially unwanted software (RiskTool): 30.8% of all threats detected.
  • A total of 370,327 malicious installation packages were detected, of which:
    • 59,167 packages were related to mobile banking Trojans,
    • 1,318 packages were mobile ransomware Trojans.

Quarterly highlights

The number of malware, adware, or unwanted software attacks on mobile devices began to climb again in Q2 2023. Kaspersky products blocked a total of 5,700,000 attacks during the period.

Number of attacks targeting users of Kaspersky mobile solutions, Q4 2021 — Q2 2023

In Q2, we discovered a new type of ransomware named “Rasket”, created with the help of a shortcut utility.

We also discovered what we designated as “Trojan-Banker.AndroidOS.FakeShop.b”. The malware displayed a popular Asian online store, but with embedded JavaScript code that stole bank card details if the user tried to pay for a purchase.

The quarter’s other unusual discoveries included a movie-streaming app published on Google Play with a cryptominer inside. We assigned it the verdict of Trojan.AndroidOS.Miner.f.

Mobile threat statistics

In Q4 2022, we observed a noticeable decline in the number of malware installers due to decreased activity by Trojan-Dropper.AndroidOS.Ingopack. Q1 2023 saw a slight increase in the number of new malware samples, which continued into Q2.

Number of detected malicious installation packages, Q2 2022 — Q2 2023

Distribution of detected mobile malware by type

Distribution of newly detected mobile malware by type, Q1 2023 and Q2 2023

Unwanted software like RiskTool (30.79%) topped the rankings during the reporting period, with a significant part of the threat consisting of obfuscated Robtes files. The most numerous adware (22.69%) families in terms of packages were still MobiDash (30.7%), Adlo (20.6%), and HiddenAd (10.8%).

Share of users who encountered a certain type of threat out of all attacked mobile users in Q1 2023 and Q2 2023

The rankings underwent no changes from the previous quarter. RiskTool packages (9.45%), despite their huge absolute numbers, were still not as widespread as adware (62.65%). Various GriftHorse Trojan subscriber and Fakemoney investment app variants were the most active Trojan malware types.

TOP 20 most frequently detected mobile malware programs

Note that the malware rankings below exclude riskware or PUAs, such as RiskTool or adware.

| # | Verdict | %* Q1 2023 | %* Q2 2023 | Difference in pp | Change in ranking |
|---|---|---|---|---|---|
| 1 | DangerousObject.Multi.Generic. | 13.27 | 16.79 | +3.52 | 0 |
| 2 | Trojan.AndroidOS.Boogr.gsh | 8.39 | 10.05 | +1.66 | +1 |
| 3 | Trojan.AndroidOS.GriftHorse.l | 6.13 | 8.38 | +2.26 | +2 |
| 4 | Trojan.AndroidOS.Generic. | 5.95 | 6.56 | +0.61 | +2 |
| 5 | Trojan-Spy.AndroidOS.Agent.acq | 8.60 | 6.10 | –2.51 | –3 |
| 6 | Trojan.AndroidOS.Fakemoney.v | 7.48 | 5.34 | –2.14 | –2 |
| 7 | Trojan-Spy.AndroidOS.Agent.aas | 3.64 | 3.65 | +0.01 | +2 |
| 8 | DangerousObject.AndroidOS.GenericML. | 3.46 | 3.14 | –0.33 | +2 |
| 9 | Trojan-Dropper.AndroidOS.Badpack.g | 0.00 | 2.96 | +2.96 | |
| 10 | Trojan-Dropper.AndroidOS.Hqwar.hd | 4.54 | 2.33 | –2.21 | –3 |
| 11 | Trojan-Dropper.AndroidOS.Hqwar.bk | 0.51 | 2.17 | +1.65 | +26 |
| 12 | Trojan.AndroidOS.Fakemoney.x | 0.00 | 2.02 | +2.02 | |
| 13 | Trojan.AndroidOS.Fakeapp.ez | 0.72 | 1.73 | +1.01 | +13 |
| 14 | Trojan-Downloader.AndroidOS.Agent.mh | 3.68 | 1.72 | –1.96 | –6 |
| 15 | Trojan-Dropper.AndroidOS.Hqwar.hq | 0.00 | 1.66 | +1.66 | |
| 16 | Trojan-Banker.AndroidOS.Bian.h | 1.52 | 1.64 | +0.12 | –2 |
| 17 | Trojan-Dropper.AndroidOS.Hqwar.gen | 1.47 | 1.61 | +0.14 | –2 |
| 18 | Trojan.AndroidOS.Fakemoney.u | 1.64 | 1.55 | –0.09 | –5 |
| 19 | Trojan-Downloader.AndroidOS.Triada.al | 0.65 | 1.55 | +0.90 | +10 |
| 20 | Trojan.AndroidOS.GriftHorse.ah | 0.63 | 1.54 | +0.92 | +12 |

* Unique users who encountered this malware as a percentage of all attacked users of Kaspersky mobile solutions.

The generalized cloud verdict DangerousObject.Multi.Generic (16.79%) was again in its usual first position during the reporting period. Trojan-Spy.AndroidOS.Agent.acq (6.10%), a malicious WhatsApp variant, moved down three positions, replaced by the umbrella ML verdict Trojan.AndroidOS.Boogr.gsh (10.05%). Its cloud variant, DangerousObject.AndroidOS.GenericML (3.14%), rose by two positions compared to the previous quarter. The aforementioned GriftHorse and Fakemoney were also among the 20 most commonly detected malware applications.

Region-specific malware

This section describes mobile malware that mostly targets the residents of certain countries.

| Verdict | Country* | %** |
|---|---|---|
| Trojan-SMS.AndroidOS.Fakeapp.g | Thailand | 99.00 |
| Trojan-Banker.AndroidOS.Agent.la | Turkey | 98.62 |
| Trojan-Banker.AndroidOS.BRats.b | Brazil | 98.33 |
| Trojan-Spy.AndroidOS.SmsThief.tw | Indonesia | 98.03 |
| Trojan-Spy.AndroidOS.SmsEye.b | Indonesia | 97.22 |
| Trojan-Banker.AndroidOS.Agent.lc | Indonesia | 96.99 |
| Trojan.AndroidOS.Hiddapp.da | Iran | 96.46 |
| Trojan-SMS.AndroidOS.Agent.adr | Iran | 95.96 |
| HackTool.AndroidOS.Cardemu.a | Brazil | 95.47 |
| Trojan-Spy.AndroidOS.SmsThief.td | Indonesia | 94.76 |
| Trojan.AndroidOS.Hiddapp.bn | Iran | 94.75 |
| Trojan-Dropper.AndroidOS.Hqwar.hc | Turkey | 94.65 |
| Trojan-Spy.AndroidOS.SmsThief.tt | Iran | 94.61 |
| Trojan.AndroidOS.Hiddapp.cg | Iran | 90.26 |
| Trojan.AndroidOS.FakeGram.a | Iran | 88.89 |
| Trojan-Banker.AndroidOS.Agent.cf | Turkey | 88.61 |
| Trojan-Dropper.AndroidOS.Wroba.o | Japan | 82.96 |

* Country where the malware was most active.
** Unique users who encountered the malware in the indicated country as a percentage of all Kaspersky mobile security solution users attacked by the same malware.

The Fakeapp.g Trojan was most frequently encountered by users from Thailand. The malware is distributed under the guise of gaming modifications, but in fact simply sends text messages to premium numbers and charges the user’s account.

Users in Brazil encountered the BRats banking Trojan, a variety of Banbra, which we covered in our previous report. We also noticed some activity by Cardemu banking card emulators, sometimes used in payment terminal scams in Brazil.

SmsThief SMS spies, which masquerade as public services, system apps, or marketplaces, continued to spread in Indonesia. The SmsEye open-source spyware was active in that country too.

The Wroba dropper was still focused on Japan.

Turkish users were again targeted by several banking Trojans: Agent.la, Agent.cf, and the Hqwar banking Trojan dropper.

Hard-to-remove Hiddapp apps and FakeGram third-party Telegram clients operated in Iran.

A new GriftHorse variant homed in on Russia. A primitive malware app named “Soceng”, touted as “the most powerful virus ever”, spread via Telegram among users in Russia. It deleted files from flash memory and sent texts to the victim’s contacts, saying the device had been “hacked”.

Mobile banking Trojans

The number of Trojan banker installation packages continued to grow in Q2 2023, exceeding 59,000.

Number of installation packages for mobile banking Trojans detected by Kaspersky, Q2 2022 — Q2 2023

Ten most common mobile bankers

| # | Verdict | %* Q1 2023 | %* Q2 2023 | Difference in pp | Change in ranking |
|---|---|---|---|---|---|
| 1 | Trojan-Banker.AndroidOS.Bian.h | 30.81 | 29.33 | –1.48 | 0 |
| 2 | Trojan-Banker.AndroidOS.Agent.eq | 5.51 | 13.05 | +7.54 | +1 |
| 3 | Trojan-Banker.AndroidOS.Agent.cf | 1.91 | 11.45 | +9.54 | +7 |
| 4 | Trojan-Banker.AndroidOS.Faketoken.pac | 10.15 | 8.49 | –1.66 | –2 |
| 5 | Trojan-Banker.AndroidOS.Gustuff.d | 1.26 | 2.68 | +1.43 | +11 |
| 6 | Trojan-Banker.AndroidOS.BRats.b | 1.16 | 2.68 | +1.51 | +12 |
| 7 | Trojan-Banker.AndroidOS.Svpeng.q | 4.05 | 2.40 | –1.65 | –2 |
| 8 | Trojan-Banker.AndroidOS.Asacub.bo | 0.02 | 2.09 | +2.07 | +217 |
| 9 | Trojan-Banker.AndroidOS.Agent.ep | 4.40 | 1.77 | –2.63 | –5 |
| 10 | Trojan-Banker.AndroidOS.Agent.lc | 0.48 | 1.70 | +1.22 | +27 |

* Unique users who encountered this malware as a percentage of all Kaspersky mobile security solution users who encountered banking threats.

Users were more frequently exposed to Agent.ch and the older Gustuff and Asacub Trojans in Q2 2023 than in Q1.

Mobile ransomware Trojans

Despite the new Rasket ransomware app appearing in Q2, the total number of ransomware packages continued to decline.

Number of installation packages for mobile ransomware Trojans detected by Kaspersky, Q2 2022 — Q2 2023

Top 10 most common mobile ransomware

| # | Verdict | %* Q1 2023 | %* Q2 2023 | Difference in pp | Change in ranking |
|---|---|---|---|---|---|
| 1 | Trojan-Ransom.AndroidOS.Pigetrl.a | 62.22 | 47.55 | –14.67 | 0 |
| 2 | Trojan-Ransom.AndroidOS.Rasket.a | 0.00 | 5.60 | +5.60 | |
| 3 | Trojan-Ransom.AndroidOS.Congur.y | 1.78 | 4.56 | +2.78 | +1 |
| 4 | Trojan-Ransom.AndroidOS.Small.as | 3.65 | 3.02 | –0.62 | –2 |
| 5 | Trojan-Ransom.AndroidOS.Rkor.dq | 0.00 | 2.93 | +2.93 | |
| 6 | Trojan-Ransom.AndroidOS.Congur.cw | 0.55 | 2.73 | +2.18 | +27 |
| 7 | Trojan-Ransom.AndroidOS.Svpeng.ac | 0.64 | 2.38 | +1.74 | +21 |
| 8 | Trojan-Ransom.AndroidOS.Congur.ap | 0.14 | 2.33 | +2.19 | +87 |
| 9 | Trojan-Ransom.AndroidOS.Rkor.dt | 0.00 | 1.98 | +1.98 | |
| 10 | Trojan-Ransom.AndroidOS.Rkor.dx | 0.00 | 1.69 | +1.69 | |

* Unique users attacked by the malware as a percentage of all Kaspersky mobile security solution users attacked by ransomware Trojans.

The new Rasket.a Trojan (5.60%) went straight to second position by number of attacks among other malware of the type. The rest of the family rankings remained the same, although the lists of most common modifications within the families did change.
