IT threat evolution in Q3 2024. Mobile statistics
According to Kaspersky Security Network, in Q3 2024:
Mobile attacks involving malware, adware or potentially unwanted apps dropped by 13% in Q3, to a total of 6,686,375. The figure is still above the early 2023 level.
Attacks on users of Kaspersky mobile solutions, Q1 2023 — Q3 2024
We attribute this drop to the ongoing decline in the activity of adware, primarily stealthware belonging to the AdWare.AndroidOS.HiddenAd family.
Meanwhile, threat actors did not abandon their attempts to spread their creations through official app marketplaces. For instance, in the third quarter, we discovered the xHelper Trojan inside the Open Browser app on Google Play.
xHelper acts as a stealthy downloader, installing various apps on the device unbeknownst to the user. These downloaders can introduce both ads and malware onto your phone.
We also discovered many apps infected with the Necro Trojan, both in the Google Play store and outside of it. Necro is a multi-component Trojan with an extensive feature set. It can perform any action on a compromised device: from ad display and malware downloads to automatic subscriptions.
The number of detected Android malware and potentially unwanted app samples also decreased in the third quarter to 222,444.
Detected malicious and potentially unwanted installation packages, Q3 2023 — Q3 2024
Adware (36.28%) and riskware classified as RiskTool (23.90%) continued to dominate the landscape of installed software packages. The share of RiskTool decreased markedly from Q2. Conversely, there was a minor uptick in the proportion of detected adware.
Detected mobile apps by type, Q2* — Q3 2024
* Data for the previous quarter may differ slightly from previously published data due to some verdicts being retrospectively revised.
Compared to the previous quarter, there was a significant decrease in the number of installation packages for the BrowserAd and MobiDash adware. At the same time, there was an increase in the number of unique HiddenAd apps. The spike in new RiskTool.AndroidOS.Fakapp files, seen in the previous quarter, subsided, causing a decline in the overall RiskTool category.
Share* of users attacked by the given type of malicious or potentially unwanted app out of all targeted users of Kaspersky mobile products, Q2 — Q3 2024
*The sum may exceed 100% if the same users encountered multiple attack types.
Although the number of installation packages for AdWare.AndroidOS.HiddenAd increased, the overall number of attacks by this malware decreased, as mentioned above, which was reflected in its incidence on actual devices. Put simply, while cybercriminals released a variety of unique malware types, they were unsuccessful in infecting a large number of users.
Note that the malware rankings below exclude riskware and potentially unwanted apps, such as adware and RiskTool.
Verdict | %* in Q2 2024 | %* in Q3 2024 | Difference in p.p. | Change in ranking |
DangerousObject.Multi.Generic. | 11.44 | 9.79 | -1.65 | 0 |
Trojan.AndroidOS.Triada.ga | 6.66 | 9.18 | +2.52 | +1 |
Trojan.AndroidOS.Fakemoney.v | 6.60 | 9.12 | +2.52 | +1 |
Trojan.AndroidOS.Boogr.gsh | 6.01 | 5.22 | -0.79 | +1 |
Trojan.AndroidOS.Triada.gs | 0.00 | 5.05 | +5.05 | |
Trojan-Banker.AndroidOS.Mamont.bc | 0.14 | 4.89 | +4.75 | +180 |
Trojan-Downloader.AndroidOS.Dwphon.a | 2.71 | 4.74 | +2.02 | +1 |
DangerousObject.AndroidOS.GenericML. | 7.56 | 4.45 | -3.11 | -6 |
Trojan.AndroidOS.Fakemoney.bw | 1.17 | 4.27 | +3.10 | +15 |
Trojan.AndroidOS.Triada.gm | 5.16 | 3.89 | -1.27 | -3 |
Trojan-Spy.AndroidOS.SpyNote.bv | 1.26 | 3.68 | +2.43 | +10 |
Trojan-Spy.AndroidOS.SpyNote.bz | 1.97 | 2.98 | +1.01 | -1 |
Trojan-Downloader.AndroidOS.Agent.mm | 1.29 | 2.67 | +1.38 | +7 |
Trojan-Spy.AndroidOS.SpyNote.cc | 1.18 | 2.45 | +1.27 | +9 |
Trojan.AndroidOS.Triada.gn | 2.23 | 2.44 | +0.20 | -5 |
Trojan.AndroidOS.Generic. | 2.59 | 2.31 | -0.27 | -7 |
Trojan-Dropper.Linux.Agent.gen | 0.90 | 1.54 | +0.64 | +13 |
Trojan-Downloader.AndroidOS.Necro.f | 0.00 | 1.33 | +1.33 | |
Trojan.AndroidOS.Triada.fd | 5.89 | 1.30 | -4.60 | -13 |
Trojan-Spy.AndroidOS.SpyNote.ck | 0.00 | 1.25 | +1.25 | |
* Unique users who encountered this malware as a percentage of all attacked users of Kaspersky mobile solutions.
The list of the most prevalent malware did not see any significant changes compared to the previous quarter. The generalized cloud verdict of DangerousObject.Multi.Generic took its usual top spot, followed by WhatsApp mods with embedded Triada modules, the Fakemoney phishing app which tricked users into providing their personal data by promising easy earnings, the Mamont banking Trojan, and the Dwphon pre-installed malware.
This section describes malware types that mostly focused on specific countries.
Verdict | Country* | %** |
Trojan-Banker.AndroidOS.BrowBot.q | Turkey | 98.80 |
Trojan-Banker.AndroidOS.Coper.c | Turkey | 97.99 |
Trojan-Banker.AndroidOS.Coper.a | Turkey | 97.70 |
HackTool.AndroidOS.FakePay.c | Brazil | 97.36 |
Trojan-Spy.AndroidOS.SmsThief.ya | India | 97.33 |
Trojan-Banker.AndroidOS.UdangaSteal.f | Indonesia | 96.75 |
Trojan-Dropper.AndroidOS.Agent.sm | Turkey | 96.71 |
Trojan-Banker.AndroidOS.Agent.ox | India | 95.85 |
Trojan-Banker.AndroidOS.Agent.pp | India | 95.50 |
Trojan-Banker.AndroidOS.Rewardsteal.n | India | 95.31 |
Trojan-Banker.AndroidOS.UdangaSteal.k | India | 95.17 |
Backdoor.AndroidOS.Tambir.d | Turkey | 95.14 |
Trojan-Spy.AndroidOS.SmsThief.fs | Turkey | 95.10 |
Backdoor.AndroidOS.Tambir.a | Turkey | 94.93 |
Trojan-Spy.AndroidOS.SmsThief.wk | India | 94.87 |
Trojan-Spy.AndroidOS.SmsThief.xy | India | 94.59 |
Trojan-Banker.AndroidOS.Rewardsteal.gm | India | 94.55 |
Trojan-Banker.AndroidOS.UdangaSteal.b | Indonesia | 94.32 |
Trojan-Dropper.AndroidOS.Hqwar.bf | Turkey | 94.31 |
Trojan-Spy.AndroidOS.SmsThief.vb | Indonesia | 94.28 |
Trojan-Banker.AndroidOS.Coper.d | Turkey | 94.17 |
* The country where the malware was most active.
** Unique users who encountered this Trojan modification in the indicated country as a percentage of all Kaspersky mobile security solution users attacked by the same modification.
The list of malware types that targeted specific countries was updated with new samples: SmsThief.fs which attacked Turkish users, and SmsThief.ya and SmsThief.xy which both were being spread in India. The first one was associated with an ongoing Coper banker campaign in Turkey, while the other two were SMS spies masquerading as government or banking apps.
In addition, the list includes familiar malware that continued to operate in certain countries: the Tambir backdoor, and the BrowBot and Hqwar Trojans in Turkey, FakePay in Brazil, members of the UdangaSteal family in Indonesia and India, and others.
In the third quarter, the number of detected installation packages for mobile banking Trojans reached 17,822.
Number of installation packages for mobile banking Trojans detected by Kaspersky, Q3 2023 — Q3 2024
The majority of the installation packages belonged to the Mamont family, which also dominated real-life cyberattacks.
Top 10 mobile bankers
Verdict | %* in Q2 2024 | %* in Q3 2024 | Difference in p.p. | Change in ranking |
Trojan-Banker.AndroidOS.Mamont.bc | 1.47 | 35.29 | +33.82 | +21 |
Trojan-Banker.AndroidOS.Coper.c | 0.00 | 6.61 | +6.61 | |
Trojan-Banker.AndroidOS.Agent.rj | 0.00 | 5.53 | +5.53 | |
Trojan-Banker.AndroidOS.GodFather.m | 6.41 | 5.40 | -1.01 | 0 |
Trojan-Banker.AndroidOS.Faketoken.z | 5.17 | 4.67 | -0.50 | 0 |
Trojan-Banker.AndroidOS.Mamont.aj | 0.39 | 4.44 | +4.06 | +33 |
Trojan-Banker.AndroidOS.Svpeng.aj | 3.74 | 3.84 | +0.10 | +3 |
Trojan-Banker.AndroidOS.Coper.a | 2.35 | 3.22 | +0.86 | +7 |
Trojan-Banker.AndroidOS.Mamont.aq | 14.13 | 2.93 | -11.20 | -8 |
Trojan-Banker.AndroidOS.UdangaSteal.b | 10.10 | 2.87 | -7.23 | -8 |
* Unique users who encountered this malware as a percentage of all users of Kaspersky mobile security solutions who encountered banking threats.