IT threat evolution in Q3 2023. Mobile statistics

These statistics are based on detection verdicts of Kaspersky products received from users who consented to providing statistical data.

Quarterly figures

According to Kaspersky Security Network, in Q3 2023:

  • A total of 8,346,169 mobile malware, adware, and riskware attacks were blocked.
  • The most common threat to mobile devices was adware, accounting for 52% of all detected threats.
  • 438,962 malicious installation packages were detected, of which:
    • 21,674 packages were related to mobile banking Trojans;
    • 1,855 packages were mobile ransomware Trojans.

Quarterly highlights

The number of malware, adware and unwanted software attacks on mobile devices continued to climb in Q3. In total, Kaspersky products blocked more than 8.3 million attacks.

[Figure: Number of attacks targeting users of Kaspersky mobile solutions, Q1 2022 – Q3 2023]

This quarter, we discovered on Google Play a malicious app that we assigned the verdict Trojan-Downloader.AndroidOS.Banker.aj.

Disguised as a PDF viewer, the app in fact downloaded the Trojan-Banker.AndroidOS.Coper.a banking Trojan to the victim’s device.

Our other find on Google Play was a spyware Telegram mod capable of stealing user messages.

Also in Q3, cybercriminals made active use of a modified remote access client disguised as a bank technical support app to siphon off money. During the reporting period, more than 3,000 attacks using such apps were blocked.

One other discovery this quarter was the spyware Trojan-Spy.AndroidOS.Agent.afd. The malware caught our eye for its non-standard development approach: almost all Android malware is written in Java, sometimes in C/C++, but the coders of this malware opted for .NET Framework. This cross-platform framework is used widely to create Windows software, but rarely to write malware for Android.

Mobile threat statistics

The number of new malware samples continues to grow, attaining the level of Q3 of last year.

[Figure: Number of detected malicious installation packages, Q3 2022 – Q3 2023]

Distribution of detected mobile malware by type*

[Figure: Distribution of newly detected mobile malware by type, Q2 2023 and Q3 2023]

* Data for the previous quarter may differ slightly from previously published data due to some verdicts being retrospectively revised.

Adware and potentially unwanted software (riskware) traditionally top the rankings. Among adware families, first place again went to MobiDash, which increased its relative share to 55%; next come the generalized verdicts Dnotua (10.8%) and HiddenAd (4.3%).

[Figure: Share of users who encountered a certain type of threat out of all attacked mobile users in Q2 2023 and Q3 2023]

RiskTool threats (6.83%) dropped one place in the ranking by share of attacked users, ceding ground to Trojans (24.66%), while top spot was retained by adware (63.66%). Among Trojans, the previously described GriftHorse and Fakemoney remained highly active, but in first position this quarter was the adware Trojan Triada (23.5%) in WhatsApp mods.

TOP 20 most frequently detected mobile malware programs

Note that the malware rankings below exclude riskware and potentially unwanted software, such as RiskTool or adware.

| | Verdict | % in Q2 2023* | % in Q3 2023* | Difference in p.p. | Change in ranking |
|---|---|---|---|---|---|
| 1 | DangerousObject.Multi.Generic | 16.79 | 14.98 | –1.81 | 0 |
| 2 | Trojan.AndroidOS.Triada.et | 0.52 | 12.16 | +11.64 | +39 |
| 3 | Trojan.AndroidOS.GriftHorse.l | 8.38 | 10.89 | +2.51 | 0 |
| 4 | Trojan.AndroidOS.Fakemoney.v | 5.34 | 9.67 | +4.33 | +2 |
| 5 | Trojan.AndroidOS.Boogr.gsh | 10.05 | 7.05 | –3.00 | –3 |
| 6 | Trojan-Dropper.AndroidOS.Badpack.g | 2.96 | 4.67 | +1.71 | +3 |
| 7 | Trojan.AndroidOS.Generic | 6.56 | 3.94 | –2.62 | –3 |
| 8 | Trojan-Dropper.AndroidOS.Agent.uc | 0.00 | 3.39 | +3.39 | |
| 9 | Trojan-Dropper.AndroidOS.Hqwar.bk | 2.17 | 3.01 | +0.84 | +2 |
| 10 | Trojan.AndroidOS.Triada.ex | 0.00 | 2.97 | +2.97 | |
| 11 | Trojan.AndroidOS.Fakeapp.ft | 0.00 | 2.93 | +2.93 | |
| 12 | DangerousObject.AndroidOS.GenericML | 3.14 | 2.03 | –1.11 | –4 |
| 13 | Trojan.AndroidOS.Piom.aypd | 0.00 | 1.64 | +1.64 | |
| 14 | Trojan-Spy.AndroidOS.Agent.acq | 6.10 | 1.36 | –4.74 | –9 |
| 15 | Trojan.AndroidOS.Fakemoney.x | 2.02 | 1.31 | –0.71 | –3 |
| 16 | Trojan-Banker.AndroidOS.Agent.eq | 0.73 | 1.27 | +0.54 | +11 |
| 17 | Trojan.AndroidOS.GriftHorse.al | 0.00 | 1.07 | +1.07 | |
| 18 | Trojan.AndroidOS.GriftHorse.ah | 1.54 | 1.07 | –0.48 | +2 |
| 19 | Trojan-Downloader.AndroidOS.Agent.mh | 1.72 | 1.00 | –0.73 | –5 |
| 20 | Trojan-Dropper.AndroidOS.Agent.ub | 0.00 | 0.89 | +0.89 | |

* Unique users who encountered this malware as a percentage of all attacked users of Kaspersky mobile solutions.

The generalized cloud verdict DangerousObject.Multi.Generic (14.98%) held on to first position in Q3. In second place was a malicious WhatsApp mod with the verdict Trojan.AndroidOS.Triada.et (12.16%), followed by GriftHorse and Fakemoney, which have been regular fixtures in the TOP 20 for several quarters in a row. Ranking behind the collective verdict for machine-learning technologies Trojan.AndroidOS.Boogr.gsh (7.05%) was Trojan-Dropper.AndroidOS.Badpack.g (4.67%), a packer commonly used to deliver banking malware.

Region-specific malware

This section describes mobile malware that mostly targets the residents of certain countries.

| Verdict | Country* | %** |
|---|---|---|
| Trojan-Banker.AndroidOS.GodFather.i | Turkey | 100.00 |
| Trojan-Banker.AndroidOS.BRats.b | Brazil | 99.59 |
| Trojan-Banker.AndroidOS.Agent.la | Turkey | 98.65 |
| Trojan-Banker.AndroidOS.GodFather.h | Turkey | 98.62 |
| Trojan.AndroidOS.Piom.axdh | Turkey | 98.42 |
| Trojan-Banker.AndroidOS.GodFather.m | Turkey | 98.30 |
| Trojan-Banker.AndroidOS.Agent.lc | Indonesia | 98.21 |
| Trojan-Spy.AndroidOS.SmsThief.vb | Indonesia | 97.95 |
| Trojan-Spy.AndroidOS.SmsEye.b | Indonesia | 97.65 |
| Trojan-Banker.AndroidOS.Agent.lw | Azerbaijan | 96.98 |
| Trojan-Spy.AndroidOS.SmsThief.tt | Iran | 96.70 |
| Trojan-Spy.AndroidOS.SmsThief.tw | Indonesia | 96.57 |
| Trojan-Dropper.AndroidOS.Hqwar.hc | Turkey | 94.76 |
| Trojan-Spy.AndroidOS.SmsThief.de | Indonesia | 94.23 |
| Trojan.AndroidOS.Hiddapp.bn | Iran | 94.00 |
| Trojan-Dropper.AndroidOS.Agent.sm | Turkey | 88.15 |
| Trojan-Spy.AndroidOS.FakeApp.an | Turkey | 82.71 |

* Country where the malware was most active.
** Unique users who encountered the malware in the indicated country as a percentage of all Kaspersky mobile security solution users attacked by the same malware.

When it comes to attacks concentrated in a specific country, the leader in Q3 was Turkey. Among the threats faced by residents there, banking Trojans predominated. These included Trojan-Banker.AndroidOS.GodFather, which gives intruders remote access to devices, and Trojan-Banker.AndroidOS.Agent.la, which steals text messages. The Trojan-Dropper.AndroidOS.Agent.sm and Trojan-Dropper.AndroidOS.Hqwar.hc packers are also used to deliver banking malware to the victim.

The Brats banking Trojan continues to target users in Brazil, while various SMS-based spyware mods have been seeking new victims in Indonesia. Also of interest was the relative concentration of Trojan.AndroidOS.Thamera.u malware attacks in India. This Trojan is used to turn the target device into a proxy for creating accounts on social networks.

Mobile banking Trojans

In Q3 2023, the number of new banking Trojan installation packages dropped sharply to 21,000.

[Figure: Number of installation packages for mobile banking Trojans detected by Kaspersky, Q3 2022 – Q3 2023]

Ten most common mobile bankers

| | Verdict | % in Q2 2023* | % in Q3 2023* | Difference in p.p. | Change in ranking |
|---|---|---|---|---|---|
| 1 | Trojan-Banker.AndroidOS.Agent.eq | 13.05 | 28.95 | +15.90 | +1 |
| 2 | Trojan-Banker.AndroidOS.Bian.h | 29.33 | 18.23 | –11.10 | –1 |
| 3 | Trojan-Banker.AndroidOS.Agent.ma | 0.00 | 5.68 | +5.68 | –3 |
| 4 | Trojan-Banker.AndroidOS.Agent.cf | 11.45 | 5.15 | –6.29 | –1 |
| 5 | Trojan-Banker.AndroidOS.Agent.la | 1.39 | 4.58 | +3.19 | +7 |
| 6 | Trojan-Banker.AndroidOS.Anubis.ab | 0.00 | 2.42 | +2.42 | |
| 7 | Trojan-Banker.AndroidOS.Faketoken.pac | 8.49 | 2.40 | –6.09 | –3 |
| 8 | Trojan-Banker.AndroidOS.Svpeng.q | 2.40 | 2.06 | –0.34 | –1 |
| 9 | Trojan-Banker.AndroidOS.GodFather.i | 0.00 | 1.55 | +1.55 | |
| 10 | Trojan-Banker.AndroidOS.GodFather.h | 0.00 | 1.50 | +1.50 | |

* Unique users who encountered this malware as a percentage of all Kaspersky mobile security solution users who encountered banking threats.

Despite the fall in the number of unique installation packages, the total number of Trojan-Banker malware attacks actually rose slightly. In other words, the same files are increasingly being reused to carry out attacks on different users.

Mobile ransomware Trojans

Q3 saw a slight change in the number of new ransomware installation packages compared to the previous quarter.

[Figure: Number of installation packages for mobile ransomware Trojans detected by Kaspersky, Q3 2022 – Q3 2023]

TOP 10 most common mobile ransomware

| | Verdict | % in Q2 2023* | % in Q3 2023* | Difference in p.p. | Change in ranking |
|---|---|---|---|---|---|
| 1 | Trojan-Ransom.AndroidOS.Rasket.a | 5.60 | 32.44 | +26.84 | +1 |
| 2 | Trojan-Ransom.AndroidOS.Pigetrl.a | 47.55 | 25.27 | –22.27 | –1 |
| 3 | Trojan-Ransom.AndroidOS.Rkor.eg | 0.35 | 10.56 | +10.21 | +59 |
| 4 | Trojan-Ransom.AndroidOS.Rkor.ef | 1.04 | 6.77 | +5.73 | +18 |
| 5 | Trojan-Ransom.AndroidOS.Rkor.eh | 0.00 | 1.61 | +1.61 | |
| 6 | Trojan-Ransom.AndroidOS.Congur.cw | 2.73 | 1.56 | –1.17 | 0 |
| 7 | Trojan-Ransom.AndroidOS.Small.as | 3.02 | 1.51 | –1.52 | –3 |
| 8 | Trojan-Ransom.AndroidOS.Congur.y | 4.56 | 1.40 | –3.16 | –5 |
| 9 | Trojan-Ransom.AndroidOS.Small.cj | 0.94 | 1.32 | +0.38 | +16 |
| 10 | Trojan-Ransom.AndroidOS.Agent.bw | 1.44 | 1.27 | –0.17 | +4 |

* Unique users who encountered this malware as a percentage of all Kaspersky mobile security solution users attacked by ransomware Trojans.

The Rasket.a Trojan (32.44%) leaped into first place by number of attacks among other malware of the same type. As usual, the remaining positions in the ranking are occupied by various modifications of Pigetrl, Rkor, Congur and Small.
