Mobile Ad Trojans Evolve to Maximize Profits

Mobile advertising Trojans have begun to use monetization schemes involving paid SMS and WAP-billing services in order to preserve and increase profits.

Kaspersky Lab’s Mobile Malware Evolution 2017 found that while these Trojans, the top mobile malware threat from 2016, went into decline in 2017, the threat continued to aggressively spread. With root privileges, they have the capability to secretly install various applications or bombard an infected device with ads to make use of the smartphone impossible. In addition to having almost unlimited access, they are also extremely difficult to detect and remove.

Based on Kaspersky Lab observations, the decline in the overall number of mobile advertising Trojans exploiting super-user rights appears to have been triggered by an overall decrease in the number of mobile devices running older versions of Android, which are the main targets of these Trojans. Potentially exploited vulnerabilities are patched in newer versions.

According to Kaspersky Lab data, the proportion of users with devices running Android 5.0 or older dropped from more than 85% in 2016 to 57% in 2017. The proportion of Android 6.0 (or newer) users more than doubled, rising from 21% in 2016 to 50% in 2017.

In 2017, Kaspersky Lab discovered new modifications of advertising Trojans that were not exploiting root access vulnerabilities to show ads but were instead leveraging other methods, such as taking advantage of premium SMS services. For example, two Trojans related to the Ztorg malware family with such functionality were downloaded dozens of thousands of times from the Google Play Store.

Simultaneously, Kaspersky Lab researchers recorded a rise in the number of mobile Trojan clickers that are stealing money from Android users through WAP-billing, a type of direct mobile payment that does not require registration. These Trojans click on pages with paid services, and once a subscription is activated, money from a victim's account flows directly to the cybercriminals. Some of the WAP-clickers discovered in 2017 also incorporated modules for cryptocurrency mining.

The ransomware epidemics that hit the world in 2017 were also reflected in the mobile threat landscape. Kaspersky Lab discovered 544,107 installation packages for mobile ransomware Trojans last year, which is twice as high as in 2016 and 17 times more than in 2015. This increasing volume was detected during the first months of the year due to the high activity of the Congur Trojan family (83% of all installation packages in 2017), a blocker that sets or resets a device’s PIN or passcode and then demands money to unlock the device.

Although mobile ransomware capabilities and techniques remained primarily the same throughout the year, some ransomware functionality has been discovered among banking Trojan families, such as Svpeng and Faketoken, with the modifications able to encrypt people’s files.

Overall in 2017, Kaspersky Lab mobile security products reported 42.7 million attempted attacks by mobile malware (40 million in 2016); 94,368 mobile banking Trojans (1.3 times less than in 2016); 5,730,916 installation packages for mobile Trojans (1.5 times less than in 2016) and 110,184 unique users targeted by mobile ransomware (1.4 times lower than 2016).

Iran (57.25%), Bangladesh (42.76%) and Indonesia (41.14%) were the top three countries attacked by mobile malware last year.

“The mobile threat landscape is evolving in direct connection with what is happening in the global mobile market,” said Roman Unuchek, security expert at Kaspersky Lab. “Right now, mobile advertising Trojans that exploit root rights are in decline, but if new versions of Android firmware happened to be vulnerable, new opportunities will be presented and we will see their growth return. The same is true for cryptocurrency – with the increasing activity of miners around the world, we expect to see further modifications of mobile malware with mining modules inside, even though the performance power of mobile devices is not so high.”

What’s Hot on Infosecurity Magazine?