
Recent events like the discovery of the Pegasus spyware have brought attention to the mobile malware threat, but it has existed for many years. To give a picture of its current status, Kaspersky has just released a new report on the evolution of the mobile malware threat.


Nearly 3.5 million malicious installation packages were detected by its products in 2021, about the same number as in 2019 but 2.2 million fewer than in 2020 (Figure A).

Figure A: The number of detected malicious installation packages for recent years — Source: Kaspersky

The number of detected attacks decreased steadily through 2021, from 5.5 million in January to 2.2 million in December. Yet, according to Kaspersky, attacks on mobile devices have become more sophisticated in both malware functionality and infection vectors.

The top three countries by share of users attacked by mobile malware are Iran, China and Saudi Arabia. Those results are largely driven by specific infections: adware (AdWare.AndroidOS.Notifyer affecting Iran and AdWare.AndroidOS.HiddenAd targeting Saudi Arabia) and the PUA (potentially unwanted application) RiskTool.AndroidOS.Wapron, which largely targets China.

Those results are not surprising, since adware and PUA rely on business models that depend on spreading to as many devices as possible, with adware representing as much as 42% of all detected mobile malware and PUA representing 35% of all detections (Figure B).

Figure B: The categories of malware detected in 2021 — Source: Kaspersky

The third most detected category is Trojan malware, which represents only 8.86% of detections but is considered far more dangerous than the first two categories. It is also worth noting that Trojan detections almost doubled between 2020 and 2021.


The banking Trojan threat

Banking Trojans are a severe threat to mobile devices. Their capabilities vary, but generally include stealing credit card information as it is typed on the device and gaining access to bank accounts.

To infect mobile devices, banking Trojans are generally disguised as legitimate applications, luring users into installing them. The most effective banking Trojans can impersonate the interfaces of several different banking applications, as well as other applications such as payment and cryptocurrency apps.

Once a banking Trojan is launched on a mobile device, it generally starts displaying its own interface over the user’s legitimate banking app, stealing information that includes the user’s credentials. Mobile banking Trojans can also bypass SMS-based two-factor authentication (2FA).

The top 10 banking Trojan detections reported by Kaspersky are all Android applications. They have mostly targeted Japan and Spain, followed by Turkey, France and Australia.

Kaspersky’s report reveals a decrease in the number of attacks in 2021 for the banking Trojan category (Figure C).

Figure C: The number of attacks by mobile banking Trojans — Source: Kaspersky

The ransomware threat

The top 10 ransomware threats detected were all Android-based. In 2021, the number of detections mostly remained at the same level, with a slight decrease in the last months of the year (Figure D).

Figure D: The number of detections for the mobile ransomware category — Source: Kaspersky

The most widespread malware in this category was Trojan-Ransom.AndroidOS.Pigetrl.a, which locks the device and asks for an unlock code but gives no instructions on how to obtain it; the code is embedded in the body of the malware.

The second is Trojan-Ransom.AndroidOS.Rkor, which asks the user to pay a fine for viewing prohibited content.

As for the geographical location of the detections, most are from Kazakhstan, Yemen, Kyrgyzstan and Sweden.

2021 mobile malware evolution

New infection methods are growing, such as injecting malicious code into legitimate applications through advertising software development kits (SDKs) and more sophisticated concealment in application stores.

New functionalities have also appeared. The Fakecalls banking Trojan, which targets Korean users, drops outgoing calls to the target’s real bank and plays prerecorded operator responses. The Vultur backdoor uses virtual network computing (VNC) to record the victim’s screen when they launch an application of interest to the attackers, allowing onscreen events to be monitored.


How to protect yourself from mobile malware

  • Avoid unknown stores. Unknown app stores typically have no malware detection processes, unlike the Google Play Store. Don’t install software on your Android device from untrusted sources.
  • Reboot often. Some high-stealth malware has no persistence mechanism, in order to stay undetected, so rebooting often may clear such a threat from your device.
  • Carefully check requested permissions when installing an app. Applications should only request permissions for the APIs they need. A QR code scanner should not ask for permission to send SMS, for example. Before installing an application from the Google Play Store, scroll down the app description and tap App Permissions to check what it requests. Be extra cautious when an application asks for permission to handle SMS: almost no application needs this, but banking Trojans use it to bypass SMS-based 2FA.
  • Treat immediate update requests after installation as suspicious. An application downloaded from the Play Store is supposed to be the latest version. If the app asks for permission to update on its first run, immediately after installation, it is suspicious.
  • Check the context of the application. Is it the developer’s first application? Does it have very few reviews, perhaps only five-star ones?
  • Use security applications on your Android device. Install a comprehensive security application to protect the device.
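The permission check above can be automated for a defender reviewing an APK before it is allowed onto managed devices. The following Python script is an added example, not code from the article or from Kaspersky: it reads the `<uses-permission>` entries from an AndroidManifest.xml, compares them with what an app of a given category plausibly needs, and flags the permissions the article singles out, namely SMS access (used to defeat SMS 2FA) and drawing over other apps (used for overlay attacks on banking apps). The permission names are real Android identifiers; the category allowlists and the two sample manifests are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Android manifest attributes live in this namespace, so android:name
# must be looked up with the fully qualified attribute key.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Permissions the article singles out. The names are real Android
# permissions; the one-line explanations are ours.
HIGH_RISK = {
    "android.permission.SEND_SMS": "can send SMS on your behalf",
    "android.permission.RECEIVE_SMS": "can read incoming SMS, including 2FA codes",
    "android.permission.READ_SMS": "can read stored SMS, including 2FA codes",
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw its own screen over other apps",
}

# Constructed allowlists: what an app of each kind plausibly needs.
EXPECTED_BY_CATEGORY = {
    "qr_scanner": {"android.permission.CAMERA"},
    "sms_messenger": {
        "android.permission.SEND_SMS",
        "android.permission.RECEIVE_SMS",
        "android.permission.READ_SMS",
    },
}

# Low-impact permissions almost every app requests; not worth flagging.
COMMON = {"android.permission.INTERNET", "android.permission.ACCESS_NETWORK_STATE"}


def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(NAME_ATTR)
        for el in root.iter("uses-permission")
        if el.get(NAME_ATTR)
    }


def review_permissions(manifest_xml, category):
    """Compare requested permissions with what the app category should need.

    Returns the permissions the category does not explain ("unexpected")
    and, among those, the high-risk ones paired with the reason.
    """
    requested = requested_permissions(manifest_xml)
    expected = EXPECTED_BY_CATEGORY.get(category, set()) | COMMON
    unexpected = sorted(requested - expected)
    high_risk = [(p, HIGH_RISK[p]) for p in unexpected if p in HIGH_RISK]
    return {"unexpected": unexpected, "high_risk": high_risk}


# Constructed manifest for a supposed QR code scanner that also wants SMS
# and overlay access: the pattern the article describes as suspicious.
SUSPICIOUS_QR_SCANNER = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.qrscanner">
    <uses-permission android:name="android.permission.CAMERA" />
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.RECEIVE_SMS" />
    <uses-permission android:name="android.permission.SEND_SMS" />
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW" />
</manifest>
"""

# Constructed manifest for a messaging app, where SMS permissions are expected.
BENIGN_MESSENGER = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.messenger">
    <uses-permission android:name="android.permission.RECEIVE_SMS" />
    <uses-permission android:name="android.permission.SEND_SMS" />
</manifest>
"""

if __name__ == "__main__":
    for label, manifest, category in (
        ("qr scanner", SUSPICIOUS_QR_SCANNER, "qr_scanner"),
        ("messenger", BENIGN_MESSENGER, "sms_messenger"),
    ):
        report = review_permissions(manifest, category)
        print("%s: unexpected=%s" % (label, report["unexpected"]))
        for perm, why in report["high_risk"]:
            print("  HIGH RISK %s: %s" % (perm, why))
```

On a real device the same manifest data can be obtained with the Android SDK's `aapt dump permissions <apk>` or `adb shell dumpsys package <package>`, and the output fed to `review_permissions`. The category allowlist is deliberately the judgement call here: the point of the check is not that SMS permissions are always wrong, but that they are wrong for an app whose stated purpose does not need them.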

Disclosure: I work for Trend Micro, but the views expressed in this article are mine.
