IT threat evolution in Q2 2016. Statistics - Securelist
https://securelist.com/analysis/quarterlymalwarereports/75640/itthreatevolutioninq22016statistics/#top20mobilemalwareprograms
9/20/2016
All the statistics used in this report were obtained using Kaspersky Security Network (KSN), a distributed antivirus network that works with various anti-malware protection components. The data was collected from KSN users who agreed to provide it. Millions of Kaspersky Lab product users from 213 countries and territories worldwide participate in this global exchange of information about malicious activity.
Q2 figures
According to KSN data, Kaspersky Lab solutions detected and repelled 171,895,830 malicious attacks from online resources located in 191 countries all over the world.
54,539,948 unique URLs were recognized as malicious by web antivirus components.
Kaspersky Lab's web antivirus detected 16,119,489 unique malicious objects: scripts, exploits, executable files, etc.
Attempted infections by malware that aims to steal money via online access to bank accounts were registered on 1,132,031 user computers.
Crypto ransomware attacks were blocked on 311,590 computers of unique users.
Kaspersky Lab's file antivirus detected a total of 249,619,379 unique malicious and potentially unwanted objects.
Kaspersky Lab mobile security products detected:
- 3,626,458 malicious installation packages
- 27,403 mobile banker Trojans (installation packages)
- 83,048 mobile ransomware Trojans (installation packages).
Mobile threats
In Q2 2016, Kaspersky Lab detected 3,626,458 malicious installation packages, 1.7 times more than in the previous quarter.
Figure: Number of detected malicious installation packages (Q3 2015 - Q2 2016)
As of this quarter, we will calculate the distribution of mobile malware by type based on the number of detected malicious installation packages rather than modifications, as was the case in earlier reports.
Figure: Distribution of new mobile malware by type (Q1 2016 and Q2 2016)
In Q2 2016, RiskTool software, or legal applications that are potentially dangerous to users, topped the ranking of detected malicious objects for mobile devices. Their share increased from 31.6% in Q1 to 45.1% this quarter.
Adware occupies second place. The share of these programs fell 1.4 p.p. compared to the previous quarter, and accounted for 14.2%.
The share of SMS Trojans fell from 18.5% to 10.8%, pushing this category of malicious programs down from second to third place in the ranking. Trojan-SMS.AndroidOS.Agent.qu and Trojan-SMS.AndroidOS.Agent.f accounted for most of the detected SMS Trojans, with both accounting for approximately 30% of all malicious files in this category.
The Trojan-Dropper share also fell from 14.5% in Q1 to 9.2%. Trojan-Dropper.AndroidOS.Agent.v led the way: we detected more than 50,000 installation packages related to this Trojan.
| | Name | % of attacked users* |
|---|---|---|
| 1 | DangerousObject.Multi.Generic | 80.87 |
| 2 | Trojan.AndroidOS.Iop.c | 11.38 |
| 3 | Trojan.AndroidOS.Agent.gm | 7.71 |
| 4 | Trojan-Ransom.AndroidOS.Fusob.h | 6.59 |
| 5 | Backdoor.AndroidOS.Ztorg.a | 5.79 |
| 6 | Backdoor.AndroidOS.Ztorg.c | 4.84 |
| 7 | Trojan-Ransom.AndroidOS.Fusob.pac | 4.41 |
| 8 | Trojan.AndroidOS.Iop.t | 4.37 |
| 9 | Trojan-Dropper.AndroidOS.Gorpo.b | 4.3 |
| 10 | Trojan.AndroidOS.Ztorg.a | 4.30 |
| 11 | Trojan.AndroidOS.Ztorg.i | 4.25 |
| 12 | Trojan.AndroidOS.Iop.ag | 4.00 |
| 13 | Trojan-Dropper.AndroidOS.Triada.d | 3.10 |
| 14 | Trojan-Dropper.AndroidOS.Rootnik.f | 3.07 |
| 15 | Trojan.AndroidOS.Hiddad.v | 3.03 |
| 16 | Trojan-Dropper.AndroidOS.Rootnik.h | 2.94 |
| 17 | Trojan.AndroidOS.Iop.o | 2.91 |
| 18 | Trojan.AndroidOS.Rootnik.ab | 2.91 |
| 19 | Trojan.AndroidOS.Triada.e | 2.85 |
| 20 | Trojan-SMS.AndroidOS.Podec.a | 2.83 |

*Percentage of unique users attacked by the malware in question, relative to all users of Kaspersky Lab's mobile security product that were attacked.
First place is occupied by DangerousObject.Multi.Generic (80.87%), the classification used for malicious programs detected by cloud technologies. Cloud technologies work when the antivirus database contains neither the signatures nor heuristics to detect a malicious program, but the cloud of the antivirus company already contains information about the object. This is basically how the very latest malware is detected.
As in the previous quarter, 16 Trojans that use advertising as their main means of monetization (highlighted in blue in the table) made it into the TOP 20. Their goal is to deliver as many adverts as possible to the user, employing various methods, including the installation of new adware. These Trojans may use superuser privileges to conceal themselves in the system application folder, from which it will be very difficult to delete them.
Trojan.AndroidOS.Iop.c (11.38%) moved from third to second in the TOP 20 and became the single most popular malicious program of the quarter. Over the reporting period we detected this Trojan in 180 countries, but the majority of attacked users were in Russia, India and Algeria. Iop.c can exploit a variety of vulnerabilities in the system to gain superuser privileges. The main method of monetization is displaying advertising and installing (usually secretly) various programs on the user's device, including other malicious programs.
Representatives of the Trojan-Ransom.AndroidOS.Fusob ransomware family claimed fourth and seventh places. These Trojans demand a ransom of $100-200 from victims to unblock their devices. Attacks using this Trojan were registered in over 120 countries worldwide in Q2, with a substantial number of victims located in Germany and the US.
Trojan-SMS.AndroidOS.Podec.a (2.83%) has now spent over a year in the mobile malware TOP 20, although it is starting to lose ground. It used to be an ever-present in the TOP 5 mobile threats, but for the second quarter in a row it has only made it into the bottom half of the ranking. Its functionality has remained practically unchanged; its main means of monetization is to subscribe users to paid services.
Figure: The geography of attempted mobile malware infections in Q2 2016 (percentage of all users attacked)
TOP 10 countries attacked by mobile malware (ranked by percentage of users attacked)

| | Country* | % of users attacked** |
|---|---|---|
| 1 | China | 36.31 |
| 2 | Bangladesh | 32.66 |
| 3 | Nepal | 30.61 |
| 4 | Uzbekistan | 22.43 |
| 5 | Algeria | 22.16 |
| 6 | Nigeria | 21.84 |
| 7 | India | 21.64 |
| 8 | Indonesia | 21.35 |
| 9 | Pakistan | 19.49 |
| 10 | Iran | 19.19 |

*We eliminated countries from this ranking where the number of users of Kaspersky Lab's mobile security product is lower than 10,000.
**Percentage of unique users attacked in each country relative to all users of Kaspersky Lab's mobile security product in the country.
China topped the ranking, with more than 36% of users there encountering a mobile threat at least once during the quarter. China also came first in this ranking in Q1 2016.
In all the countries of this ranking, except China, the most popular mobile malware was the same advertising Trojans that appeared in the TOP 20 mobile malware, and AdWare. The most popular malicious program was Trojan.AndroidOS.Iop.c. In China, a significant proportion of attacks also involved advertising Trojans, but the majority of users there encountered the Backdoor.AndroidOS.GinMaster and Backdoor.AndroidOS.Fakengry families, while Trojan.AndroidOS.Iop.c only occupied sixteenth place.
Russia (10.4%) was 26th in this ranking, Germany (8.5%) 38th, Italy (6.2%) 49th, and France (5.9%) 52nd. The US (5.0%) came 59th and the UK (4.6%) 64th.
The safest countries were Austria (3.6%), Sweden (2.9%) and Japan (1.7%).
Figure: Number of mobile banking Trojans detected by Kaspersky Lab solutions (Q3 2015 - Q2 2016)
The TOP 5 most popular mobile banking Trojans in Q2 consisted of representatives from just two families: Trojan-Banker.AndroidOS.Asacub and Trojan-Banker.AndroidOS.Svpeng.
Trojan-Banker.AndroidOS.Asacub.i was the most popular mobile banking Trojan of the quarter. It uses different methods to trick users and bypass system constraints. In Q1 we identified a modification of this mobile Trojan that overlaid the regular system window requesting device administrator privileges with its own window containing buttons. The Trojan thereby conceals the fact that it is gaining elevated privileges in the system from the user, and tricks the user into approving these privileges. In Q2, we detected a modification that requested the user's permission to become the main SMS application.
Figure: Dialog window of Trojan-Banker.AndroidOS.Asacub.i asking for the user's approval to become the main SMS application
This allows the Trojan to bypass the system constraints introduced in Android 4.4, and to hide incoming SMSs from the user (as a rule, it hides messages from banks and payment systems). In order to make users save this malicious program in the settings as the main SMS application, the Trojan authors had to, among other things, implement a messenger interface.
Figure: The Trojan-Banker.AndroidOS.Asacub.i interface used to create and send messages
Asacub is actively distributed via SMS spam.
Russia and Germany lead in terms of the number of users attacked by mobile banking Trojans:
Figure: Geography of mobile banking threats in Q2 2016 (percentage of all users attacked)
The number of attacked users depends on the overall number of users within each individual country. To assess the risk of a mobile banker Trojan infection in each country, and to compare it across countries, we created a country ranking according to the percentage of users attacked by mobile banker Trojans.
TOP 10 countries attacked by mobile banker Trojans (ranked by percentage of users attacked)

| | Country* | % of users attacked** |
|---|---|---|
| 1 | Russia | 1.51 |
| 2 | Australia | 0.73 |
| 3 | Uzbekistan | 0.45 |
| 4 | Korea | 0.35 |
| 5 | China | 0.34 |
| 6 | Ukraine | 0.33 |
| 7 | Denmark | 0.28 |
| 8 | Germany | 0.24 |
| 9 | Turkey | 0.23 |
| 10 | Kyrgyzstan | 0.17 |

*We eliminated countries from this ranking where the number of users of Kaspersky Lab's mobile security product is lower than 10,000.
**Percentage of unique users in each country attacked by mobile banker Trojans, relative to all users of Kaspersky Lab's mobile security product in the country.
In Q2 2016, first place was occupied by Russia (1.51%) where the majority of affected users encountered the Trojan-Banker.AndroidOS.Asacub, Trojan-Banker.AndroidOS.Svpeng and Trojan-Banker.AndroidOS.Faketoken families of mobile banker Trojans.
China, last quarter's leader, fell to fifth place this quarter.
In second place again was Australia where the Trojan-Banker.AndroidOS.Acecard family was replaced by the Trojan-Banker.AndroidOS.Marcher family as the most popular threat.
Banking Trojans were especially popular with attackers in Russia and Australia. The percentage of users attacked by this malware in the two countries relative to all attacked users accounted for 14%.
Mobile Trojan-Ransomware
As of this quarter, we will calculate the distribution of mobile malware by type based on the number of detected malicious installation packages rather than modifications, as was the case in earlier reports.
In Q2 2016, we detected 83,048 mobile Trojan-Ransomware installation packages, which is about the same number as the previous quarter and seven times more than in Q4 2015.
Figure: Number of mobile Trojan-Ransomware installation packages detected by Kaspersky Lab (Q3 2015 - Q2 2016)
The sharp rise in the number of mobile Trojan-Ransomware installation packages in 2016 was caused by the active proliferation of the Trojan-Ransom.AndroidOS.Fusob family of Trojans. In the first quarter of 2016, this family accounted for 96% of users attacked by mobile ransomware. In Q2 its share was 85%.
Trojan-Ransom.AndroidOS.Fusob.h became the most popular mobile Trojan-Ransomware in the second quarter; it accounted for nearly 60% of users attacked by mobile ransomware. Once run, the Trojan requests administrator privileges, collects information about the device, including the GPS coordinates and call history, and uploads the data to a malicious server. After that, it may get a command to block the device. In the second quarter we registered a growth in the number of installation packages related to Trojan-Ransom.AndroidOS.Congur.b: their share grew from 0.8% to 8.8%. This Trojan, targeting Chinese-speaking users, changes the system password (PIN), or installs it if no password was installed earlier, thus making it impossible to use the device. The notification containing the ransom demand is displayed on the screen of the blocked device.
Germany, the US and Russia had the highest number of users attacked by Trojan-Ransomware this quarter:
Figure: Geography of mobile Trojan-Ransomware in Q2 2016 (percentage of all users attacked)
To assess the risk of a mobile banker Trojan infection in each country, and to compare it across countries, we created a country ranking according to the percentage of users attacked by mobile Trojan-Ransomware.
TOP 10 countries attacked by mobile Trojan-Ransomware (ranked by percentage of users attacked)

| | Country* | % of users attacked** |
|---|---|---|
| 1 | Canada | 2.01 |
| 2 | Germany | 1.89 |
| 3 | US | 1.66 |
| 4 | Switzerland | 1.63 |
| 5 | Mexico | 1.55 |
| 6 | UK | 1.51 |
| 7 | Denmark | 1.35 |
| 8 | Italy | 1.35 |
| 9 | Kazakhstan | 1.35 |
| 10 | Netherlands | 1.15 |

*We eliminated countries from this ranking where the number of users of Kaspersky Lab's mobile security product is lower than 10,000.
**Percentage of unique users in each country attacked by mobile Trojan-Ransomware, relative to all users of Kaspersky Lab's mobile security product in the country.
In all the countries of the TOP 10, except for Kazakhstan, the most popular Trojan-Ransom family was Fusob. In the US, the Trojan-Ransom.AndroidOS.Svpeng family was also popular. These Trojans demand a ransom of $100-500 from victims to unblock their devices.
In Kazakhstan and Uzbekistan, the main threat to users originated from representatives of the Small mobile Trojan-Ransom family. This is a fairly simple ransomware program that blocks operation of a device by overlaying all the windows on the device with its own window and demanding $10 to unblock it.
The main event this quarter was the demise of the long-term market leaders, the Angler and Nuclear exploit kits. Angler's departure resulted in market players shifting to other kits to distribute malware. In particular, we registered a dramatic growth in the popularity of the Neutrino exploit kit.
This is how the overall picture for the use of exploits in the second quarter looks:
Figure: Distribution of exploits used in attacks by the type of application attacked, Q2 2016
The chart shows that despite the exit of the market leaders the breakdown of exploits was almost unchanged from the previous quarter: the proportion of exploits for Microsoft Office (14%) and Java (7%) fell by 1 p.p., while the share for Android grew 2 p.p. and reached 24%. This suggests that demand for exploit kits has been spread among the remaining players: RIG, Magnitude and Neutrino. The latter was the undisputed leader this quarter in terms of the number of attempts to download malware.
Figure: Number of users attacked by malware targeting finances, Q2 2016
Geography of attack
To evaluate and compare the risk of being infected by banking Trojans worldwide, we calculate the percentage of Kaspersky Lab product users who encountered this type of threat during the reporting period in the country, relative to all users of our products in the country.
Figure: Geography of banking malware attacks in Q2 2016 (percentage of attacked users)
TOP 10 countries by percentage of attacked users

| | Country* | % of attacked users** |
|---|---|---|
| 1 | Turkey | 3.45 |
| 2 | Russia | 2.92 |
| 3 | Brazil | 2.63 |
| 4 | Pakistan | 2.60 |
| 5 | Venezuela | 1.66 |
| 6 | Tunisia | 1.62 |
| 7 | Japan | 1.61 |
| 8 | Singapore | 1.58 |
| 9 | Libya | 1.57 |
| 10 | Argentina | 1.48 |

These statistics are based on the detection verdicts returned by the antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data.
*We excluded those countries in which the number of Kaspersky Lab product users is relatively small (less than 10,000).
**Unique users whose computers have been targeted by banking Trojan attacks as a percentage of all unique users of Kaspersky Lab products in the country.
The highest percentage of Kaspersky Lab users attacked by banking Trojans was in Turkey. One of the reasons for the growth in financial threats there was a burst of activity by the Gozi banking Trojan whose developers have joined forces with the creators of the Nymaim Trojan.
In Russia, 2.92% of users encountered a banking Trojan at least once in Q2, placing it second in this ranking.
Brazil rounds off the top three. We expect a surge in financial threats in Latin America in the next quarter due to the Olympic Games in Brazil. This event is just too tempting for cybercriminals to ignore: they regularly use the theme of major sporting events in their attacks to lure potential victims.
The top five countries where users were least affected by banking Trojans were Canada (0.33%), the US (0.4%), the UK (0.4%), France (0.43%) and the Netherlands (0.5%).
The percentage of banking Trojan victims in Italy was 0.62%, in Spain it was 0.83%, while in Germany the figure was 1.03%.
The TOP 10 banking malware families
The table below shows the top 10 malware families most commonly used in Q2 2016 to attack online banking users (as a percentage of users attacked):

| | Name* | Percentage of users attacked** |
|---|---|---|
| 1 | Trojan-Spy.Win32.Zbot | 15.72 |
| 2 | Trojan-Banker.Win32.Gozi | 3.28 |
| 3 | Trojan.Win32.Qhost | 2.35 |
| 4 | Trojan-Banker.Win32.Shiotob | 2.27 |
| 5 | Trojan-Banker.Win32.BestaFera | 2.12 |
| 6 | Trojan.Win32.Nymaim | 1.98 |
| 7 | Trojan-Banker.Win32.ChePro | 1.90 |
| 8 | Trojan-Banker.Win32.Banbra | 1.77 |
| 9 | Trojan.Win32.Neurevt | 0.67 |
| 10 | Backdoor.Win32.Shiz | 0.66 |

*The detection verdicts of Kaspersky Lab products, received from users of Kaspersky Lab products who have consented to provide their statistical data.
**Unique users whose computers have been targeted by the malware in question as a percentage of all users attacked by financial malware.
Trojan-Spy.Win32.Zbot in first place is a permanent fixture in the leading positions of this ranking, and it is no coincidence: the source codes of this Trojan became publicly available back in 2012. This has resulted in the emergence of new banking Trojans that have adopted fragments of the Zbot code.
The second quarter of 2016 saw a surge in malicious activity by Trojan.Win32.Nymaim. As a result, this Trojan made it into the top 10 for the first time, going straight in at sixth place. Nymaim was initially designed to block access to valuable data and then demand a ransom (ransomware) to unblock it, but the latest version now also includes banking Trojan functionality for stealing financial information. This can be explained by the fact that the creators of Nymaim and Gozi (which also appears in the Q2 TOP 10 financial risks) have joined forces. Nymaim's source code now includes fragments of Gozi code that provide attackers with remote access to infected computers.
A permanent resident in this ranking and one of the reasons financial threats are so prominent in Brazil is the Trojan-Banker.Win32.ChePro family. This banking malware lets cybercriminals take screenshots, register keystrokes, and read the contents of the clipboard, i.e., it possesses functionality capable of attacking almost any online banking system. Criminals are trying to implement new techniques to avoid detection for as long as possible. Some of the Trojans from this family use geolocation or ask for the time zone and the Windows version from the system in order to infect users in a particular region.
Yet another newcomer to the top 10 most active financial threats in Q2 was the Trojan.Win32.Neurevt family. Representatives of this family were first discovered in 2013 and are used by cybercriminals not only to steal user payment data in online banking systems but also to send out spam (some versions, for example, sent spam messages on Skype) and implement DDoS attacks (with the addition of functionality capable of performing the Slowloris HTTP flooding scenario).
Ransomware Trojans
The overall number of cryptor modifications in our virus collection to date is approximately 26,000. A total of 28 new cryptor families and 9,296 new modifications were detected in Q2.
The following graph shows the rise in the number of newly created cryptor modifications over the last two quarters.
Figure: Number of Trojan-Ransom cryptor modifications (Q1 2016 vs Q2 2016)
Some of the more high-profile or unusual Trojans detected in Q2 2016 are listed below:
CryptXXX (Trojan-Ransom.Win32.CryptXXX)
This cryptor has been widely distributed via exploit kits since April 2016. Its earlier versions contained gaps in the file encryption algorithm which allowed Kaspersky Lab to release a utility to decrypt them. Unfortunately, the attackers have made adjustments to subsequent versions, making it impossible to decrypt the files affected by later CryptXXX modifications.
ZCryptor (Trojan-Ransom.MSIL.Zcryptor)
This malware combines cryptor functionality and a worm distribution method. Trojan ransomware does not usually include tools for self-propagation, and ZCryptor just happens to be an exception to this rule. Like a classic worm, while infecting, it creates copies of its body on removable media and generates the autorun.inf file to implement the automatic launch of its executable file once the media is connected to another system (if, of course, autorun is not disabled).
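
A defender-side check for the removable-media propagation described above, added here as an example (it is not code from the report or from Kaspersky Lab): it parses an autorun.inf found in the root of a volume and lists the directives that would start a program. The sample file contents and file names are constructed for illustration.

```python
import os
import re
import sys

# [autorun] keys that make Windows start a program when the volume is opened.
LAUNCH_KEYS = {"open", "shellexecute"}
SHELL_VERB = re.compile(r"^shell\\[^\\]+\\command$")
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".lnk"}

# Constructed samples (file names are made up, not taken from ZCryptor).
SAMPLE_SUSPICIOUS = r"""; constructed sample
[AutoRun]
open="system update.exe" /quiet
icon=folder.ico
shell\explore\command=update.exe
"""
SAMPLE_BENIGN = """[autorun]
icon=drive.ico
label=Backup
"""


def decode_inf(data):
    """autorun.inf is usually ANSI, but may be UTF-16 with a byte order mark."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16", errors="replace")
    return data.decode("latin-1")


def parse_autorun(text):
    """Return {key: value} for the [autorun] section, keys lowercased."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def program_of(value):
    """Extract the program path from a command line, honouring quotes."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end != -1 else value[1:]
    return value.split()[0] if value else ""


def find_launchers(text):
    """List directives in autorun.inf text that would launch a program."""
    findings = []
    for key, value in parse_autorun(text).items():
        if key in LAUNCH_KEYS or SHELL_VERB.match(key):
            target = program_of(value)
            ext = os.path.splitext(target)[1].lower()
            findings.append(
                {"key": key, "target": target, "executable": ext in EXEC_EXT}
            )
    return findings


def scan_volume(root):
    """Inspect the root of a mounted volume; [] if no autorun.inf is present."""
    with os.scandir(root) as entries:
        for entry in entries:
            if entry.is_file() and entry.name.lower() == "autorun.inf":
                with open(entry.path, "rb") as fh:
                    return find_launchers(decode_inf(fh.read()))
    return []


if __name__ == "__main__":
    # With no arguments, run on the constructed sample; otherwise scan the
    # volume roots given on the command line.
    if len(sys.argv) == 1:
        for hit in find_launchers(SAMPLE_SUSPICIOUS):
            print("sample:", hit)
    for root in sys.argv[1:]:
        for hit in scan_volume(root):
            print(root, hit)
```
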
RAA (Trojan-Ransom.JS.RaaCrypt)
Sometimes we come across cryptors that differ from their peers in terms of functionality, and sometimes an unusual implementation will catch the attention of an analyst. In the case of RAA, the choice of programming language was curious: it was written entirely in JavaScript. The whole body of the program was included in a single .js file delivered to the victim as an attachment in a spam message. When run, it displays a fake error message, and in the meantime, encrypts the user's files.
Bart (Trojan-Ransom.Win32.Bart)
This cryptor puts the victim's files in password-protected ZIP archives and it creates passwords using the Diffie-Hellman algorithm on an elliptic curve. The design of the ransom note and the payment site is an exact copy of that used by the notorious Locky.
Satana (Trojan-Ransom.Win32.Satan)
This is a combination of MBR blocker and file cryptor, probably inspired by similar functionality in the notorious Petya + Mischa Trojans. Satana, unlike Petya, does not encrypt MFT; in fact, its MBR module is obviously incomplete because the process of checking the password entered by the victim results in nothing more than a continuous cycle. Below is a fragment of the code demonstrating this.
Figure: Number of users attacked by Trojan-Ransom cryptor malware (Q2 2016)
In Q2 2016, 311,590 unique users were attacked by cryptors, which is 16% less than the previous quarter. Approximately 21% of those attacked were in the corporate sector.
It is important to keep in mind that the real number of incidents is several times higher: the statistics reflect only the results of signature-based and heuristic detections, while in most cases Kaspersky Lab products detect encryption Trojans based on behavior recognition models and issue the Generic verdict, which does not distinguish the type of malicious software.
| | Country* | % of users attacked by cryptors** |
|---|---|---|
| 1 | Japan | 2.40 |
| 2 | Italy | 1.50 |
| 3 | Djibouti | 1.46 |
| 4 | Luxembourg | 1.36 |
| 5 | Bulgaria | 1.34 |
| 6 | Croatia | 1.25 |
| 7 | Maldives | 1.22 |
| 8 | Korea | 1.21 |
| 9 | Netherlands | 1.15 |
| 10 | Taiwan | 1.04 |

*We excluded those countries where the number of Kaspersky Lab product users is relatively small (less than 10,000).
**Unique users whose computers have been targeted by ransomware as a percentage of all unique users of Kaspersky Lab products in the country.
In Q2, half of the top 10 were European countries, one less than the previous quarter.
Japan, which came ninth in Q1, topped the ranking of countries attacked by cryptors with 2.40%: the most widespread cryptor families in the country were Teslacrypt, Locky and Cryakl.
Newcomers to this ranking were Djibouti (1.46%), Korea (1.21%) and Taiwan (1.04%).
| | Name | Verdict* | Percentage of users** |
|---|---|---|---|
| 1 | CTB-Locker | Trojan-Ransom.Win32.Onion / Trojan-Ransom.NSIS.Onion | 14.59 |
| 2 | Teslacrypt | Trojan-Ransom.Win32.Bitman | 8.36 |
| 3 | Locky | Trojan-Ransom.Win32.Locky | 3.34 |
| 4 | Shade | Trojan-Ransom.Win32.Shade | 2.14 |
| 5 | Cryrar / ACCDFISA | Trojan-Ransom.Win32.Cryrar | 2.02 |
| 6 | Cryptowall | Trojan-Ransom.Win32.Cryptodef | 1.98 |
| 7 | Cryakl | Trojan-Ransom.Win32.Cryakl | 1.93 |
| 8 | Cerber | Trojan-Ransom.Win32.Zerber | 1.53 |
| 9 | Scatter | Trojan-Ransom.BAT.Scatter / Trojan-Downloader.JS.Scatter / Trojan-Dropper.JS.Scatter / Trojan-Ransom.Win32.Scatter | 1.39 |
| 10 | Rakhni | Trojan-Ransom.Win32.Rakhni / Trojan-Downloader.Win32.Rakhni | 1.13 |

*These statistics are based on detection verdicts received from users of Kaspersky Lab products who have consented to provide their statistical data.
**Unique users whose computers have been targeted by a specific Trojan-Ransom family as a percentage of all users of Kaspersky Lab products attacked by Trojan-Ransom malware.
First place in Q2 was occupied by the CTB-Locker (Trojan-Ransom.Win32/NSIS.Onion) family. In second place was the TeslaCrypt family represented by one verdict: Trojan-Ransom.Win32.Bitman. The Trojan-Ransom.JS.Cryptoload verdict, which in the past downloaded malware and was associated with TeslaCrypt, is no longer characteristic of this family only. TeslaCrypt was earlier a major contributor to the statistics, but fortunately ceased to exist in May 2016: the owners disabled their servers and posted a master key to decrypt files.
Cerber and Cryrar are the only changes to this ranking compared to the previous quarter.
The Cerber cryptor spreads via spam and exploit kits. The cryptor's site on the Tor network is translated into lots of languages. Cerber's special features include the following:
- It explores the infected system meticulously: checks for the presence of an antivirus, if it is running under a virtual machine (Parallels, VmWare, QEMU, VirtualBox) or Wine, checks for utilities from various researchers and analysts (it does this by searching for certain processes and files on the disk drive), it even has a blacklist of system drive serial numbers.
- It checks the keyboard layout and the IP address of the infected system. If it detects that the machine is located in a CIS country, it stops infecting it.
- It attempts to bypass antivirus protection by terminating their processes, interrupting services, deleting files.
- In addition to notifying users about encryption in the form of TXT and HTML files, as is the case with other families, it also runs the VBS script which reproduces the following voice message: "Attention! Attention! Attention! Your documents, photos, databases and other important files have been encrypted!"
The Cryrar cryptor, also known as the Anti Cyber Crime Department of Federal Internet Security Agency (ACCDFISA), Anti-Child Porn Spam Protection, etc., first appeared back in 2012. It has the distinctive feature of placing the victim's files in password-protected self-extracting RAR archives. According to KSN statistics, it shows no signs of conceding its position to newer rivals.
81% of notifications about blocked web attacks were triggered by attacks coming from web resources located in 10 countries.
Figure: Distribution of web attack sources by country, Q2 2016
The US (35.44%) returned to the top of this ranking in the second quarter. Russia (10.28%) moved up one place to second. The previous quarter's leader, the Netherlands, dropped to fourth place after its share fell by 17.7 percentage points. Germany completed the Top 3 with a share of 8.9%. Bulgaria left the Top 10, while Canada was a newcomer in ninth place with 0.96%.
In order to assess the risk of online infection faced by users in different countries, we calculated the percentage of Kaspersky Lab users in each country who encountered detection verdicts on their machines during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers work in different countries.
| | Country* | % of unique users attacked** |
|---|---|---|
| 1 | Azerbaijan | 32.10 |
| 2 | Russia | 30.80 |
| 3 | China | 29.35 |
| 4 | Slovenia | 27.54 |
| 5 | Ukraine | 27.46 |
| 6 | Kazakhstan | 27.03 |
| 7 | Vietnam | 26.02 |
| 8 | Algeria | 25.63 |
| 9 | Armenia | 25.09 |
| 10 | Belarus | 24.60 |
| 11 | Brazil | 24.05 |
| 12 | France | 22.45 |
| 13 | Moldova | 22.34 |
| 14 | Kyrgyzstan | 22.13 |
| 15 | Bulgaria | 22.06 |
| 16 | Italy | 21.68 |
| 17 | Chile | 21.56 |
| 18 | Qatar | 20.10 |
| 19 | India | 20.00 |
| 20 | Portugal | 19.84 |

These statistics are based on the detection verdicts returned by the web antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data.
*These calculations excluded countries where the number of Kaspersky Lab users is relatively small (fewer than 10,000 users).
**Unique users whose computers have been targeted by web attacks as a percentage of all unique users of Kaspersky Lab products in the country.
In Q2, Azerbaijan moved up from fourth to first place and became the new leader of this ranking with 32.1%. Russia (30.8%) dropped from first to second, while Kazakhstan (27.03%) fell from second to sixth place.
Since the previous quarter, Spain, Lithuania, Croatia and Turkey have all left the TOP 20. The newcomers to this ranking were Bulgaria (22.06%), Chile (21.56%), Qatar (20.10%) and Portugal (19.84%).
The countries with the safest online surfing environments included Canada (15%), Romania (14.6%), Belgium (13.7%), Mexico (13.2%), the US (12.8%), Switzerland (12.4%), New Zealand (12.1%), Czech Republic (12%), Argentina (9.9%), Japan (9.5%), the Netherlands (8.3), Sweden (8.2%) and Germany (8%).
On average, 19.4% of computers connected to the Internet globally were subjected to at least one web attack during the three months. This is a fall of 1.8 p.p. compared to Q1 2016.
Local threats
Local infection statistics for user computers are a very important indicator: they reflect threats that have penetrated computer systems by infecting files or removable media, or initially got on the computer in an encrypted format (for example, programs integrated in complex installers, encrypted files, etc.).
Data in this section is based on analyzing statistics produced by antivirus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media.
In Q2 2016, Kaspersky Lab's file antivirus detected 249,619,379 unique malicious and potentially unwanted objects.
| | Country* | % of unique users** |
|---|---|---|
| 1 | Somalia | 65.80 |
| 2 | Vietnam | 63.33 |
| 3 | Tajikistan | 62.00 |
| 4 | Russia | 61.56 |
| 5 | Kyrgyzstan | 60.80 |
| 6 | Bangladesh | 60.19 |
| 7 | Afghanistan | 60.00 |
| 8 | Armenia | 59.74 |
| 9 | Ukraine | 59.67 |
| 10 | Nepal | 59.66 |
| 11 | Ethiopia | 59.63 |
| 12 | Laos | 58.43 |
| 13 | Kazakhstan | 57.72 |
| 14 | Rwanda | 57.33 |
| 15 | Djibouti | 56.07 |
| 16 | Yemen | 55.98 |
| 17 | Venezuela | 55.76 |
| 18 | Algeria | 55.58 |
| 19 | Cambodia | 55.56 |
| 20 | Iraq | 55.55 |

These statistics are based on the detection verdicts returned by on-access and on-demand antivirus modules, received from users of Kaspersky Lab products who have consented to provide their statistical data. The data include detections of malicious programs located on users' computers or on removable media connected to the computers, such as flash drives, camera and phone memory cards, or external hard drives.
*These calculations exclude countries where the number of Kaspersky Lab users is relatively small (fewer than 10,000 users).
**The percentage of unique users in the country with computers that blocked local threats as a percentage of all unique users of Kaspersky Lab products.
Somalia remained the leader of this ranking in Q2 2016 with 65.8%. Yemen (55.98%) fell from second to sixteenth place, while Vietnam (63.33%) jumped from eighth to second. Tajikistan (62%) rounded off the TOP 3. Russia moved up one place from fifth to fourth, although the figure for that country declined by 2.62 percentage points to 61.56%.
Newcomers to this ranking are Djibouti in fifteenth place (56.07%), Venezuela in seventeenth (55.76%), and Cambodia in nineteenth (55.56%).
The safest countries in terms of local infection risks were Croatia (29%), Singapore (28.4%), Germany (28.1%), Norway (27.6%), the US (27.1%), Switzerland (26.3%), Japan (22.1%), Denmark (21.4%) and Sweden (21.3%).
An average of 43.3% of computers globally faced at least one local threat during Q2 2016, which is 1.2 p.p. less than in the previous quarter.
THERE IS 1 COMMENT
Harm Kuiper
Posted on August 18, 2016. 7:32 am
Thanks, great report! Feel free to contact me if you want more input.