9/20/2016

IT threat evolution in Q2 2016. Statistics - Securelist

IT threat evolution in Q2 2016. Statistics

By Roman Unuchek, Maria Garnaeva, Anton Ivanov, Denis Makrushin, Fedor Sinitsyn on August 11, 2016. 10:57 am

All the statistics used in this report were obtained using Kaspersky Security Network (KSN), a distributed antivirus network that works with various anti-malware protection components. The data was collected from KSN users who agreed to provide it. Millions of Kaspersky Lab product users from 213 countries and territories worldwide participate in this global exchange of information about malicious activity.

Q2 figures
- According to KSN data, Kaspersky Lab solutions detected and repelled 171,895,830 malicious attacks from online resources located in 191 countries all over the world.
- 54,539,948 unique URLs were recognized as malicious by web antivirus components.
- Kaspersky Lab's web antivirus detected 16,119,489 unique malicious objects: scripts, exploits, executable files, etc.
- Attempted infections by malware that aims to steal money via online access to bank accounts were registered on 1,132,031 user computers.
- Crypto ransomware attacks were blocked on 311,590 computers of unique users.
- Kaspersky Lab's file antivirus detected a total of 249,619,379 unique malicious and potentially unwanted objects.
- Kaspersky Lab mobile security products detected:
  - 3,626,458 malicious installation packages
  - 27,403 mobile banker Trojans (installation packages)
  - 83,048 mobile ransomware Trojans (installation packages).

Mobile threats
In Q2 2016, Kaspersky Lab detected 3,626,458 malicious installation packages, 1.7 times more than in the previous quarter.

[Figure: Number of detected malicious installation packages (Q3 2015 - Q2 2016)]

Distribution of mobile malware by type



As of this quarter, we will calculate the distribution of mobile malware by type based on the number of detected malicious installation packages rather than modifications, as was the case in earlier reports.

[Figure: Distribution of new mobile malware by type (Q1 2016 and Q2 2016)]

In Q2 2016, RiskTool software, or legal applications that are potentially dangerous to users, topped the ranking of detected malicious objects for mobile devices. Their share increased from 31.6% in Q1 to 45.1% this quarter.

Adware occupies second place. The share of these programs fell 1.4 p.p. compared to the previous quarter, and accounted for 14.2%.

The share of SMS Trojans fell from 18.5% to 10.8%, pushing this category of malicious programs down from second to third place in the ranking. Trojan-SMS.AndroidOS.Agent.qu and Trojan-SMS.AndroidOS.Agent.f accounted for most of the detected SMS Trojans, with both accounting for approximately 30% of all malicious files in this category.

The Trojan-Dropper share also fell from 14.5% in Q1 to 9.2%. Trojan-Dropper.AndroidOS.Agent.v led the way: we detected more than 50,000 installation packages related to this Trojan.

TOP 20 mobile malware programs


Please note that this ranking of malicious programs does not include potentially dangerous or unwanted programs such as RiskTool or adware.

| | Name | % of attacked users* |
|---|---|---|
| 1 | DangerousObject.Multi.Generic | 80.87 |
| 2 | Trojan.AndroidOS.Iop.c | 11.38 |
| 3 | Trojan.AndroidOS.Agent.gm | 7.71 |
| 4 | Trojan-Ransom.AndroidOS.Fusob.h | 6.59 |
| 5 | Backdoor.AndroidOS.Ztorg.a | 5.79 |
| 6 | Backdoor.AndroidOS.Ztorg.c | 4.84 |
| 7 | Trojan-Ransom.AndroidOS.Fusob.pac | 4.41 |
| 8 | Trojan.AndroidOS.Iop.t | 4.37 |
| 9 | Trojan-Dropper.AndroidOS.Gorpo.b | 4.3 |
| 10 | Trojan.AndroidOS.Ztorg.a | 4.30 |
| 11 | Trojan.AndroidOS.Ztorg.i | 4.25 |
| 12 | Trojan.AndroidOS.Iop.ag | 4.00 |
| 13 | Trojan-Dropper.AndroidOS.Triada.d | 3.10 |
| 14 | Trojan-Dropper.AndroidOS.Rootnik.f | 3.07 |
| 15 | Trojan.AndroidOS.Hiddad.v | 3.03 |
| 16 | Trojan-Dropper.AndroidOS.Rootnik.h | 2.94 |
| 17 | Trojan.AndroidOS.Iop.o | 2.91 |
| 18 | Trojan.AndroidOS.Rootnik.ab | 2.91 |
| 19 | Trojan.AndroidOS.Triada.e | 2.85 |
| 20 | Trojan-SMS.AndroidOS.Podec.a | 2.83 |

* Percentage of unique users attacked by the malware in question, relative to all users of Kaspersky Lab's mobile security product that were attacked.

First place is occupied by DangerousObject.Multi.Generic (80.87%), the classification used for malicious programs detected by cloud technologies. Cloud technologies work when the antivirus database contains neither the signatures nor heuristics to detect a malicious program, but the cloud of the antivirus company already contains information about the object. This is basically how the very latest malware is detected.

As in the previous quarter, 16 Trojans that use advertising as their main means of monetization (highlighted in blue in the table) made it into the TOP 20. Their goal is to deliver as many adverts as possible to the user, employing various methods, including the installation of new adware. These Trojans may use superuser privileges to conceal themselves in the system application folder, from which it will be very difficult to delete them.

Trojan.AndroidOS.Iop.c (11.38%) moved from third to second in the TOP 20 and became the single most popular malicious program of the quarter. Over the reporting period we detected this Trojan in 180 countries, but the majority of attacked users were in Russia, India and Algeria. Iop.c can exploit a variety of vulnerabilities in the system to gain superuser privileges. The main method of monetization is displaying advertising and installing (usually secretly) various programs on the user's device, including other malicious programs.


Representatives of the Trojan-Ransom.AndroidOS.Fusob ransomware family claimed fourth and seventh places. These Trojans demand a ransom of $100-200 from victims to unblock their devices. Attacks using this Trojan were registered in over 120 countries worldwide in Q2, with a substantial number of victims located in Germany and the US.

Trojan-SMS.AndroidOS.Podec.a (2.83%) has now spent over a year in the mobile malware TOP 20, although it is starting to lose ground. It used to be an ever-present in the TOP 5 mobile threats, but for the second quarter in a row it has only made it into the bottom half of the ranking. Its functionality has remained practically unchanged; its main means of monetization is to subscribe users to paid services.

The geography of mobile threats

[Figure: The geography of attempted mobile malware infections in Q2 2016 (percentage of all users attacked)]

TOP 10 countries attacked by mobile malware (ranked by percentage of users attacked)

| | Country* | % of users attacked** |
|---|---|---|
| 1 | China | 36.31 |
| 2 | Bangladesh | 32.66 |
| 3 | Nepal | 30.61 |
| 4 | Uzbekistan | 22.43 |
| 5 | Algeria | 22.16 |
| 6 | Nigeria | 21.84 |
| 7 | India | 21.64 |
| 8 | Indonesia | 21.35 |
| 9 | Pakistan | 19.49 |
| 10 | Iran | 19.19 |

* We eliminated countries from this ranking where the number of users of Kaspersky Lab's mobile security product is lower than 10,000.
** Percentage of unique users attacked in each country relative to all users of Kaspersky Lab's mobile security product in the country.

China topped the ranking, with more than 36% of users there encountering a mobile threat at least once during the quarter. China also came first in this ranking in Q1 2016.

In all the countries of this ranking, except China, the most popular mobile malware was the same advertising Trojans that appeared in the TOP 20 mobile malware, and AdWare. The most popular malicious program was Trojan.AndroidOS.Iop.c. In China, a significant proportion of attacks also involved advertising Trojans, but the majority of users there encountered the Backdoor.AndroidOS.GinMaster and Backdoor.AndroidOS.Fakengry families, while Trojan.AndroidOS.Iop.c only occupied sixteenth place.

Russia (10.4%) was 26th in this ranking, Germany (8.5%) 38th, Italy (6.2%) 49th, and France (5.9%) 52nd. The US (5.0%) came 59th and the UK (4.6%) 64th.

The safest countries were Austria (3.6%), Sweden (2.9%) and Japan (1.7%).

Mobile banking Trojans


As of this quarter, we will calculate the distribution of mobile malware by type based on the number of detected malicious installation packages rather than modifications, as was the case in earlier reports.

Over the reporting period, we detected 27,403 mobile Trojans, which is 1.2 times less than in Q1.

[Figure: Number of mobile banking Trojans detected by Kaspersky Lab solutions (Q3 2015 - Q2 2016)]

The TOP 5 most popular mobile banking Trojans in Q2 consisted of representatives from just two families: Trojan-Banker.AndroidOS.Asacub and Trojan-Banker.AndroidOS.Svpeng.

Trojan-Banker.AndroidOS.Asacub.i was the most popular mobile banking Trojan of the quarter. It uses different methods to trick users and bypass system constraints. In Q1 we identified a modification of this mobile Trojan that overlaid the regular system window requesting device administrator privileges with its own window containing buttons. The Trojan thereby conceals the fact that it is gaining elevated privileges in the system from the user, and tricks the user into approving these privileges. In Q2, we detected a modification that requested the user's permission to become the main SMS application.

[Figure: Dialog window of Trojan-Banker.AndroidOS.Asacub.i asking for the user's approval to become the main SMS application]

This allows the Trojan to bypass the system constraints introduced in Android 4.4, and to hide incoming SMSs from the user (as a rule, it hides messages from banks and payment systems). In order to make users save this malicious program in the settings as the main SMS application, the Trojan authors had to, among other things, implement a messenger interface.

[Figure: The Trojan-Banker.AndroidOS.Asacub.i interface used to create and send messages]

Asacub is actively distributed via SMS spam.

Russia and Germany lead in terms of the number of users attacked by mobile banking Trojans:


[Figure: Geography of mobile banking threats in Q2 2016 (percentage of all users attacked)]

The number of attacked users depends on the overall number of users within each individual country. To assess the risk of a mobile banker Trojan infection in each country, and to compare it across countries, we created a country ranking according to the percentage of users attacked by mobile banker Trojans.

TOP 10 countries attacked by mobile banker Trojans (ranked by percentage of users attacked)

| | Country* | % of users attacked** |
|---|---|---|
| 1 | Russia | 1.51 |
| 2 | Australia | 0.73 |
| 3 | Uzbekistan | 0.45 |
| 4 | Korea | 0.35 |
| 5 | China | 0.34 |
| 6 | Ukraine | 0.33 |
| 7 | Denmark | 0.28 |
| 8 | Germany | 0.24 |
| 9 | Turkey | 0.23 |
| 10 | Kyrgyzstan | 0.17 |

* We eliminated countries from this ranking where the number of users of Kaspersky Lab's mobile security product is lower than 10,000.
** Percentage of unique users in each country attacked by mobile banker Trojans, relative to all users of Kaspersky Lab's mobile security product in the country.

In Q2 2016, first place was occupied by Russia (1.51%) where the majority of affected users encountered the Trojan-Banker.AndroidOS.Asacub, Trojan-Banker.AndroidOS.Svpeng and Trojan-Banker.AndroidOS.Faketoken families of mobile banker Trojans.

China, last quarter's leader, fell to fifth place this quarter.

In second place again was Australia where the Trojan-Banker.AndroidOS.Acecard family was replaced by the Trojan-Banker.AndroidOS.Marcher family as the most popular threat.

Banking Trojans were especially popular with attackers in Russia and Australia. The percentage of users attacked by this malware in the two countries relative to all attacked users accounted for 14%.

Mobile Trojan-Ransomware
As of this quarter, we will calculate the distribution of mobile malware by type based on the number of detected malicious installation packages rather than modifications, as was the case in earlier reports.

In Q2 2016, we detected 83,048 mobile Trojan-Ransomware installation packages, which is about the same number as the previous quarter and seven times more than in Q4 2015.

[Figure: Number of mobile Trojan-Ransomware installation packages detected by Kaspersky Lab (Q3 2015 - Q2 2016)]

The sharp rise in the number of mobile Trojan-Ransomware installation packages in 2016 was caused by the active proliferation of the Trojan-Ransom.AndroidOS.Fusob family of Trojans. In the first quarter of 2016, this family accounted for 96% of users attacked by mobile ransomware. In Q2 its share was 85%.


Trojan-Ransom.AndroidOS.Fusob.h became the most popular mobile Trojan-Ransomware in the second quarter: it accounted for nearly 60% of users attacked by mobile ransomware. Once run, the Trojan requests administrator privileges, collects information about the device, including the GPS coordinates and call history, and downloads the data to a malicious server. After that, it may get a command to block the device. In the second quarter we registered a growth in the number of installation packages related to Trojan-Ransom.AndroidOS.Congur.b: their share grew from 0.8% to 8.8%. This Trojan, targeting Chinese-speaking users, changes the system password (PIN), or installs it if no password was installed earlier, thus making it impossible to use the device. The notification containing the ransom demand is displayed on the screen of the blocked device.

Germany, the US and Russia had the highest number of users attacked by Trojan-Ransomware this quarter:

[Figure: Geography of mobile Trojan-Ransomware in Q2 2016 (percentage of all users attacked)]

To assess the risk of a mobile banker Trojan infection in each country, and to compare it across countries, we created a country ranking according to the percentage of users attacked by mobile Trojan-Ransomware.

TOP 10 countries attacked by mobile Trojan-Ransomware (ranked by percentage of users attacked)

| | Country* | % of users attacked** |
|---|---|---|
| 1 | Canada | 2.01 |
| 2 | Germany | 1.89 |
| 3 | US | 1.66 |
| 4 | Switzerland | 1.63 |
| 5 | Mexico | 1.55 |
| 6 | UK | 1.51 |
| 7 | Denmark | 1.35 |
| 8 | Italy | 1.35 |
| 9 | Kazakhstan | 1.35 |
| 10 | Netherlands | 1.15 |

* We eliminated countries from this ranking where the number of users of Kaspersky Lab's mobile security product is lower than 10,000.
** Percentage of unique users in each country attacked by mobile Trojan-Ransomware, relative to all users of Kaspersky Lab's mobile security product in the country.

In all the countries of the TOP 10, except for Kazakhstan, the most popular Trojan-Ransom family was Fusob. In the US, the Trojan-Ransom.AndroidOS.Svpeng family was also popular. These Trojans demand a ransom of $100-500 from victims to unblock their devices.

In Kazakhstan and Uzbekistan, the main threat to users originated from representatives of the Small mobile Trojan-Ransom family. This is a fairly simple ransomware program that blocks operation of a device by overlaying all the windows on the device with its own window and demanding $10 to unblock it.


Vulnerable applications exploited by cybercriminals


In Q2 2016, exploits for Adobe Flash Player remained popular. During the reporting period two new vulnerabilities were discovered in this software:
- CVE-2016-4117
- CVE-2016-4171

An exploit for CVE-2016-4117 was added to the Magnitude and Neutrino exploit kits. The CVE-2016-4171 vulnerability was used by the ScarCruft group to carry out targeted attacks. We wrote a more detailed account of this group's activities in a blog published in mid-June.


The main event this quarter was the demise of the long-term market leaders, the Angler and Nuclear exploit kits. Angler's departure resulted in market players shifting to other kits to distribute malware. In particular, we registered a dramatic growth in the popularity of the Neutrino exploit kit.

This is how the overall picture for the use of exploits in the second quarter looks:

[Figure: Distribution of exploits used in attacks by the type of application attacked, Q2 2016]

The chart shows that despite the exit of the market leaders the breakdown of exploits was almost unchanged from the previous quarter: the proportion of exploits for Microsoft Office (14%) and Java (7%) fell by 1 p.p., while the share for Android grew 2 p.p. and reached 24%. This suggests that demand for exploit kits has been spread among the remaining players: RIG, Magnitude and Neutrino. The latter was the undisputed leader this quarter in terms of the number of attempts to download malware.

Online threats (Web-based attacks)


The statistics in this section were derived from web antivirus components that protect users from attempts to download malicious objects from a malicious/infected website. Malicious websites are created deliberately by malicious users; infected sites include those with user-contributed content (such as forums), as well as compromised legitimate resources.

In the second quarter of 2016, Kaspersky Lab's web antivirus detected 16,119,489 unique malicious objects: scripts, exploits, executable files, etc. 54,539,948 unique URLs were recognized as malicious by web antivirus components.

Online threats in the banking sector


These statistics are based on the detection verdicts of Kaspersky Lab products, received from users of Kaspersky Lab products who have consented to provide their statistical data.

Number of users attacked by malware targeting finances


Due to the constant emergence of new representatives of banking Trojans and functional changes in existing banking Trojans, in the second quarter of 2016 we have significantly updated the list of verdicts classed as banking risks. This means the number of financial malware victims has changed significantly compared to the data published in previous quarters. As a comparison, we have recalculated the statistics for the previous quarter, taking into account all the malware from the updated list.

Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via online banking on 1,132,031 computers in Q2 2016. The quarter saw an increase in financial malware activity: the figure for Q2 is 15.6% higher than that for the previous quarter (979,607).

[Figure: Number of users attacked by malware targeting finances, Q2 2016]

Geography of attack
To evaluate and compare the risk of being infected by banking Trojans worldwide, we calculate the percentage of Kaspersky Lab product users who encountered this type of threat during the reporting period in the country, relative to all users of our products in the country.


[Figure: Geography of banking malware attacks in Q2 2016 (percentage of attacked users)]

TOP 10 countries by percentage of attacked users

| | Country* | % of attacked users** |
|---|---|---|
| 1 | Turkey | 3.45 |
| 2 | Russia | 2.92 |
| 3 | Brazil | 2.63 |
| 4 | Pakistan | 2.60 |
| 5 | Venezuela | 1.66 |
| 6 | Tunisia | 1.62 |
| 7 | Japan | 1.61 |
| 8 | Singapore | 1.58 |
| 9 | Libya | 1.57 |
| 10 | Argentina | 1.48 |

These statistics are based on the detection verdicts returned by the antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data.
* We excluded those countries in which the number of Kaspersky Lab product users is relatively small (less than 10,000).
** Unique users whose computers have been targeted by banking Trojan attacks as a percentage of all unique users of Kaspersky Lab products in the country.

The highest percentage of Kaspersky Lab users attacked by banking Trojans was in Turkey. One of the reasons for the growth in financial threats there was a burst of activity by the Gozi banking Trojan whose developers have joined forces with the creators of the Nymaim Trojan.

In Russia, 2.92% of users encountered a banking Trojan at least once in Q2, placing it second in this ranking.

Brazil rounds off the top three. We expect a surge in financial threats in Latin America in the next quarter due to the Olympic Games in Brazil. This event is just too tempting for cybercriminals to ignore: they regularly use the theme of major sporting events in their attacks to lure potential victims.

The top five countries where users were least affected by banking Trojans were Canada (0.33%), the US (0.4%), the UK (0.4%), France (0.43%) and the Netherlands (0.5%).

The percentage of banking Trojan victims in Italy was 0.62%, in Spain it was 0.83%, while in Germany the figure was 1.03%.

The TOP 10 banking malware families
The table below shows the top 10 malware families most commonly used in Q2 2016 to attack online banking users (as a percentage of users attacked):

| | Name* | Percentage of users attacked** |
|---|---|---|
| 1 | Trojan-Spy.Win32.Zbot | 15.72 |
| 2 | Trojan-Banker.Win32.Gozi | 3.28 |
| 3 | Trojan.Win32.Qhost | 2.35 |
| 4 | Trojan-Banker.Win32.Shiotob | 2.27 |
| 5 | Trojan-Banker.Win32.BestaFera | 2.12 |
| 6 | Trojan.Win32.Nymaim | 1.98 |
| 7 | Trojan-Banker.Win32.ChePro | 1.90 |
| 8 | Trojan-Banker.Win32.Banbra | 1.77 |
| 9 | Trojan.Win32.Neurevt | 0.67 |
| 10 | Backdoor.Win32.Shiz | 0.66 |

* The detection verdicts of Kaspersky Lab products, received from users of Kaspersky Lab products who have consented to provide their statistical data.
** Unique users whose computers have been targeted by the malware in question as a percentage of all users attacked by financial malware.

Trojan-Spy.Win32.Zbot in first place is a permanent fixture in the leading positions of this ranking, and it is no coincidence: the source codes of this Trojan became publicly available back in 2012. This has resulted in the emergence of new banking Trojans that have adopted fragments of the Zbot code.

The second quarter of 2016 saw a surge in malicious activity by Trojan.Win32.Nymaim. As a result, this Trojan made it into the top 10 for the first time, going straight in at sixth place. Nymaim was initially designed to block access to valuable data and then demand a ransom (ransomware) to unblock it, but the latest version now also includes banking Trojan functionality for stealing financial information. This can be explained by the fact that the creators of Nymaim and Gozi (which also appears in the Q2 TOP 10 financial risks) have joined forces. Nymaim's source code now includes fragments of Gozi code that provide attackers with remote access to infected computers.


A permanent resident in this ranking and one of the reasons financial threats are so prominent in Brazil is the Trojan-Banker.Win32.ChePro family. This banking malware lets cybercriminals take screenshots, register keystrokes, and read the contents of the clipboard, i.e., it possesses functionality capable of attacking almost any online banking system. Criminals are trying to implement new techniques to avoid detection for as long as possible. Some of the Trojans from this family use geolocation or ask for the time zone and the Windows version from the system in order to infect users in a particular region.

Yet another newcomer to the top 10 most active financial threats in Q2 was the Trojan.Win32.Neurevt family. Representatives of this family were first discovered in 2013 and are used by cybercriminals not only to steal user payment data in online banking systems but also to send out spam (some versions, for example, sent spam messages on Skype) and implement DDoS attacks (with the addition of functionality capable of performing the Slowloris HTTP flooding scenario).

Ransomware Trojans
The overall number of cryptor modifications in our virus collection to date is approximately 26,000. A total of 28 new cryptor families and 9,296 new modifications were detected in Q2.

The following graph shows the rise in the number of newly created cryptor modifications over the last two quarters.


[Figure: Number of Trojan-Ransom cryptor modifications (Q1 2016 vs Q2 2016)]

Some of the more high-profile or unusual Trojans detected in Q2 2016 are listed below:

CryptXXX (Trojan-Ransom.Win32.CryptXXX)
This cryptor has been widely distributed via exploit kits since April 2016. Its earlier versions contained gaps in the file encryption algorithm which allowed Kaspersky Lab to release a utility to decrypt them. Unfortunately, the attackers have made adjustments to subsequent versions, making it impossible to decrypt the files affected by later CryptXXX modifications.

ZCryptor (Trojan-Ransom.MSIL.Zcryptor)
This malware combines cryptor functionality and a worm distribution method. Trojan ransomware does not usually include tools for self-propagation, and ZCryptor just happens to be an exception to this rule. Like a classic worm, while infecting, it creates copies of its body on removable media and generates the autorun.inf file to implement the automatic launch of its executable file once the media is connected to another system (if, of course, autorun is not disabled).
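
A defender-side check for the removable-media propagation described above, as an added example that is not part of the original report: it parses the text of an autorun.inf file and reports the entries that would launch a program. The sample file contents and all function names are constructed for illustration.

```python
"""Audit the text of an autorun.inf file for auto-launch entries.

Added illustration; SAMPLE below is constructed, not taken from a real sample.
"""
import re

# Keys in the [autorun] section that name a program to start.
LAUNCH_KEYS = {"open", "shellexecute"}
# shell\<verb>\command entries attach a program to a context-menu verb.
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)
# Extensions that indicate an executable or script target.
EXECUTABLE_EXTS = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd",
                   ".vbs", ".js", ".jse", ".wsf", ".lnk")

SAMPLE = r"""
; constructed sample for this example
[AutoRun]
Open=invoice.exe
Icon=folder.ico
Label=Backup
shell\open\command="docs\viewer.exe" /s
UseAutoPlay=1
"""


def parse_autorun(text):
    """Return {section: {key: value}} with lower-cased section and key names."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # text outside any section, or padding without key=value
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def target_of(command):
    """Extract the program path from a command line.

    Quoted paths are returned whole; an unquoted path is cut at the first
    whitespace, so unquoted paths containing spaces are truncated.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def audit_autorun(text):
    """List every [autorun] entry that would start a program."""
    findings = []
    autorun = parse_autorun(text).get("autorun", {})
    for key, value in autorun.items():
        if key in LAUNCH_KEYS or SHELL_COMMAND_RE.match(key):
            target = target_of(value)
            findings.append({
                "key": key,
                "target": target,
                "executable": target.lower().endswith(EXECUTABLE_EXTS),
            })
    return findings


if __name__ == "__main__":
    for finding in audit_autorun(SAMPLE):
        print(finding)
```
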

RAA (Trojan-Ransom.JS.RaaCrypt)
Sometimes we come across cryptors that differ from their peers in terms of functionality, and sometimes an unusual implementation will catch the attention of an analyst. In the case of RAA, the choice of programming language was curious: it was written entirely in JavaScript. The whole body of the program was included in a single .js file delivered to the victim as an attachment in a spam message. When run, it displays a fake error message, and in the meantime, encrypts the user's files.

Bart (Trojan-Ransom.Win32.Bart)
This cryptor puts the victim's files in password-protected ZIP archives and it creates passwords using the Diffie-Hellman algorithm on an elliptic curve. The design of the ransom note and the payment site is an exact copy of that used by the notorious Locky.

Satana (Trojan-Ransom.Win32.Satan)
This is a combination of MBR blocker and file cryptor, probably inspired by similar functionality in the notorious Petya + Mischa Trojans. Satana, unlike Petya, does not encrypt MFT; in fact, its MBR module is obviously incomplete because the process of checking the password entered by the victim results in nothing more than a continuous cycle. Below is a fragment of the code demonstrating this.

The number of users attacked by ransomware

[Figure: Number of users attacked by Trojan-Ransom cryptor malware (Q2 2016)]

In Q2 2016, 311,590 unique users were attacked by cryptors, which is 16% less than the previous quarter. Approximately 21% of those attacked were in the corporate sector.

It is important to keep in mind that the real number of incidents is several times higher: the statistics reflect only the results of signature-based and heuristic detections, while in most cases Kaspersky Lab products detect encryption Trojans based on behavior recognition models and issue the Generic verdict, which does not distinguish the type of malicious software.

Top 10 countries attacked by cryptors


| | Country* | % of users attacked by cryptors** |
|---|---|---|
| 1 | Japan | 2.40 |
| 2 | Italy | 1.50 |
| 3 | Djibouti | 1.46 |
| 4 | Luxembourg | 1.36 |
| 5 | Bulgaria | 1.34 |
| 6 | Croatia | 1.25 |
| 7 | Maldives | 1.22 |
| 8 | Korea | 1.21 |
| 9 | Netherlands | 1.15 |
| 10 | Taiwan | 1.04 |

* We excluded those countries where the number of Kaspersky Lab product users is relatively small (less than 10,000).
** Unique users whose computers have been targeted by ransomware as a percentage of all unique users of Kaspersky Lab products in the country.

In Q2, half of the top 10 were European countries, one less than the previous quarter.

Japan, which came ninth in Q1, topped the ranking of countries attacked by cryptors with 2.40%: the most widespread cryptor families in the country were Teslacrypt, Locky and Cryakl.

Newcomers to this ranking were Djibouti (1.46%), Korea (1.21%) and Taiwan (1.04%).

Top 10 most widespread cryptor families


| | Name | Verdict* | Percentage of users** |
|---|---|---|---|
| 1 | CTB-Locker | Trojan-Ransom.Win32.Onion / Trojan-Ransom.NSIS.Onion | 14.59 |
| 2 | Teslacrypt | Trojan-Ransom.Win32.Bitman | 8.36 |
| 3 | Locky | Trojan-Ransom.Win32.Locky | 3.34 |
| 4 | Shade | Trojan-Ransom.Win32.Shade | 2.14 |
| 5 | Cryrar/ACCDFISA | Trojan-Ransom.Win32.Cryrar | 2.02 |
| 6 | Cryptowall | Trojan-Ransom.Win32.Cryptodef | 1.98 |
| 7 | Cryakl | Trojan-Ransom.Win32.Cryakl | 1.93 |
| 8 | Cerber | Trojan-Ransom.Win32.Zerber | 1.53 |
| 9 | Scatter | Trojan-Ransom.BAT.Scatter / Trojan-Downloader.JS.Scatter / Trojan-Dropper.JS.Scatter / Trojan-Ransom.Win32.Scatter | 1.39 |
| 10 | Rakhni | Trojan-Ransom.Win32.Rakhni / Trojan-Downloader.Win32.Rakhni | 1.13 |

* These statistics are based on detection verdicts received from users of Kaspersky Lab products who have consented to provide their statistical data.
** Unique users whose computers have been targeted by a specific Trojan-Ransom family as a percentage of all users of Kaspersky Lab products attacked by Trojan-Ransom malware.

First place in Q2 was occupied by the CTB-Locker (Trojan-Ransom.Win32/NSIS.Onion) family. In second place was the TeslaCrypt family represented by one verdict: Trojan-Ransom.Win32.Bitman. The Trojan-Ransom.JS.Cryptoload verdict, which in the past downloaded malware and was associated with TeslaCrypt, is no longer characteristic of this family only. TeslaCrypt was earlier a major contributor to the statistics, but fortunately ceased to exist in May 2016: the owners disabled their servers and posted a master key to decrypt files.


Cerber and Cryrar are the only changes to this ranking compared to the previous quarter.

The Cerber cryptor spreads via spam and exploit kits. The cryptor's site on the Tor network is translated into lots of languages. Cerber's special features include the following:
- It explores the infected system meticulously: checks for the presence of an antivirus, if it is running under a virtual machine (Parallels, VmWare, QEMU, VirtualBox) or Wine, checks for utilities from various researchers and analysts (it does this by searching for certain processes and files on the disk drive), it even has a blacklist of system drive serial numbers.
- It checks the keyboard layout and the IP address of the infected system. If it detects that the machine is located in a CIS country, it stops infecting it.
- It attempts to bypass antivirus protection by terminating their processes, interrupting services, deleting files.
- In addition to notifying users about encryption in the form of TXT and HTML files, as is the case with other families, it also runs the VBS script which reproduces the following voice message: "Attention! Attention! Attention! Your documents, photos, databases and other important files have been encrypted!"

The Cryrar cryptor, also known as the Anti Cyber Crime Department of Federal Internet Security Agency (ACCDFISA), Anti-Child Porn Spam Protection, etc., first appeared back in 2012. It has the distinctive feature of placing the victim's files in password-protected self-extracting RAR archives. According to KSN statistics, it shows no signs of conceding its position to newer rivals.

Top 10 countries where online resources are seeded with malware


The following statistics are based on the physical location of the online resources that were used in
attacks and blocked by our antivirus components (web pages containing redirects to exploits, sites
containing exploits and other malware, botnet command centers, etc.). Any unique host could be the
source of one or more web attacks.
In order to determine the geographical source of web-based attacks, domain names are matched against
their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is
established.
In Q2 2016, Kaspersky Lab solutions blocked 171,895,830 attacks launched from web resources located
in 191 countries around the world. 54,539,948 unique URLs were recognized as malicious by web antivirus
components.

81% of notifications about blocked web attacks were triggered by attacks coming from web resources
located in 10 countries.

Distribution of web attack sources by country, Q2 2016

The US (35.44%) returned to the top of this ranking in the second quarter. Russia (10.28%) moved up
one place to second. The previous quarter's leader, the Netherlands, dropped to fourth place after its
share fell by 17.7 percentage points. Germany completed the Top 3 with a share of 8.9%. Bulgaria left the
Top 10, while Canada was a newcomer in ninth place with 0.96%.

Countries where users faced the greatest risk of online infection


In order to assess the risk of online infection faced by users in different countries, we calculated the
percentage of Kaspersky Lab users in each country who encountered detection verdicts on their
machines during the quarter. The resulting data provides an indication of the aggressiveness of the
environment in which computers work in different countries.

      Country*        % of unique users attacked**
 1    Azerbaijan      32.10
 2    Russia          30.80
 3    China           29.35
 4    Slovenia        27.54
 5    Ukraine         27.46
 6    Kazakhstan      27.03
 7    Vietnam         26.02
 8    Algeria         25.63
 9    Armenia         25.09
10    Belarus         24.60
11    Brazil          24.05
12    France          22.45
13    Moldova         22.34
14    Kyrgyzstan      22.13
15    Bulgaria        22.06
16    Italy           21.68
17    Chile           21.56
18    Qatar           20.10
19    India           20.00
20    Portugal        19.84

These statistics are based on the detection verdicts returned by the web antivirus module,
received from users of Kaspersky Lab products who have consented to provide their statistical
data.
*These calculations excluded countries where the number of Kaspersky Lab users is relatively small
(fewer than 10,000 users).
**Unique users whose computers have been targeted by web attacks as a percentage of all unique users
of Kaspersky Lab products in the country.
In Q2, Azerbaijan moved up from fourth to first place and became the new leader of this ranking with
32.1%. Russia (30.8%) dropped from first to second, while Kazakhstan (27.03%) fell from second to sixth
place.
Since the previous quarter, Spain, Lithuania, Croatia and Turkey have all left the TOP 20. The newcomers
to this ranking were Bulgaria (22.06%), Chile (21.56%), Qatar (20.10%) and Portugal (19.84%).

The countries with the safest online surfing environments included Canada (15%), Romania (14.6%),
Belgium (13.7%), Mexico (13.2%), the US (12.8%), Switzerland (12.4%), New Zealand (12.1%), Czech
Republic (12%), Argentina (9.9%), Japan (9.5%), the Netherlands (8.3%), Sweden (8.2%) and Germany
(8%).
On average, 19.4% of computers connected to the Internet globally were subjected to at least one web
attack during the three months. This is a fall of 1.8 p.p. compared to Q1 2016.
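
The per-country risk figure used in this section (unique users with at least one detection verdict as a share of all unique users in the country, with countries under 10,000 users excluded) can be reproduced on one's own telemetry. The Python below is an added example, not Kaspersky Lab's code; the event tuple layout, function names, country codes and verdict string are assumptions, and the sample data is constructed.

```python
from collections import defaultdict

MIN_USERS = 10_000  # the report excludes countries with fewer users than this


def risk_by_country(events, min_users=MIN_USERS):
    """Rank countries by % of unique users with at least one detection verdict.

    events: iterable of (user_id, country, verdict); verdict is None for a
    clean telemetry record. This tuple layout is an assumption of the example.
    """
    all_users = defaultdict(set)   # country -> every unique user seen
    attacked = defaultdict(set)    # country -> unique users with >= 1 verdict
    for user_id, country, verdict in events:
        all_users[country].add(user_id)
        if verdict is not None:
            attacked[country].add(user_id)

    ranking = []
    for country, users in all_users.items():
        if len(users) < min_users:
            continue  # below the cut-off: left out of the ranking entirely
        share = 100.0 * len(attacked[country]) / len(users)
        ranking.append((country, round(share, 2)))
    # Highest risk first; the country code breaks ties deterministically.
    return sorted(ranking, key=lambda row: (-row[1], row[0]))


def constructed_events():
    """Constructed sample telemetry (not real KSN data)."""
    # (country, total unique users, attacked unique users)
    plan = [("AA", 20_000, 5_000), ("BB", 12_000, 1_200), ("CC", 500, 400)]
    for country, total, hit in plan:
        for n in range(total):
            user = f"{country}-{n}"
            yield (user, country, None)  # routine clean record
            if n < hit:
                # Two verdicts for the same user must still count once.
                yield (user, country, "constructed.verdict")
                yield (user, country, "constructed.verdict")


if __name__ == "__main__":
    for country, pct in risk_by_country(constructed_events()):
        print(f"{country}: {pct:.2f}% of unique users attacked")
```

Country "CC" has the highest raw share (400 of 500 users) but is dropped by the 10,000-user cut-off, which is why the footnote matters when comparing rankings.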

Local threats
Local infection statistics for user computers are a very important indicator: they reflect threats that have
penetrated computer systems by infecting files or removable media, or initially got on the computer in an
encrypted format (for example, programs integrated in complex installers, encrypted files, etc.).
Data in this section is based on analyzing statistics produced by antivirus scans of files on the hard drive
at the moment they were created or accessed, and the results of scanning removable storage media.
In Q2 2016, Kaspersky Lab's file antivirus detected 249,619,379 unique malicious and potentially
unwanted objects.

Countries where users faced the highest risk of local infection


For each of the countries, we calculated the percentage of Kaspersky Lab product users on whose
computers the file antivirus was triggered during the quarter. These statistics reflect the level of personal
computer infection in different countries.
Top 20 countries with the highest levels of computer infection

      Country*        % of unique users**
 1    Somalia         65.80
 2    Vietnam         63.33
 3    Tajikistan      62.00
 4    Russia          61.56
 5    Kyrgyzstan      60.80
 6    Bangladesh      60.19
 7    Afghanistan     60.00
 8    Armenia         59.74
 9    Ukraine         59.67
10    Nepal           59.66
11    Ethiopia        59.63
12    Laos            58.43
13    Kazakhstan      57.72
14    Rwanda          57.33
15    Djibouti        56.07
16    Yemen           55.98
17    Venezuela       55.76
18    Algeria         55.58
19    Cambodia        55.56
20    Iraq            55.55

These statistics are based on the detection verdicts returned by on-access and on-demand antivirus
modules, received from users of Kaspersky Lab products who have consented to provide their statistical
data. The data include detections of malicious programs located on users' computers or on removable
media connected to the computers, such as flash drives, camera and phone memory cards, or external
hard drives.
*These calculations exclude countries where the number of Kaspersky Lab users is relatively small (fewer
than 10,000 users).
**The percentage of unique users in the country with computers that blocked local threats as a
percentage of all unique users of Kaspersky Lab products.

Somalia remained the leader of this ranking in Q2 2016 with 65.8%. Yemen (55.98%) fell from second to
sixteenth place, while Vietnam (63.33%) jumped from eighth to second. Tajikistan (62%) rounded off the
TOP 3. Russia moved up one place from fifth to fourth, although the figure for that country declined by
2.62 percentage points to 61.56%.

Newcomers to this ranking are Djibouti in fifteenth place (56.07%), Venezuela in seventeenth (55.76%),
and Cambodia in nineteenth (55.56%).

The safest countries in terms of local infection risks were Croatia (29%), Singapore (28.4%),
Germany (28.1%), Norway (27.6%), the US (27.1%), Switzerland (26.3%), Japan (22.1%), Denmark
(21.4%) and Sweden (21.3%).
An average of 43.3% of computers globally faced at least one local threat during Q2 2016, which is 1.2
p.p. less than in the previous quarter.


Harm Kuiper
Posted on August 18, 2016. 7:32 am

Thanks, great report! Feel free to contact me if you want more input.