
8/8/2018
08:05 AM
Jeffrey Burt

Banking Trojans on the Rise in Q2, Kaspersky Report Finds

Kaspersky Lab saw a record number of new installation packages in the second quarter of this year, with modifications that help the malware avoid security solutions.

Mobile banking Trojans were the most prominent cybersecurity threats in the second quarter, with the rise driven in part by modifications designed to help the malware run under the radar of security tools, according to researchers at Kaspersky Lab.

In the company's "Q2 IT Threat Evolution Report" released this week, analysts said the number of installation packages for mobile banking Trojans hit 61,045, the highest they have seen since they began tracking such threats. The total was three times higher than what was seen in the first quarter of this year and more than double the installations in the first quarter of 2017.

The focus by cybercriminals on mobile banking malware was a change over what analysts had been seeing in the threat landscape, according to Victor Chebyshev, security expert at Kaspersky.

"It seems that cybercriminals still pay attention to massive malware distribution: the more they create and distribute, the more possibility of successful infection," Chebyshev told Security Now in an email. "In Q2 2018, we saw the opposite situation, where cybercriminals paid more attention to the quality of their creations instead of quantity."

Other cybersecurity researchers are seeing the same renewed focus on banking Trojans.

Analysts at Proofpoint late last month noted the return of the Kronos banking Trojan, with campaigns featuring new versions of Kronos -- which may have been rebranded as "Osiris" -- being seen in Germany, Poland and Japan. It was part of a larger trend of an increasing number of banking Trojans being used in attacks during the first half of the year, with Proofpoint researchers saying that threat actors were essentially going to where the money is. (See Kronos Returns as Banking Trojan Attacks Ramp Up.)

Mobile banking Trojans are designed to steal money directly from the bank accounts of mobile device users, most often disguised as a legitimate app that is installed by the unwitting victim. Once the app is launched, the Trojan's interface is put on top of the app's interface and when the user puts in credentials, the malware steals the information, according to Kaspersky researchers.

(Source: Kaspersky)

Modifications made by bad actors are making the mobile banking Trojans more difficult to detect, enabling the malware to hang around longer and allowing attackers to expand their arsenals, according to the report.

"We are seeing modifications that are the typical toolsets of banking malware, which includes SMS interception, phishing windows and Device Administrator privileges to ensure its persistence in the system," Chebyshev noted. "Modifications are new unique samples of a known malware family. Usually the difference between modifications consists of several code changes and obfuscation, but the main behavior will be the same."

About half of the new modifications that were seen were made by the authors of the Hqwar Trojan, according to Kaspersky researchers. The Agent malware saw the second-most modifications, with about 5,000 packages, they said.

The US saw the largest share of users attacked with mobile banking malware -- in proportion to all users attacked with any kind of mobile malware -- at 0.79%. Russia was next with 0.7% and Poland third with 0.28%. The list in the first quarter was different, with Russia taking the top spot followed by the US. Chebyshev said that cybercriminals always want to grow the geographical distribution of their malware, "but in Q2 2018 we saw that they just rose their distribution in the US."

The growth in the use of mobile banking Trojans is likely part of a larger increase in overall mobile malware, according to Kaspersky analysts. The number of mobile malware installation packages grew by more than 421,000 over the first quarter.

"We saw an increase inside several classes of threats," Chebyshev noted. "There are several reasons for that increase. First, some cybercriminals created more composite threats (for example, Trojan-Dropper dropped Trojan-Banker). In addition, some cybercriminals switched to potential unwanted application creation (for example, we saw an increase of RISKTOOL threat class). The third reason is because more people started to use Android based devices, so the total count of Android devices increased."

Kaspersky analysts also saw other trends in the second quarter, including a 24% growth in unique URLs that were recognized as malicious by web anti-virus components.

To reduce risks, they said users should install applications only from trusted sources such as official app stores, should not click on links in spam emails, and should not root their devices, which gives cybercriminals limitless capabilities. They also said that if an app requests permissions that don't correspond with the app's task, such as access to messages and calls, that should raise suspicions.
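The toolset Chebyshev describes (SMS interception, phishing windows, Device Administrator privileges) and the permission advice above can both be checked against an app's manifest. The following is an added example, not code from Kaspersky or the original article; it assumes the APK's manifest has already been decoded to text XML, treats the overlay permission as the marker for phishing windows, and `audit_manifest`, its `expected` allow-list and the sample flashlight manifest are hypothetical.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
             "android.permission.SEND_SMS"}
# Assumption: drawing over other apps is used as the "phishing window" marker.
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
BIND_ADMIN = "android.permission.BIND_DEVICE_ADMIN"

# Constructed sample: decoded manifest of a hypothetical flashlight app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def audit_manifest(xml_text, expected=frozenset()):
    """Flag the banking-Trojan toolset and permissions outside `expected`."""
    # For untrusted files, prefer a hardened XML parser over the stdlib one.
    root = ET.fromstring(xml_text)
    requested = {el.get(NS + "name") for el in root.iter("uses-permission")
                 if el.get(NS + "name")}
    report = {
        "sms_interception": sorted(requested & SMS_PERMS),
        "phishing_overlay": OVERLAY in requested,
        "device_admin": sorted(
            r.get(NS + "name", "?") for r in root.iter("receiver")
            if r.get(NS + "permission") == BIND_ADMIN),
        "unexpected": sorted(requested - set(expected)),
    }
    # Count how many of the three toolset indicators are present.
    report["indicators"] = sum(
        bool(report[k])
        for k in ("sms_interception", "phishing_overlay", "device_admin"))
    return report


if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST, {"android.permission.CAMERA"}))
```

Any single indicator has legitimate uses; it is the combination, together with permissions the app's stated task does not justify, that warrants a closer look.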

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.
