The number of financial malware attacks against Android users grew three-fold in 2014.
Following an initial decrease in March 2014, the Kaspersky Lab study Financial Cyber-threats in 2014 registered a significant increase in the number of attacks by Trojan-SMS malware during the second half of the year.
The study made the following findings:
* 48,15% of the attacks against users of Android-based devices, that were blocked by Kaspersky Lab products, used malware targeting financial data (Trojan-SMS and Trojan-Banker);
* The number of financial attacks against Android users in 2014 increased 3,25 times (from 711 993 to 2 317 194 attacks) compared with 2013, and the number of users attacked rose 3,64 times (up from 212 890 to 775 887); and
* 98,02% of all attacks by Android banking malware were accounted for by only three malicious families.
Android is one of the most popular mobile operating systems in the world, and therefore attracts the attention of cybercriminals targeting users’ private information and money.
During 2014, Kaspersky Lab’s Android products blocked a total of 2 317 194 financial attacks against 775 887 users around the world. The lion’s share of these (2 217 979 attacks against 750 327 users) used Trojan-SMS malware, and the rest (99 215 attacks against 59 200 users) used Trojan-Banker malware.
Although the Trojan-Banker contribution to the overall volume of financial attacks against Android users is relatively small, it continues to grow. During the year Kaspersky Lab products detected 20 different malicious Trojan-Banker programmes.
But there were only three star performers among them: Faketoken, Svpeng and Marcher. Svpeng and Marcher are capable of stealing credentials for online banking as well as credit card information by replacing the authentication fields of mobile banking apps and app stores apps on an infected device. And Faketoken is made for intercepting mTAN codes used in multifactor authentication systems and forwarding it to criminals. These three families accounted for 98,02% of all Trojan-Banker attacks.
During Spring in Europe in 2014, Kaspersky Lab researchers noticed a significant decrease in the number of attacks by Trojan-SMS malware. One possible reason for this fall was the introduction by mobile-phone operators in Russia (the main source of Trojan-SMS threat) of an Advice of Charge (AoC) mechanism. This means that every time a customer (or an SMS Trojan) attempts to send a message to a premium number, the operator notifies the customer how much the service will cost and requests additional confirmation from the user.
The decrease ended in July and was followed by a steady increase throughout the rest of the year. The growth sped up in December, traditionally a “high” season for online shopping and online payment transactions and for criminals targeting financial data.
“During the year our cumulative Android user base grew significantly, which led to a rise in the number of financial malware detections and affected users,” says Roman Unuchek, senior malware analyst at Kaspersky Lab. “However, the overall growth rate of attacks with financial malware was faster and greater than could be explained by the increased number of Android devices alone.
“This growth rate is mainly down to Trojan-SMS. We believe that the main reason of the Trojan-SMS comeback is the appearance of malware capable of infection and theft even with AoC implemented in the cellular network. For example, we discovered such functionality in Opfake.a and Fakeinst malware modifications. Both are very active Trojan-SMS representatives.”
