Quote:

These statistics are based on detection verdicts of Kaspersky products received from users who consented to providing statistical data.

The year in figures

In 2020, Kaspersky mobile products and technologies detected:

• 5,683,694 malicious installation packages,
  
• 156,710 new mobile banking Trojans,
  
• 20,708 new mobile ransomware Trojans.
  

Trends of the year

In their campaigns to infect mobile devices, cybercriminals always resort to social engineering tools, the most common of these passing a malicious application off as another, popular and desirable one. All they need to do is correctly identify the application, or at least, the type of applications, that are currently in demand. Therefore, attackers constantly monitor the situation in the world, collecting the most interesting topics for potential victims, and then use these for infection or cheating users out of their money. It just so happened that the year 2020 gave hackers a large number of powerful news topics, with the COVID-19 pandemic as the biggest of these.

Pandemic theme in mobile threats

The word “covid” in various combinations was typically used in the names of packages hiding spyware and banking Trojans, adware or Trojan droppers. Names we encountered included covid.apk, covidMapv8.1.7.apk, tousanticovid.apk, covidMappia_v1.0.3.apk and coviddetect.apk. These apps were placed on malicious websites, hyperlinks were distributed through spam, etc.

The mobile malware Trojan-Ransom.AndroidOS.Agent.aq often hid behind another popular term, “corona”. Here are a few names of malicious files: ir.corona.viruss.apk, coronalocker.zip, com.coronavirus.inf.apk, coronaalert.apk, corona.apk, corona-virusapps.com.zip, com.coronavirus.map.1.1.apk, coronavirus.china.

Of course, this was not limited to naming: the pandemic theme was also used in application user interfaces. For example, the GINP banking Trojan pretended to be an app that searched for COVID-19-infected individuals: the victim was coaxed into providing their bank card details under the pretext of a €0.75 fee charge.

The creators of another banking Trojan, Cebruser, simply named it “Coronavirus”, probably to echo the disturbing news coming from all over the world and to make some money along the way. As in the previous case, the attackers were after the bank card details and the owner’s personal information.They came up with nothing new in terms of technique. So-called “web injectors”, which had been perfected for years, were used in both cases. When certain events are detected, the banking Trojan opens a window that displays a web page with a request for bank card details. The page can have any type of design: we have seen a request from a large bank in one case and a message about a search for COVID-19-infected individuals in another. The flexibility allows attackers to efficiently manipulate potential victims, adapting attacks to the situation both on a particular device and in the world at large.

We could conclude that the pandemic as a global phenomenon had a major effect on the mobile threat landscape, but to be true to facts, this is not entirely the case. If you look at the dynamics of attacks on mobile users in 2020, you will see that the average monthly number of attacks decreased by 865,000 compared to 2019. That number seems large, but it is only about 1.07% of total attacks, so we cannot call it a significant decrease.

Besides, we have seen a decrease in attacks in the first half of 2020, which can be attributed to the confusion of the first months of the pandemic: hackers had other things to worry about. However, in the second half of the year, when the situation became calmer and more predictable despite lockdowns in a number of countries, we saw a clear increase in attacks.

In addition, our telemetry has shown significant growth in mobile financial threats in 2020. More on that later.

Adware

Last year was notable for both malware and adware, the two very close in terms of capabilities. Typically, code that runs ads was embedded in a carrier application, e.g. a mobile game or torch, as long as it was popular enough. After the application ran, it could follow one of several scenarios, depending on its creator’s greed and the advertising module’s capabilities. If the user was lucky, they saw an advertising banner at the bottom of the carrier application window, and if not, the advertising module subscribed to USER_PRESENT (device unlock) events, using a SYSTEM_ALERT_WINDOW window for displaying full-screen banners at random intervals.
...