Kyberzločin zneužíval popularitu Bitcoinu a fotbalu

10.3.2018 SecurityWorld Kriminalita
V roce 2017 sledovali kyberzločinci aktuální světové dění a události, které se následně snažili využít k oklamání uživatelů. Podle reportu „Spam a phishing v roce 2017“ společnosti Kaspersky Lab mezi takové události patřilo například blížící se mistrovství světa ve fotbale nebo stoupající popularita Bitcoinu. Falešnými zprávami o těchto událostech se z uživatelů snažili vylákat peníze nebo osobní údaje.

Spammeři prokázali velkou míru přizpůsobivosti a mazanosti. V průběhu celého roku sledovali celospolečenská témata a významné události, jejich prostřednictvím chtěli upoutat pozornost uživatelů, od kterých by následně podvodně získali peníze či cenné informace.

Společnost Kaspersky Lab dlouhodobě pozoruje trendy v oblasti spamu a phishingu, a může bohužel potvrdit, že jsou tyto metody kyberzločinců velmi účinné. Je to způsobeno především klesající ostražitostí uživatelů a jejich bezvýhradnou důvěrou. Často se totiž řídí instrukcemi podvodníků, které od nich obdrží do svých e-mailových schránek. Zločinci je pak bez jejich vědomí okrádají o peníze nebo osobní údaje.

V minulém roce se pozornost velké části sportovních fanoušků upírala k probíhající kvalifikaci na nadcházející mistrovství světa ve fotbale, které proběhne letos v Rusku. Toho využili spammeři k rozesílání podvodných e-mailů. Uživatelům posílali falešné zprávy jménem organizátorů nebo sponzorů této akce, které obsahovaly i oficiální logo mistrovství. E-maily většinou upozorňovaly na výhry v loterii nebo dokonce slibovaly vstupenky na mistrovství zdarma.

Dalším velmi oblíbeným tématem objevujícím se v roce 2017 v phishingových zprávách byly kryptoměny. Hlavním důvodem pro to byla strmě stoupající cena Bitconu. Především ve třetím čtvrtletí roku 2017 zaznamenali odborníci Kaspersky Lab zvýšený výskyt podvodných e-mailů s tématikou blockchainu.

Jak zjistili odborníci z Kaspersky Lab, kyberzločinci využívali poměrně nové techniky, kdy například podvodné stránky maskovali jako kryptoměnovou burzu. V jiném případě zase nabízeli cloudové servery a služby pro těžbu kryptoměn. V podvodných e-mailech lákali uživatele, že si prostřednictvím jejich služeb vydělají velké peníze. Stal se ale pravý opak – z uživatelů se stali oběti. I v jiných, už osvědčených podvodných praktikám, jako jsou falešné loterie, využívali kyberzločinci Bitcoin jako návnadu. Ve spamech zacílených díky široké databázi adres podvodníci nabízeli k odkupu kryptoměny, které slibovaly velké zisky.

Zločinci navíc v e-mailových spamech šířili různé typy malwaru, které se tvářily jako nástroje pro získání Bitcoinu nebo jako návody, jak s kryptoměnami obchodovat. Dobrou zprávou ale je, že se ve spamu oproti roku 2016 méně často objevovaly známé Cryptlockery. Ty uzamkly obsah na uživatelově počítači, za jehož opětovné odemčení požadovaly výkupné v Bitcoinech.

Na jednu stranu se v roce 2017 oproti předchozímu roku snížil objem spamu o 1,68 procentního bodu na 56,63 %. Na druhou stranu se ale zvýšil počet phishingových útoků – systém Anti-Phishing společnosti Kaspersky Lab zaznamenal 246 231 645 útoků na počítače uživatelů těchto řešení, což je o 59 % více než v roce 2016.

„Letos očekáváme další nárůst a vývoj spamu i phishingu zaměřeného na kryptoměny. Kyberzločinci se na rozdíl od roku 2017 zaměří i na další kryptoměny než pouze Bitcoin a budou využívat techniky označované jako „pump and dump,“ říká Darya Gudková, spamová analytička ve společnosti Kaspersky Lab.

Mezi další zajímavá zjištění reportu „Spam a phishing v roce 2017“ patří:

Nejčastějším zdrojem spamu byly USA (13,21 %), Čína (11,25 %) a Vietnam (9,85 %). Zbývajícími státy v top 10 jsou Indie, Německo, Rusko, Brazílie, Francie a Itálie.
Nejvíce spamem zasažených cílů se naopak objevilo v Německu (16,25 %), kde počet obětí meziročně stoupl o 2,12 procentního bodu. Dalšími státy v top 10 jsou Čína, Rusko, Japonsko, Velká Británie, Itálie, Brazílie, Vietnam, Francie a Spojené arabské emiráty.
Největší zastoupení obětí phishingu zaznamenala Brazílie (29,02 %). Celosvětově bylo napadeno phishingem 15,9 % uživatelů produktů společnosti Kaspersky Lab.


North Korean Hidden Cobra APT targets Turkish financial industry with new Bankshot malware
10.3.2018 securityaffairs APT

McAfee Advanced Threat Research team discovered that the Hidden Cobra APT group is targeting financial organizations in Turkey.
North Korea-linked APT group Hidden Cobra (aka Lazarus Group) is targeting the Turkish financial system.

Experts from McAfee observed the hackers using the Bankshot implant in targeted attacks against the financial organizations in Turkey. The attack resembles previous attacks conducted by Hidden Cobra against the global payment network SWIFT.

Bankshot was first reported by the US DHS in December, now new variants of the malicious code were observed in the wild The sample analyzed by McAfee is 99% similar to the variants detected in 2017.

The hackers used spear-phishing messages with a weaponized Word document containing an embedded Flash exploit that triggers the CVE-2018-4878, Flash vulnerability that was disclosed in late January.

Adobe promptly patched the vulnerability with an emergency patch, but many computers are still vulnerable because the owners did not apply the patch,

According to McAfee, the implant’s first target was a major government-controlled financial organization that was targeted on March 2 and 3.

Later, the same malware implant infected a Turkish government organization involved in finance and trade and a large financial institution.

The implant has so far not surfaced in any other sector or country. This campaign suggests the attackers may plan a future heist against these targets by using Bankshot to gather information.

McAfee’s report on the campaign says that one government-controlled financial organization, a government organization involved in finance and trade, and three large financial organizations.

The attackers leveraged the Flash exploit to deliver the Bankshot RAT.

“Bankshot implants are distributed from a domain with a name similar to that of the cryptocurrency-lending platform Falcon Coin, but the similarly named domain is not associated with the legitimate entity.” reads the analysis published by McAfee.

“The malicious domain falcancoin.io was created December 27, 2017, and was updated on February 19, only a few days before the implants began to appear. These implants are variations of earlier forms of Bankshot, a remote access tool that gives an attacker full capability on a victim’s system. “

Spear phishing messaged used a Word document with the filename Agreement.docx, that appears as a template for Bitcoin distribution.

Hidden Cobra bait document

When the open it, the code it contains download malicious DLLs from falcancoin.io domain.

Experts discovered that the DLLs communicate with three control servers whom URLs are hardcoded in the implants’ code.

“The implants (DLLs) are disguised as ZIP files and communicate with three control servers, two of them Chinese-language online gambling sites. These URLs can be found hardcoded in the implants’ code” continues McAfee.

The malicious code is able to perform several malicious operations, including file deletion, process injection, and exfiltration over command and control channel.

Further details, included the Indicators of Compromise (IoCs) are included in the analysis.


Russian hackers stole 860,000 euros from 32 ATMs belonging to the Raiffeisen Romania in just one night
10.3.2018 securityaffairs
Virus

In just one night a Russian crime gang stole 3.8 million slopes (860,000 euros) from 32 ATMs belonging to the Raiffeisen Romania bank.
Cybercriminals stole 3.8 million slopes (860,000 euros) from 32 ATMs belonging to the Raiffeisen Romania bank using an infected RTF document. The criminal organization led by Dmitriy Kvasov operated in Romania, the gang stole the money in just one night in 2016.

“One night Raiffeisen Bank lost control of all ATMs in Romania • Although it seems impossible, the control of ATMs across the country was taken over by a group of Russian hackers • It is one of the biggest thefts of cash money in the history of Romania, and the authorities did not blow a word” reported the website bzi.ro.

The Organized Crime and Counterterrorism Office (DIICOT) who investigated the culprits managed to arrest the leader of the criminal organization.

The Russian hackers launched a spear-phishing attack against Raiffeisen Romania between August 9, 2016, and September 4, 2016, they sent email messaging using a weaponized RTF document.
The bait document that appeared as sent on behalf of the European Central Bank
contained the code to trigger a vulnerability in the target systems.
In this way the attackers took control over the whole network of the bank, then they were able to control the ATMs.

“The extremely well-coordinated criminal organization, wearing sunglasses and hooded anoraks waiting for the command, waited for bags and bags in their hands before the Raiffeisen Iasi, Bucharest, Suceava, Timeshare, Constanta, Plitvice, Saxon and Crevedia automats.” states the Maszol.ru. “At the hands of their leaders, at least a few buttons, 32 cars released them all the money. If more men had been involved with the criminal organization, they could have virtually eliminated all the automatons of the bank.”

Raiffeisen cyber heist

According to the report, the attackers were able to instruct the 32 ATMs to dispense the cash, the investigators highlighted that the attackers only targeted systems in Romania, but once compromised the network of the bank they were also able to control any ATM worldwide belonging to the financial institution.

The bank confirmed that hackers did not access the customers’ account after the security breach.


Sophisticated Cyberspies Target Middle East, Africa via Routers

9.3.2018 securityweek CyberSpy

CANCUN - KASPERSKY SECURITY ANALYST SUMMIT - A cyber espionage group whose members apparently speak English has been targeting entities in the Middle East and Africa by hacking into their routers.

Researchers at Kaspersky Lab have analyzed this threat actor’s operations and determined that it has likely been active since at least 2012, its most recent attacks being observed in February.

Roughly 100 Slingshot victims have been identified, a majority located in Kenya and Yemen, but targets have also been spotted in Afghanistan, Libya, Congo, Jordan, Turkey, Iraq, Sudan, Somalia and Tanzania. While the campaign seems to focus on individuals, the security firm has also observed attacks aimed at government organizations and, strangely, some internet cafés.

The main piece of malware used by this group — dubbed Slingshot based on internal strings found by researchers — is interesting due to the fact that it infects computers through compromised routers, specifically ones made by Latvia-based Mikrotik.

It’s unclear how the targeted routers get compromised, but Kaspersky pointed out that the WikiLeaks Vault7 files, which are believed to be tools developed and used by the CIA, do include a Mikrotik exploit. The vendor claims to have patched the vulnerability leveraged by the Vault7 exploit and it’s unclear if that is the initial vector used by the attackers.

Once they gain access to a router, hackers can abuse a legitimate piece of software called WinBox, a management tool provided by Mikrotik that downloads some DLL files from the router and loads them directly into the computer’s memory.

By abusing this functionality, the Slingshot hackers can deliver the malware to the targeted router’s administrator.

The malware is basically a first-stage loader that replaces legitimate DLL files in Windows with malicious versions that have the exact same size. The malicious DLLs are loaded by the services.exe process, which has SYSTEM privileges.

The main modules downloaded by Slingshot are called Cahnadr and GollumApp. Cahnadr, also known as Ndriver, is a kernel-mode payload and it provides all the capabilities required by user-mode modules, including anti-debugging, rootkit functionality, injecting modules into the services.exe process, network communications, and sniffing capabilities for various protocols.

GollumApp is the main user-mode module and it’s designed to manage other user-mode modules while constantly interacting with Cahnadr. It includes a wide range of spying-focused functionality that allows attackers to capture screenshots, log keystrokes, collect system and network data, harvest passwords, manipulate clipboard data, run new processes with SYSTEM privileges, and inject other malicious modules into a specified process.

Since it can run in kernel mode, a feature typically present in sophisticated threats, the malware allows attackers to take full control of the infected machine.

Slingshot attempts to evade detection by using various methods, including calling system services directly in an effort to bypass security product hooks, encrypting strings in its modules, and selectively injecting processes depending on what security product is present.

Slingshot also employs some clever techniques when it comes to command and control (C&C) communications – the malware hides its traffic in legitimate communication protocols, keeping an eye out for packets that contain a special mark.

As for who is behind Slingshot, Kaspersky says it bears the hallmarks of a state-sponsored cyber espionage campaign. Its level of sophistication rivals the one of actors such as ProjectSauron and Regin.

Researchers said most of the debug messages are written in perfect English and several strings in the code reference Lord of the Rings characters.

“Slingshot is a sophisticated threat, employing a wide range of tools and techniques, including kernel mode modules that have to date only been seen in the most advanced predators,” said Alexey Shulmin, lead malware analyst at Kaspersky Lab. “The functionality is very precious and profitable for the attackers, which could explain why it has been around for at least six years.”


Researchers Demonstrate Ransomware Attack on Robots
9.3.2018 securityweek
Ransomware

CANCUN - KASPERSKY SECURITY ANALYST SUMMIT - IOActive security researchers today revealed a ransomware attack on robots, demonstrating not only that such assaults are possible, but also their potential financial impact.

Ransomware incidents are usually associated with personal computers, servers, mobiles, healthcare systems, and even industrial systems, but IOActive researchers Cesar Cerrudo and Lucas Apa set out to prove that robots too are prone to such attacks.

According to them, over 50 vulnerabilities discovered last year in robots from several vendors could allow for a broad range of assaults, such as abusing a robot’s cameras and microphones for spying purposes, leaking data, or even causing physical harm.

With robots becoming increasingly popular, cyberattacks targeting them might soon become a common thing, with great financial losses and brand damage to businesses. Not only are robots expensive to purchase, but repairs aren’t usually easy to perform, and a hacking operation could result in a unit being taken offline for weeks, the researchers argue.

Cerrudo and Apa performed their attacks on commercially-available Pepper and NAO robots from SoftBank Robotics, which has already sold over 30,000 units worldwide.

A ransomware attack on a robot is different from that on a computer, mainly because the robot doesn’t usually store data, but only handles it. Regardless, such an attack could result in a business losing access to data, production being shut down, or weeks of interrupted operations until the robot is fixed.

The security researchers created their own ransomware to target the NAO robot model, which runs the same operating system as the Pepper model. The experts showed that by injecting custom code into any of the classes included in behavior files, they could cause the robot to behave maliciously.

An infected robot could be repurposed to display adult content to customers, to insult customers when interacting with them, or even perform violent movements. While unable to target valuable data, an attacker could target the robot’s components, thus interrupting its service until a ransom is paid.

“The infected robot could also be an entryway into other internal networks at a business, offering backdoor access to hackers and an entry point for layer penetration to steal sensitive data,” IOActive says.

The injected malicious code could also disable administration features and monitor the robot’s audio and video, directing data from these components to the attacker’s command and control (C&C) server. Changing SSH settings and passwords to prevent remote access to the robot and disabling the factory reset mechanism would also be possible.

“It’s no secret that ransomware attacks have become a preferred method for cybercriminals to get monetary profit by encrypting victim information and requiring a ransom to get the information back,” Apa said. “What we found was pretty astonishing: ransomware attacks could be used against business owners to interrupt their businesses and coerce them into paying ransom to recover their valuable assets.”

During their investigation, the security researchers also discovered that a malfunction in the robot is not as easy to fix, given that technicians aren’t always readily available. Their robot had to be sent back to the vendor for repairs, a process that took three weeks.

“The robots could also malfunction which may take weeks to return them to operational status. Unfortunately, every second a robot is non-operational, businesses and factories are losing lots of money,” Apa said.

The security researcher also argues that, while their ransomware targets SoftBank’s NAO and Pepper robots, any vulnerable robot is susceptible to this type of attack. Thus, vendors should focus on improving not only the security of their robots, but also the restore and update mechanisms in order to minimize the ransomware threat.

In their attack, the researchers exploited a vulnerability that was disclosed to SoftBank in January 2017, but which appears to have not been addressed as of now. An undocumented function allows for the remote execution of commands by “instantiating a NAOqi object using the ALLauncher module and calling the internal _launch function.”

IOActive is presenting a proof-of-concept on Friday at the 2018 Kaspersky Security Analyst Summit (SAS) in Cancun, Mexico. The company has also published a video demonstrating the attack.


Sofacy Attacks Overlap With Other State-Sponsored Operations
9.3.2018 securityweek BigBrothers  APT 
Attack

Kurt Baumgartner details latest Sofacy attacks at Kaspersky SAS

CANCUN - KASPERSKY SECURITY ANALYST SUMMIT - Attacks carried out by a Russian threat group appear to overlap with campaigns conducted by other cyberspies, including ones linked by researchers to China and the United States.

Kaspersky Lab revealed last month that the Russian threat actor known as Sofacy, APT28, Fancy Bear, Pawn Storm, Sednit and Strontium had shifted its focus from NATO member countries and Ukraine to Central Asia and further east, including China.

On Friday, at Kaspersky’s Security Analyst Summit (SAS), researcher Kurt Baumgartner revealed that the group appears to be particularly interested in military, defense and diplomatic entities in the far east.

Baumgartner also revealed that the attacks launched by Sofacy sometimes overlap with the operations of other state-sponsored cyberspies in terms of victims.

For instance, researchers discovered Sofacy’s Zerbrocy malware on machines that had also been compromised by Mosquito, a backdoor associated with Turla, a different threat actor linked to Russia. Shared victims include diplomatic and commercial organizations in Europe and Asia.

Sofacy’s SPLM malware (aka CHOPSTICK and X-Agent) was found on devices that had also been infected with other Turla malware, which often precedes SPLM.

SPLM has also been spotted on the same systems as malware known to have been used by a China-linked actor known as Danti.

According to Kaspersky, overlaps were generally found on systems belonging to government, technology, science, and military organizations in or based in Central Asia.

Another interesting overlap was between Sofacy and the English-speaking Lamberts group, which is also known as Longhorn. Security firms revealed last year that this cyber espionage group had been using some of the Vault 7 tools leaked by WikiLeaks. These tools are believed to have been developed and used by the U.S. Central Intelligence Agency (CIA).

Kaspersky said it had identified Sofacy backdoors and malware associated with the Lamberts, specifically Grey Lambert, on a server belonging to a military and aerospace conglomerate in China.

Researchers admit, however, that the presence of both Lamberts and Sofacy malware on the server could simply mean that the former planted a false flag, considering that the original delivery vector for the Sofacy tool remains unknown. It’s also possible that the Russian group exploited a previously unknown vulnerability, or that it somehow harnessed the Grey Lambert malware to download its own tools. The most likely scenario, according to experts, is that the Sofacy malware was delivered using an unknown PowerShell script or a legitimate app in which the attackers discovered a flaw.

“Sofacy is sometimes portrayed as wild and reckless, but as seen under our visibility, the group can be pragmatic, measured and agile. Their activity in the East has been largely under-reported, but they are clearly not the only threat actor interested in this region, or even in the same targets,” Baumgartner said. “As the threat landscape grows ever more crowded and complex, we may encounter more examples of target overlap and it could explain why many threat actors check victim systems for the presence of other intruders before fully launching their attacks.”

Kaspersky recently spotted the SPLM malware being used in an attack aimed at major air defense organization in China, while the Zebrocy tool has been used in high volume campaigns targeting entities in Armenia, Turkey, Tajikistan, Kazakhstan, Afghanistan, Mongolia, Japan and China.


New North Korea-linked Cyberattacks Target Financial Institutions
9.3.2018 securityweek APT

New North Korean Hidden Cobra / Lazarus Campaign Targets Financial Institutions in Turkey

Hidden Cobra, also known as the Lazarus Group from North Korea, is now targeting the Turkish financial system with a new and 'aggressive' operation that resembles earlier attacks against the global SWIFT financial network.

An analysis published by senior analyst of major campaigns, Ryan Sherstobitoff, says McAfee believes this operation is intended to gain access to specific Turkish financial organizations via targeted spear-phishing, using a weaponized Word document containing an embedded Flash exploit. The Flash vulnerability only surfaced at the end of January 2018, but is thought to have been exploited by North Korean actors since mid-November 2017. It was patched by Adobe within a week; but any computer that has not yet updated Flash to the latest version will remain vulnerable.

McAfee's report on the campaign says that one government-controlled financial organization, a government organization involved in finance and trade, and three large financial organizations are victims of the attack -- which occurred on March 2 and 3. In this attack, the Flash exploit drops the Bankshot implant, a RAT that gives the attacker full capability on a victim's system.

Nortk Korea FlagUS-CERT issued a malware analysis report (MAR) on Bankshot (PDF) in December 2017. It describes it as malware used by the North Korean government, whose cyber activity is conducted by actors it calls Hidden Cobra. McAfee says the variant it has analyzed "is 99% similar to the documented Bankshot variants from 2017."

In the spear-phishing campaign, the Bankshot implant was associated with a Word document with the filename Agreement.docx. It masquerades as an agreement template for Bitcoin distribution. Once activated, malicious DLLs are downloaded from falcancoin.io -- a lookalike domain name to the legitimate cryptocurrency-lending platform Falcon Coin.

The DLLs communicate with three control servers (the URLs are hardcoded in the implants' code), two of them Chinese-language online gambling sites. Based on the response received from the control server, the malware can carry out a wide range of malicious tasks centered on gathering system data and controlling system processes. It also contains two methods of file deletion capable of erasing evidence of presence and other destructive actions. After every action, the malware sends a response to the control server indicating whether the action was successful.

Hidden Cobra has been linked to several attacks against financial institutions. "This implant has been connected to a major Korean bank attack and is also known as Trojan Manuscript," writes Sherstobitoff. That variant contained the capability to search for hosts related to the SWIFT network and the same control server strings as the variant we found targeting the Turkish financial sector."

North Korean actors are credited with the 2015/2016 attacks on the SWIFT network. No evidence was found to suggest that this version is designed to conduct financial transactions; "rather," writes Sherstobitoff, "it is a channel into the victim's environment, in which further stages of implants can be deployed for financial reconnaissance."

McAfee is confident that it has uncovered a new Hidden Cobra (ie, North Korean government) reconnaissance campaign against Turkish financial institutions. In February, the Winter Olympic Games held in South Korea were hit by cyber-attacks dubbed Olympic Destroyer. Many commentators assumed the attacks came from North Korea -- an assumption supported by indicators within the malware.

By mid-February, Recorded Future warned against hasty attribution for Olympic Destroyer, despite the presence of code fragments previously used by North Korean actors. "The co-occurrence of code overlap in the malware," wrote Recorded Future, "may be indicative of a false flag operation, attempting to dilute evidence and confuse researchers."

More recently, Kaspersky Lab concluded that despite the presence of a unique fingerprint tying Olympic Destroyer to Lazarus (Hidden Cobra), there is other evidence suggesting the involvement of the Russian group known as Sofacy or APT28. One possible scenario is that the Russian hackers attempted to frame Lazarus for the attack after the North Korean group tried to pin one of its own campaigns on Russian actors.

Given the relative ease and increasing frequency of so-called 'false flag' cyber-attacks, SecurityWeek asked McAfee how certain it is that Hidden Cobra is the group behind the Turkish attacks. "McAfee takes attribution very seriously," relied Ryan Sherstobitoff. "As such, McAfee Advanced Threat Research analysis and conclusions are based on multiple indicators. While the private sector can rarely claim 100% confidence in attack attribution without access to the same resources possessed by government and law enforcement agencies, we can say that the code and target similarities between the malicious files uncovered in this campaign and earlier attacks publicly attributed to Hidden Cobra by the United States Government, are very strong indicators of the acting group."

"We have found," concludes McAfee, "what may be an early data-gathering stage for future possible heists from financial organizations in Turkey (and possibly other countries)." It warns that the attack has a high chance of success against victims with an unpatched version of Flash. "Documents with the Flash exploit managed to evade static defenses and remain undetected as an exploit on VirusTotal."


Mobile Malware Attacks Surged in 2017: Kaspersky
9.3.2018 securityweek Mobil 
Virus

The number of mobile malware attacks detected in 2017 has increased to 42.7 million, according to a new report from Kaspersky Lab.

The surge in attacks was in contradiction to evolution of detected mobile malicious installation packages, which amounted to 5,730,916 in 2017, almost 1.5 times lower than 2016.

The number of attacked users, however, increased 1.2 times compared to the previous year. According to Kaspersky, they protected 4,909,900 unique users of Android devices from the beginning of January until the end of December 2017.

The Moscow-based security firm also says that it detected 94,368 mobile banking Trojans in 2017, 1.3 times less than in the previous year. This type of malware attacked 259,828 users in 164 countries, with Russia, Australia, and Turkey being hit the most.

544,107 mobile ransomware Trojans were detected last year, twice as much as in 2016 and 17 times more than in 2015. Ransomware hit 110,184 Android users in 161 countries, with the United States, Kazakhstan and Belgium being hit the most.

The number of users attacked by rooting malware decreased last year, yet this type of malware continued to be popular, accounting for nearly half of the Trojans in the company’s Top 20 list. Such malware usually attempts to gain super-user rights by exploiting system vulnerabilities.

Their decline in popularity among cybercriminals can be explained mainly by the decline in the number of devices still running older Android versions. Android 5.0 or older was found on 57% of the devices in 2017, while Android 6.0 or newer doubled in 2017 compared to 2016.

“Newer versions of Android don’t yet have common vulnerabilities that allow super-user rights to be gained, which is disrupting the activity of rooting malware,” Kaspersky notes.

Despite that, rooting malware continues to be a major threat to Android users, as they are difficult to detect and pack a variety of capabilities. Rooting malware installs modules in system folders to ensure persistency and can sometimes even resist a reset to factory settings.

Notable mentions in the rooting malware category include Ztorg, which infected 100 apps in Google Play and was downloaded tens of thousands of times, and Dvmap, which was downloaded over 50,000 times from the official application store.

In 2017, Kaspersky also discovered new WAP Trojans, malware families that usually follow links received from the command and control (C&C) server and then ‘click’ on page elements using a specially created JS file. Such malware can visit regular advertising sites or pages with WAP subscriptions.

Mobile banking malware also evolved in 2017, “offering new ways to steal money,” Kaspersky says. A modification of FakeToken, for example, was observed targeting apps for booking taxis, hotels, tickets, and the like, in addition to the usually attacked financial apps. The malware overlays the legitimate applications with its phishing windows.

While the latest Android releases attempt to prevent malware from performing malicious actions, banking Trojans last year found new ways to bypass these protections. A Svpeng variant observed last year was abusing accessibility services to grant itself some permissions such as the ability to send and receive SMSs, make calls, and read contacts, in addition to adding itself to the list of device admins to prevent removal.

Last year, both Svpeng and Faketoken “acquired modifications capable of encrypting user files,” Kaspersky reports. However, the encryptor functionality wasn’t that popular among mobile Trojans.

Mobile ransomware Trojans were highly active last year and even registered massive growth during the first half of the year, when detections were up 1.6 times than the entire 2016. Starting June, however, the activity of these malware families returned to normal.

The segment, Kaspersky says, was dominated by the Congur ransomware, with over 83% of all installation packages in 2017 belonging to this family. This simple malware changes device’s PIN code and instructs the owner to contact the attackers via the QQ messenger.

Last year, Trojan-Ransom malware experienced the highest overall growth, followed by RiskTool threats. Trojan-SMS installation packages and Trojan-Dropper malware decreased.

Overall, users in over 230 countries and territories were targeted by malware in 2017, with Iran, Bangladesh, and Indonesia emerging as the top attacked countries.