Criminals can buy mobile malware on the dark web
Criminals can buy mobile malware on the dark web

2016 saw detections of mobile malware nearly triple over 2015 – with a total of 8.5 million malicious installations identified. This means that, in the space of just one year, a volume equivalent to 50 percent of all the malware detected in the previous 11 years (15.77 million in 2004 -2015) was released.

These are the findings of Kaspersky Lab's annual Mobile Virusology report, which also found that mobile advertising Trojans now make up 16 of the top 20 malicious programs, up from 12 in 2015.

These Trojans are capable of seizing rooting rights, allowing the malware to not only aggressively display ads on the infected device, often making it impossible to use, but also to secretly install other applications. These Trojans can also buy apps on Google Play.

In many cases, the Trojans were able to exploit previously patched vulnerabilities because the user had not installed the latest update. Further, this malware simultaneously installs its modules in the system directory, making it more difficult to disinfect the device. 

Some advertising Trojans are even able to infect the recovery image, making it impossible to solve the problem by restoring the device to factory settings. Representatives of this class of malicious software have been repeatedly found in the official Google Play app store, for example, masquerading as a guide for Pokemon GO.

In this case, the app was downloaded over 500,000 times and is detectable as a Trojan.AndroidOS.Ztorg.ad.

In 2016, Kaspersky Lab mobile security products reported:

  • Nearly 40 million attack attempts by mobile malware, with over four million users of Android-based devices protected (vs 2.6 million in 2015)

  • Over 260,000 detections of installation packages for mobile ransomware Trojans (an increase of almost 8.5 times, year-on-year)

  • More than 153,000 unique users targeted by mobile ransomware (an increase of 1.6 times compared with 2015)

  • Over 128,000 mobile banking Trojans detected (nearly 1.6 times more than in 2015)

  • The most widespread type of Trojan in 2016 was the advertising variety, accounting for 16 of the top 20 malware programs

According to specialist officers from INTERPOL's Global Complex for Innovation, who contributed to the report, the dark web remains an attractive medium for conducting illicit businesses and activities.

Given its robust anonymity, low prices and client-oriented strategy, the dark web provides a means for criminal actors to communicate and engage in commercial transactions, buying and selling various products and services, including mobile malware kits.

Mobile malware is offered for sale as software packages (e.g. remote access Trojans - RATs), individual solutions and sophisticated tools, like those developed by professional firms or, on a smaller scale, as part of a “Bot as a Service” model. Mobile malware is also a “subject of interest” on vendor shops, forums and social media.

“In 2016, the growth in the number of advertising Trojans capable of exploiting super-user rights continued. Throughout the year, it was the top threat and we see no sign of this trend changing. Cyber-criminals are taking advantage of the fact that most devices do not receive OS updates (or receive them late), and are thus vulnerable to old, well-known and readily available exploits. Moreover, we see that the mobile landscape is getting a little crowded for cyber-criminals, and they are beginning to interact more with the world beyond smartphones. 

"Perhaps in 2017 we will see major attacks on IoT components launched from mobile devices,” concludes Roman Unuchek, senior malware analyst at Kaspersky Lab USA.