Android Malware and Unwanted Software Statistics For Q1 2024 Securelist
Quarterly figures
10.1 million attacks using malware, adware, or unwanted mobile software were blocked.
The most common threat to mobile devices was adware: 46% of all threats detected.
Android malware and unwanted software statistics for Q1 2024 | Securelist https://securelist.com/it-threat-evolution-q1-2024-mobile-statistics/112750/
Quarterly highlights
The number of attacks using malware, adware, or unwanted software on mobile devices increased
compared to the same period last year, but dropped slightly against Q4, to 10,100,510.
The rapid growth in the total number of attacks between Q2 and Q4 2023 is primarily attributed to
the surge in adware and Trojan activity, which roughly doubled in absolute terms during this period.
However, other types of malicious and unwanted apps also increased their activity, so the
distribution of threats by type showed no dramatic swings.
In Q1, the number of WhatsApp modification attacks continued to grow. For example, we found
Trojan-Spy.AndroidOS.Agent.ahu, a Trojan hidden inside a WhatsApp mod, that steals encrypted
messenger databases along with their decryption keys. Another malicious WhatsApp mod, Trojan-
We also discovered a noteworthy banking Trojan targeting users in Korea. When installed, it displays
a notification claiming the app is unavailable and will be removed:
In reality, the app hides its icon and continues to operate in the background, stealing text
messages, contacts, photos, and even online banking digital certificates. To conceal the malicious
code and hinder analysis, threat actors exploited numerous bugs and flaws in the Android OS code
responsible for parsing the app package. This enabled them to create files that successfully install
on the device, but cause many analysis tools, including official Google utilities, to go haywire.
The number of detected samples of Android malware and unwanted software fell in Q4 2023 and
climbed again in Q1 2024, reaching 389,178 installation packages.
The distribution of detected packages by type underwent no significant changes, but the number
of Trojan droppers increased noticeably (by 8.76 p.p.). This sharp increase in their share is linked
primarily to the activity of the Wroba family, commonly employed to deliver banking Trojans in
countries in the Asia-Pacific region.
* Data for the previous quarter may differ slightly from previously published data due to some
verdicts being retrospectively revised.
The most common threats remained adware (46.16%) and RiskTool-type unwanted apps (21.27%).
The most prevalent adware families were BrowserAd (28.5% of all adware), Adlo (15.3%), and
HiddenAd (12.65%).
Share* of users attacked by the given type of malicious or unwanted software out of all
targeted users of Kaspersky mobile products
*The sum may exceed 100% if the same users encountered multiple attack types.
The HiddenAd (60.5%), Adlo (17.5%), and TimeWaste (7.5%) adware families attacked the most
users. At the same time, the Triada adware Trojan, mentioned in our previous report and distributed
in WhatsApp mods, accounts for an increasingly large share of attacks by Trojan-type malware
(35.7%).
Note that the malware rankings below exclude riskware or potentially unwanted software, such as
RiskTool or adware.
* Unique users who encountered this malware as a percentage of all attacked users of Kaspersky
mobile solutions.
The generalized cloud verdict DangerousObject.Multi.Generic yielded the top spot in the ranking of
the most common malicious apps to the WhatsApp modification Trojan.AndroidOS.Triada.fd. Next
comes Fakemoney, a Trojan that scams users out of personal data by promising easy money in
return. Interestingly, Dwphon also made it into the Top 20. Pre-installed on some devices, this Trojan
collects the personal data of the device owner and can download arbitrary apps without the user’s
knowledge.
Region-specific malware
Verdict Country* %*
Turkey continues to be flooded with banking Trojan variants. In particular, users there are targeted
by Trojan-Banker.AndroidOS.Agent.nw, which opens VNC access to the device. It’s based on the
open-source library droidVNC-NG. Tambir also gives attackers VNC access. In addition, its
functionality includes keylogging, stealing texts, contacts, and app lists, as well as sending texts.
Besides VNC backdoors, we observed a concentration of BrowBot attacks in Turkey. The primary
functionality of that Trojan is stealing texts. As for Piom, it represents a collective verdict created
for various malware within the context of our automated systems. Specifically in Turkey, hiding
behind this verdict are modifications of the now infamous Godfather banking Trojan.
Two text-stealing Trojans are active in Indonesia: SmsThief.vb and UdangaSteal.b. They are often
sent to victims under the guise of wedding invitations.
The spread of FakePay applications is noticeable in Brazil. These applications visually simulate
payment but do not actually execute it. Unlike most Trojans, users often intentionally download
such apps in order to deceive sellers who accept payment by transfer. BRats is another banking
Trojan that continues to be distributed predominantly in Brazil.
Users in Thailand encountered the EvilInst Trojan, which spreads under the guise of games but
in fact just opens a website with cracked games and sends paid texts.
The number of new unique installation packages for banking Trojans remains low.
Nevertheless, the total number of Trojan-Banker attacks continues to grow, with Trojan-Banker
even moving up one spot in the distribution structure of malware and unwanted programs by the
number of affected users.
* Unique users who encountered this malware as a percentage of all users of Kaspersky mobile
security solutions who encountered banking threats.
Following a surge in the number of ransomware installation packages in Q4 2023, linked to the
emergence of a large number of ransomware from the Rasket family, the number returned to its
usual level amid a decrease in Rasket activity. Rasket Trojans are built on Tasker automation scripts,
which are designed to automate routine actions on a device but have sufficient functionality to
write ransomware.
The same dynamic is reflected in the distribution of attacks for the most active samples: after a
sharp rise (to 74% of all ransomware attacks), the share of the Rasket Trojan in Q1 almost halved.
Authors
ANTON KIVVA