In 2017, new modifications of advertising Trojans were discovered that did not exploit root access vulnerabilities to show ads, but tried other methods, such as premium SMS services. The number of WAP clickers also rebounded.
Mobile advertising Trojans went into decline in 2017. Although they continue to infect users, their techniques have changed over the last 12 months. According to Kaspersky Lab’s annual “Mobile Malware Evolution” report, some families of Trojans began to use monetization pathways involving WAP and SMS payment services in order to preserve and increase profits.
The total number of mobile advertising Trojans that exploit superuser rights decreased in 2017 compared to the previous year. This was caused by the general decrease in the number of mobile devices running older versions of Android, which are the main targets of these Trojans because the exploited vulnerabilities are usually patched in newer versions of the system. However, this type of Trojan remained the most common among the top 20 mobile threats of 2017.
In 2017, Kaspersky Lab discovered new modifications of adware Trojans that did not exploit root access vulnerabilities to show ads, but instead tried other methods, such as premium SMS services. Two Trojans with this functionality, related to the Ztorg malware family, were downloaded tens of thousands of times from the Play Store.
At the same time, researchers have seen a rebound in the number of clickers that steal money from Android users through WAP billing, a type of direct mobile payment that requires no registration. These Trojans click on pages with paid services, and once a subscription is activated, money from the victim’s account flows directly into the hacker’s accounts. Some of the discovered WAP clickers also had modules for cryptocurrency mining.
The ransomware epidemics that hit the world last year were also reflected in the mobile threat landscape. Kaspersky Lab discovered 544,107 mobile ransomware Trojan installation packages, twice as many as in 2016 and 17 times more than in 2015. This increase was detected during the first months of the year and was due to the heavy activity of the Congur family of Trojans, which accounted for 83% of all installation packages in 2017.