Highlight of the month: New Mobile Banking Malware Campaigns Discovered
When we introduced Android reports in BDTD November 2021, we warned that multi-layered security is an important concept for all forms of devices, but it is often neglected for smartphones. As mobile malware gains popularity, access to cryptocurrency trading and banking on devices makes mobile platforms an attractive target for cybercriminals. This month Bitdefender Labs discovered new malware campaigns by banking trojans FluBot and TeaBot intercepting thousands of malicious SMS messages since the beginning of December.
Current App Store Control Under Pressure
Tight control over application approval by app store owners is the primary protection provided for mobile devices, but it is becoming insufficient and is being challenged by authorities in Europe and the U.S. who have introduced legislation to open up the ecosystem. Microsoft already announced changes to its app store policies, titling the blog post “Adapting ahead of regulation: a principled approach to app stores”. Apple’s App Store is approaching five million applications, and the Google Play Store has close to three million, which makes them unwieldy to control. While malicious applications are quickly removed after discovery by platform owners, they often have hundreds of thousands of downloads before they are flagged.
Whether the ecosystem is open or closed, mobile malware will only increase, and additional layers of protection on top of the gatekeeper app store model are recommended as part of basic mobile hygiene.
How To Protect Against FluBot
Scam Alert, a new feature of Bitdefender Mobile Security (available for Android and iOS platforms), detects malicious links arriving via SMS, various messaging apps or other types of notifications. Since the beginning of December, Bitdefender Labs intercepted over 100,000 malicious SMS messages trying to distribute FluBot malware.
Ransomware Report
Spear phishing attacks are often used as the initial attack vector, and ransomware infection is often the final stage of the kill chain. For this report, we analyzed malware detections collected in January 2022 from our static anti-malware engines.
Note: we only count total cases, not the monetary impact of infection.
Opportunistic adversaries and some Ransomware-as-a-Service (RaaS) groups represent a higher percentage compared to groups that are more selective about their targets, since they prefer volume over higher value.
When looking at this data, remember these are ransomware detections, not infections.
Top 10 Ransomware Families
We analyzed 10.5 million malware detections from January 1 to January 30. In total, we identified 202 ransomware families. The number of detected ransomware families can vary each month, depending on the ransomware campaigns currently running in different countries.
Top 10 Countries
In total, we detected ransomware from 149 countries in our dataset this month. Ransomware continues to be a threat that touches almost the entire world. Below is a list of the top 10 countries most impacted by ransomware. Many ransomware attacks continue to be opportunistic, and population size correlates with the number of detections.
Top 10 Industries
For our dataset, we have been able to assign 20% of detections to specific industries. Telecommunications services rank particularly high because detections from their customers are attributed to them.
Android Trojans Report
Below are the top 10 trojans targeting Android that we have seen in our telemetry during January 2022.
Downloader.DN – Repacked applications taken from the Google App Store and bundled with aggressive adware. Some of this adware downloads other malware variants.
InfoStealer.XY – Obfuscated applications that masquerade as mobile antiviruses. When the malware app is first run, it checks whether any AV solution is installed and tricks the user into uninstalling it. It exfiltrates sensitive data, downloads and installs other malware, and displays adware.
HiddenApp.AID – Aggressive adware that impersonates adblock applications. When running for the first time, it asks for permission to display on top of other apps. With this permission, the application can hide itself from the launcher.
SpyAgent.DW – Applications that exfiltrate sensitive data like SMS messages, call logs, contacts, or GPS location.
SpyAgent.DW, EA – Applications that exfiltrate sensitive data.
Dropper.AIF – Polymorphic applications that drop and install encrypted modules. After the first run, their icons are hidden from the launcher.
Banker.XX – Applications that impersonate Korean banking applications to record audio and video, collect sensitive information, and upload it to a C&C server.
Banker.XJ, YM – Applications that drop and install encrypted modules. This trojan obtains device admin privileges and gains the ability to manage phone calls and text messages. After deploying, it maintains a connection with the C&C server to receive commands and upload sensitive information. This detection includes variants of TeaBot and FluBot.
Banker.VF – Polymorphic applications that impersonate legitimate apps (Google, Facebook, Sagawa Express ...). Once installed, it locates banking applications installed on the device and tries to download a trojanized version from the C&C server.
Homograph Phishing Report
Homograph attacks abuse internationalized domain names (IDN). Threat actors register internationalized domain names that spoof a target domain name. When we talk about the “target” of an IDN homograph phishing attack, we refer to the domain that threat actors are trying to impersonate. You can read more about this type of attack in one of our previous reports.
Below is the list of the top 10 most common targets for phishing sites.
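As an added illustration (not Bitdefender's code and not the logic behind Scam Alert), the following Python sketch shows how a defender can surface IDN homographs in a link pulled from an SMS: punycode labels are expanded, known look-alike characters are mapped back to the Latin letters they imitate, and the result is compared with a list of protected domains. The protected-domain list and the small confusables table are constructed assumptions, not the report's target list.

```python
import unicodedata

# Constructed stand-ins for the brands a phishing site might imitate (assumption).
PROTECTED = {"paypal.com", "apple.com", "google.com"}

# Small, hand-picked confusables map (assumption, not the full Unicode table):
# Cyrillic letters that render like Latin ones, plus a few other look-alikes.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
    "\u0131": "i", "\u0261": "g",
}

def decode_host(host: str) -> str:
    """Expand punycode (xn--) labels to Unicode so look-alikes become visible."""
    labels = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # malformed label: keep the raw form for the later checks
        labels.append(label)
    return ".".join(labels)

def script_of(ch: str) -> str:
    """First word of the Unicode character name, e.g. 'LATIN' or 'CYRILLIC'."""
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]

def skeleton(host: str) -> str:
    """Replace known confusables with the Latin letter they imitate."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in host)

def classify(host: str):
    """Return (verdict, impersonated_domain) for a host taken from an SMS link."""
    decoded = decode_host(host)
    if decoded in PROTECTED:
        return ("legit", decoded)
    skel = skeleton(decoded)
    if skel in PROTECTED:          # renders like a protected brand but is not it
        return ("homograph", skel)
    scripts = {script_of(c) for c in decoded if c.isalpha()}
    if len(scripts) > 1:           # Latin mixed with Cyrillic etc. is suspicious
        return ("mixed-script", None)
    return ("unknown", None)
```

A production check would use the full Unicode confusables data and per-label script restrictions rather than this short table.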
About Bitdefender Threat Debrief
The Bitdefender Threat Debrief (BDTD) is a monthly series analyzing threat news, trends, and research from the previous month. Don’t miss the next BDTD release: subscribe to the Business Insights blog and follow us on Twitter. You can find all previous debriefs here.
We would like to thank bitdefenders Alin Damian, Mihai Leonte, Ioan Marculet, Andrei Mogage, Ioan Stan, Marius Tivadar, and Horia Zegheru (sorted alphabetically) for their help with putting this report together.