Cyber attacks tripled on Android in 2014

The number of financial malware attacks striking Android users rose more than threefold in 2014, Kaspersky Lab says.

Following an initial decrease in March 2014, Kaspersky Lab researchers registered a significant increase in the number of attacks by Trojan-SMS malware during the second half of the year.

Key findings include:

• Financial targeting. 48.15% of the attacks against users of Android-based devices, that were blocked by Kaspersky Lab products, used malware targeting financial data (Trojan-SMS and Trojan-Banker).

• 2014 blows away earlier levels. The number of financial attacks against Android users in 2014 increased 3.25 times—up from 711,993 to 2,317,194 attacks—compared with 2013, and the number of users attacked rose 3.64 times (up from 212,890 to 775,887).

• Tripling from a triple-threat. 98.02% of all attacks by Android banking malware were accounted for by only three malicious families.

Why Android’s a target

Android is one of the most popular mobile operating systems in the world, attracting the attention of cybercriminals targeting users’ private information and money. During 2014, Kaspersky Lab’s Android products blocked a total of 2,317,194 financial attacks against 775,887 users around the world. The lion’s share of these attacks (2,217,979 attacks against 750,327 users) used Trojan-SMS malware, and the rest (99,215 attacks against 59,200 users) used Trojan-Banker malware.

Although the Trojan-Banker contribution to the overall volume of financial attacks against Android users is relatively small, it continues to grow. During the year, Kaspersky Lab products detected 20 different malicious Trojan-Banker programs.

But there were only three “star” performers among them: Faketoken, Svpeng, and Marcher. Svpeng and Marcher are capable of stealing credentials for online banking as well as credit card information by replacing the authentication fields of mobile banking apps and app stores apps on an infected device. Faketoken is made for intercepting mTAN codes used in multifactor authentication systems and forwarding it to criminals. These three families accounted for 98.02% of all Trojan-Banker attacks.

Profile of attacks

In the spring of 2014, Kaspersky Lab researchers noticed a significant decrease in the number of attacks by Trojan-SMS malware. One possible reason for this fall was the introduction by mobile-phone operators in Russia (the main source of Trojan-SMS threat) of an Advice of Charge (AoC) mechanism. This means that every time a customer (or an SMS Trojan) attempts to send a message to a premium number, the operator notifies the customer how much the service will cost and requests additional confirmation from the user.

The decrease ended in July and was followed by a steady increase throughout the rest of the year. The growth sped up in December, which is traditionally a high season for online shopping and online payment transactions, driving an increase in criminals targeting financial data.