{
	"id": "95e3f6df-d861-4704-b9a1-7a497caf5d4c",
	"created_at": "2026-04-06T00:18:58.049588Z",
	"updated_at": "2026-04-10T13:12:51.981007Z",
	"deleted_at": null,
	"sha1_hash": "213945e3c109001d78ca365e9b29f60d7e34ecba",
	"title": "Mobile malware evolution 2019",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4044223,
	"plain_text": "Mobile malware evolution 2019\r\nBy Victor Chebyshev\r\nPublished: 2020-02-25 · Archived: 2026-04-05 13:12:11 UTC\r\nThese statistics are based on detection verdicts of Kaspersky products received from users who consented to\r\nprovide statistical data.\r\nFigures of the year\r\nIn 2019, Kaspersky mobile products and technologies detected:\r\n3,503,952 malicious installation packages.\r\n69,777 new mobile banking Trojans.\r\n68,362 new mobile ransomware Trojans.\r\nTrends of the year\r\nIn summing up 2019, two trends in particular stick out:\r\nAttacks on users’ personal data became more frequent.\r\nDetections of Trojans on the most popular application marketplaces became more frequent.\r\nThis report discusses each in more detail below, with examples and statistics.\r\nAttacks on personal data: stalkerware\r\nOver the past year, the number of attacks on the personal data of mobile device users increased by half: from\r\n40,386 unique users in 2018 to 67,500 in 2019. This is not about classic spyware or Trojans, but so-called\r\nstalkerware.\r\nhttps://securelist.com/mobile-malware-evolution-2019/96280/\r\nPage 1 of 25\n\nNumber of unique users attacked by stalkerware in 2018–2019\r\nStalkerware can be divided into two major categories:\r\nTrackers.\r\nFull-fledged tracking apps.\r\nThe creators of trackers generally focus on two main features: tracking victims’ coordinates and intercepting text\r\nmessages. Until recently, many such apps, mostly free, were available on the official Google Play marketplace.\r\nAfter Google Play changed its policy in late 2018, most of them were removed from the store, and most\r\ndevelopers pulled support for their products. 
However, such trackers can still be found on their developers’ and\r\nthird-party sites.\r\nIf such an app gets onto a device, messages and data about the user’s location become accessible to third parties.\r\nThese third parties are not necessarily only those tracking the user: the client-server interaction of some services\r\nignores even the minimum security requirements, allowing anyone to gain access to the accumulated data.\r\nThe situation of full-fledged stalkerware is somewhat different: there are no such apps on Google Play, but they\r\nare actively supported by developers. These tend to be commercial solutions with extensive spying capabilities.\r\nThey can harvest almost any data on a compromised device: photos (both entire archives and individual pictures,\r\nfor example, taken at a certain location), phone calls, texts, location information, screen taps (keylogging), and so\r\non.\r\nhttps://securelist.com/mobile-malware-evolution-2019/96280/\r\nPage 2 of 25\n\nScreenshot from the site of a stalkerware app developer showing the capabilities of the software\r\nMany apps exploit root privileges to extract messaging history from protected storage in social networking and\r\ninstant messaging applications. If it cannot gain the required access, the stalkerware can take screenshots, log\r\nscreen taps and even extract the text of incoming and outgoing messages from the windows of popular services\r\nusing the Accessibility feature. One example is the commercial spyware app Monitor Minor.\r\nScreenshot from the site of a stalkerware app developer showing the software’s ability to intercept data from social\r\nnetworks and messengers\r\nThe developers of the commercial spyware FinSpy went one step further by adding a feature to intercept\r\ncorrespondence in secure messengers, such as Signal, Threema and others. To ensure interception, the app\r\nindependently obtains root privileges by exploiting the vulnerability CVE-2016-5195, aka “Dirty Cow”. 
The\r\nexpectation is that the victim is using an old device with an outdated operating system kernel in which the exploit\r\ncan escalate privileges to root.\r\nIt is worth noting that the user base of messaging apps includes hundreds of millions. Classic calls and texts are\r\nbeing used less and less, and communication — be it text messages or voice/video calls — is gradually moving to\r\nhttps://securelist.com/mobile-malware-evolution-2019/96280/\r\nPage 3 of 25\n\ninstant messaging applications. Hence the rising interest in data stored in such apps.\r\nAttacks on personal data: advertising apps\r\nIn 2019, we observed a significant increase in the number of adware threats, one purpose being to harvest personal\r\ndata on mobile devices.\r\nThe statistics show that the number of users attacked by adware in 2019 is roughly unchanged from 2018.\r\nNumber of users attacked by adware in 2018 and 2019\r\nAt the same time, the number of detected adware installation packages almost doubled from 2018.\r\nhttps://securelist.com/mobile-malware-evolution-2019/96280/\r\nPage 4 of 25\n\nNumber of detected adware installation packages in 2018 and 2019\r\nThese indicators typically correlate, but not in the case of adware. This can be explained by several factors:\r\nAdware installation packages are generated automatically and spread literally everywhere, but for some\r\nreason do not reach the target audience. It is possible that they get detected immediately after being\r\ngenerated and cannot propagate further.\r\nOften, such apps contain nothing useful — just an adware module; so the victim immediately deletes them,\r\nassuming that they allow removing themselves.\r\nNevertheless, it is the second successive year that adware has appeared in our Top 3 detected threats. 
KSN\r\nstatistics confirm it to be one of the most common types of threats: four places in our Top 10 mobile threats by\r\nnumber of users attacked in 2019 are reserved for adware-class apps, with one member of the family, HiddenAd,\r\ntaking third place.\r\nVerdict %*\r\n1 DangerousObject.Multi.Generic 35.83\r\n2 Trojan.AndroidOS.Boogr.gsh 8.30\r\n3 AdWare.AndroidOS.HiddenAd.et 4.60\r\n4 AdWare.AndroidOS.Agent.f 4.05\r\n5 Trojan.AndroidOS.Hiddapp.ch 3.89\r\n6 DangerousObject.AndroidOS.GenericML 3.85\r\n7 AdWare.AndroidOS.HiddenAd.fc 3.73\r\n8 Trojan.AndroidOS.Hiddapp.cr 2.49\r\n9 AdWare.AndroidOS.MobiDash.ap 2.42\r\n10 Trojan-Dropper.AndroidOS.Necro.n 1.84\r\n*Share of all users attacked by this type of malware in the total number of users attacked.\r\nIn 2019, mobile adware developers not only generated tens of thousands of packages, but also technically\r\nenhanced their products, in particular through the addition of techniques to bypass operating system restrictions.\r\nFor example, Android imposes certain restrictions on background operation of applications for battery-saving\r\nreasons. This negatively impacts the operation of various threats, including adware apps that like to lurk in the\r\nbackground and wait for, say, a new banner to arrive from C\u0026C. The introduction of such restrictions made it\r\nimpossible for apps to show ads outside the context of their own window, thus starving most adware of oxygen.\r\nThe creators of the KeepMusic adware family found a smart workaround. To bypass the restrictions, their software\r\ndoes not request permissions like, for example, malware does. Instead, the program starts looping an MP3 file that\r\nplays silence. The operating system decides that the music player is running, and does not terminate the\r\nKeepMusic background process. 
As a result, the adware can request a banner from the server and display it any\r\ntime.\r\nAttacks on personal data: exploiting access to Accessibility\r\nThe year 2019 saw the appearance of the first specimen of mobile financial malware (Trojan-Banker.AndroidOS.Gustuff.a), featuring enhanced autonomy. Until then, two methods had been used to steal\r\nmoney from bank accounts:\r\nVia SMS banking on the victim end. This is an autonomous theft technique that requires only\r\ninformation about the transfer recipient. This data the bot can either store in its body or receive as a\r\ncommand from C\u0026C. The Trojan infects the device and sends a text with a transfer request to a special\r\nbank phone number. The bank then automatically transfers the funds to the recipient from the device\r\nowner’s account. Due to the increase in such theft, limits on mobile transfers have been tightened, so this\r\nattack vector has been relegated to backup.\r\nBy stealing online banking credentials. This has been the dominant method in recent years.\r\nCybercriminals display a phishing window on the victim’s device that mimics the bank’s login page and\r\nreels in the victim’s credentials. In this case, the cybercriminals need to carry out the transaction\r\nthemselves, using the app on their own mobile device or a browser. It is possible that the bank’s anti-fraud\r\nsystems can detect the abnormal activity and block it, leaving the attackers empty-handed even if the\r\nvictim’s device is infected.\r\nhttps://securelist.com/mobile-malware-evolution-2019/96280/\r\nPage 6 of 25\n\nIn 2019, cybercriminals mastered a third method: stealing by manipulating banking apps. First, the victim is\r\npersuaded to run the app and sign in, for example, using a fake push notification supposedly from the bank.\r\nTapping the notification does indeed open the banking app, which the attackers, using Accessibility, gain full\r\ncontrol over, enabling them to fill out forms, tap buttons, etc. 
Moreover, the bot operator does not need to do\r\nanything, because the malware performs all actions required. Such transactions are trusted by banks, and the\r\nmaximum transfer amount can exceed the limits of SMS banking by an order of magnitude. As a result, the\r\ncybercriminals can clean out the account in one go.\r\nStealing funds from bank accounts is just one malicious use of Accessibility. In effect, any malware with these\r\npermissions can control all on-screen processes, while any Android app is basically a visual representation of\r\nbuttons, data entry forms, information display, and so on. Even if developers implement their own control\r\nelements, such as a slider that needs to be moved at a certain speed, this too can be done using Accessibility\r\ncommands. Thus, cybercriminals have tremendous leeway to create what are perhaps the most dangerous classes\r\nof mobile malware: spyware, banking Trojans and ransomware Trojans.\r\nThe misuse of the Accessibility features poses a serious threat to users’ personal data. Where previously\r\ncybercriminals had to overlay phishing windows and request a bunch of permissions in order to steal personal\r\ninformation, now victims themselves output all necessary data to the screen or enter it in forms, where it can be\r\neasily gleaned. And if the malware needs more, it can open the Settings section by itself, tap a few buttons, and\r\nobtain the necessary permissions.\r\nMobile Trojans on popular marketplaces: Google Play\r\nSlipping malware into the main Android app store delivers much better results than social engineering victims into\r\ninstalling apps from third-party sources. In addition, this approach enables attackers to:\r\nBypass SafetyNet, Android’s built-in antivirus protection. If a user downloads an app from Google Play,\r\nthe likelihood that it will be installed without additional requests — for example, to disable the built-in\r\nprotection under an imaginary pretext — is very high. 
The only thing that can protect the user from\r\ninfection in that situation is a third-party security solution.\r\nOvercome psychological barriers. Official app stores enjoy far greater trust than third-party “markets,” and\r\nact as store windows of sorts that can be used for distributing software much more efficiently.\r\nTarget victims without unnecessary spending. Google Play can be used to host fakes that visually mimic,\r\nsay, popular banking apps. This was the distribution vector used in a spate of attacks on mobile users in\r\nBrazil: we detected numerous malicious programs on Google Play under the guise of mobile apps for\r\nBrazilian banks.\r\nIn addition to malicious doppelgangers, cybercriminals deployed several other tricks to maximize device infection\r\nrates:\r\nThe case of CamScanner showed that an app’s legitimate behavior can be supplemented with malicious\r\nfunctions by updating its code for handling advertising. This could be described as the most sophisticated\r\nattack vector, since its success depends on a large number of factors, including the user base of the host\r\napp, the developer’s trust in third-party advertising code and the type of malicious activity.\r\nhttps://securelist.com/mobile-malware-evolution-2019/96280/\r\nPage 7 of 25\n\nAnother example demonstrates that attackers sometimes upload to Google Play fairly well-behaved apps\r\nfrom popular user categories. In this case, it was photo editors.\r\nThe most depressing case involves a Trojan from the Joker family, of which we have found many samples\r\non Google Play, and still are. Deploying the tactic of mass posting, cybercriminals uploaded apps under all\r\nkinds of guises: from wallpaper-changing tools and security solutions to popular games. In some cases, the\r\nTrojan scored hundreds of thousands of downloads. 
No other attack vector can reach this kind of audience\r\nwithin such a short space of time.\r\nThe good news is that Google and the antivirus industry have teamed up to fight threats on the site. This approach\r\nshould prevent most malware from penetrating the official Google app store.\r\nStatistics\r\nIn 2019, we discovered 3,503,952 mobile malicious installation packages, which is 1,817,190 less than in the\r\nprevious year. We have not detected so few mobile threats since 2015.\r\nNumber of mobile malicious installation packages for Android in 2015–2019\r\nFor three consecutive years, we have seen an overall decline in the number of mobile threats distributed as\r\ninstallation packages. The picture largely depends on specific cybercriminal campaigns: some have become less\r\nactive, others have completely ceased, and new players have yet to gain momentum.\r\nThe situation is similar with the number of attacks using mobile threats: whereas in 2018 we observed a total of\r\n116.5 million attacks, in 2019 the figure was down to 80 million.\r\nhttps://securelist.com/mobile-malware-evolution-2019/96280/\r\nPage 8 of 25\n\nNumber of attacks defeated by Kaspersky mobile solutions in 2018–2019\r\nThe figures were back to the year before, before the start of the Asacub banking Trojan epidemic.\r\nSince the number of attacks correlates with the number of users attacked, we observed a similar picture for this\r\nindicator.\r\nhttps://securelist.com/mobile-malware-evolution-2019/96280/\r\nPage 9 of 25\n\nNumber of users attacked by mobile malware in 2018–2019\r\nhttps://securelist.com/mobile-malware-evolution-2019/96280/\r\nPage 10 of 25\n\nGeography of attacked users in 2019\r\nTop 10 countries by share of users attacked by mobile malware:\r\nCountry* %**\r\nIran 60.64\r\nPakistan 44.43\r\nBangladesh 43.17\r\nAlgeria 40.20\r\nIndia 37.98\r\nIndonesia 35.12\r\nNigeria 33.16\r\nTanzania 28.51\r\nhttps://securelist.com/mobile-malware-evolution-2019/96280/\r\nPage 11 of 
25\n\nSaudi Arabia 27.94\r\nMalaysia 27.36\r\n*Excluded from the rankings are countries with fewer than 25,000 active users of Kaspersky mobile security solutions in the reporting\r\nperiod.\r\n**Unique users attacked in the country as a percentage of all users of Kaspersky mobile security solutions in the country.\r\nIn 2019, Iran (60.64%) again topped the list for the third year in a row. The most common threats in that country\r\ncome from adware and potentially unwanted software: Trojan.AndroidOS.Hiddapp.bn,\r\nAdWare.AndroidOS.Agent.fa, and RiskTool.AndroidOS.Dnotua.yfe.\r\nPakistan (44.43%) climbed from seventh to second place, mainly on the back of a rise in the number of users\r\nattacked by adware. The largest contribution was made by members of the AdWare.AndroidOS.HiddenAd family.\r\nA similar picture can be seen in Bangladesh (43.17%), whose share has grown due to the same adware families.\r\nTypes of mobile threats\r\nhttps://securelist.com/mobile-malware-evolution-2019/96280/\r\nPage 12 of 25\n\nhttps://securelist.com/mobile-malware-evolution-2019/96280/\r\nPage 13 of 25\n\nDistribution of new mobile threats by type in 2018 and 2019\r\nIn 2019, the share of RiskTool-class threats decreased by 20 p.p. (32.46%). We believe the main reason to be the\r\nsharp drop in the generation of threats from the SMSreg family. A characteristic feature of this family is payments\r\nvia SMS: for example, money transfers or subscriptions to mobile services. Moreover, the user is not explicitly\r\ninformed of the payment or money being charged to their mobile account. Whereas in 2018, we picked up\r\n1,970,742 SMSreg installation packages, the number decreased by an order of magnitude to 193,043 in 2019. 
At\r\nthe same time, far from declining, the number of packages of other members of this class of threats increased\r\nnoticeably.\r\nName of family %*\r\n1 Agent 27.48\r\n2 SMSreg 16.89\r\n3 Dnotua 13.83\r\n4 Wapron 13.73\r\n5 SmsSend 9.15\r\n6 Resharer 4.62\r\n7 SmsPay 3.55\r\n8 PornVideo 2.51\r\n9 Robtes 1.23\r\nhttps://securelist.com/mobile-malware-evolution-2019/96280/\r\nPage 14 of 25\n\n10 Yoga 1.03\r\n*Share of packages of this family in the total number of riskware-class packages detected in 2019.\r\nSkymobi and Paccy dropped out of the Top 10 families of potentially unwanted software; the number of\r\ninstallation packages of these families detected in 2019 decreased tenfold. Their creators likely minimized or even\r\nceased their development and distribution. However, a new player appeared: the Resharer family (4.62%), which\r\nranked sixth. This family is noted for its self-propagation through posting information about itself on various sites\r\nand mailing it to the victim’s contacts.\r\nAdware demonstrated the most impressive growth, up by 14 p.p. The main source of this growth was HiddenAd\r\n(26.81%); the number of installation packages of this family increased by two orders of magnitude against 2018.\r\nName of family %*\r\n1 HiddenAd 26.81\r\n2 MobiDash 20.45\r\n3 Ewind 16.34\r\n4 Agent 15.27\r\n5 Dnotua 5.51\r\n6 Kuguo 1.36\r\n7 Dowgin 1.28\r\n8 Triada 1.20\r\n9 Feiad 1.01\r\n10 Frupi 0.94\r\n*Share of packages of this family in the total number of adware-class packages detected in 2019.\r\nSignificant growth also came from the MobiDash (20.45%) and Ewind (16.34%) families. Meanwhile, the Agent\r\nfamily (15.27%), which held a leading position in 2018, dropped to fourth place.\r\nCompared to 2018, the number of mobile Trojans detected decreased sharply. A downward trend has been\r\nobserved for two consecutive years now, yet droppers remain one of the most numerous malware classes. 
The\r\nHqwar family showed the most notable decrease: down from 141,000 packages in 2018 to 22,000 in 2019. At the\r\nsame time, 2019 saw the debut of the Ingopack family: we detected 115,654 samples of this dropper.\r\nMeanwhile, the share of Trojan-class threats rose by 6 p.p., with the two most numerous malware families of this\r\nclass being Boogr and Hiddapp. The Boogr family contains various Trojans that have been detected using\r\nhttps://securelist.com/mobile-malware-evolution-2019/96280/\r\nPage 15 of 25\n\nmachine-learning (ML) technology. A feature of the Hiddapp family is that it hides its icon in the list of installed\r\napps while continuing to run in the background.\r\nThe share of mobile ransomware Trojans slightly increased. The Top 3 families of this class of threats remained\r\nthe same as in 2018: Svpeng, Congur, and Fusob — in that order.\r\nTop 20 mobile malware programs\r\nThe following malware rankings omit potentially unwanted software, such as RiskTool and AdWare.\r\nVerdict %*\r\n1 DangerousObject.Multi.Generic 49.15\r\n2 Trojan.AndroidOS.Boogr.gsh 10.95\r\n3 Trojan.AndroidOS.Hiddapp.ch 5.19\r\n4 DangerousObject.AndroidOS.GenericML 5.08\r\n5 Trojan-Dropper.AndroidOS.Necro.n 3.45\r\n6 Trojan.AndroidOS.Hiddapp.cr 3.28\r\n7 Trojan-Banker.AndroidOS.Asacub.snt 2.35\r\n8 Trojan-Dropper.AndroidOS.Hqwar.bb 2.10\r\n9 Trojan-Dropper.AndroidOS.Lezok.p 1.76\r\n10 Trojan-Banker.AndroidOS.Asacub.a 1.66\r\n11 Trojan-Downloader.AndroidOS.Helper.a 1.65\r\n12 Trojan-Banker.AndroidOS.Svpeng.ak 1.60\r\n13 Trojan-Downloader.AndroidOS.Necro.b 1.59\r\n14 Trojan-Dropper.AndroidOS.Hqwar.gen 1.50\r\n15 Exploit.AndroidOS.Lotoor.be 1.46\r\n16 Trojan.AndroidOS.Hiddapp.cf 1.35\r\n17 Trojan.AndroidOS.Dvmap.a 1.33\r\n18 Trojan-Banker.AndroidOS.Agent.ep 1.31\r\n19 Trojan.AndroidOS.Agent.rt 1.28\r\n20 Trojan-Dropper.AndroidOS.Tiny.d 1.14\r\nhttps://securelist.com/mobile-malware-evolution-2019/96280/\r\nPage 16 of 25\n\n*Share of users attacked by this type of malware out 
of all attacked users\r\nAs we wrap up the year 2019, first place in our Top 20 mobile malware, as in previous years, goes to the verdict\r\nDangerousObject.Multi.Generic (49.15%), which we use for malware detected with cloud technology. The verdict\r\nis applied where the antivirus databases still have no signatures or heuristics for malware detection. This way, the\r\nmost recent malware is uncovered.\r\nIn second place came the verdict Trojan.AndroidOS.Boogr.gsh (10.95%). This verdict is assigned to files\r\nrecognized as malicious by our ML-based system. Another result of this system’s work is objects with the verdict\r\nDangerousObject.AndroidOS.GenericML (5.08%, fourth place in the rating). This verdict is assigned to files\r\nwhose structure is identical to that of malicious files.\r\nThird, sixth, and sixteenth places were taken by members of the Hiddapp family. We assign this verdict to any app\r\nthat hides its icon in the list of apps immediately after starting. Subsequent actions of such apps may be anything\r\nfrom downloading or dropping other apps to displaying ads.\r\nFifth and thirteenth places went to members of the Necro family of droppers and loaders. In both threat classes,\r\nNecro members did not make it into the Top 10 by number of detected files. Even the weakened Hqwar family of\r\ndroppers strongly outperformed Necro by number of generated objects. That said, users often encountered Necro\r\nmembers due to the family’s penetration of Google Play.\r\nSeventh and tenth places went to the Asacub family of banking Trojans. Whereas at the start of the year, the\r\nTrojan’s operators were still actively spreading the malware, starting in March 2019, we noticed a drop in this\r\nfamily’s activity.\r\nNumber of unique users attacked by the Asacub mobile banking Trojan in 2019\r\nEighth and fourteenth places were reserved for droppers in the Hqwar family. 
Their activity dropped significantly\r\nfrom 80,000 attacked users in 2018 to 28,000 in 2019. However, we continue to register infection attempts by this\r\nfamily, and do not rule out its return to the top.\r\nNumber of unique users attacked by the Hqwar mobile dropper in 2019\r\nIn ninth position is another dropper, this time from the Lezok family: Trojan-Dropper.AndroidOS.Lezok.p\r\n(1.76%). A notable difference between this Trojan and Hqwar is that the malware penetrates the device before it\r\narrives at the store. This is evidenced by KSN statistics showing that the Trojan was most often detected in the\r\nsystem directory under the names PhoneServer, GeocodeService, and similar.\r\nPath to the detected threat Number of unique users attacked\r\n1 /system/priv-app/PhoneServer/ 49,688\r\n2 /system/priv-app/GeocodeService/ 9747\r\n3 /system/priv-app/Helper/ 6784\r\n4 /system/priv-app/com.android.telephone/ 5030\r\n5 /system/priv-app/ 1396\r\nhttps://securelist.com/mobile-malware-evolution-2019/96280/\r\nPage 18 of 25\n\n6 /system/priv-app/CallerIdSearch/ 1343\r\nWhen the device is turned on, Lezok dumps its payload into the system; it does so even if the victim deletes the\r\ndumped files using regular OS tools or resets the device to the factory settings. The trick is that the Trojan forms\r\npart of the factory firmware and can reload (restore) the deleted files.\r\nThe final Trojan worthy of attention is Trojan-Downloader.AndroidOS.Helper.a (1.56%), which finished eleventh\r\nin the rankings. Despite claims to the contrary, it can be removed. However, the infected system contains another\r\nTrojan that installs a helper app, which cannot be removed that easily. According to KSN statistics, members of\r\nthe Trojan-Downloader.AndroidOS.Triada and Trojan.AndroidOS.Dvmap families can act as delivery vehicles for\r\nthe helper. 
After the victim removes the helper, a member of one of these two families loads and reinstalls it.\r\nMobile banking Trojans\r\nIn 2019, we detected 69,777 installation packages for mobile banking Trojans, which is half last year’s figure.\r\nHowever, the share of banking Trojans out of all detected threats grew slightly as a consequence of the declining\r\nactivity of other classes and families of mobile malware.\r\nNumber of installation packages of mobile banking Trojans detected by Kaspersky in 2019\r\nThe number of detected installation packages for banking Trojans as well as the number of attacks were\r\ninfluenced by the campaign to distribute the Asacub Trojan, whose activity has plummeted starting in April 2019.\r\nhttps://securelist.com/mobile-malware-evolution-2019/96280/\r\nPage 19 of 25\n\nNumber of attacks by mobile banking Trojans in 2018–2019\r\nIt is worth noting that the average number of attacks over the year was approximately 270,000 per month.\r\nTop 10 countries by share of users attacked by banking Trojans\r\nCountry %*\r\n1 Russia 0.72\r\n2 South Africa 0.66\r\n3 Australia 0.59\r\n4 Spain 0.29\r\n5 Tajikistan 0.21\r\n6 Turkey 0.20\r\n7 USA 0.18\r\n8 Italy 0.17\r\n9 Ukraine 0.17\r\nhttps://securelist.com/mobile-malware-evolution-2019/96280/\r\nPage 20 of 25\n\n10 Armenia 0.16\r\n*Share of users attacked by mobile bankers out of all attacked users\r\nRussia (0.72%) has headed our Top 10 for three consecutive years: many different Trojan families are focused on\r\nstealing credentials from Russian banking apps. These Trojans operate in other countries as well. 
Thus, Asacub is\r\nthe number one threat in Tajikistan, Ukraine, and Armenia, while the Svpeng family of Trojans is active in Russia\r\nand the US.\r\nIn South Africa (0.66%), the most common Trojan was Trojan-Banker.AndroidOS.Agent.dx, accounting for 95%\r\nof all users attacked by banking threats.\r\nThe most widespread Trojan in Australia (0.59%) was Trojan-Banker.AndroidOS.Agent.eq (77% of all users\r\nattacked by banking threats).\r\nIn Spain (0.29%), banking malware from the Cebruser and Trojan-Banker.AndroidOS.Agent.ep families are\r\npopular with cybercriminals (49% and 22% of all users attacked by banking threats, respectively).\r\nTop 10 families of mobile bankers in 2019\r\nFamily %*\r\n1 Asacub 44.40\r\n2 Svpeng 22.40\r\n3 Agent 19.06\r\n4 Faketoken 12.02\r\n5 Hqwar 3.75\r\n6 Anubis 2.72\r\n7 Marcher 2.07\r\n8 Rotexy 1.46\r\n9 Gugi 1.34\r\n10 Regon 1.01\r\n*Share of users attacked by this family of mobile bankers out of all users attacked by mobile banking Trojans\r\nMobile ransomware Trojans\r\nIn 2019, we detected 68,362 installation packages for ransomware Trojans, which is 8,186 more than in the\r\nprevious year. However, we observed a decline in the generation of new ransomware packages throughout 2019.\r\nhttps://securelist.com/mobile-malware-evolution-2019/96280/\r\nPage 21 of 25\n\nThe minimum was recorded in December.\r\nNumber of new installation packages for mobile banking Trojans in Q1–Q4 2019\r\nA similar picture is seen for attacked users. 
Whereas in early 2019, the number of attacked users peaked at 12,004,\r\nby the end of the year, the figure had decreased 2.6 times.\r\nhttps://securelist.com/mobile-malware-evolution-2019/96280/\r\nPage 22 of 25\n\nNumber of users attacked by mobile ransomware Trojans in 2018–2019\r\nhttps://securelist.com/mobile-malware-evolution-2019/96280/\r\nPage 23 of 25\n\nCountries by share of users attacked by mobile ransomware in 2019\r\nTop 10 countries by share of users attacked by ransomware Trojans\r\nCountry* %**\r\n1 USA 2.03\r\n2 Kazakhstan 0.56\r\n3 Iran 0.37\r\n4 Mexico 0.11\r\n5 Saudi Arabia 0.10\r\n6 Pakistan 0.10\r\n7 Canada 0.10\r\n8 Italy 0.09\r\nhttps://securelist.com/mobile-malware-evolution-2019/96280/\r\nPage 24 of 25\n\n9 Indonesia 0.08\r\n10 Australia 0.06\r\n*Excluded from the rating are countries with fewer than 25,000 active users of Kaspersky mobile solutions in the reporting period.\r\n**Unique users attacked by mobile ransomware in the country as a percentage of all users of Kaspersky mobile solutions in the country.\r\nFor the third year in a row, first place by share of users attacked by mobile ransomware went to the US (2.03%).\r\nSame as last year, the Svpeng ransomware family was the most commonly encountered in the country. It was also\r\nthe most widespread in Iran (0.37%).\r\nThe situation in Kazakhstan (0.56%) was unchanged: the country still ranks second, and the most prevalent threat\r\nthere remains the Rkor family.\r\nConclusion\r\nThe year 2019 saw the appearance of several highly sophisticated mobile banking threats, in particular, malware\r\nthat can interfere with the normal operation of banking apps. The danger they pose cannot be overstated, because\r\nthey cause direct losses to the victim. 
It is highly likely that this trend will continue into 2020, and we will see\r\nmore such high-tech banking Trojans.\r\nAlso in 2019, attacks involving the use of mobile stalkerware became more frequent, the purpose being to monitor\r\nand collect information about the victim. In terms of sophistication, stalkerware is keeping pace with its malware\r\ncousins. It is quite likely that 2020 will see an increase in the number of such threats, with a corresponding rise in\r\nthe number of attacked users.\r\nJudging by our statistics, adware is gaining ever more popularity among cybercriminals. In all likelihood, going\r\nforward we will encounter new members of this class of threats, with the worst-case scenario involving adware\r\nmodules pre-installed on victims’ devices.\r\nSource: https://securelist.com/mobile-malware-evolution-2019/96280/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/mobile-malware-evolution-2019/96280/"
	],
	"report_names": [
		"96280"
	],
	"threat_actors": [
		{
			"id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0",
			"created_at": "2022-10-25T15:50:23.710403Z",
			"updated_at": "2026-04-10T02:00:05.281246Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"Whisper Spider"
			],
			"source_name": "MITRE:Silence",
			"tools": [
				"Winexe",
				"SDelete"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7",
			"created_at": "2025-03-29T02:05:20.764715Z",
			"updated_at": "2026-04-10T02:00:03.851829Z",
			"deleted_at": null,
			"main_name": "GOLD WYMAN",
			"aliases": [
				"Silence "
			],
			"source_name": "Secureworks:GOLD WYMAN",
			"tools": [
				"Silence"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "dcba8e2b-93e0-4d6e-a15f-5c44faebc3b1",
			"created_at": "2022-10-25T16:07:23.816991Z",
			"updated_at": "2026-04-10T02:00:04.758143Z",
			"deleted_at": null,
			"main_name": "Lurk",
			"aliases": [],
			"source_name": "ETDA:Lurk",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "88e53203-891a-46f8-9ced-81d874a271c4",
			"created_at": "2022-10-25T16:07:24.191982Z",
			"updated_at": "2026-04-10T02:00:04.895327Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"ATK 86",
				"Contract Crew",
				"G0091",
				"TAG-CR8",
				"TEMP.TruthTeller",
				"Whisper Spider"
			],
			"source_name": "ETDA:Silence",
			"tools": [
				"EDA",
				"EmpireDNSAgent",
				"Farse",
				"Ivoke",
				"Kikothac",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Meterpreter",
				"ProxyBot",
				"ReconModule",
				"Silence.Downloader",
				"TiniMet",
				"TinyMet",
				"TrueBot",
				"xfs-disp.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434738,
	"ts_updated_at": 1775826771,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/213945e3c109001d78ca365e9b29f60d7e34ecba.pdf",
		"text": "https://archive.orkl.eu/213945e3c109001d78ca365e9b29f60d7e34ecba.txt",
		"img": "https://archive.orkl.eu/213945e3c109001d78ca365e9b29f60d7e34ecba.jpg"
	}
}