{
	"id": "0ac18813-93d0-4a40-bb50-d76e0c739a92",
	"created_at": "2026-04-06T00:10:17.994806Z",
	"updated_at": "2026-04-10T03:30:32.839315Z",
	"deleted_at": null,
	"sha1_hash": "974d2f054cec687cd2bfc6d0d1df170e46af2796",
	"title": "Mobile Malware Evolution: 2013",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 492064,
	"plain_text": "Mobile Malware Evolution: 2013\r\nBy Victor Chebyshev\r\nPublished: 2014-02-24 · Archived: 2026-04-05 15:00:50 UTC\r\nThe mobile malware sector is growing rapidly both technologically and structurally. It is safe to say that today’s\r\ncybercriminal is no longer a lone hacker but part of a serious business operation.\r\nThere are various types of actors involved in the mobile malware industry: virus writers, testers, interface\r\ndesigners of both the malicious apps and the web pages they are distributed from, owners of the partner programs\r\nthat spread the malware, and mobile botnet owners.\r\nThis division of labor among the cybercriminals can also be seen in the behavior of their Trojans. In 2013, there\r\nwas evidence of cooperation (most probably on a commercial basis) between different groups of virus writers. For\r\nexample, the botnet Trojan-SMS.AndroidOS.Opfake.a, in addition to its own activity, also spread\r\nBackdoor.AndroidOS.Obad.a by sending spam containing a link to the malware to the victim’s list of contacts.\r\nIt is now clear that a distinct industry has developed and is becoming more focused on extracting profits, which is\r\nclearly evident from the functionality of the malware.\r\n2013 in figures\r\nA total of 143,211 new modifications of malicious programs targeting mobile devices were detected in all\r\nof 2013 (as of January 1, 2014).\r\nIn 2013, 3,905,502 installation packages were used by cybercriminals to distribute mobile malware.\r\nOverall in 2012-2013 we detected approximately 10,000,000 unique malicious installation packages:\r\nhttps://securelist.com/mobile-malware-evolution-2013/58335/\r\nPage 1 of 15\n\nThe number of installation packages detected in 2012-2013\r\nDifferent installation packages can install programs with the same functionality that differ only in terms of\r\nthe malicious app interface and, for instance, the content 
of the text messages it spreads.\r\nAndroid remains a prime target for malicious attacks. 98.05% of all malware detected in 2013 targeted this\r\nplatform, confirming both the popularity of this mobile OS and the vulnerability of its architecture.\r\nThe distribution of mobile malware detected in 2013 by platform\r\nMost mobile malware is designed to steal users’ money, including SMS-Trojans, and lots of backdoors and\r\nTrojans.\r\nThe distribution of mobile malware by category\r\nOver the year, the number of mobile malware modifications designed for phishing, the theft of credit card\r\ninformation and money increased by a factor of 19.7. In 2013, Kaspersky Lab mobile products prevented\r\n2,500 infections by banking Trojans.\r\nMethods and techniques\r\n2013 not only saw a radical increase in output from mobile virus writers but also saw them actively applying\r\nmethods and technologies that allowed cybercriminals to use their malware more effectively. There were several\r\ndistinct areas where mobile malware underwent advances.\r\nDistribution\r\nCybercriminals made use of some exceptionally sophisticated methods to infect mobile devices.\r\nInfecting legal web resources helps spread mobile malware via popular websites. More and more smartphone and\r\ntablet owners use their devices to access websites, unaware that even the most reputable resources can be hacked.\r\nAccording to our data, 0.4% of the websites visited by users of our products were compromised sites.\r\nDistribution via alternative app stores. In Asia there are numerous companies producing Android-based devices\r\nand Android apps, and many of them offer users their own app stores containing programs that cannot be found in\r\nGoogle Play. 
The purely nominal control over the applications uploaded to these stores means attackers can\r\nconceal Trojans in apps made to look like innocent games or utilities.\r\nDistribution via botnets. As a rule, bots self-proliferate by sending out text messages with a malicious link to\r\naddresses in the victim’s address book. We also registered one episode of mobile malware spreading via a third-party botnet.\r\nResistance to anti-malware protection\r\nThe ability of malicious software to operate continuously on the victim’s mobile device is an important aspect of\r\nits development. The longer a Trojan “lives” on a smartphone, the more money it will make for the owner. This is\r\nan area where virus writers are actively working, resulting in a large number of technological innovations.\r\nCriminals are increasingly using obfuscation, the deliberate act of creating complex code to make it difficult to\r\nanalyze. The more complex the obfuscation, the longer it will take an antivirus solution to neutralize the malicious\r\ncode. Tellingly, current virus writers have mastered commercial obfuscators. This implies they have made\r\nconsiderable investments. For example, one commercial obfuscator, which cost €350, was used for the Trojans\r\nOpfak.bo and Obad.a.\r\nAndroid vulnerabilities are used by criminals for three reasons: to bypass the code integrity check when\r\ninstalling an application (the Master Key vulnerability); to enhance the rights of malicious applications, considerably\r\nextending their capabilities; and to make it more difficult to remove malware. For example, Svpeng uses a\r\npreviously unknown vulnerability to protect itself from being removed manually or by the antivirus program.\r\nCybercriminals also exploit the Master Key vulnerability and have learned to embed unsigned executable files in\r\nAndroid installation packages. 
Digital signature verification can be bypassed by giving the malicious file exactly\r\nthe same name as a legitimate file and placing it on the same level in the archive. The system verifies the signature\r\nof the legitimate file while installing the malicious file.\r\nUnfortunately, there is a specific feature of Android vulnerabilities that means it is only possible to get rid of them\r\nby receiving an update from the device manufacturers. However, many users are in no hurry to update the\r\noperating systems of their products. If a smartphone or tablet was released more than a year ago, it is probably no\r\nlonger supported by the manufacturer and patching of vulnerabilities is no longer provided. In that case, the only\r\nhelp comes from an antivirus solution, for example, Kaspersky Internet Security for Android.\r\nEmbedding malicious code in legitimate programs helps conceal infections from the victim. Of course, this\r\ndoes not mean the digital signature of the software developer can be used. However, due to the absence of\r\ncertification centers verifying the digital signatures of Android programs, nothing prevents criminals from adding\r\ntheir own signature. As a result, a copy of Angry Birds installed from an unofficial app store or downloaded from\r\na forum could easily contain malicious functionality.\r\nCapabilities and functionality\r\nIn 2013, we detected several technological innovations developed and used by criminals in their malicious\r\nsoftware. Below are descriptions of some of the most interesting.\r\nControl of malware from a single center provides maximum flexibility. Botnets can make considerably more\r\nmoney than autonomous Trojans. 
It comes as no surprise then that many SMS-Trojans include bot functionality.\r\nAccording to our estimates, about 60% of mobile malware are elements of both large and small mobile botnets.\r\nBy using Google Cloud Messaging botnet owners can operate without a C\u0026C server, thus eliminating the threat\r\nof the botnet being detected and blocked by law enforcement authorities. Google Cloud Messaging is designed to\r\nsend short messages (up to 4 KB) to mobile devices via Google services. The developer simply has to register and\r\nreceive a unique ID for his applications. The commands received via GCM cannot be blocked immediately on an\r\ninfected device.\r\nWe have detected several malicious programs using GCM for command and control – the widespread Trojan-SMS.AndroidOS.FakeInst.a, Trojan-SMS.AndroidOS.Agent.ao, and Trojan-SMS.AndroidOS.OpFake.a among\r\nothers. Google is actively combating this use of the service, responding quickly to reports from antivirus\r\ncompanies and blocking the IDs of cybercriminals.\r\nAttacks on Windows XP allow mobile malware to infect a PC after connecting a smartphone or tablet. In early\r\n2013 we detected two identical applications on Google Play that were allegedly designed for cleaning the\r\noperating system of Android-based devices from unnecessary processes. In fact, the applications are designed to\r\ndownload the autorun.inf file, an icon file and the win32-Trojan file, which the mobile malicious program locates\r\nin the root directory of an SD card. On connecting a smartphone in the USB drive emulation mode to a computer\r\nrunning Windows XP, the system automatically starts the Trojan (if AutoPlay on the external media is not\r\ndisabled) and is infected. The Trojan allows the criminals to remotely control the victim’s computer and is capable\r\nof recording sound from a microphone. 
We would like to emphasize that this method of attack only works on\r\nWindows XP and Android versions prior to 2.2.\r\nThe most advanced mobile malicious programs today are Trojans targeting users’ bank accounts – the most\r\nattractive source of criminal earnings.\r\nTrend of the year: mobile banking Trojans\r\n2013 was marked by a rapid rise in the number of Android banking Trojans. The cyber industry of mobile\r\nmalware is becoming more focused on making profits more effectively, i.e., mobile phishing, theft of credit card\r\ninformation, money transfers from bank cards to mobile phones and from phones to the criminals’ e-wallets.\r\nCybercriminals have become obsessed by this method of illegal earnings: at the beginning of the year we knew\r\nonly 67 banking Trojans, but by the end of the year there were already 1321 unique samples. Kaspersky Lab\r\nmobile products prevented 2,500 infections by banking Trojans.\r\nThe number of mobile banking Trojans in our collection\r\nMobile banking Trojans can run together with Win-32 Trojans to bypass the two-factor authentication – mTAN\r\ntheft (the theft of banking verification codes that banks send their customers in SMS messages). However, in\r\n2013, autonomous mobile banking Trojans developed further. Currently, such Trojans attack a limited number of\r\nbank customers, but it is expected that cybercriminals will invent new techniques that will allow them to expand\r\nthe number and the geography of potential victims.\r\nInfections caused by mobile banking programs\r\nToday, the majority of banking Trojan attacks affect users in Russia and the CIS. 
However, this situation will not\r\nlast long: given the cybercriminals’ interest in user bank accounts, the activity of mobile banking Trojans is\r\nexpected to grow in other countries in 2014.\r\nAs mentioned above, banking Trojans are perhaps the most complex of all mobile threats, and Svpeng is one of\r\nthe most striking examples.\r\nSvpeng\r\nIn mid-July, we detected Trojan-SMS.AndroidOS.Svpeng.a which, unlike its SMS Trojan counterparts, is focused\r\non stealing money from the victim’s bank account rather than from his mobile phone. It cannot act independently\r\nand operates strictly in accordance with commands received from the C\u0026C server. This malicious program\r\nspreads via SMS spam and from compromised legitimate sites that redirect mobile users to a malicious resource.\r\nThere the user is prompted to download and install a Trojan imitating an Adobe Flash Player update.\r\nSvpeng is capable of doing lots of things.\r\nIt collects information about the smartphone (IMEI, country, service provider, operating system language) and\r\nsends it to the host via the HTTP POST request. This appears to be necessary to determine the number of banks\r\nthe victim may use. Svpeng is only currently attacking clients of Russian banks. Typically, however,\r\ncybercriminals first test-run a technology on the Russian sector of the Internet and then roll it out globally,\r\nattacking users in other countries.\r\nIt steals SMS messages and information about voice calls. It helps the attacker find out which banks the owner\r\nof the smartphone calls – the Trojan receives a list of bank phone numbers from its C\u0026C server.\r\nIt steals money from the victim’s bank account. In Russia, some major banks offer their clients a special service\r\nthat allows them to transfer money from their bank card to their mobile phone account. 
Customers have to send a\r\nset text message from their phone to a specific bank number. Svpeng sends the corresponding messages to the\r\nSMS services of two banks. Svpeng does this to check if the cards from these banks are attached to the number of\r\nthe infected phone and to find out the account balance. If the phone is attached to a bank card, commands are sent\r\nfrom the C\u0026C server with instructions to transfer money from the user’s bank account to his/her mobile account.\r\nThe cybercriminals then send this money to a digital wallet or to a premium number and cash it in.\r\nIt steals logins and passwords to online banking accounts by substituting the window displayed by the bank\r\napplication. Currently, this only affects Russian banks, but the technology behind Svpeng could easily be used to\r\ntarget other banking applications.\r\nIt steals bank card information (the number, the expiry date, CVC2/CVV2) imitating the process of registering\r\nthe bank card with Google Play. If the user has launched Play Market, the Trojan intercepts the event and displays\r\na window on top of the Google Play window, prompting the user to enter his/her bank card details in the fake\r\nwindow. The data entered by the user is sent to the cybercriminals.\r\nIt extorts money from users by threatening to block the smartphone: it displays a message demanding $500 to\r\nunblock the device. In actual fact, the Trojan does not block anything and the phone can be used without any\r\nproblems.\r\nIt hides traces of its activity by masking the outgoing and incoming text messages and blocking calls and\r\nmessages from numbers belonging to the bank. The Trojan gets the list of bank phone numbers from its C\u0026C\r\nserver.\r\nIt protects itself from deletion by requesting Device Administrator rights during the installation. As a result, the\r\nTrojan delete button in the list of applications becomes inactive, which may cause problems for inexperienced\r\nusers. 
It is impossible to deprive it of these rights without the use of specialized tools (such as Kaspersky Internet\r\nSecurity for Android). To protect itself from being removed, Svpeng uses a previously unknown vulnerability in\r\nAndroid. It uses the same trick to prevent the smartphone from being returned to its factory settings.\r\nThe Trojan is distributed in Russia and CIS countries. But, as we have already mentioned, the criminals could\r\neasily turn their attention to users in other countries.\r\nPerkele and Wroba\r\nForeign users have also been on the receiving end of several malicious innovations targeting bank accounts.\r\nThe Perkele Android Trojan not only attacks Russian users but also clients of several European banks. It is of\r\ninterest primarily because it operates in conjunction with various banking win32-Trojans. Its main task is to\r\nbypass the two-factor authentication of the client in the online banking system.\r\nDue to the specific nature of its activity, Perkele is distributed in a rather unusual way. When a user enters an\r\nInternet banking site on a computer infected by banking malware (ZeuS, Citadel), a request about the smartphone\r\nnumber and type of operating system is injected into the code of the authentication page. This data is immediately\r\nsent to the cybercriminals and the computer displays the QR code containing a link to the alleged certificate of the\r\nonline banking system. After scanning the QR code and installing a component downloaded from the link, the user\r\ninfects his smartphone with the Trojan program that boasts functionality that is of great interest to the attackers.\r\nPerkele intercepts mTANs (confirmation codes for banking operations) sent by the bank via text message. 
By\r\nusing the login and password stolen from the browser, the Windows Trojan initiates a fake transaction while\r\nPerkele intercepts (via the C\u0026C server) the mTAN sent by the bank to the user. Money then disappears from the\r\nvictim’s account and is cashed in without the owner’s knowledge.\r\nThe Korean malware Wroba, in addition to the traditional vector of infection via file-sharing services, spreads via\r\nalternative app stores. Once it infects a device, Wroba behaves very aggressively. It searches for mobile banking\r\napplications, removes them and uploads counterfeit versions. From the outside, they are indistinguishable from the\r\nlegitimate applications. However, they possess no banking functions, and merely steal the logins and passwords\r\nentered by users.\r\nTOP 10 mobile threats detected in 2013\r\nName* % of all attacks\r\n1 DangerousObject.Multi.Generic 40.42%\r\n2 Trojan-SMS.AndroidOS.OpFake.bo 21.77%\r\n3 AdWare.AndroidOS.Ganlet.a 12.40%\r\n4 Trojan-SMS.AndroidOS.FakeInst.a 10.37%\r\n5 RiskTool.AndroidOS.SMSreg.cw 8.80%\r\n6 Trojan-SMS.AndroidOS.Agent.u 8.03%\r\n7 Trojan-SMS.AndroidOS.OpFake.a 5.49%\r\n8 Trojan.AndroidOS.Plangton.a 5.37%\r\n9 Trojan.AndroidOS.MTK.a 4.25%\r\n10 AdWare.AndroidOS.Hamob.a 3.39%\r\n1. DangerousObject.Multi.Generic. This verdict means that we are aware of an application’s malicious\r\ncharacter, but for one reason or another have not provided our users with signatures to detect it. In such cases,\r\ndetection is available through cloud technologies implemented by the company in the Kaspersky Security\r\nNetwork, which enable our products to minimize the time it takes to respond to new and unknown threats.\r\n2. Trojan-SMS.AndroidOS.OpFake.bo. This is one of the most sophisticated SMS Trojans. Its distinguishing\r\nfeatures are a well-designed interface and the greed of its developers. 
When launched, it steals money from the\r\nmobile device’s owner – from $9 to the entire amount in the user’s account. There is also the risk of the user’s\r\ntelephone number being discredited, since the Trojan can collect numbers from the contact list and send SMS\r\nmessages to all of those numbers. The malware targets primarily Russian-speakers and users in CIS countries.\r\n3. AdWare.AndroidOS.Ganlet.a. An advertising module that possesses the functionality necessary to install\r\nother applications.\r\n4. Trojan-SMS.AndroidOS.FakeInst.a. This malware has evolved over the past few years from a simple SMS\r\nTrojan to a fully functional bot controlled via various channels (including Google Cloud Messaging). The Trojan\r\ncan steal money from a user’s account and send messages to numbers in the victim’s list.\r\n5. RiskTool.AndroidOS.SMSreg.cw. This payment module is widespread in China. It is included in various\r\ngames as a module for making online purchases via SMS within an application. It removes confirmation text\r\nmessages from the billing system without the user’s knowledge. Victims have no idea money was stolen from\r\ntheir mobile until they check the balance.\r\n6. Trojan-SMS.AndroidOS.Agent.u. This was the first Trojan to use a vulnerability in Android OS to gain\r\nDEVICE ADMIN privileges, thereby making its removal a very difficult task. In addition, it is capable of rejecting\r\nincoming calls and of making calls on its own. Possible damage: sending multiple SMS messages with costs\r\ntotaling $9 or more.\r\n7. Trojan.AndroidOS.Plangton.a. This advertising module sends user’s personal information (without their\r\nknowledge) to an advertising server, making it look like a targeted advertising campaign. The resulting damage\r\nincludes the user’s mobile number, Google account and some other data being discredited. This Trojan also\r\narbitrarily changes the home page of the browser and adds advertising bookmarks.\r\n8. 
Trojan-SMS.AndroidOS.OpFake.a. This multifunctional bot helps distribute the sophisticated Android\r\nmalware Backdoor.AndroidOS.Obad.a. A composite of these two is extremely dangerous because of its:\r\n1. wide range of capabilities: identity theft, sending text messages to any number. Installation of an\r\napplication like this could lead to all the money being stolen from a mobile account. It may also result in\r\nthe affected phone number being discredited after the contact numbers stolen from the account are used to\r\nsend text messages. The list of contacts will also be uploaded to the criminal’s server.\r\n2. extremely complex self-defense mechanisms and counter measures that prevent deletion. Due to the\r\nexploitation of an Android vulnerability, this Trojan cannot be removed without a special program such as\r\nKIS for Android.\r\nIt should be noted that Trojan-SMS.AndroidOS.OpFake.a is spread over a larger geographical area than the\r\nother Top 10 leaders. We often register attempts to infect devices not only in the CIS countries but also in Europe.\r\n9. Trojan.AndroidOS.MTK.a. This is a sophisticated Trojan program with wide functionality and sophisticated\r\nencryption methods. Its main task is to run malicious apps that have been downloaded to the infected device.\r\n10. 
AdWare.AndroidOS.Hamob.a is an advertising application imitating legitimate programs (by using the\r\nname and the icon, for example, WinRAR), while its only functionality is to display adverts.\r\nThe Top 10 includes four SMS Trojans, although some of them possess control mechanisms that convert infected\r\ndevices into bots.\r\nThe geography of threats\r\nCountries where users face the greatest risk of mobile malware infection (the percentage of all attacked unique\r\nusers)\r\nThe TOP 10 countries by number of attacked unique users:\r\nCountry % of all attacked unique users\r\n1 Russia 40.34%\r\n2 India 7.90%\r\n3 Vietnam 3.96%\r\n4 Ukraine 3.84%\r\n5 United Kingdom 3.42%\r\n6 Germany 3.20%\r\n7 Kazakhstan 2.88%\r\n8 USA 2.13%\r\n9 Malaysia 2.12%\r\n10 Iran 2.01%\r\nMobile threats have region-specific features – attackers use different categories of mobile malware depending on\r\nthe region or the country. Below are a few examples of mobile malware distribution by country.\r\nRussia\r\nIn Russia, mobile cybercrime is particularly prevalent – 40.3% of all users attacked worldwide in 2013 were\r\nlocated in this country.\r\nTop 5 families of mobile malware distributed in Russia\r\nFamily % of all attacked unique users\r\nTrojan-SMS.AndroidOS.OpFake 40.19%\r\nTrojan-SMS.AndroidOS.FakeInst 28.57%\r\nTrojan-SMS.AndroidOS.Agent 27.11%\r\nDangerousObject.Multi.Generic 25.30%\r\nTrojan-SMS.AndroidOS.Stealer 15.98%\r\nIn 2013, Russia again led the way in the number of SMS Trojan infections and there are currently no signs that the\r\nsituation will improve. 
As has already been mentioned above, the majority of mobile banking Trojans target\r\nRussian users.\r\nRussia and the CIS countries often serve as a testing ground for new technologies: having perfected their\r\ntechnologies in the Russian-language sector of the Internet, the cybercriminals then turn their attention to users in\r\nother countries.\r\nGermany\r\nGermany is one of the Western European countries where SMS Trojans are quite active. In 2013, Europe was\r\nclearly a target for Russian virus writers, as their monetization scams involving text messages being sent to\r\npremium numbers work well in this region. In Germany, we registered constant attempts at SMS Trojan\r\ninfection, especially by the Agent malware family.\r\nMobile banking Trojans are also actively used in this country: Germany ranks first among Western European\r\ncountries by the number of unique users attacked (6th place in the world rating).\r\nTop 5 families of mobile malware distributed in Germany\r\nFamily % of all attacked unique users\r\nRiskTool.AndroidOS.SMSreg 25.88%\r\nDangerousObject.Multi.Generic 20.83%\r\nTrojan-SMS.AndroidOS.Agent 9.25%\r\nTrojan.AndroidOS.MTK 8.58%\r\nAdWare.AndroidOS.Ganlet 5.92%\r\nThe USA\r\nThe situation in the USA is different. There are no monetization scams involving text messages, meaning there is\r\nno clear dominance by mobile SMS Trojans. The leaders include bots collecting data about infected smartphones.\r\nTop 5 families of mobile malware distributed in the US\r\nFamily % of all attacked unique users\r\nDangerousObject.Multi.Generic 19.75%\r\nRiskTool.AndroidOS.SMSreg 19.24%\r\nMonitor.AndroidOS.Walien 11.24%\r\nBackdoor.AndroidOS.GinMaster 8.05%\r\nAdWare.AndroidOS.Ganlet 7.29%\r\nChina\r\nIn China, there are a lot of advertising modules integrated into clean and even malicious applications. 
The\r\nfunctions of advertising modules are diverse, even going as far as downloading malware to the victim’s phone.\r\nSMS Trojans and backdoors are also very popular in China.\r\nTop 5 families of mobile malware distributed in China\r\nFamily % of all attacked unique users\r\nRiskTool.AndroidOS.SMSreg 46.43%\r\nAdWare.AndroidOS.Dowgin 19.18%\r\nDangerousObject.Multi.Generic 13.89%\r\nTrojan-SMS.AndroidOS.Agent 10.55%\r\nTrojan.AndroidOS.MTK 10.13%\r\nConclusion\r\nMalicious software that attacks users of mobile banking accounts continues to develop and the number of\r\nprograms is growing rapidly. It is obvious that this trend will continue, with more mobile banking Trojans and\r\nnew technologies to avoid detection and removal.\r\nOf all the mobile malware samples detected in 2013, bots were the most numerous category. The attackers have\r\nclearly seen the benefits of mobile botnets when it comes to making profits. New mechanisms for controlling\r\nmobile botnets may appear in the near future.\r\nIn 2014 we expect to see vulnerabilities of all types being actively exploited to give malware root access on\r\ndevices, making removal even more difficult.\r\n2013 saw the first registered malware attack on a PC launched from a mobile device. We forecast future Wi-Fi\r\nattacks from mobile devices on neighboring workstations and the wider infrastructure.\r\nSMS Trojans are likely to remain among the mobile malware leaders and even conquer new territories.\r\nSource: https://securelist.com/mobile-malware-evolution-2013/58335/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://securelist.com/mobile-malware-evolution-2013/58335/"
	],
	"report_names": [
		"58335"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434217,
	"ts_updated_at": 1775791832,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/974d2f054cec687cd2bfc6d0d1df170e46af2796.pdf",
		"text": "https://archive.orkl.eu/974d2f054cec687cd2bfc6d0d1df170e46af2796.txt",
		"img": "https://archive.orkl.eu/974d2f054cec687cd2bfc6d0d1df170e46af2796.jpg"
	}
}