Advertising Trojans were the top mobile malware threat in 2016, however, new figures from Kaspersky Lab show their numbers declined last year but their creators turned to improved monetization methods.
Taking advantage of super-user rights to secretly install various applications or bombard an infected device with ads to make use of the smartphone impossible, ad trojans have become a major threat and are also extremely difficult to detect and remove.
Kaspersky's report shows the overall number of mobile advertising Trojans exploiting super-user rights declined in 2017 compared to the previous year. This decline seems to have been triggered by an overall decrease in the number of devices running older versions of Android. Older OSes are the main target of these Trojans as potentially exploited vulnerabilities are patched in newer versions. According to Kaspersky data, the proportion of users with devices running Android 5.0 or older dropped from more than 85 percent in 2016 to 57 percent in 2017. At the same time the proportion of Android 6.0 (or newer) users more than doubled, rising from 21 percent in 2016 to 50 percent in 2017.
But the drop in numbers has happened alongside changes to the way the malware makes money. In 2017, Kaspersky discovered new modifications of advertising Trojans that were not exploiting root access vulnerabilities to show ads, but were instead leveraging other methods, such as taking advantage of premium SMS services. For example, two Trojans related to the Ztorg malware family with such functionality were downloaded dozens of thousands of times from the Google Play Store.
"The mobile threat landscape is evolving in direct connection with what is happening in the global mobile market," says Roman Unuchek, security expert at Kaspersky Lab. "Right now, mobile advertising Trojans that exploit root rights are in decline, but if new versions of Android firmware happened to be vulnerable, new opportunities will be presented and we will see their growth return. The same is true for cryptocurrency -- with the increasing activity of miners around the world, we expect to see further modifications of mobile malware with mining modules inside, even though the performance power of mobile devices is not so high."
You can read more about the evolution of mobile malware on the Kaspersky SecureList blog.