The Tambir, Dwphon, and Gigabud malicious programs have features ranging from downloading other programs and credential theft to bypassing two-factor authentication and screen recording, jeopardising user privacy and security.
In 2023, Kaspersky says, its solutions blocked nearly 33.8-million attacks on mobile devices from malware, adware, and riskware – a 50% global increase of such attacks from the previous year’s figures.
Android malware and riskware activity surged in 2023 after two years of relative calm, returning to early 2021 levels by the end of the year. That said, the number of unique installation packages dropped from 2022, suggesting that malicious actors were more frequently using the same packages to infect different victims: last year Kaspersky detected more than 1.3-million unique malicious installation packages targeting the Android platform and distributed in various ways.
Tambir is a spyware application disguised as an IPTV app. It collects sensitive user information, such as SMS messages and keystrokes, after obtaining the appropriate permissions. The malware supports over 30 commands retrieved from its Command and Control server, and has been compared to the GodFather malware, both targeting users mainly in Turkey, though a number of other countries were also affected.
Gigabud, active since mid-2022, was initially focused on stealing banking credentials from users in Southeast Asia, but later crossed borders into other countries and regions. It has since evolved into a fake loan malware and is capable of screen recording and mimicking tapping by users to bypass two-factor authentication.
Dwphon, discovered in November 2023, targets cellphones from Chinese OEM manufacturers, primarily targeting the Russian market. The same malware earlier had been found in the firmware of a kids’ smart watch by an Israeli manufacturer distributed mainly in Europe and the Middle East. Dwphon is distributed as a component of a system update application and collects information about the device as well as personal data. It also gathers information regarding installed third-party applications and is capable of downloading, installing and deleting other applications on the device. One of the analysed samples also included the Triada trojan, one of the most widespread mobile trojans of 2023, which suggests that Dwphon modules are Triada-related.
Jornt van der Wiel, senior security researcher at Kaspersky’s GReAT, says: “As Kaspersky’s mobile threats report shows, Android malware and riskware activity surged in 2023 after two years of relative calm, returning to levels seen in 2021 by the end of the year. Users should exercise caution and should avoid downloading apps from unofficial sources, meticulously reviewing app permissions. Frequently, these apps lack exploitation functionality and depend solely on permissions granted by the user. Furthermore, using anti-malware tools can help preserve the integrity of your Android device.”
To protect your Android device, Kaspersky recommends the following:
- It’s safer to download your apps only from official stores like Google Play. Apps from this market are not 100 % secure, but at least they are checked by shop representatives and there is a certain filtering system — not every app qualifies for listing in these stores.
- Check the permissions of the apps that you use and think carefully before granting them, especially when it comes to high-risk permissions such as those related to Accessibility Services. For instance, the only permission a flashlight app needs is access to the flashlight (which doesn’t even involve camera access).
- A reliable security solution helps you detect malicious apps and adware before they start behaving badly on your devices. Conveniently, you can get protection, like Kaspersky Premium, directly from mobile operators.
- Update your operating system and important apps as updates become available. Many safety issues can be solved by installing updated versions of software.
Read the full reports on new Android malware and 2023 mobile malware on Securelist.com.