Three new dangerous Android malware variants have been analyzed by Kaspersky researchers. The Tambir, Dwphon, and Gigabud malicious programs exhibit diverse features, ranging from downloading other programs and credential theft to bypassing two-factor authentication and screen recording, jeopardizing user privacy and security.
In 2023, Kaspersky solutions blocked nearly 33.8 million attacks on mobile devices from malware, adware, and riskware, highlighting a 50% global increase of such attacks from the previous year's figures. Android malware and riskware activity surged in 2023 after two years of relative calm, returning to early 2021 levels by the end of the year. That said, the number of unique installation packages dropped from 2022, suggesting that malicious actors were more frequently using the same packages to infect different victims: last year Kaspersky detected more than 1.3 million unique malicious installation packages targeting the Android platform and distributed in various ways. Among these were Tambir, Dwphon and Gigabud malicious programs with the diverse features below described.
Tambir is a spyware application disguised as an IPTV app. It collects sensitive user information, such as SMS messages and keystrokes, after obtaining the appropriate permissions. The malware supports over 30 commands retrieved from its Command and Control server, and has been compared to the GodFather malware, both targeting users mainly in Turkey, though a number of other countries were also affected.
Gigabud, active since mid-2022, was initially focused on stealing banking credentials from users in Southeast Asia, but later crossed borders into other countries and regions. It has since evolved into a fake loan malware and is capable of screen recording and mimicking tapping by users to bypass two-factor authentication.
Dwphon, discovered in November 2023, targets cellphones from Chinese OEM manufacturers, primarily targeting the Russian market. The same malware earlier had been found in the firmware of a kids’ smart watch by an Israeli manufacturer distributed mainly in Europe and the Middle East. Dwphon is distributed as a component of a system update application and collects information about the device as well as personal data. It also gathers information regarding installed third-party applications and is capable of downloading, installing and deleting other applications on the device. One of the analyzed samples also included the Triada trojan, one of the most widespread mobile trojans of 2023, which suggests that Dwphon modules are Triada-related.
“As Kaspersky’s mobile threats report shows, Android malware and riskware activity surged in 2023 after two years of relative calm, returning to levels seen in 2021 by the end of the year. Users should exercise caution and should avoid downloading apps from unofficial sources, meticulously reviewing app permissions. Frequently, these apps lack exploitation functionality and depend solely on permissions granted by the user. Furthermore, using anti-malware tools can help preserve the integrity of your Android device,” comments Jornt van der Wiel, senior security researcher at Kaspersky’s GReAT.
Read the full reports on new Android malware and 2023 mobile malware on Securelist.com.
To protect your Android device, follow these recommendations:
· It’s safer to download your apps only from official stores like Google Play. Apps from this market are not 100 % secure, but at least they are checked by shop representatives and there is a certain filtering system — not every app qualifies for listing in these stores.
· Check the permissions of the apps that you use and think carefully before granting them, especially when it comes to high-risk permissions such as those related to Accessibility Services. For instance, the only permission a flashlight app needs is access to the flashlight (which doesn’t even involve camera access).
· A reliable security solution helps you detect malicious apps and adware before they start behaving badly on your devices. Conveniently, you can get protection, like Kaspersky Premium, directly from mobile operators.
· Update your operating system and important apps as updates become available. Many safety issues can be solved by installing updated versions of software.