Mobile Device Attacks in Russia Increased by 5.2 Times

Kaspersky Lab has noted a general increase in the number of attacks on mobile devices in Russia. In the first quarter of 2024, the number of attacks increased 5.2 times compared to the same period in 2023, amounting to over 19 million.

Researchers report that they have analyzed two Android threats targeting Russian users that remain active in April 2024.

At the end of 2023, the company’s specialists discovered the Dwphon trojan, which has since evolved and become more active. The number of Dwphon attacks on Russian users increased by about 25% in March 2024 compared to December of the previous year, totaling nearly 222,000 cases.

Current versions of the malware collect information about the infected device and its owner’s personal data, as well as details of installed applications. Dwphon can also download various applications, including advertising and malicious software, to the smartphone without the user’s knowledge.

Experts note that the functionality and code of Dwphon are similar to Triada, one of the most common mobile trojans in 2023. However, experts are most interested in the circumstances under which Dwphon ends up on devices: it embeds itself in smartphone system applications even before the devices reach users’ hands.

“Typically, cybercriminals distribute trojans disguised as legitimate software on third-party platforms. Some varieties are also found in embedded stores. However, in the case of Dwphon, the victim receives the infected device straight out of the box, i.e., by purchasing it in a store. Here we are talking about pre-installed malware – in such cases, the supply chain of the device becomes compromised at some stage, and it is at this point that cybercriminals introduce malicious software. And the manufacturer and other participants in the chain most likely do not even know about it,” comments Dmitry Galov, head of the Russian research center at Kaspersky Lab.

The second threat is the banking trojan Mamont. In spring 2023, specialists first noticed this malicious program, but it began to show activity in November of the same year. Experts write that with a high degree of probability, it evolved from the ransomware program Rasket, whose authors threatened users with data leaks if they did not pay a ransom of 5000 rubles.

There are similarities in the code of Mamont and Rasket, for example, the names of configuration parameters. Moreover, both malicious programs use a Telegram bot to store information about victims. However, in Mamont, cybercriminals have enhanced the functionality of the banking trojan to extract payment data from potential victims and gain access to their SMS messages.

Cybercriminals distribute Mamont on unofficial platforms, disguising it as, among other things, applications for adults, delivery services, and financial organizations.

“Although banking trojans have not gained significant traction in Russia due to the active development of anti-fraud systems in financial institutions, individual representatives of this type can be very active. Since November, we have recorded almost 185,000 Mamont attacks on Russian users,” says Dmitry Kalinin, a cybersecurity expert at Kaspersky Lab. “Mamont is also an example of how cybercriminals look for the most profitable ways to monetize their efforts. Attackers may implement a function in malware, but if they do not achieve their goals, they will modify the malicious software by changing its technical capabilities.”
