The most notable mobile threats of 2024, and statistics on Android-specific malware, adware and potentially unwanted software.
Analysis Summary
# Tool/Technique: Mamont Banking Trojan
## Overview
Mamont is a banking Trojan targeting Android users. In late 2024 it was observed in Russia using a novel distribution scheme: victims were lured with offers of product discounts and then sent phishing links that led to the download of malware disguised as a shipment-tracking application.
## Technical Details
- Type: Malware family (Banking Trojan)
- Platform: Android
- Capabilities: Financial credential theft, potentially related to interaction with banking apps.
- First Seen: Discovered in late 2024.
## MITRE ATT&CK Mapping
*Note: Specific sub-techniques for this newly discovered distribution method are inferred based on typical banking Trojan behavior and the described infection chain.*
- **TA0001 - Initial Access**
  - T1189 - Drive-by Compromise (Implied via phishing link delivery)
- **TA0006 - Credential Access**
  - T1656 - Input Capture (Likely capability of a banking Trojan)
## Functionality
### Core Capabilities
- Initial infection delivered via social engineering related to fake product discounts.
- Malware delivered via a phishing link disguised as a shipment tracking application.
### Advanced Features
- Utilizes a novel distribution scheme involving chat contact followed by a secondary phishing link delivery.
## Indicators of Compromise
- File Hashes: [Not specified in the context]
- File Names: [Disguised as a shipment tracking app]
- Registry Keys: [Not specified in the context]
- Network Indicators: [C2 specifics not detailed, but relies on delivery via phishing URL.]
- Behavioral Indicators: Phishing lure offering product discounts, followed by a request to continue the conversation in chat before the download link is sent.
## Associated Threat Actors
- [Threat actors using Mamont were not explicitly named, but the activity was observed targeting Russian users.]
## Detection Methods
- [Signature-based detection based on known Mamont variants (e.g., Mamont.bc).]
- [Behavioral detection targeting the process of receiving a chat message followed by clicking a download link for tracking apps.]
- [YARA rules specific to the latest Mamont variant signatures if available.]
## Mitigation Strategies
- User education about unsolicited product discount offers, especially when they are followed by a request to move to chat and then a link to download an app.
- Strict control over application installation, allowing installs only from official sources unless an app has been verified.
- Security software configured to detect known banking Trojans like Mamont.
## Related Tools/Techniques
- Trojan.AndroidOS.Fakemoney.v (banking threat with a high detection rate)
- SpyNote RAT (Mentioned in context of NFC scam, sometimes used as a dropper)
***
# Tool/Technique: NFCGate Mod (Malicious Mod)
## Overview
A malicious modification of the legitimate Android application 'NFCGate'. This mod was used in an NFC banking scam in the Czech Republic and Russia to steal bank card details from users via near-field communication interaction.
## Technical Details
- Type: Malware (Malicious Application Mod)
- Platform: Android
- Capabilities: Capturing bank card details over NFC when a physical card is held near the infected phone.
- First Seen: Described in August 2024 (ESET report).
## MITRE ATT&CK Mapping
- **TA0006 - Credential Access**
  - T1557 - Man-in-the-Middle
  - T1557.003 - Near Field Communication (NFC) (Direct mapping for the scam mechanism)
- **TA0001 - Initial Access**
  - T1189 - Drive-by Compromise (Via phishing websites used to spread the modded app)
## Functionality
### Core Capabilities
- Spreads via phishing websites using various pretexts.
- Obtains victim bank card details when the victim places their physical card near the back of the infected phone.
- Facilitates small contactless payments or ATM withdrawals using the stolen data.
### Advanced Features
- Leverages the legitimate NFC functionality of the device for malicious data extraction.
- Used alongside other malware such as SpyNote RAT, which serves as a dropper and activates the NFC functionality.
## Indicators of Compromise
- File Hashes: [Not specified in the context]
- File Names: [Mod of NFCGate]
- Registry Keys: [Not specified in the context]
- Network Indicators: Card data is captured over the near-field communication interface at the moment of theft rather than through direct C2 traffic, so network-based exfiltration indicators are limited.
- Behavioral Indicators: Application requesting permission/prompting user to place a card near the device for "NFC connection."
## Associated Threat Actors
- [Unspecified, but linked to organized online fraud targeting Czech and Russian users.]
## Detection Methods
- [Behavioral detection focusing on apps accessing NFC hardware and attempting unauthorized data transmission or unauthorized initiation of contactless payment processes.]
- Anti-malware scanning of communication layer between the app and NFC modem/hardware.
## Mitigation Strategies
- Restrict applications that request broad NFC permissions unless absolutely necessary.
- Educate users about the scam tactics involving placing physical cards near the phone for "connection."
- Disable NFC functionality when not actively being used for legitimate purposes.
## Related Tools/Techniques
- SpyNote RAT (Used occasionally as a dropper and activator)
***
# Tool/Technique: LinkDoor Backdoor (Vo1d)
## Overview
LinkDoor (also known as Vo1d) is a backdoor discovered in July 2024 infecting Android-powered TV set-top boxes. It was found embedded within an infected system application named `com.google.android.services`.
## Technical Details
- Type: Malware (Backdoor)
- Platform: Android (specifically on TV set-top boxes)
- Capabilities: Executing arbitrary code, downloading and installing any APK files.
- First Seen: Discovered in July 2024.
## MITRE ATT&CK Mapping
- **TA0011 - Command and Control**
  - T1071 - Application Layer Protocol
- **TA0002 - Execution**
  - T1204.002 - User Execution: Malicious File
- **TA0003 - Persistence**
  - T1542.001 - Persistence through Infection of a System Application (Infected system app `com.google.android.services`)
## Functionality
### Core Capabilities
- Ability to run arbitrary executable commands remotely.
- Capability to download and install other malicious APK files onto the compromised device.
### Advanced Features
- Hidden inside a package that closely mimics or replaces a legitimate system application (`com.google.android.services`), suggesting a high level of privilege or deep system integration.
## Indicators of Compromise
- File Hashes: [Not specified in the context]
- File Names: Embedded within the system application package named `com.google.android.services`.
- Registry Keys: [Not specified in the context]
- Network Indicators: [Implied C2 communication channels for command retrieval and payload delivery.]
- Behavioral Indicators: Unauthorized execution of system commands or silent background installation of new APKs.
## Associated Threat Actors
- [Not specified in the context.]
## Detection Methods
- Monitoring system processes for unexpected calls to execution functions originating from core system applications.
- Checking for unauthorized modifications or replacements of critical system application packages.
## Mitigation Strategies
- Strict control over system partition modification, especially on specialized hardware like TV boxes.
- Regular integrity checks on system components, focusing on replacements of Google service packages.
## Related Tools/Techniques
- Trojan.AndroidOS.Adinstall (Generalized verdict for new preinstalled malicious apps)
***
# Tool/Technique: SparkCat (Malicious OCR SDK Implant)
## Overview
SparkCat is a malicious SDK implant found embedded in applications on Google Play (later removed) and distributed via unofficial sources. It is notable for being OCR malware capable of stealing cryptocurrency wallet recovery phrases from images on the device gallery. An iOS version was also found on the official App Store.
## Technical Details
- Type: Malware (Malicious SDK Implant)
- Platform: Android, iOS
- Capabilities: Image scanning using OCR to locate and exfiltrate cryptocurrency wallet recovery phrases/seed phrases.
- First Seen: Spreading actively as early as March 2024.
## MITRE ATT&CK Mapping
- **TA0006 - Credential Access**
  - T1551 - Credentials from Password Stores
  - T1551.003 - Stored Credentials (Indirectly, by harvesting recovery phrases)
- **TA0010 - Exfiltration**
  - T1041 - Exfiltration Over C2 Channel
- **TA0007 - Discovery**
  - T1083 - File and Directory Discovery (Scanning the gallery)
## Functionality
### Core Capabilities
- Communicates with a C2 server to receive a list of target keywords or dictionaries (used to identify wallet-related images).
- Scans the device gallery for images matching these criteria.
- Uses Optical Character Recognition (OCR) to extract text (recovery phrases) from the matched images.
### Advanced Features
- Highly targeted for cryptocurrency credential theft (recovery phrases).
- Successfully bypassed security checks to infiltrate both Google Play (Android) and the Apple App Store (iOS), making it significant as a well-hidden OCR malware.
## Indicators of Compromise
- File Hashes: [Not specified in the context]
- File Names: Embedded within malicious applications distributed through official and unofficial sources.
- Registry Keys: [Not specified in the context]
- Network Indicators: Communication with C2 servers for command reception and exfiltration of extracted data.
- Behavioral Indicators: Excessive reading/scanning of image files in the user's gallery storage immediately following app installation or trigger.
## Associated Threat Actors
- [Not explicitly named, but the attack targeted users primarily in the UAE, Europe, and Asia.]
## Detection Methods
- Signature/Reputation detection for applications containing the SparkCat SDK.
- Behavioral monitoring for apps that exhibit rapid, high-volume file access to sensitive user directories like the photo gallery, followed by outbound network connections.
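The behavioral heuristic above (a burst of gallery image reads followed by an outbound connection, matching the C2-keywords, gallery-scan, OCR, exfiltration chain described under Functionality) as an added example, not code from the report or from Kaspersky. The event record format, package names, host name and thresholds are constructed assumptions.

```python
"""Behavioral heuristic for SparkCat-style gallery scraping (added example).

Flags an app that reads many gallery image files within a short window and
then opens an outbound connection. Event records are a constructed format,
not real Android telemetry.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    ts: float      # seconds since boot (constructed)
    app: str       # package name
    kind: str      # "file_read" or "net_connect"
    target: str    # file path or remote host


IMAGE_SUFFIXES = (".jpg", ".jpeg", ".png", ".webp")
GALLERY_DIRS = ("/sdcard/DCIM/", "/sdcard/Pictures/")


def is_gallery_image(path: str) -> bool:
    """True for image files under the user's gallery directories."""
    return path.startswith(GALLERY_DIRS) and path.lower().endswith(IMAGE_SUFFIXES)


def flag_gallery_scrapers(events, min_reads=20, window=30.0, net_lag=120.0):
    """Return sorted package names matching the heuristic.

    A match is at least `min_reads` gallery-image reads inside `window`
    seconds, followed by an outbound connection within `net_lag` seconds of
    the end of that burst. Thresholds are illustrative assumptions.
    """
    by_app = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_app[ev.app].append(ev)
    flagged = set()
    for app, evs in by_app.items():
        reads = [e.ts for e in evs if e.kind == "file_read" and is_gallery_image(e.target)]
        nets = [e.ts for e in evs if e.kind == "net_connect"]
        start = 0
        for end in range(len(reads)):            # sliding window over read times
            while reads[end] - reads[start] > window:
                start += 1
            if end - start + 1 >= min_reads:
                burst_end = reads[end]
                if any(burst_end <= t <= burst_end + net_lag for t in nets):
                    flagged.add(app)
                    break
    return sorted(flagged)


# Constructed sample: one app bursts through the gallery and then calls out;
# a photo editor reads a handful of images with no following connection.
SAMPLE_EVENTS = (
    [Event(10.0 + i * 0.5, "com.example.suspect", "file_read", f"/sdcard/DCIM/IMG_{i:04d}.jpg") for i in range(25)]
    + [Event(40.0, "com.example.suspect", "net_connect", "c2.example.invalid")]
    + [Event(50.0 + i, "com.example.editor", "file_read", f"/sdcard/Pictures/p{i}.png") for i in range(5)]
)
```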
## Mitigation Strategies
- Avoid installing apps from unofficial sources, and do not treat vetting by major official stores as a guarantee, since SparkCat passed the checks of both Google Play and the App Store.
- Restrict application permissions, especially denying gallery access to non-essential applications.
- Users should never store cryptocurrency recovery phrases as digital image files on their primary devices.
## Related Tools/Techniques
- OCR malware generally, but notable for successfully infiltrating the Apple App Store.
***
# Malware Family Summary (General Statistics)
## Overview
The summary highlights trends in mobile malware detected by Kaspersky products in 2024, noting 33.3 million total attacks prevented. Adware remains the most frequent threat.
## Technical Details
- Type: Malware Families / Unwanted Software Classification.
- Platform: Mobile (primarily Android, inferred).
## MITRE ATT&CK Mapping
*General mappings based on threat categories:*
- **Adware:** T1496 - Resource Hijacking (Collecting sensitive data for ad monetization)
- **Banking Trojans:** T1556 - Credentials from Input Attempts
## Functionality
### Core Capabilities
- **Adware Families Dominant:** BrowserAd (22.8%), HiddenAd (20.3%), and Adlo (16%) accounted for the largest share of new adware installations.
- **RiskTool Growth:** Fakapp pornographic apps drove an increase in RiskTool detections.
- **Banking Trojans Rising:** Banking Trojans moved up to fourth place in detection rankings.
## Related Tools/Techniques
- **Top Banking Trojan:** Trojan.AndroidOS.Fakemoney.v (16.64% detection share among Trojans)
- **Worm/Loader:** Trojan.AndroidOS.Triada.ga (Significant emergence in 2024 detections)
- **Adware:** BrowserAd, HiddenAd, Adlo.