For the first time in over three years, a mobile trojan has entered the overall top malware listing as well as being the most prevalent mobile threat over the past month, according to Check Point Research’s Global Threat Index for November 2019.
The mobile trojan is XHelper, which was first seen in the wild in March 2019. XHelper is a multi-purpose trojan targeting Android users that can download other malicious applications as well as display malicious advertisements. It is also reported to be a persistent application, able to reinstall itself even if it is uninstalled by the victim. During the past six months the malware’s code has been constantly updated, helping it to evade mobile antivirus solutions and to keep on infecting new victims. As a result, it has entered the overall top 10 malware list at #8.
November’s most wanted malware was the Emotet botnet, retaining the #1 position from October. However, in November, it impacted 9% of organizations globally, down from 14% the previous month.
“Both Emotet and XHelper are versatile, multi-purpose malware that can be adapted to criminals’ needs, such as distributing ransomware, spreading spam campaigns or distributing malvertising to users’ devices. This shows that criminals are trying multiple different illicit tactics to monetize their operations, rather than following a single trend like cryptomining which dominated the sector in 2018,” said Maya Horowitz, Director, Threat Intelligence & Research, Products at Check Point. “As such, it’s essential that organizations deploy the latest generation anti-malware solutions on their networks as well as on employees’ mobile devices, to protect all enterprise endpoints. They should also educate employees about the dangers of opening email attachments, downloading resources or clicking on links that do not come from a trusted source or contact.”
November 2019’s Top 3 ‘Most Wanted’ Malware:
*The arrows relate to the change in rank compared to the previous month.
Emotet has maintained its position at the top of the malware list with a global impact of 9%. XMRig was the second most popular malware impacting 7% of organizations worldwide, followed by Trickbot, impacting 6% of organizations globally.
- ↔ Emotet – Emotet is an advanced, self-propagating and modular Trojan. Emotet was formerly a banking Trojan, and recently has been used as a distributor of other malware or malicious campaigns. It uses multiple methods for maintaining persistence and evasion techniques to avoid detection. In addition, it can be spread through phishing spam emails containing malicious attachments or links.
- ↔ XMRig – XMRig is an open-source CPU mining software used for the mining process of the Monero cryptocurrency which was first seen in-the-wild on May 2017.
- ↔ Trickbot – Trickbot is a dominant banking Trojan constantly being updated with new capabilities, features and distribution vectors. This enables Trickbot to be a flexible and customizable malware that can be distributed as part of multi purposed campaigns.
November’s Top 3 ‘Most Wanted’ Mobile Malware:
This month xHelper – a new entry to our top malware list – was the most prevalent mobile malware, followed by Guerilla and Lotoor.
- xHelper – A malicious Android application seen in the wild since March 2019, used for downloading other malicious apps and display advertisements. The application is capable of hiding itself from the user and mobile anti-virus programs, and reinstalls itself if the user uninstalls it.
- Guerrilla – An Android Trojan found embedded in multiple legitimate apps which is capable of downloading additional malicious payloads. Guerrilla generates fraudulent ad revenue for the app developers.
- Lotoor – Hack tool that exploits vulnerabilities on Android operating system in order to gain root privileges on compromised mobile devices.
November’s ‘Most Exploited’ vulnerabilities:
This month the three top exploited remained the same as in the previous month – SQL injection techniques continue to lead the list, impacting 39% of organizations globally, followed by the OpenSSL TLS DTLS Heartbeat Information Disclosure vulnerability and MVPower DVR Remote Code Execution – impacting 34% and 33% of organizations worldwide respectively.
- SQL Injection (several techniques) – Inserting an injection of SQL query in input from client to application, while exploiting a security vulnerability in an application’s software.
- OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160; CVE-2014-0346) – An information disclosure vulnerability exists in OpenSSL. The vulnerability is due to an error when handling TLS/DTLS heartbeat packets. An attacker can leverage this vulnerability to disclose memory contents of a connected client or server.
- MVPower DVR Remote Code Execution – A remote code execution vulnerability exists in MVPower DVR devices. A remote attacker can exploit this weakness to execute arbitrary code in the affected router via a crafted request.