Three new dangerous Android malware variants have been analysed by Kaspersky researchers – the Tambir, Dwphon, and Gigabud malicious programs – which exhibit diverse features ranging from downoading other programs and credential theft to bypassing two-factor authentication and screen recording.
In 2023, Kaspersky solutions blocked nearly 33,8-million attacks on mobile devices from malware, adware and riskware, highlighting a 50% global increase of such attacks from the previous year’s figures.
Android malware and riskware activity surged in 2023 after two years of relative calm, returning to early 2021 levels by the end of the year.
That said, the number of unique installation packages dropped from 2022, suggesting that malicious actors were more frequently using the same packages to infect different victims: last year Kaspersky detected more than 1,3-million unique malicious installation packages targeting the Android platform and distributed in various ways. Among these were Tambir, Dwphon and Gigabud malicious programs with the diverse features below described.
Tambir is a spyware application disguised as an IPTV app. It collects sensitive user information such as SMS messages and keystrokes after obtaining the appropriate permissions. The malware supports over 30 commands retrieved from its Command and Control server and has been compared to the GodFather malware, both targeting users mainly in Turkey although a number of other countries were also affected.
Gigabud, active since mid-2022, was initially focused on stealing banking credentials from users in Southeast Asia, but later crossed borders into other countries and regions. It has since evolved into a fake loan malware and is capable of screen recording and mimicking tapping by users to bypass two-factor authentication.
Dwphon, discovered in November 2023, targets cellphones from Chinese OEM manufacturers primarily targeting the Russian market. The same malware earlier had been found in the firmware of a kids’ smart watch by an Israeli manufacturer distributed mainly in Europe and the Middle East. Dwphon is distributed as a component of a system update application and collects information about the device as well as personal data. It also gathers information regarding installed third-party applications and is capable of downloading, installing and deleting other applications on the device. One of the analysed samples also included the Triada trojan, one of the most widespread mobile trojans of 2023, which suggests that Dwphon modules are Triada-related.
“As Kaspersky’s mobile threats report shows, Android malware and riskware activity surged in 2023 after two years of relative calm, returning to levels seen in 2021 by the end of the year,” says Jornt van der Wiel, senior security researcher at Kaspersky’s GReAT. “Users should exercise caution and should avoid downloading apps from unofficial sources, meticulously reviewing app permissions. Frequently, these apps lack exploitation functionality and depend solely on permissions granted by the user. Furthermore, using anti-malware tools can help preserve the integrity of your Android device.”