While enterprises stagger under sustained ransomware attacks, Android users are increasingly being targeted by banking malware, with Slovakian infosec firm ESET reckoning it had seen a 159 per cent increase in such malicious software over the last few months.

Even though banking malware aimed at users of the Google mobile OS sharply increased in popularity overall mobile threat detections on the Google-owned operating system declined by 18.8 per cent quarter-on-quarter, said ESET.

“Android Banking Malware has continued to grow substantially, during T1* 2021 by 158.7 per cent. On our top 10 list, Android Banking Malware is represented by Android/TrojanDropper.Agent trojan (26.4 per cent), which was the most widespread Android threat overall in T1, and by Android/Spy.Banker trojan (but at only 2.0 per cent),” said the company in a report published today.

Oddly, a flaw in Android Webview that existed for seven hours in March caused enough people to download ESET’s mobile antivirus to merit a specific mention in the report:

“It caused app crashes to a point that made users start investigating by extensively downloading cybersecurity apps, including ours. Even though this issue lasted for only around seven hours, we started to receive a lot of Android threat data from newly scanned devices.”

Tongue in cheek, the firm added: “It is, however, interesting to see a real-life example of what can cause Android users to suddenly become interested in cybersecurity protection!”

ESET also said it had seen Russia’s FSB foreign intelligence spy agency, which the security shop tracks under the name Turla, running an espionage campaign on “a Ministry of Foreign Affairs in Eastern Europe”. A backdoor planted on a ministry server combined with PowerShell scripts gave the game away, the company said, naming the exploit NETVulture. The FSB used OneDrive for command ‘n’ control, relying on “Microsoft Graph authentication to access the cloud storage”, in much the same way that Sophos warned of earlier this year.

On top of that the Russians had used a 2020 RCE vuln in Microsoft Exchange (CVE-2020-0688) to plant the China Chopper web shell. “Despite being low profile in the last months, this shows that Turla still has its sights set on its regular targets, especially diplomats, and is expanding its malware arsenal,” said ESET.

The full report can be read via Eset’s Welivesecurity blog. ®


* Strangely, ESET has eschewed the global quarterly standard for breaking up the year into digestible chunks and now segments it into thirds of four months each. This makes it difficult to accurately compare ESET research with other infosec companies’ output, especially when it comes to trends.