Researchers report that the trojan is spreading so fast, it has become #8 of the biggest threats impacting mobiles.

The latest Global Threat Index for November 2019 from Check Point Research has reported that, for the first time in over three years, a mobile trojan has entered the overall top malware listing as well as being the most prevalent mobile threat in November.

The mobile trojan is xHelper, first seen in the wild in March 2019. XHelper is a multi-purpose trojan targeting Android users that can download other malicious applications as well as display malicious advertisements. It is also reported to be a persistent application, able to reinstall itself even if it is uninstalled by the victim. During the past six months the malware’s code has been constantly updated, helping it to evade mobile antivirus solutions and keep on infecting new victims. As a result, it has entered the overall top 10 malware list at #8.  

Retaining the #1 position from October is the Emotet botnet. However, in November, it impacted only 9% of organisations globally, down from 14% the previous month. 

Said Maya Horowitz, Director, Threat Intelligence & Research, Products, Check Point: “Both Emotet and xHelper are versatile, multi-purpose malware that can be adapted to criminals’ needs, such as distributing ransomware, spreading spam campaigns or distributing malvertising to users’ devices.  This shows that criminals are trying multiple different illicit tactics to monetize their operations, rather than following a single trend like crypto-mining which dominated the sector in 2018. As such, it’s essential that organizations deploy the latest generation anti-malware solutions on their networks as well as on employees’ mobile devices, to protect all enterprise endpoints. They should also educate employees about the dangers of opening email attachments, downloading resources or clicking on links that do not come from a trusted source or contact.”

November’s Top 3 ‘Most Wanted’ malware

Emotet has maintained its position at the top of the malware list with a global impact of 9%. XMRig was the second most popular malware impacting 7% of organizations worldwide, followed by Trickbot, impacting 6% of organizations globally. See the list below, with the double-headed arrows The arrows relate to the change in rank compared to the previous month.

  1. Emotet – Emotet is an advanced, self-propagating and modular Trojan. Emotet was formerly a banking Trojan, and recently has been used as a distributor of other malware or malicious campaigns. It uses multiple methods for maintaining persistence and evasion techniques to avoid detection. In addition, it can be spread through phishing spam emails containing malicious attachments or links.
  2. XMRig – XMRig is an open-source CPU mining software used for the mining process of the Monero cryptocurrency which was first seen in-the-wild on May 2017.
  3. Trickbot – Trickbot is a dominant banking Trojan constantly being updated with new capabilities, features and distribution vectors. This enables Trickbot to be a flexible and customizable malware that can be distributed as part of multi purposed campaigns.

November’s Top 3 ‘Most Wanted’ Mobile Malware:

This month xHelper – a new entry to our top malware list – was the most prevalent mobile malware, followed by Guerilla and Lotoor.

      1. xHelper – A malicious Android application seen in the wild since March 2019, used for downloading other malicious apps and display advertisements. The application is capable of hiding itself from the user and mobile anti-virus programs, and reinstalls itself if the user uninstalls it.

      2. Guerrilla – An Android Trojan found embedded in multiple legitimate apps which is capable of downloading additional malicious payloads. Guerrilla generates fraudulent ad revenue for the app developers.

      3. Lotoor – A hack tool that exploits vulnerabilities on the Android operating system in order to gain root privileges on compromised mobile devices.

November’s ‘most exploited’ vulnerabilities

This month the three top-exploited vulnerabilities remained the same as in the previous month – SQL injection techniques continue to lead the list, impacting 39% of organizations globally, followed by the OpenSSL TLS DTLS Heartbeat Information Disclosure vulnerability and MVPower DVR Remote Code Execution – impacting 34% and 33% of organizations worldwide respectively.

  1. SQL Injection (several techniques) – Inserting an injection of SQL query in input from client to application, while exploiting a security vulnerability in an application’s software
  2. OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160; CVE-2014-0346) – An information disclosure vulnerability exists in OpenSSL. The vulnerability is due to an error when handling TLS/DTLS heartbeat packets. An attacker can leverage this vulnerability to disclose memory contents of a connected client or server
  3. MVPower DVR Remote Code Execution – A remote code execution vulnerability exists in MVPower DVR devices. A remote attacker can exploit this weakness to execute arbitrary code in the affected router via a crafted request

The Global Threat Impact Index and its ThreatCloud Map is powered by the largest collaborative network to fight cybercrime which delivers threat data and attack trends from a global network of threat sensors. The ThreatCloud database holds over 250 million addresses analyzed for bot discovery, 11 million malware signatures, and over 5.5 million infected websites. It identifies millions of malware types daily.  The complete list of the top 10 malware families in November can be found on the Check Point Blog.