Mobile Device Attacks in Russia Surge by 5.2 Times
According to Kaspersky Lab, the number of attacks on mobile devices in Russia has increased dramatically. In the first quarter of 2024, attacks rose 5.2-fold compared to the same period in 2023, totaling over 19 million incidents.
Key Threats Targeting Russian Android Users
Researchers analyzed two major threats targeting Russian Android users that remain active as of April 2024.
Dwphon Trojan
At the end of 2023, Kaspersky specialists discovered the Dwphon trojan, which has since evolved and become more active. In March 2024, attacks by Dwphon on Russian users increased by about 25% compared to December 2023, reaching nearly 222,000 cases.
The latest versions of this malware collect information about the infected device, personal data of the owner, and details about installed apps. Dwphon can also download various applications onto the smartphone without the user’s knowledge, including adware and other malicious software.
Experts note that Dwphon’s functionality and code are similar to Triada, one of the most widespread mobile trojans in 2023. However, what stands out most is how Dwphon ends up on devices: it is embedded in system apps before the devices even reach users.
“Usually, cybercriminals distribute trojans disguised as legitimate apps on third-party platforms. Some variants are even found in built-in stores. But with Dwphon, the victim receives an infected device straight out of the box, meaning the device is compromised somewhere along the supply chain before it’s sold in stores. In such cases, the manufacturer and other supply chain participants are likely unaware of the infection,” commented Dmitry Galov, head of the Russian research center at Kaspersky Lab.
Mamont Banking Trojan
The second major threat is the Mamont banking trojan. First detected in spring 2023, Mamont became notably active in November of the same year. Experts believe it likely evolved from the Rasket ransomware, whose creators threatened to leak user data unless a ransom of 5,000 rubles was paid.
Mamont and Rasket share similarities in their code, such as configuration parameter names. Both use a Telegram bot to store victim information. However, Mamont’s creators have enhanced its banking trojan capabilities to steal payment data and access victims’ SMS messages.
Cybercriminals distribute Mamont on unofficial platforms, often disguising it as adult apps, delivery services, or financial organization apps.
“Although banking trojans haven’t become widespread in Russia due to the active development of anti-fraud systems by financial organizations, some variants can still be very active. Since November, we have recorded nearly 185,000 Mamont attacks on Russian users,” said Dmitry Kalinin, cybersecurity expert at Kaspersky Lab. “Mamont also demonstrates how attackers seek the most profitable ways to monetize their efforts. If a particular function in the malware doesn’t achieve their goals, they modify the malicious software, changing its technical capabilities.”