Three new dangerous Android malware variants have been analyzed by Kaspersky researchers. The Tambir, Dwphon, and Gigabud malicious programs exhibit diverse features, ranging from downloading other programs and credential theft to bypassing two-factor authentication (2FA) and screen recording, jeopardizing user privacy and security.
Tambir is a spyware application targeting users in Turkey. Disguised as an IPTV app, Tambir collects sensitive user information, such as SMS messages and keystrokes, after obtaining the appropriate permissions. The malware supports over 30 commands retrieved from its Command and Control (C2) server, and has been compared to the GodFather malware, which is among the TOP 3 mobile malware in the region, due to its similarities in target location and the use of Telegram for C2 communication.
Dwphon, discovered in November 2023, targets cellphones from Chinese OEM manufacturers, primarily targeting the Russian market. The malware is distributed as a component of a system update application and collects information about the device as well as personal data. It also gathers information regarding installed third-party applications and is capable of downloading, installing and deleting other applications on the device. One of the analysed samples also included the Triada trojan, one of the most widespread mobile trojans of 2023, which suggests that Dwphon modules are Triada-related.
Gigabud, active since mid-2022, was initially focused on stealing banking credentials from users in Southeast Asia, but later crossed borders into other countries such as Peru. It has since evolved into a fake loan malware and is capable of screen recording and mimicking tapping by users to bypass 2FA. The malware contains artifacts in the Chinese language and has been observed mimicking apps from companies in Thailand and Peru.
“As Kaspersky’s mobile threats report shows, Android malware and riskware activity surged in 2023 after two years of relative calm, returning to levels seen in 2021 by the end of the year. Users should exercise caution and should avoid downloading apps from unofficial sources, meticulously reviewing app permissions. Frequently, these apps lack exploitation functionality and depend solely on permissions granted by the user. Furthermore, using anti-malware tools can help preserve the integrity of your Android device,” comments Jornt van der Wiel, senior security researcher at Kaspersky’s GReAT.
In 2023, Kaspersky solutions blocked nearly 33.8 million attacks on mobile devices from malware, adware, and riskware, highlighting a 50% increase of such attacks from the previous year’s figures.
To protect your Android device, follow these recommendations:
- It’s safer to download your apps only from official stores like Google Play. Apps from this market are not 100 % secure, but at least they are checked by shop representatives and there is a certain filtering system — not every app qualifies for listing in these stores.
- Check the permissions of the apps that you use and think carefully before granting them, especially when it comes to high-risk permissions such as those related to Accessibility Services. For instance, the only permission a flashlight app needs is access to the flashlight (which doesn’t even involve camera access).
- A reliable security solution helps you detect malicious apps and adware before they start behaving badly on your devices.
- A good piece of advice is to update your operating system and important apps as updates become available. Many safety issues can be solved by installing updated versions of software.
