2020 Avira Report on Cybersecurity
2020 has been an exceptional year in many regards. The global threat landscape has changed noticeably, with cybercriminals adopting COVID-19 as a core theme of their phishing campaigns.
Windows malware continues to be the dominant force, but the number of platform-agnostic threats rises with each month. Both macOS and Android malware have established a foothold in their environments, and each has its own mix of threat categories.
Our threat heat maps also show clear differences in where each type of malware strikes, with some countries and regions being more prone to attack than others.
Worldwide overview of 2020 and a comparison with 2019
Only one month in 2020, August, had a clearly lower overall attack volume than the same month in 2019. The biggest upswing came at the beginning of the year, with a noticeable peak in April, and again from about September onwards. The COVID-19 situation was certainly a driving factor for the numbers early in the year, but activity appears to have stabilized around June.
Compared to 2019, the number of threats prevented globally increased by about 15%, with the early months of 2020 in particular having the greatest impact on this number.
Over the last year, we have seen more unique malware threats than ever before.
Our database grew from 556 million threats in 2019 to an estimated 652 million at the end of 2020, an increase of about 17%. Put differently, roughly 96 million of all threats ever catalogued by Avira and its customers (about 15% of the total) were first seen in the last 12 months. While this does not tell us how many of those threats are still active in the wild, it paints a clear picture: the malware authors of the world are producing a near endless stream of new malware.
Let's have a look at what kind of attacks were blocked by Avira in 2020. This data covers every platform (Windows, macOS and Android) and shows in which countries users and their devices were attacked most by malicious activity. Countries with a higher rate of attacks are displayed in red, so the lighter the color, the less likely it was for a user in that country to encounter malware.
Web Threats
URL blocks and phishing make up the biggest percentage in this category.
A URL block is recorded when the antivirus intervenes because the user has navigated to a known malicious page. Typically, these phishing pages mimic banks or popular web services like PayPal or eBay. Once the unsuspecting user has typed in their username and password, the page usually redirects to the real ebay.com or paypal.com website, so the user assumes they simply mistyped their password. Accounts are compromised this way, often without the victim noticing, which is part of the reason the old "online banking is unsafe" stigma still exists.
This category is heavily dependent on active phishing campaigns, such as emails that send the user to a fake login page, and can swing wildly from week to week.
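The lookalike pages described above usually give themselves away in the URL: the brand name appears somewhere in the hostname or path, but the registrable domain is not one the brand actually owns. The following heuristic check is an added example written for this report page, not code from Avira's products. The brand allowlist and the minimal suffix table are assumptions; a production implementation would use the Public Suffix List instead of the hard-coded table.

```python
"""Heuristic detection of brand-impersonation (phishing lookalike) URLs.

Added example; the brand list and the minimal public-suffix table below are
assumptions made for illustration, not data from the original report.
"""
import re
from urllib.parse import urlsplit

# Registrable domains that legitimately serve each brand's login pages.
# Illustrative allowlist (assumption); extend it with your own brands.
BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
    "ebay": {"ebay.com", "ebay.de", "ebay.co.uk"},
}

# Tiny stand-in for the Public Suffix List (assumption): suffixes where the
# registrable domain has three labels instead of two.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

# Digit/symbol substitutions commonly used to imitate brand names.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a"})


def registrable_domain(host):
    """Return the registrable (owner-controlled) part of a hostname."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host.lower()
    n = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def normalise(text):
    """Fold leet substitutions and drop separators, so 'p-a-y-p-4-l' reads 'paypal'."""
    return re.sub(r"[^a-z]", "", text.lower().translate(LEET))


def classify(url):
    """Return (verdict, reason); verdict is 'legitimate', 'lookalike' or 'unknown'.

    A URL is legitimate only if its registrable domain is on the brand's
    allowlist. If a brand name shows up anywhere else in the host or path,
    the URL is a lookalike: e.g. paypal.com.secure-login.example is owned by
    secure-login.example, not PayPal.
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    if not host:
        return ("unknown", "no host in URL")
    reg = registrable_domain(host)
    for brand, domains in BRAND_DOMAINS.items():
        if reg in domains:
            return ("legitimate", f"registrable domain {reg} belongs to {brand}")
    for brand in BRAND_DOMAINS:
        if brand in normalise(host):
            return ("lookalike", f"'{brand}' appears in host {host} but registrable domain is {reg}")
        if brand in normalise(parts.path):
            return ("lookalike", f"'{brand}' appears in the path of {reg}")
    return ("unknown", f"no monitored brand referenced; registrable domain is {reg}")


if __name__ == "__main__":
    # Constructed sample URLs (not real phishing sites).
    for u in [
        "https://www.paypal.com/signin",
        "http://signin.ebay.co.uk/",
        "http://paypal.com.secure-login.example/webscr",
        "http://paypa1-secure.net/login",
        "http://example.net/paypal/login",
        "https://example.org/",
    ]:
        print(u, "->", classify(u))
```

The check is deliberately one-sided: it never clears a URL just because it looks clean, and it will produce false positives for unrelated domains that happen to contain a brand string, so it is a triage signal rather than a blocklist on its own. It also does not handle internationalised (punycode) hostnames, which would need a confusables table.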
Web Threats by country
Our heatmap paints a clear picture: countries in the northern hemisphere are far more likely to encounter a malicious webpage than countries in the southern hemisphere. This does not stop India from appearing near the top again, together with Singapore, Denmark and the United States (very high threat of encountering web attacks). They are followed by the Nordics, the British Isles and Belgium.
In the upper middle we have Central Europe with the DACH region, France, Italy and Spain (high threat level).
The lowest level of URL blocking rate was registered in Northern Africa and in the West-Asia region (medium-low threat level).
Most important Android threats in 2020
2020 saw a 35% increase in overall Android banker detections, which is readily explained by the growth of mobile online banking activity in 2020.
Here are the most important threats that defined the Android malware scene in 2020:
COVID-19 themed applications
As noted above, with the start of the COVID-19 pandemic, malware authors devised all sorts of tactics to exploit users' fear and desire for information. One example is a variant of the Cerberus banking trojan, commonly distributed under the name "Corona-Apps.apk", which uses phishing tactics and its association with the virus name to trick users into installing it on their smartphones.
Stalkerware
Stalkerware (also known as spouseware) is a subset of the spyware category and compromises both the user's privacy and the security of the device. Such apps are installed without the device owner's knowledge or consent in order to secretly monitor the victim's personal data: images, videos, messages and location.
Due to the increased activity of Stalkerware applications in the Android environment, Avira joined the Coalition against Stalkerware, in order to help fight against this menace. You can find details about this and an analysis of a typical Stalkerware app in this article.
Android trojan bankers
Trojan bankers have always played an important role in the Android malware scene, and this year was no different. Besides using COVID-19 as a disguise, bankers also used their classic approach: posing as a widely used application, requesting unusual permissions and attempting to steal credit card data.
Android Threats by country
The pandemic increased the general public's appetite for information, and users fell prey to all sorts of schemes by Android malware authors, mostly apps that claim to tell the user whether they have been infected, or that simply include COVID-specific keywords ("corona", "covid", etc.) in the app name.
Our global heatmap shows yet another pattern here. Android threats are most commonly encountered in Iran, Algeria, India and Pakistan (very high Android threat level), while users in Japan, Canada and Finland (medium Android threat level) are exposed to noticeably fewer attacks. Still, the overall number of attacks has somewhat evened out, meaning only a few countries have a significantly higher or lower threat level than average.
macOS Threats
macOS is often thought of as malware-free. There was certainly a time when this was close to true, but with today's adoption rate of the macOS environment, malware authors have long since figured out ways to penetrate macOS systems.
Adware and PUA make up more than half of all macOS detections this year.
Making the software look reasonably legitimate is the easiest way to get past the filters Apple has put in place, while still generating revenue through advertising spam on the infected system. Besides that, there is of course also more classic malware, such as screen lockers or stealers.
Some malicious applications, distributed via installation bundles, spam or fake Adobe Flash Player updaters, exhibit several potentially unwanted behaviors at once, such as intrusive advertising and changing the user's default search engine (which raises privacy issues for the user).
Script- and Office-based attacks are also common on macOS, making up a combined 21.5% of detections.
Script- and Office-based attacks are usually first-stage infectors, meaning they download the actual payload only after they have gained a foothold on the system.
macOS Threats by country
For macOS the picture is completely different from Android: here the map splits in two. On one side are countries with a high to very high infection risk, on the other countries with a low or very low number of registered attacks.
Clearly, macOS malware authors and adware distributors are focusing on the markets with the highest Apple device adoption, with the United States topping the list (very high macOS threat level), followed by Canada, Western Europe, Australia and Japan (high to very high macOS threat level).
There are very few countries in the middle ground; examples are Italy and China, which both still show high numbers, but considerably lower than those mentioned above. South America, Africa and Asia are, with some exceptions, not a common target for macOS-based malware attacks.
IoT Threats
The IoT threat landscape also continued to grow in 2020. With more people at home, more smart devices are bought and installed that are permanently connected to the internet. While most of these devices can be considered reasonably safe, plenty of them are vulnerable through security holes in their hardware and software configuration.
Since there is usually no user who could be tricked into installing malware, as with an adware app or a phishing email, IoT threats concentrate on these two infection vectors:
- Exploiting remote code execution vulnerabilities
- Brute-forcing credentials
The second one is especially tragic, since it is only possible because of unchanged default passwords, or passwords that are not strong enough for a device that is often permanently exposed to the internet.
Less avoidable are threats that exploit known vulnerabilities in the devices themselves. Older IoT devices in particular tend to have unpatched security gaps that cybercriminals can use to gain illegitimate access to a home or corporate network.
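The credential brute-forcing vector leaves a very recognisable trace in the device's own authentication log: a burst of failed logins from one source, cycling through factory account names, followed by a success. The detection below is an added example written for this page, not Avira's code. The log lines are constructed, and their format is assumed to follow the messages of dropbear, the SSH server commonly found on embedded devices; the list of default account names is an assumption as well.

```python
"""Spot credential brute-forcing against an IoT device from its SSH log.

Added example. SAMPLE_LOG is constructed (RFC 5737 test addresses, made-up
host name and PIDs); the message format is assumed to match dropbear's
"Bad password attempt ..." / "Password auth succeeded ..." lines.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_LOG = """\
Jan 14 03:22:01 cam01 dropbear[512]: Bad password attempt for 'admin' from 203.0.113.7:51230
Jan 14 03:22:02 cam01 dropbear[512]: Bad password attempt for 'admin' from 203.0.113.7:51231
Jan 14 03:22:03 cam01 dropbear[513]: Bad password attempt for 'root' from 203.0.113.7:51232
Jan 14 03:22:04 cam01 dropbear[513]: Bad password attempt for 'root' from 203.0.113.7:51233
Jan 14 03:22:05 cam01 dropbear[514]: Bad password attempt for 'support' from 203.0.113.7:51234
Jan 14 03:22:06 cam01 dropbear[514]: Password auth succeeded for 'root' from 203.0.113.7:51235
Jan 14 03:40:10 cam01 dropbear[520]: Bad password attempt for 'pi' from 198.51.100.9:40000
Jan 14 09:12:44 cam01 dropbear[530]: Bad password attempt for 'pi' from 198.51.100.9:40001
Jan 14 09:12:50 cam01 dropbear[530]: Password auth succeeded for 'pi' from 198.51.100.9:40002
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dropbear\[\d+\]: "
    r"(?P<outcome>Bad password attempt|Password auth succeeded) for '(?P<user>[^']+)' "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+$"
)

# Account names commonly shipped as factory defaults on consumer IoT gear
# (illustrative list, an assumption made for this example).
DEFAULT_ACCOUNTS = frozenset({"admin", "root", "support", "user", "guest", "pi"})


def parse_events(text, year=2020):
    """Turn log text into sorted (timestamp, ip, user, succeeded) tuples.

    Non-auth lines are skipped. Syslog timestamps carry no year, so one is
    supplied by the caller.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        events.append((ts, m["ip"], m["user"], m["outcome"].startswith("Password auth")))
    return sorted(events)


def detect_bruteforce(events, window=timedelta(minutes=5), threshold=5):
    """Flag sources with >= threshold failed logins inside a sliding window.

    For each flagged source the finding records the peak number of failures
    in the window, the user names tried, which of those are factory defaults,
    and the account of the first successful login after the burst (if any).
    """
    recent = defaultdict(deque)  # ip -> (timestamp, user) failures still inside the window
    findings = {}
    for ts, ip, user, ok in events:
        if ok:
            if ip in findings and findings[ip]["login_after"] is None:
                findings[ip]["login_after"] = user
            continue
        q = recent[ip]
        q.append((ts, user))
        while ts - q[0][0] > window:   # expire failures older than the window
            q.popleft()
        if len(q) >= threshold:
            f = findings.setdefault(ip, {"attempts": 0, "users": set(), "login_after": None})
            f["attempts"] = max(f["attempts"], len(q))
            f["users"].update(u for _, u in q)
    for f in findings.values():
        f["default_accounts_tried"] = sorted(f["users"] & DEFAULT_ACCOUNTS)
        f["users"] = sorted(f["users"])
    return findings


def default_account_logins(events):
    """Successful logins using a factory-default account name, regardless of
    preceding failures: the unchanged-default-password case the report describes."""
    return [(ip, user) for _, ip, user, ok in events if ok and user in DEFAULT_ACCOUNTS]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for ip, f in detect_bruteforce(evs).items():
        print(f"{ip}: {f['attempts']} failures in window, tried {f['users']}, "
              f"login afterwards as: {f['login_after']}")
    print("logins with default account names:", default_account_logins(evs))
```

On the sample data only 203.0.113.7 crosses the threshold (five failures in five seconds, then a successful login as root), while 198.51.100.9 stays below it because its two failures are hours apart; the second check still reports its login as pi, since a device that accepts a factory account name at all is the real problem. Threshold and window should be tuned to the device: a camera that never sees interactive logins can alert on a far lower count than a jump host.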
Evolving Threat Landscape (2021 predictions)
Predicting the future is no easy feat, especially given the quick adaptability and creativity of some malware authors. Regardless, let's talk about how we think the threat landscape will evolve in 2021.
One big topic is the shift away from traditional PE malware towards non-PE files and fileless attacks. Fileless attacks infect a device purely through in-memory execution of the malicious code: no "physical" file is written to disk, which makes them harder for traditional file-scanning anti-virus engines to detect.
Another topic we have not discussed in this report so far is exploits. Every year surpasses the previous one in the number of reported security holes in common applications. The software we use becomes more complex every day and the world is more connected than ever, giving vulnerability hunters a field day finding new flaws. Of course, not all vulnerability hunters are malware authors (thankfully!), but we believe we will see more vulnerabilities exploited in 2021 than ever before.
There is also an organizational shift: more and more attackers use tools and malware they did not write themselves but obtained or bought from other threat actors. This further separates "hacker" and "malware author" into distinct groups of people in the same business. Of course, we still expect certain groups as well as government agencies to keep their creations to themselves and use them only for highly targeted attacks against high-priority targets, in the manner of APT (Advanced Persistent Threat) groups that write and use their own tooling.
Summary
The pandemic had a significant impact on the malware landscape of 2020. A sharp increase in malicious attacks was recorded at the same time as both the first and second waves of COVID-19. We also recorded more online threats in 2020 that specifically targeted users' login data. Especially on Android, cybercriminals used keywords like "Corona" and "COVID-19" to lure unwary users, and hid malware such as the Cerberus variant in seemingly useful apps like "Corona-Apps.apk".
As long as the pandemic persists, malware authors will continue to take advantage of this global tragedy. Therefore, in 2021, users should be especially aware of "Corona" malware campaigns and be careful when clicking on links and installing smartphone apps. Although Android threats were primarily concentrated in specific regions (Iran, Algeria, India and Pakistan showed the highest levels), Android users in Europe and the United States should also stay on guard.
The assumption that macOS is unaffected by malware is disproved by the increase in macOS malware in 2020. While malware authors focus on the United States as the number-one Mac market, the threat level is also relatively high in Western Europe.
In 2020, the threat level for IoT devices became even worse. Since attackers cannot manipulate users directly as with Windows or Android, they concentrate on unpatched vulnerabilities in the devices and on weak or unchanged default credentials. Users should therefore change default passwords, update the firmware of their devices regularly and run a security check on their smart home equipment.
On the whole, malware authors are adapting quickly. They exploit unpatched software or devices immediately and continuously develop new malware campaigns. Since malware is now sold complete with instructions, even people without special skills can become attackers, so the number of potential actors keeps growing at a rapid pace.