APT actors eye mobile platforms


Advanced persistent threat (APT) activity in the first quarter of this year shows that the infection and distribution of malware via mobile platforms is increasing, with some campaigns focusing on mobile alone.

This is according to Kaspersky’s latest quarterly threat intelligence summary, which examines the company’s private threat intelligence research, as well as other sources that cover the major developments.

Asia is seeing a rise in cyber criminal activity, particularly among new actors, while traditional advanced actors are becoming far more selective about how their operations are carried out, says the report.

Kaspersky has seen a number of campaigns that were strongly focused on mobile platforms. For example, a LightSpy watering-hole campaign exploited iOS and Android devices, while an Android espionage campaign named PhantomLance targeted victims predominantly in South East Asia. Both campaigns successfully used a range of online platforms, including forums, social media and the Google Play app store, to distribute malware.

Getting creative

Kaspersky has also noted new APT groups with creative and sometimes low-budget campaigns rearing their heads, establishing their presence alongside the better known APT actors, such as CactusPete and the notorious Lazarus group.

APT actors also turned their attention to Afghanistan and India. Another group called TransparentTribe carried out a campaign with a new module named “USBWorm”, targeting victims in these countries, and developed a new tool designed to infect Android devices. This particular malware is a modified version of the “AhMyth” Android RAT, an open source piece of malware available on GitHub.


Unsurprisingly, APT groups have jumped on the COVID-19 bandwagon, using the pandemic as a lure to draw in potential victims through a topic they are already following closely.

Vicente Diaz, principal security researcher, Global Research and Analysis Team at Kaspersky, says APT activities haven’t ceased during the pandemic. In fact, several threat actors such as Kimsuky, Hades and DarkHotel have capitalised on it in different ways, including trying to improve their reputation by announcing that for the time being, they would not target healthcare organisations.

“Nevertheless, our findings suggest that both financial gain and geopolitics continue to be the key drivers of APT activity, particularly for actors who emerged in the last two years and are currently consolidating their status as persistent malefactors,” Diaz says.

Mobile is gaining traction in new campaigns, as new players come on the scene with creative solutions, while activity from more seasoned actors has become nearly invisible.

This is possibly a consequence of the changing circumstances we all face, he says. “I must add that we do not necessarily have full visibility, and there will be activity that is neither on our radar yet, nor fully understood. This is why protection against both known and unknown threats remains critical for everyone.”

Kaspersky urges businesses to provide their security operations centre teams with access to the latest threat intelligence, to implement endpoint detection solutions for mobile devices, and to deploy a corporate-grade security solution that detects advanced threats at the network level at an early stage.

"Because many targeted attacks start with phishing or other social engineering techniques, introduce security awareness training and teach practical skills to employees," the company concludes.
