Security Report 2019/2020 - Av-test


FACTS AND FIGURES
SECURITY REPORT 2019/2020

The AV-TEST Security Report
Security Status WINDOWS
Security Status ANDROID
Security Status MacOS
Security Status IoT/LINUX
Test Statistics

SECURITY REPORT: FACTS AND FIGURES

The AV-TEST Security Report

As the evaluations of malware numbers of the AV-Test Institute's detection systems illustrate, the new trend in the malware industry observed in 2019 clearly continued in the 1st quarter of 2020. The development of malware is divided up into two areas: While on the one hand the automated production of mass malware for broadly-based online attacks continues to grow sharply, on the other hand cybercriminals are increasingly developing sophisticated malware for specialized attacks. In this, a combination of specially-developed attack tools is deployed, which is precisely adapted to the previously identified digital infrastructure of the victims.

Mass malware with a massive rate of increase

In 2019, the use of mass malware, i.e. malware programs created automatically, reaped considerable profits for cybercriminals. Accordingly, the rate of this malware, distributed mainly in large campaigns per e-mail and over the Internet, continued to grow heavily. With more than 114 million (114,312,703) newly-developed malware applications, the malware industry once again broke the sound barrier in 2019 and was more active than ever before. Up to that time, the detection systems of the AV-Test Institute had identified the year 2018, registering over 105 million newly-developed samples, as the most active year of criminal players.

The analysis of the latest detection statistics for the first quarter of 2020 indicates that this year will also see significant growth rates in the use of mass malware: Already in the first quarter of the current year, the AV-TEST systems have registered over 43 million newly-programmed samples. Accordingly, by the end of 2020, there will be an anticipated explosion of newly-developed malware applications, which could level off for the entire year at more than 160 million samples – and thus reach a new dimension. In the long-term view of the AV-Test Institute, the malware industry is thus proving to be more active than ever and is anticipated over the course of the year to surpass the overall threshold of 700 million known malware programs. As a result, the threat scenario posed by mass malware could reach a new dangerous peak in 2020. Currently, the development rate of new malware is at 4.2 samples per second!

[Chart: Total malware in the last 10 years]

[Chart: Overall development of new malware in the last 10 years]

Increasing detection rates increase development pressure

A precipitating factor for this dramatic development can be viewed as a positive, because among other reasons, the mass development of new malware samples can be explained by the high level of protection currently provided by security products. This is true especially for protection solutions for Windows systems. Because the majority of all malware still targets the operating system most widely used by far around the world. In 2019, over 78 percent of malware codes newly-developed by cybercriminals targeted Windows systems. In the first quarter of 2020, this value continued to increase to over 83 percent.

Entrepreneurs, albeit driven by clearly criminal motives, are on the one hand attracted to the wide level of distribution enjoyed by the operating system from Redmond. On the other hand, it is a known fact that Windows systems are still not sufficiently protected so as to become an unattractive target for criminals. And thus they develop industrial scale mass malware for systems connected to the Internet, whose protection mechanisms are not up to the state of the art of countermeasures. The number of all detected and analyzed malware programs for Windows at the time this report went to print was 517,465,709 samples. You can find precise data and analyses concerning the threat scenario for Windows systems from page 8.

AV-ATLAS: the threat intelligence platform from AV-TEST

In 2019, AV-TEST launched its AV-ATLAS threat intelligence platform (av-atlas.org). Over the course of this development, the institute's in-house detection systems were calibrated in terms of measurement technology. Such a step allows not only for a much more precise analysis of malware samples, prevents duplications and false positives, but also retroactively enables an adaptation of the detection figures to the state of the art in technology. As a result, there may be some changes in numbers compared to the published statistical findings in previous security reports. With the AV-ATLAS, the AV-Test Institute constantly offers new statistics and evaluations on the current threat situation.

Android and MacOS systems running around without protection software

The AV-TEST systems registered a slight decline in the rate of newly-developed malware on the most widely-distributed mobile operating system from Google. The operating system reached its peak in malware growth in the year 2017 with 6,201,358 newly-programmed samples. Since then, the number of new Android malware samples has been declining, in 2019 reaching the lowest level in three years with 3,170,140. Although this trend is actually welcome, falling malware statistics do not automatically mean a diminished threat scenario for users of Android devices. Moreover, the trend of the first quarter of this year already indicates a resurgence of malware trends for Android.

For MacOS as well, the detection systems of AV-TEST in 2019 indicated declining, yet persistently high malware statistics. Whereas the previous year, with over 90,000 newly-programmed malware applications represented a glaring milestone in the trending history of MacOS malware, new developments reached approximately half that number in the subsequent year, remaining below 60,000. If the statistics of this year's first quarter continue, an additional decline in new Mac malware can be anticipated. At least statistically, the number of new malware samples for Apple computers is expected to level off at roughly 40,000 new samples towards the end of the year.

[Chart: Distribution of malware, 2019 and Q1 2020]

[Chart: New malware in 2019]

Average malware threat in 2019: per day 360,135; per hour 15,005; per minute 250.84; per second 4.2

[Chart: MacOS: ratio of malware to PUA in 2019 and Q1 2020]

Overall, both these estimates and declining malware numbers are to be taken with a grain of salt, however, as they do not automatically equate to a diminished threat scenario. Both operating systems, not only Google's mobile system Android but also Apple's MacOS, compare negatively with Windows in the sense that the deployed user devices are largely operated without effective protection software. Notably, as evidenced by regular tests by the AV-Test Institute, there are a large number of even free apps and antivirus solutions for both systems, with which a decent level of security could be reached. You can find more precise analyses on the threat scenario for Android devices in this report from page 12, for devices under MacOS from page 16.

Trojans: the most popular all-purpose

Accounting for a 58 percent share of malware incidence for all operating systems, last year Trojans once again proved to be cybercriminals' weapon of choice. That should come as no surprise: This malware category enters target devices through virtually all available digital channels. Trojans can be transmitted merely by visiting infected websites, they travel well concealed in large spam waves per e-mail, lurk in seemingly harmless software and app downloads, and hide in would-be music and movie files. Yet they can also be delivered with extreme precision into systems of potential victims, i.e. by calling up QR codes or via storage media laid out as bait, such as supposedly lost USB sticks.

Overall malware distribution in 2019: Trojans 58.29%; Backdoors 4.75%; Password-Trojans 2.24%; Crypto miners 3.85%; Ransomware 0.78%; Other 1.45%

[Chart: Development of new malware for MacOS, 2010 to Q1 2020]

In addition to comprehensive malware functions that Trojans contain, they can retroactively load virtually any malware code onto hijacked systems, which is why they are frequently only the first wave of an attack. If a sufficient number of systems is infected, cybercriminals proceed to add specialized malware code. Depending upon the criminal business model of the attackers, the payload may involve ransomware for blackmailing users, bots, and crypto miners for abusive use of hijacked CPU power and bandwidth or various other malware functions. This business model was so manifestly successful in 2019 that the cybermafia further boosted the use of massively distributed Trojans in the first quarter of this year, and as a result, the current Trojan rate is 66.82 percent.

Ransomware as a growth market

Last year, extortion through ransomware proved to be an additional lucrative source of income. The trend of this malware tripled in 2019 compared to the previous year, reaching the highest level to date of over 900,000 samples. The same applies to the rapidly increasing number of crypto miners. The illegal mining of cybercurrencies at the expense of users with systems infected with such special malware has apparently turned out to be a lucrative source of income. The last Security Report by the AV-Test Institute already anticipated this trend.

Attacks follow the laws of economics

As mentioned at the beginning of the report, the majority of the attacks launched per malware targeted Microsoft systems. Thus, cyber-criminals act according to strict economics. Because in addition to wide distribution of a target system and the subsequently anticipated profit, vulnerability also plays an important role in the economic considerations of the malware industry. Thus, a look at discovered and published vulnerabilities of various manufacturers, such as is apparent in the evaluations of the CVE online service, shows that in this respect, Microsoft is by far the most lucrative target. It may be true that Android and Debian are number one and two in terms of the number of security gaps in products discovered last year. But a Windows system already follows in third place, and seven more are among the Top 20. Seen overall, Microsoft thus earned the dubious honor in 2019 of being the number one manufacturer in terms of having the most known security leaks. Such statistics are naturally also of interest to criminals who earn their money with the development of mass malware.

[Charts: Development of new Trojans, 2010 to 2019; Development of new ransomware, 2010 to 2019; Development of new crypto miners, 2010 to 2019; Development of new password-Trojans, 2010 to 2019; Development of new bots, 2010 to 2019]

APT: trend towards targeted attacks

The massive increase in targeted attacks by means of Advanced Persistent Threats (APTs) can hardly be quantified for various reasons: First, these types of tactical attacks are strategically prepared long in advance and staged against companies and organizations that manage extremely valuable information. Moreover, such attacks, normally leveled by state-organized attackers against ministries, research, and production facilities as well as financial firms and other institutions of a country, are seldom made public. Yet it is a fact that companies in particular are increasingly required to introduce special defensive measures against targeted attacks on their digital infrastructure. Since 2006, this has been underscored by listings in the database of the Center for Strategic and International Studies (CSIS). The AV-TEST Institute responds to the increase in already known APT attacks with a testing and certification program of security solutions aligned with the MITRE standard. You can find information on the tests for evaluating effectiveness in fending off APT attacks on our website.

PUA: unwanted, yet widely distributed

In addition to malware attacks, Internet users also need to protect themselves against another threat, however: potentially unwanted applications, or PUAs for short. This spyware is often pre-installed when devices are delivered with software bundles, yet much more frequently it sneaks onto the devices when downloading programs and apps. The source is usually the advertising industry that uses PUAs to detect and analyze personal information such as user behavior and movement patterns. In exchange for the unwanted and usually secretly queried data, the user receives personalized advertising.

Whereas these industrial snooping tools have been on the retreat in Windows systems for years, their numbers are heavily increasing in the Android environment. And among MacOS systems, the number of PUA samples in 2019, totaling 52,095, was even nearly on the same level as the overall rate of malware (60,674 samples). In the first quarter of this year, the number of such snoop software for Macs even exceeded the rate of malware: Whereas the AV-TEST systems detected 11,441 new malware samples, the PUA rate was already at 18,829 samples. Accordingly, this category of malware in particular is developing into a new threat for Mac users.

[Charts: Windows: development of new PUA in 2019 and Q1 2020; Android: development of new PUA in 2019 and Q1 2020]

WINDOWS: FACTS AND FIGURES

Security Status WINDOWS

No other operating system is so much the focus of the malware industry. There is a good reason for this: No other operating system achieves a similar degree of distribution. So any cybercriminal seeking business success has their sights clearly set on one target: Windows systems. It should be noted, however, that attacks on the operating system from Redmond are no longer the business of amateurs. Because the high degree of penetration and effectiveness of current security solutions in turn requires rapid speed and innovation in the development and distribution of mass malware and sophisticated techniques in targeted

Bullseye on the market leader

According to the CVE database, Microsoft, with more than 660 officially reported dangerous security gaps last year, earned an unflattering image and the number one position among the least secure operating systems. 357 of all potential Windows vulnerabilities for attacks alone were attributable to the current Windows 10 operating system. Also exhibiting a high degree of vulnerability were Windows Server 2016 and Windows Server 2019. Somewhat lagging behind was Windows 7, which at the beginning of this year was officially put out to pasture by Microsoft and is no longer provided with updates and security patches. Nonetheless, the Windows oldie remains highly popular according to the latest evaluations: In the rankings of the first quarter of this year, Windows 7, remaining at 30 percent, still achieved the number two ranking of the most widely-used operating systems in the world. The clear market leader is Windows 10, which is running on just over half (51.38%) of all worldwide computers connected to the Internet.

Distribution of malware under Windows in 2019: Trojans 64.31%; Viruses 15.52%; Ransomware 0.91%; Crypto miners 1.82%; Other 0.96%

[Charts: Protection Windows Defender Antivirus Home, 2010 – Q1 2020; Protection Windows Defender Antivirus Business, 2010 – Q1 2020; scale from 1 point to 6 points]

Obviously, consumer users got on board prior to Windows 7 support being phased out and switched over to the successor system. In many other areas, e.g. in industrial manufacturing, government entities such as administration and educational institutions, hospitals, not to mention companies and banks, frequently the rule applies, "Never change a running system". Because changing an operating system here is often a considerable cost factor, the switchover rate is accordingly assumed to be much lower than in the consumer segment.

Windows gaps actively exploited like never before

In addition to the known and published Windows gaps, naturally there are also those that were not known or are not known to either the public or the manufacturer. Unfortunately, only few of such "secret" security leaks are communicated to the manufacturers; instead, they are used by intelligence agencies for investigative and monitoring purposes. This means such software gaps are traded at high prices on the black market. A practice that is rightly subject to regular, severe criticism both by software manufacturers and data protection and civil liberties advocates. And in addition to possible backdoors in the operating system, security vulnerabilities in widely-used applications as well as the firmware of connected devices make the risk scenario all the more severe. Thus, in 2019 Google, Oracle, Adobe, Cisco, and IBM landed in 2nd to 6th place of the Top 10 manufacturers with the most security gaps. The Adobe Reader alone, used worldwide, reached an impressive 342 known vulnerabilities.

In 2019, the malware industry reacted accordingly to the largest number of security vulnerabilities to date for Windows and the software run on that operating system: The levels of detected Windows exploits for utilizing relevant security gaps reached the highest level compared to the past 10 years. Especially from August to November, the exploits exhibited more than exponential growth. Significant increases were already seen at the beginning of the year, however. By comparison: In the prior year, the overall annual figure did reach 71,377 samples. In 2019, this figure virtually doubled to exactly 130,776 newly-programmed exploits.

The high development rate can in turn be interpreted as an indication of two positive developments last year: First, Microsoft, as the supplier of the operating system with the most security leaks, was quick to release patches. This fact puts cybercriminals under pressure to produce assembly line malware samples in order to remain economically profitable. In addition, the embedded Windows defense systems proved to be reliable protection against automated mass malware. In the regular certification tests over the past year, Microsoft's consumer product, "Microsoft Defender Antivirus" garnered the AV-TEST rating as "Top Product" five out of six times. Which among other things was due to the reliable detection and defensive performance against widely-distributed and frequently-occurring malware. The business solution from Microsoft exhibited even better test results in 2019 and was even able to defend the title of "Top Product" in six out of six annual tests.

[Charts: Windows: development of new exploits in 2019 and Q1 2020; Windows: development of new Trojans in 2019 and Q1 2020]

Increase of Windows Trojans of over 35%

Wherever criminals were successful at infecting Windows systems, Trojans are generally used to spearhead the attack. On the one hand, to enable access to hijacked systems for as long as possible, and on the other hand, to upload specialized malware containing other malware functions.

Accordingly, the rate of new development for Trojans reached its highest level thus far in 2019. The prior year's figure of 42,594,399 was exceeded by last year with a number totaling 57,612,235, representing an increase of more than 35 percent. Overall in 2019, Trojans with 64.31 percent made up the largest share by far of the Windows malware deployed by criminals. There were two remarkable waves of Trojans, one starting in August and one in November of last year, thus ushering in the highest danger level for Windows users in 2019.

Because virtually at the same time the first Trojan wave was unleashed, several other campaigns of malware categories were launched as well. According to the analyses of the AV-TEST detection systems, this included bots, ransomware, password Trojans and crypto miners in particular.

The bottom-line conclusion is that from mid-year until the end, there was an unmistakable movement by criminals in the direction of monetizing by means of unleashed mass malware. Beginning with the extortion of Windows users through the blockage or encryption of Windows folders or entire systems, through capture of login data for online accounts of all kinds, right down to abuse of third-party infrastructure, bandwidth, and CPU power in order to mine cryptocurrencies such as Bitcoin. In particular, alternative currencies, such as Binance Coin (BNB), Litecoin and Bitcoin Cash, came into the crosshairs of criminals in 2019, not least thanks to their high rate of market capitalization.

[Charts: Windows: development of new ransomware in 2019 and Q1 2020; Windows: development of new password-Trojans in 2019 and Q1 2020]

[Charts: Windows: development of new bots in 2019 and Q1 2020; Windows: development of new crypto miners in 2019 and Q1 2020; Windows: development of new Viruses in 2019 and Q1 2020]

Trend 2020

While the development of password Trojans in the first quarter of this year experienced a decline, the development rates of crypto miners, bots and ransomware are seeing a resurgence. As a ratio, the share of Trojans to other malware categories climbed further to 69.63 percent. It is remarkable that compared to the previous year the rate of traditional viruses declined by more than half (from 15.52% to 7.57%) and this malware class is therefore continuing to drastically lose its significance in the arsenal of cybercriminals.

[Chart: TOP 10 Windows malware]

AV-TEST GmbH regularly evaluates on a bimonthly basis all relevant antivirus solutions for Windows on the market. The latest test results can be downloaded for free on the website under https://www.av-test.org/en/antivirus/.

ANDROID: FACTS AND FIGURES

Security Status ANDROID

Declining malware development rates characterized the year 2018. That was then. Because since the beginning of the second quarter of 2019, the rate of newly-developed Android malware samples has been growing consistently, and since the last quarter it has even leapfrogged. How is the threat scenario shaping up for the world's most widely-used mobile platform?

Most insecure operating system 2019

One glance at the development curve of new Android malware was comforting both to the owners of the most widely-used operating system for mobile devices and the provider Google over the past four years. Because since the highest level of malware development, recorded in mid-2016, the rate of newly-developed Android malware was clearly retrograde, at the mid-point of last year reaching its lowest point within the past three years.

This reassuring trend ended in the middle of last year, however. Since then, the malware curve for Android has experienced a consistent upswing, in the first quarter of this year even exponential growth. This comes as no surprise, as in the ranking of the operating systems and programs having the greatest security vulnerability, in 2019 Android earned the dubious honor of first place with 417 security leaks known and listed in the CVE database.

[Chart: Android: overall development of new malware, 2010 to Q1 2020]

Over 90% Trojans

In 2019, Trojans comprised the largest share by far. Virtually 94 percent of the newly-programmed malware code for Android devices is attributable to this malware category. "Hiddad" was a malware sample of this type, which wreaked havoc as an Android Trojan already back in 2018 and last year within the Top 10 Android malware managed to climb from 8th place to 2nd place. Hiddad (18.7%) is an "advertising specialist", which, among other places, hides in apps delivered via Google's Play Store. After the installation of apps infected with Hiddad, the malware skillfully conceals itself by assuming Android-typical file names such as "Google Play Service". It confounds the detection and removal through security apps by deploying super user rights and hiding in Android system folders. On infected user devices, Hiddad displays advertising in certain intervals in full-screen mode and enables its perpetrators to extort cash in this manner.

[Chart: Android: development of new ransomware in 2019 and Q1 2020]

Android: distribution of malware (values recoverable from the chart): Password-Trojans 2.04%; Ransomware 2.47%; Other 1.56%

[Charts: Android: development of new password-Trojans in 2019 and Q1 2020; Android: development of new Trojans in 2019 and Q1 2020]

The display of unwanted advertising on Android devices is obviously becoming used more and more frequently as a successful monetization strategy. After all, criminals can earn good money with advertising. That is why most malware samples among the Android Top 10 rely on this procedure. The same applies to "Shedun", which in 2019 ranked at Number 3 (9.7%) and was already making money for criminals as far back as 2015.

Mobile blackmail: Android ransomware

As an additional source of income in 2019, criminal Android specialists deployed ransomware to blackmail device users. Comprising 2.47 percent of the overall share of malware, this malware category is in 2nd place among deployed malware programs. The economic basis for this trend is the fact that mobile devices are now used to the same extent as PCs and notebooks. Add to this the constant availability of the devices as a camera for snapshots, as well as a far lower backup percentage, which means it is extremely seldom that devices blocked by ransomware can be easily restored via a backup to the state prior to the attack. It is worth noting that AV-TEST analysis systems detected over 78,000 newly-programmed ransomware samples for Google's operating system in 2019.

Android Password Trojans ranked third in 2019. This malware is also worthwhile to criminals only because user devices are now used in a large scale for Internet banking and making purchases on online platforms. So skimming off login details and subsequently plundering various user accounts has now become a lucrative target of attack by cyber criminals.

Due to the still low penetration of protection apps, there is significantly less urgency to innovate for Android, as opposed to Windows systems. Add to this the free availability of app development tools, the relatively easy access to the Google Play Store, along with the additional opportunity to distribute infected apps via other app stores. And finally, the high market share of Android (approx. 80% worldwide) as well as the disparate, often no longer patched, Android versions still in use, offer a good business climate for criminals.

[Chart: TOP 10 Android malware]

Trend 2020

The first quarter of the current year saw a clear decline in mobile ransomware, whose year-on-year share dropped significantly from 2.47 to 0.45 percent. Also in decline is the trend in password Trojans (2.04% to 1.33%). The growth rate of Trojans such as Shedun and Hiddad is exhibiting an increase accordingly. The latter significantly boosted its share in overall malware incidence to over 22 percent. This allows the supposition, at least, that in 2020 cybercriminals are increasingly cashing in on unwanted ads.

AV-TEST GmbH regularly reviews all market relevant security solutions for Android mobile devices every two months. The latest test results can be downloaded for free on the website evices/.

MacOS: FACTS AND FIGURES

Security Status MacOS

Old known Trojans and backdoors

The actual good news is overshadowed as soon as attention is focused on malware distribution of last year and the 2019 key indicators are subjected to in-depth analysis. First, you have to scroll down quite a way to find Apple or its current operating system in the list of programs with known security exploits: MacOS X only appears in 44th place. These known vulnerabilities and others were also fully exploited in 2019, however. With only 107, the number of

Good news for Apple users: Overall, the AV-TEST detection systems registered a downward malware growth trend for MacOS systems. However, behind this positive statistic is also the fact that malware has now also become a threat to be taken seriously for Mac and that in 2019 there was
