Cheetah Mobile June Security Report: Increase in Mobile Banking and Payment Malware

Blog > ContentJul 02, 2014


Developing Trends

Issues with mobile banking and mobile payment malware – malicious software that can extort money from users by hijacking personal information and spoofing bank sites or apps to trick victims into sharing personal data – rose in the month of June, according to Cheetah Mobile Threat Research Labs. The number of infected mobile devices worldwide, as well as the number of malware variants, increased in June at a high speed.


Infection Rates Around the World

In June, more than 100 countries were infected by mobile payment viruses. Vietnam, Russia and Taiwan were among the worst infected areas. 

Infection rates (June)


Top countries of mobile payment malware infected users (June)

Features of Mobile Payment Malware 

1. Mobile payment malware tends to spread to numbers in the infected user’s contact list. Once one individual has been infected, their friends and family are very likely to also get infected. This allows viruses to spread over a large area extremely fast.

2. Removal tends to be very difficult. The average user would have great difficulty solving the problem without the use of a security solution. 


An evolved form of Cryptolocker, Simplelocker is the first malware Cheetah Mobile has encountered that can successfully encrypt files on a user’s device. When installed, it will display random popups on the device, and encrypt files located on the device’s SD memory card such as pictures, audio files and videos. The malware asks for a $200USD ransom to resume normal device usage. While Cryptolocker stated the same thing as an empty threat, Simplelocker's extortion is real.

Simplelocker disguises itself as a media player on high-traffic websites. Once downloaded, it encrypts all files on the SD memory card and is extremely difficult to remove. Currently, several mobile security vendors still cannot guarantee that they are able to clean the virus while also recovering the locked data.

Currently, there are 40 known variants of Simplelocker and they are spreading fast. The most commonly affected countries are Russia, Ukraine and the U.S., with more than 15,000 users infected monthly.

Stubborn Trojan

In June, a high number of Trojans such as Android.Troj.fobus and Android.Troj.Fakeinst began to appear. These Trojans can make mobile payments without the user’s consent. After gaining access to the Android device manager, the malware commits SMS fraud, steals mobile data, contacts premium rate phone numbers, and stealthily downloads other malware apps. These Trojans are very difficult to remove and can sometimes prevent a user from uninstalling any apps.

So far, Cheetah Mobile has detected 17,060 separate infections for this class of malware. Russian and Korean speaking countries in particular have been targeted.

“Express Delivery” Variants

In May, “Express Delivery” raged through Taiwan. In June, we saw “Express Delivery” splitting off into 35 separate variants. The virus sends enticing messages to users, such as “Click to download your photos shot at the party” or “Check out this new song just released”. These messages are designed to lure in new victims.

Message sending from malware “You got a new driving violation ticket”

CM Security Warning

“Express Delivery” variants spread at a very high speed. The Cheetah Mobile Threat Research Lab has found that around 20,000 mobile phones receive these malicious messages every day. 

Korean BankKiller

In June, a new malware named BankKiller started infecting Korean Android users. The infection rate is increasing rapidly and is currently around 4,000 per day.


Fake (left) and official (right) banking apps interfaces comparison

The virus pretends to be a popular game or tool on third party Android markets and fools users into downloading it. Once installed it replaces banking apps with fake versions that are designed to steal personal information. With the stolen information, the hackers can apply for a new certificate, which they then use to freely access the victim's bank account.

Security Tips

Mobile payment malware can severely impact a users device and compromise personal data. The Cheetah Mobile team is consistently monitoring these fast-moving threats and responding immediately through product updates, giving users real-time protection. Both Clean Master and CM Security are designed to protect users from being attacked by the latest cyber threats. The newest Clean Master and CM Security app updates include:

1. Comprehensive anti-virus feature in Clean Master. A worry-free solution for most users, available for free on GooglePlay. If you already have it installed, make sure it's kept up-to-date.

2. CM Simplelocker Cleaner, which eliminates the Simplelocker malware and releases user data. 

3. CM Stubborn Trojan Killer, which removes Trojans that make malicious payments without the user's consent.

4. CM Security can combat all of the threats described in this report. It is available for free on GooglePlay.

Clean MasterOn GooglePlayCM SecurityOn GooglePlayCM BrowserOn GooglePlay