2017: Threats got more precise – and pervasive

Travis Witteveen, 2 years ago 3 min read

2017 was a transitional year as the online threats and malware grew increasingly focused on individual population segments, and government-funded software exploits escaped their secure confines and wreaked havoc around the globe.

During the year, Avira detected over 4.5 billion instances of malware attempting to infect operating devices protected by both our own AV software, and our technology partners’ services. There was substantial variation between months: Malware interceptions peaked in March at 474 million.

Sorting malware is an approximate task: depending on how the cybercriminals have decided to pack and distribute it or even where Avira has detected it, the same malware could be classified as an exploit kit, Trojan, or ransomware. That said, looking at these categories can help uncover trends and emerging threats.


Trojan detections made up the largest single category in the malware basket clocking in at 1.62 billion for the year. Trojans at first look innocuous, then show their true colors once in the device.

In 2017, ransomware was an extremely visible part of the Trojan family, totalling 25.19 million detections. Notable ransomware in 2017 included BadRabbit and the ever evolving Locky. While some Trojans might be categorized as an annoyance, ransomware can be life altering and life threatening. After all, when one’s entire files are zapped or a hospital, or even large parts of a country’s health system, shuts down – the impact is inescapable. We continue to recommend people back up their devices and not pay the ransom.

Banking Trojans, targeting financial and account data, reached 11.25 million detections. Dridex was our top banker Trojan, redirecting victims to malicious copies of banking sites. Dridex was particularly adept in changing its approach during the year with one of the latest versions using a Windows Office exploit to infect computers. This Trojan was spread primarily via spam emails distributed by the Necurs botnet. Supported by a daily flood of millions of emails, Dridex led to more than $40 million losses worldwide.

Cybercurrency malware such as the CoinMiner Trojan are a new entrant to this group. These quietly mine cryptocurrencies on the victim’s device degrading computer performance and sucking up bandwidth. Unlike ransomware, the costs to infected users are largely hidden and indirect. Look for this segment to grow.


Exploit kits, where cybercriminals run through a computer with a shopping list of vulnerabilities to exploit, checked in at 371 million detections. This category got a mid-year boost from the NSA when its top-secret toolkit was leaked and harnessed by cybercriminals, resulting in the EternalBlue and the WannaCry ransomware attacks.

Potentially Unwanted Apps (PUA)

PUA are a gateway security issue with a high level of user irritation. By pulling in additional ads and apps into computers and smartphones, they open the door to a host of security and performance issues. While usually not a direct threat, they take a negative toll on the online experience thanks to their redirected web searches and the unstoppable flood of ads. PUA:Win32/Linkury was one of the most common examples of Windows PUA. Avira sent users 155.6 million warnings about PUA downloads last year.

Avira URL Cloud Detections

Over 2017, the Avira Cloud registered over 651 million detections from URLs. This is a 27% decline versus 2016, when URL detections topped slightly over 882 million. Even though during January 2017 the URL malicious detections peaked at over 102 million, their incidence constantly decreased during 2017 to slightly over 27 million detections in December 2017. Out of the 651 million URL detections for 2017, 65% were malware related URLs, 24% phishing URLs, 9% malicious search engine URLs, 1,7% PUA downloads URLs and 0,3% PUA portals URLs.


Android insecurity remained a work in progress. While there were no massive onslaughts of Android malware, that hasn’t stopped cyber-criminals from trying. During the year, we saw the emergence of DoubleLocker ransomware and the LokiBot banking Trojan – two examples of traditional malware functionality being applied to smartphones. Three malware families hit hard and heavy last year focused on sneaking onto phones and making money by pulling suspect apps and ads into the devices. This included SPR/ANDR.SMSreg – a PUA that sends text messages to premium numbers, ANDROID/Dropper.Shedun – repackaging legit apps with ads, and ANDROID/Hiddenapp – hiding out in devices and downloading other malicious apps. In addition, there were several waves of poisoned apps on the market – apps available in official and unofficial Android markets which included unwanted malware and adware connections. While the official Android Play store is a fairly secure option, it is certainly not failproof.

What will 2018 bring? Continue reading here

This article first appeared on blog.avira.com on 18 January 2018

Want to comment on this post?

We encourage you to share your thoughts on your favorite social platform.
2017: Threats got more precise – and pervasive

Travis Witteveen

Travis Witteveen is Avira's Chief Executive Officer, responsible for leading the company, growing its value, and guiding its social responsibilities. Follow Travis on Twitter @ @twitteveen

You might like


Turning up the heat on the smart thermostat

Turning up the heat on the smart thermostat

A smart thermostat and the team in the datacenter that supports it, knows a lot about the user – perhaps too much. The potential for hacking incidents to occur underlines the importance of security for all of our connected devices.

2 years ago 3 min read