Threat Review

Cyberprotection starts with understanding the latest attacks, cybercrimes, and privacy breaches.

Chapter 1

Executive Summary

In 2021, malware returned with a vengeance.

The Covid pandemic hit global economies hard in 2020, including the criminal underground—and malware detections fell appreciably. A year later, as coronavirus restrictions were eased around the world, malware roared back into our lives at record levels. Malware’s “Covid bounce” was visible everywhere, in detections for almost all types of malicious or unwanted software, on Windows and on Macs.

The mounting cost of complexity and technical debt was increasingly evident. From Google Chrome’s 18 zero-days to December’s big reveal that everything, everywhere could be put at risk by an unsung logging library, the lesson of 2021 was that while better patching is vitally important, we will not patch our way to security.

However, 2021 is most likely to be remembered as the year that ransomware was discussed by presidents and hunted by the military. The ransomware epidemic isn’t over, and it may not even have peaked, but the threat it poses to businesses, supply-chains and critical infrastructure is no longer in doubt, and the forces arrayed against it have never been so formidable.

Chapter 2

The year in malware

Top 10 Windows malware detection categories 2021

Heuristic Malware: 35%
Trojan: 20%
Adware: 13%
Riskware Tool: 12%
HackTool: 7%
Virus: 4%
Spyware: 3%
Sivis: 2%
Worm: 2%
Backdoor: 2%

The “Covid bounce”

In 2020, coronavirus restrictions created a significant depression in economic activity around the world. In that year, malware detections on Windows business machines fell 24 percent—a reminder that cybercrime is a business too. In 2021, malware came roaring back.

As restrictions eased, and cybercriminals learned how to target organizations whether they were in offices or homes, malware detection numbers climbed precipitously. And they didn’t simply return to the pre-Covid status quo, they soared past 2019’s numbers.

Last year, Malwarebytes detected 77 percent more malicious software than in 2020. As cryptocurrency values soared, detections of malware that mines cryptocurrencies on victims’ computers increased more than 300 percent. In addition, adware, spyware, and worms jumped by 200 percent, a solid indicator of what we should expect in 2022.

Consumer-focused detections increased 65 percent while detections of threats on Windows business computers rose 143 percent.

Windows malware detection totals 2019-2021

[Chart: annual Windows detection totals for Consumer and Business, 2019, 2020 and 2021; y-axis 20M to 160M]

Changing of the guard

Email threat detections also exhibited a “Covid bounce,” increasing by 56 percent between the first and second half of the year. But the trend over the last four years is actually one of significant decline.

Email threat detections 2018-2021

[Chart: monthly email threat detections, January 2018 to October 2021; y-axis 0K to 600K; series: Emotet, Trickbot, Dridex, Qakbot, Remcos, Other]

As the volume of malicious email detections declined, the pattern of detections changed too. Between 2018 and 2020, the email threat landscape was dominated by Emotet, TrickBot, and Dridex, which accounted for between 75 percent and 90 percent of all email detections. That picture has now changed. In 2021, Emotet, TrickBot, and Dridex made up just 42 percent of detections, and the space they vacated was filled by six other malware families operating at a similar scale.

Email threat detections 2018-2020

Emotet: 36%
Trickbot: 26%
Dridex: 17%
Qakbot: 5%
Remcos: 3%
Smokeloader: 3%
DarkComet: 2%
Nanocore: 2%
Lokibot: 1%
Agent Tesla: 1%
Others: 4%

The old guard of email threats, focused on lateral movement and complete network compromise, seems to have been a poor fit for the work-from-home environment. Threat actors also appear to be using fewer emails in a more targeted way—perhaps copying a successful tactic from ransomware gangs.

The notable exception to the “Covid bounce” was ransomware, which decreased 38 percent in 2021. It didn’t go away, of course. In fact, 2021 was widely regarded as the worst year for ransomware ever.

The decrease in detections is most likely a simple side effect of the way ransomware is used. Over the last few years, ransomware operators have achieved huge year-on-year increases in the amount of money they can demand by focusing their resources on fewer targets. Ransomware operators are rarely interested in compromising individual machines any more; their targets now are entire organizations.

If an attack is stopped, it is likely to be stopped as the attackers breach the network or as they prepare their attack, and that would register not as a ransomware detection but as something else.

Top 10 Mac detections 2021

PUP.JDI: 75,044,884
PUP.Kromtech: 29,139,055
PUP.MacBooster: 20,671,237
PUP.MacKeeper: 10,501,945
OSX.Genieo: 5,249,328
PUP.FakeAV.Anobot: 3,766,521
PUP.PCVARK: 3,663,018
Adware.NewTab: 3,330,890
OSX.VSearch: 2,041,041
Adware.OperatorMac: 1,987,809

The “Covid bounce”

On Macs, detection numbers continued to be dominated by Potentially Unwanted Programs (PUPs) and adware in 2021. The year saw a surge in detections for both, and the same “Covid bounce” seen in Windows malware detections—a dip in 2020 followed by a huge rebound in 2021.

Mac detection totals 2019-2021

[Chart: annual Mac detection totals, 2019, 2020 and 2021; y-axis 20M to 180M]

The number of Mac detections increased more than 200 percent year-on-year in 2021, to 164 million, an increase of 35 percent on 2019. To put the increase into perspective, in 2021 Malwarebytes saw 75 million detections for just one unwanted app: PUP.JDI, the same as the number of detections of all types on Macs in 2020.

The exception to the “Covid bounce” on Macs was malware. The number of new malware families discovered in 2021 was relatively low compared to previous years, and most of the new malware was never discovered in the wild, or was discovered in extremely small quantities.

In the last few years, Apple has introduced a range of security features designed to make it harder for malicious actors to access important data on Macs, notably the Transparency, Consent and Control (TCC) framework, which raises the question: Is TCC behind the apparent chill in Mac malware?

Research demonstrates this is unlikely, but the reduction in malware might indicate a change of course by malware authors in response to TCC. If TCC is having a chilling effect on Mac malware it will be a welcome development, but the bigger picture for Macs remains the vast headache of PUPs and adware.

Mac detections by type 2021

PUPs: 89.8%
Adware: 9.8%
Malware: 0.4%

Android detections by category 2021

HiddenAds: 19%
Adware.InMobi: 18%
Dropper: 13%
Adware.MobiDash: 12%
Trojan.FakeAdsBlock: 12%
Downloader: 8%
Spy: 6%
PUP.Riskware.Autoins.Fota: 5%
Adware.Cootek: 4%
Adware.AdNote: 3%

Apps that make money through ads continued to dominate the Android detection landscape in 2021. One of the most prevalent, Android/Adware.MobiDash, racked up 133,179 detections by hiding in the code of legitimate apps that were repackaged and uploaded to third-party app stores. Meanwhile, Android/Adware.AdNote, which posed as various office-type apps on Google Play, was detected 25,314 times.

Pre-installed apps like the dangerous Android/PUP.Riskware.Autoins.Fota continued to cause significant headaches too. Despite a sharp drop in detections from the previous year, it was still detected 37,701 times in 2021.

One of the most prevalent forms of Android malware in 2021 was Android/Trojan.HiddenAds, a large family of trojans that aggressively displays ads wherever it can: in notifications, on the lock screen, in full pop-up screens, and in the default browser. Last year, 463 different variants were detected a total of 192,919 times.

A close cousin of HiddenAds is another frequently detected piece of Android malware, Android/Trojan.FakeAdsBlock, a stealthy trojan that masquerades as an ad blocker. Like HiddenAds, it makes money by showing users ads and is far more dangerous and intrusive than run-of-the-mill adware.

Pre-installed malware continued to be a serious issue on mobile devices from budget manufacturers in 2021.

For years, Malwarebytes has tracked the prevalence of stalkerware, which is a term used to describe surveillance apps that are installed on a person’s device without their consent. These apps can access a device’s GPS location, web browsing history, photos, videos, emails, and phone call logs and audio.

Malwarebytes separates stalkerware-type activity into two categories—monitor apps and spyware apps. In 2020, detections of monitor and spyware apps saw an unprecedented spike at the moment much of the world went into some form of lockdown, and levels of stalkerware stayed at unprecedented highs for the rest of the year.

In 2021, Malwarebytes recorded a total of 54,677 detections of Android monitor apps and 1,106 detections of Android spyware apps. This represents a 4.2 percent increase in monitor detections and a 7.2 percent increase in spyware detections year-on-year, making 2021 even worse than 2020, and the worst year for stalkerware so far.

However, although the overall numbers are up, detections have taken an unmistakable downward turn since last year’s peak.

Android monitor app detections 2020-2021

[Chart: monthly Android monitor app detections, January 2020 to November 2021; y-axis 0K to 8K]

Android spyware app detections 2020-2021

[Chart: monthly Android spyware app detections, January 2020 to November 2021; y-axis 0 to 180]

In 2020, Malwarebytes, in consultation with other domestic abuse support networks, hypothesized that the increased stalkerware activity came about because of the real-world physical restrictions put in place to combat COVID-19 around the world. The increase was also detected by other members of the Coalition Against Stalkerware, and coincided with news reports of increased calls to domestic abuse agencies.

In 2021, many governments loosened their coronavirus restrictions, allowing the public to mix and travel more freely. And, just as the sudden increase in stalkerware detections mirrored the sudden, mass imposition of restrictions, the gradual decline in detections appears to reflect their gradual easing.

The decline in stalkerware is welcome, but the causes for it are not clear and it is too early to celebrate. It is increasingly easy for abusers to monitor their targets using off-the-shelf technology designed for other purposes. Abusers may simply have turned to other forms of technology as stalkerware became more widely detected. Or they may have returned to previous patterns of control and abuse as restrictions eased.

Chapter 3

Looking to the future

We expect the important cybersecurity trends of the past year to persist into this year and beyond—determined, opportunistic adversaries; unmanageable complexity; Byzantine supply chains; mountains of technical debt; glacial patching rates; ad-driven app ecosystems; the proliferation of technology that can be used for stalking; and our systemic weaknesses to social engineering and ransomware. These problems were years in the making and they will not be solved quickly.

Organizations will need to choose their security software wisely, but simply buying the best tools is no longer enough. IBM’s 2020 Cyber Resilient Organization Report revealed what many admins already knew: That some organizations are now reaching a tipping point where increasing the complexity of their security stack is harming security outcomes.

The antidote is to provide the training and resources necessary to ensure that security tools are used well, and properly integrated. Organizations must seek out the best tools, while recognizing that security is a thing they must do rather than a thing they can buy. Doing security right means making every effort to stop attacks, while understanding that breaches are likely inevitable. It means thinking in terms of resilience: Threat hunting, threat containment, safeguarding of critical systems, harm reduction, and swift recovery.