
2017: Threats got more precise – and pervasive

2017 was a transitional year as the online threats grew more precisely focused on individual population segments and government-funded software exploits escaped their secure confines and wreaked havoc around the globe.

During the year, Avira detected over 4.5 billion instances of malware attempting to infect operating devices protected by our AV software. There was substantial variation between months as malware interceptions peaked in March at 474 million.

Sorting malware is an approximate task: depending on how the cybercriminals have decided to pack and distribute it or even where Avira has detected it, the same malware could be classified as an exploit kit, Trojan, or ransomware. That said, looking at these categories can help uncover trends and emerging threats.


Trojan detections made up the largest single category in the malware basket, clocking in at 1.62 billion for the year. Trojans come in looking innocuous, then show their true colors once in the device.

In 2017, ransomware was an extremely visible part of the Trojan family, totaling 25.19 million detections. Notable ransomware from 2017 included BadRabbit and the ever evolving Locky. While some Trojans might be categorized as an annoyance, ransomware can be life altering and life threatening. After all, when one’s entire files are zapped or a hospital shuts down – the impact is inescapable. We continue to recommend people back up their devices and not pay the ransom.

Banking Trojans, targeting financial and account data, reached 11.25 million detections. Dridex was our top banker Trojan, redirecting victims to malicious copies of banking sites. Dridex was particularly adept at changing its approach during the year, with one of the latest versions using a Windows Office exploit to infect computers. This Trojan was primarily spread via spam emails distributed by the Necurs botnet. Supported by a daily flood of millions of emails, Dridex led to more than $40 million in losses worldwide.

Cybercurrency malware such as the CoinMiner Trojan is a new entrant to this group. It quietly mines cryptocurrencies on the victim’s device, degrading computer performance and sucking up bandwidth. Unlike ransomware, the costs to infected users are largely hidden and indirect. Look for this segment to grow.


Exploit kits, where cybercriminals run through a computer with a shopping list of vulnerabilities to exploit, checked in at 371 million detections. This category got a mid-year boost from the NSA when its top-secret toolkit was leaked and harnessed by cybercriminals, resulting in the EternalBlue and the WannaCry ransomware attacks.

Potentially Unwanted Apps (PUA)

PUA are a gateway security issue with a high level of user irritation. By pulling in additional ads and apps into computers and smartphones, they open the door to a host of security and performance issues. While usually not a direct threat, they take a negative toll on your online experience thanks to their redirected web searches and the unstoppable flood of ads. PUA:Win32/Linkury was one of the most common examples of Windows PUA. Avira sent users 155.6 million warnings about PUA downloads last year.

Avira URL Cloud Detections

Over 2017, the Avira Cloud registered over 651 million detections from URLs. This is a 27% decline versus 2016, when URL detections topped slightly over 882 million. Although malicious URL detections peaked at over 102 million in January 2017, their incidence constantly decreased during the year to slightly over 27 million detections in December 2017. Of the 651 million URL detections for 2017, 65% were malware-related URLs, 24% phishing URLs, 9% malicious search engine URLs, 1.7% PUA download URLs and 0.3% PUA portal URLs.


Android insecurity remained a work in progress. While there were no massive onslaughts of Android malware, that hasn’t stopped cyber-criminals from trying. During the year, we saw the emergence of DoubleLocker ransomware and the LokiBot banking Trojan – two examples of traditional malware functionality being applied to smartphones. Three malware families hitting hard and heavy last year focused on sneaking onto phones and making money by pulling suspect apps and ads into the devices. This included SPR/ANDR.SMSreg – a PUA that sends text messages to premium numbers, ANDROID/Dropper.Shedun – repackaging legit apps with ads, and ANDROID/Hiddenapp – hiding out in devices and downloading other malicious apps. In addition, there were several waves of poisoned apps on the market – apps available in official and unofficial Android markets which included unwanted malware and adware connections. While the official Android Play store is a fairly secure option, it is certainly not failproof. 

2018: Watch your step when the chips are down 

Security starts with the hardware

Now that the new year has started, we are already seeing the first major vulnerabilities with the Meltdown and Spectre chip design issues. There are so many connected devices, running a mix of hardware chip sets and modified operating systems, and using a mix of protocols, multiple services and applications, that the threat vector for a potential compromise is expanding exponentially. This includes not only the traditional computing devices, such as laptops, PCs and smartphones, but also the dramatically increasing numbers of smart-home devices. The sheer number of variations and combinations has a direct correlation to the discovery of security vulnerabilities and the exploitation of these vulnerabilities by hackers and malware authors. This is only going to get worse.

Think small, think smart

The number of Internet of Things devices is booming. Gartner estimates that 8.4 billion units were in play last year, and that the number will explode to 20 billion by 2020. A significant number of these things are insecure by design, with fixed or difficult-to-change settings, and the Mirai malware dramatically showed how these devices could be enslaved into a botnet to distribute spam or knock sites off the internet via DDoS attacks.

“We see three major issues when it comes to IoT security: privacy, ransomware, and blackmail.” Travis Witteveen, CEO Avira


We see three major issues when it comes to IoT security: privacy, ransomware, and blackmail. As a direct threat, we expect to see ransomware adapted to smart devices, potentially bricking the device – or the home – until a ransom is paid. Secondly, this flood of unencrypted data from smart homes will be captured and misused in a blackmail scenario.

The limits of privacy legislation

2018 is the year of GDPR, the EU attempt to place privacy control and awareness back into the hands of the individual. Yes, this is raising the privacy bar by increased awareness, but the bar remains too low, as the nature of the internet and its “globalness” will render these laws largely insufficient and useless. While GDPR will cause costs and potentially result in an array of legal cases for high-profile companies, the larger group of individual app developers, web-site owners, and other businesses will continue to consciously as well as unconsciously act inappropriately and disregard basic data privacy.

Protecting individuals’ privacy requires a combination of services that enable users, in an understandable fashion, to be aware of and define the definition of privacy they consider relevant.

New centralization

The world is going through a massive evolution, as nation states are becoming less powerful in the world of the individual compared to the global corporate brands (Apple, Facebook, Google, Amazon & Microsoft). Virtual currency reduces the influence of governments and central banks (which are all interested in the economic well-being of their individual countries); while early in its development, it is another attack on the nation state. Altogether, traditional nation states are losing power due to these newcomers. This fear of losing power is causing a backlash of laws and protectionist initiatives across various areas: net neutrality, regional sourcing, data privacy, etc.

Think smart and consider preventive care

Overall, as a society and as individuals, we are benefiting greatly from these new technologies and services. We can do things faster, better, and cheaper than ever before. As Avira, our goal is to help people best profit from these developments, while ensuring their security baseline continues to improve. To fulfill that promise, we have expanded our portfolio to not only detect and delete malicious threats, but also to prevent unwanted events from happening in both the traditional world of devices as well as within the smart-home.


In late 2017, we launched Avira SafeThings™, our security platform for the IoT. It automatically secures connected devices in the home, thanks to its machine learning and artificial intelligence expertise. SafeThings™ is delivered to the home via the router or the internet service providers, freeing users from the need to be the information security officers for their smart devices.


Chief Executive Officer