2020 threat prediction list from Avast threat experts

Mobile scams, sophisticated Malspam, IoT Malware and Botnets head up the list of predicted attacks for 2020. Avast also anticipates a greater focus on data privacy in the field of Artificial Intelligence.

Avast Threat Experts anticipate the following security trends for 2020:

How PC malware is delivered:
Avast’s Head of the Threat Intelligence Systems, Jakub Kroustek, expects advancements to be made in terms of how malware is delivered to PCs, with more sophisticated methods of spreading threats being deployed. These include distribution via malicious emails, from stealing incoming emails either to spy on victims or to add a malicious payload to the email which is then sent back in the conversation. Kroustek also predicts a resurgence of exploit kits, indicated by his observation of a strong comeback in kits and malware to be spread via supply chain attacks. Finally, we are likely to see cybercriminals exploit RDP (Remote Desktop Protocol) vulnerabilities to distribute threats.

Kroustek said, “Cybercriminals are constantly innovating and looking for new ways to circumvent today’s powerful personal and business security solutions. Not only is it harder for people to spot malicious emails or suspicious links and attachments, making attacks more likely to be successful, but the exploitation of RDP vulnerabilities to spread worm-like strains of threats could have significant impact.”

Mobile scams and iOS vulnerabilities:
On the mobile side, Nikoloas Chrysaidos, Head of Mobile Threat Intelligence and Security at Avast predicts that more subscription scams and fake apps will make their way onto official app stores, and that more iOS vulnerabilities will be exposed by security researchers and bad actors alike.

Chrysiados explains, “Getting malicious apps onto the Google Play Store and the Apple App Store is not an easy task, which is why cybercriminals are shifting towards subscription scams, and fake apps integrated with aggressive adware to make money. We are already seeing community projects, like checkra1n, providing high-quality semi-tethered iOS jailbreaks based on the checkm8 bootrom exploit. While this could enable researchers to discover more vulnerabilities, we hope they will be reported to Apple and not abused by the bad guys.”

Internet of Things (IoT) devices will become an even greater target for hackers
Security researcher Anna Shirokova predicts devices and even physical locations will become smart – or even smarter than they already are – to be used by vendors to collect more data about users in order to learn and predict their behavior.

“Smart devices and locations that collect data offer convenience, but they limit people’s control over their privacy. Additionally, companies collecting and storing a plethora of customer data make attractive targets for data hungry cybercriminals looking to sell data for financial gain on underground markets,” explains Shirokova.

Shirokova also expects cybercriminals to continue adding obfuscation to their IoT malware, similar to how cybercriminals attempt to protect their Windows malware code from being analysed by researchers.

Security researcher Daniel Uhricek foresees the development of new exploits for smart devices and predicts that malware authors will continue to build upon older, already established malware families, expanding them with newly released exploits to widen their IoT attack surface.

“Malware authors have also been making progress in preparing their attack infrastructure. We have seen IoT malware adopting DNS-over-HTTPS, Tor communication, proxies and different encryption methods, and we expect malware authors will adopt other security practices to make their botnets more robust,” said Uhricek.

Privacy will become the new frontier for security:
Rajarshi Gupta, Head of Artificial Intelligence at Avast, expects to see practical applications of AI algorithms, including differential privacy, to profit from big data insights as we do today, but without exposing all the private details.

Gupta said, “There is recent work, like the Data Shapley, to attribute value to individual pieces of data provided by users. While we do not foresee a monetization of personal data in 2020, per se, we hope to start seeing initial products that at least allow individuals to take back control their own data, by deciding whether and which companies can harness their data, and what data they can use.”