Netskope data reveals growing malware threat in the telecom industry

OneDrive is the most popular app in the telecom industry by a large margin, with 54% of all users accessing OneDrive each day.

VoicenData Bureau
New Update

OneDrive is the most popular app in the telecom industry by a large margin, with 54% of all users accessing OneDrive each day, compared to 46% of users in other industries.


The most recent research study from Netskope Threat Labs has been released, providing insight into the cyberthreats that organisations in the financial services sector must contend with.

Key findings from the Threat Labs Report — TELECOM 2023 include:

Cloud App Adoption: The average user in the telecom industry interacts with 24 different cloud apps per month, which is on par with other industries. The Microsoft apps OneDrive, Teams, SharePoint, and are all more popular in telecom, while the Google apps Drive and Gmail are all less popular.


Cloud App Abuse: The telecom industry ties the financial services industry for having the highest percentage of cloud malware downloads. The top 10 apps with malware downloads are the cloud storage apps Microsoft OneDrive, Azure Blob Storage, Google Drive, and MediaFire.

Malware & Ransomware: Trojans dominated malware downloads from the cloud and web, led by FormBook, Razy, and Valyria. Other top malware families targeting telecom organizations included the Ako ransomware, the PonyStealer infostealer, and the Zusy backdoor.

Cloud App Adoption


According to the report, Cloud app adoption continues to increase in the telecommunication industry, with enterprises using cloud apps to improve productivity and enable hybrid workforces. The number of apps a user in telecom interacts with has increased from 22 to 24 apps over the past 12 months, in-line with other industries. The top 1% of users interacted with 76 apps per month on average, below the average of 95 apps in other industries.

The report further stated, users in telecom downloaded data from cloud apps at a slightly higher rate than other industries, with 95% of users downloading data from cloud apps in telecom, compared to 93% in other industries. Telecom led other industries by an even larger margin in uploads, with 74% of users uploading data monthly compared to 65% in other industries.

Most Popular Cloud Apps


The report added, OneDrive is the most popular app in the telecom industry by a large margin, with 54% of all users accessing OneDrive each day, compared to 46% of users in other industries. Other Microsoft products including Teams, SharePoint, and are also more popular in the telecom industry. By comparison, Google Drive and Google Gmail are less popular, and other apps enjoy comparable popularity to other industries.

Top Apps Used for Uploads

Unsurprisingly, uploads to Microsoft OneDrive are more common in telecom compared to other industries, the results of the increased popularity of that app, while uploads to Google Gmail and Google Drive are less common. Files are uploaded to other apps at rates that are comparable to other industries.


Top Apps Used for Downloads

Similarly, telecom also stands out for having more users downloading files from OneDrive and SharePoint than other industries. Of the cloud storage solutions provided by the big three IaaS cloud providers, Google Cloud Storage is more popular, Amazon S3 is as popular, and Azure Blob Storage is less popular compared to other industries

Cloud App Abuse


Cloud Malware Delivery

The report highlighted, The popularity of cloud malware delivery in telecom has remained consistently high for the past 12 months, spending most of that period between 60% and 70%. On average, 62% of malware downloads in telecom came from cloud apps, compared to 53% in other industries. Abusing cloud apps for malware delivery enables attackers to evade security controls that rely primarily on domain block lists and URL filtering, or that do not inspect cloud traffic.

Compared to other industries, telecom is tied with financial services for being the industry with the highest percentage of malware downloads from the cloud over the past 12 months.


Cloud Apps Abused for Malware Delivery

In the last 12 months, the report says, Microsoft OneDrive was the most popular cloud app abused for malware downloads in the telecom industry, representing 29% of all cloud malware downloads, compared to 22% in other industries. As highlighted earlier in this report, Microsoft OneDrive is also the most popular app among users in telecom, which makes it both an useful app for attackers seeking to target a wide variety of organizations using the same app, and also makes it more likely that the malicious payloads would reach their targets. Other top apps for malware downloads include free software hosting sites (GitHub), collaboration apps (SharePoint), free web hosting services (Weebly, Squarespace), cloud storage apps (Azure Blob Storage, Google Drive, MediaFire), and webmail apps (, Google Gmail).

Malware & Ransomware

Top Malware Types

The most common malware type detected by Netskope in the telecom industry in the last 12 months were Trojans, which are commonly used by attackers to gain an initial foothold and deliver other types of malware, such as infostealers, remote access Trojans, backdoors, and ransomware. The second most common were file-based exploits. Rounding out the top five are infostealers, backdoors, and downloaders. File-based exploits, backdoors, and downloaders were all much more common in the telecom industry compared to other industries.

Top Malware & Ransomware Families

This list contains the top 10 malware and ransomware families detected by Netskope targeting users in the telecom industry in the last 12 months:

Adware.Bundlore (a.k.a. SurfBuyer) is an OSX adware installer that has circulated in many forms including Flash player installers, hidden scripts, and browser plugins.

Adware.Pirrit is an adware installer for OSX that has been around since 2016 that continues to circulate.

Backdoor.Zusy (a.k.a. TinyBanker) is a banking Trojan based on the source code of Zeus, aiming to steal personal information via code injection into websites.

Infostealer.AgentTesla is a .NET-based Remote Access Trojan with many capabilities, such as stealing browsers’ passwords, capturing keystrokes, clipboard, etc.

Infostealer.PonyStealer (a.k.a. Fareit) is a malware able to steal passwords from hundreds of applications, including web browsers, emails, messaging apps, and FTP.

Phishing.PhishingX is a malicious PDF file used as part of a phishing campaign to redirect victims to a phishing page.

Ransomware.Ako (a.k.a. MedusaLocker) is a RaaS (ransomware-as-a-service) group active since 2019.

Trojan.FormBook (a.k.a. XLoader) is a malware that provides full control over infected machines, offering many functionalities such as stealing passwords and executing additional malware.

Trojan.Razy is a Trojan typically distributed via malicious ads disguised as legitimate software, often used to steal cryptocurrency data.

Trojan.Valyria (a.k.a. POWERSTATS) is a family of malicious Microsoft Office Documents that contain embedded malicious VBScripts usually to deliver other malicious payloads.

According to this analysis, there has been a rise in both the use of the cloud and the amount of data being accessed and uploaded to it. It also brought attention to the growing practise of attackers employing a range of cloud apps, particularly well-known enterprise apps, to spread malware to their targets. The majority of the malware samples were Trojans, while there were also downloaders, backdoors, file-based exploits, ransomware, and information thieves. Organisations in the telecoms sector are advised by Netskope Threat Labs to assess their security posture to make sure they are sufficiently protected against these trends