Mobile Malware Growth Continuing in 2013

February 21, 2013

At the start of 2013, McAfee Labs researchers had counted 36,699 mobile malware samples — and an astounding 95% of those samples only appeared over the course of the previous 12 months. In comparison, McAfee threat researchers gathered just 792 samples of mobile malware in all of 2011. Will 2013 display a similarly amazing climb?

All signs point to yes. The growth of mobile malware shows no sign of slowing and this threat will likely continue to explode as mobile devices remain particularly attractive to cybercriminals and malware authors for the following reasons:

  • The inherent value of the information that can be found on mobile devices, including passwords and address books
  • New “business” opportunities that aren’t available on the PC platform, such as Trojans that send SMS messages to premium services that then charge the user for each message
  • The propensity of some users to “root” their own phones to customize the interface or add functionality, which then allows hackers to exploit the device’s underlying vulnerabilities
  • The opportunity to quickly create very large mobile botnets
  • The ability to install malware that blocks software updates from users’ carriers that would remove other previously installed malware

[Figure: Total Mobile Malware by Platform]

Android Malware: Backdoors, Exploits & Spyware
The Android platform continues to make up the bulk of malware targets, representing 97% of total mobile malware. McAfee Labs researchers are tracking a range of mobile malware targeting these devices, including backdoors that enable attackers to gain control of a smartphone, new mobile exploits, and spyware.

Mobile Backdoors
Attackers love it when users install malicious apps that let the bad guys gain complete control of victims’ phones, so it’s no wonder that mobile backdoors remain popular with attackers. Here is how a few of these apps operate:

  • Android/FakeLookout.A is a mobile backdoor that pretends to be an update to antivirus software. In reality it hands control of a phone to an attacker. It’s designed to steal and upload text messages and other files to the attacker’s server.
  • Android/GinMaster.A is a mobile backdoor that uses a root exploit to gain further access to a user’s phone. It posts a number of pieces of identifying information to the attacker’s server and accepts commands from the attacker.
  • Android/Citmo.A is SMS-forwarding malware that steals mobile Transaction Authorization Numbers (mTANs), the secret codes a bank sends via text message to a smartphone to verify that a user is logging in online. Once a user has inadvertently installed Android/Citmo.A, the attackers log in to the victim’s online banking and wait for the bank to send an mTAN. The infected phone immediately forwards the mTAN to the attackers, allowing them to complete the login and potentially gain access to the victim’s financial accounts.

Mobile Exploits
Recent models of Samsung phones were vulnerable to a configuration error that allowed the legitimate rooting of phones. This was good for skilled users who wanted to modify the operating system, customize the interface, or add security improvements, but it also exposed the device to attack, giving attackers complete access to an unsuspecting user’s phone. The underlying vulnerability grants complete access to all of the memory in the system, allowing anyone with the skill or a ready-made exploit to patch the OS and remove all of its security restrictions.

  • Exploit/ExymemBrk.A, detected as a potentially unwanted program, serves this dual purpose for both legitimate users and criminals. McAfee Labs detects it because malware authors can bundle it with their malware to take over a phone. The legitimate rooting app Android/ExynosToor.A installs the exploit and roots vulnerable phones; the app was later updated to also disable the vulnerability, preventing an attacker from entering a phone through it.

Mobile Spyware
Spyware makes up a tiny portion of new Android threats, but among the more notable malicious threats are Android/Ozotshielder.A and Android/PBL.A.

  • Android/PBL.A is an app that claims to store a copy of the mobile user’s phonebook and contacts on the phone, but actually sends them off to a server controlled by the attacker. If the author had informed users of what the app was actually doing, McAfee Labs would call this a potentially unwanted program; instead it is classified as malware.
  • Android/Ozotshielder.A is trickier. It pretends to be a simple live wallpaper. In reality it contacts the attacker’s server to download a list of SMS messages it will send to a premium-rate number. It then sends the list of successfully sent messages to the attacker. This behavior implies that the attacker leases the network of infected devices to various advertisers or crooks who make money from premium-rate SMS.
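Several of the families above share recognisable permission footprints: Android/Citmo.A intercepts incoming SMS and relays them off the device, Android/Ozotshielder.A sends SMS to premium-rate numbers on instruction from a server, and Android/PBL.A ships the address book to an attacker. The following Python example is added here to illustrate manifest-based triage against those patterns; it is not McAfee's code or any real product's detection logic, and the rules and both sample manifests are constructed for illustration. Permission combinations are only a triage aid, since legitimate messaging or backup apps request the same permissions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Rules (constructed): label, permissions that must all be present, permissions of which any one suffices.
RULES = [
    # Intercept incoming SMS and relay it off the device (the Android/Citmo.A behaviour)
    ("sms interception and relay", {"android.permission.RECEIVE_SMS"},
     {"android.permission.INTERNET", "android.permission.SEND_SMS"}),
    # Send SMS under instruction from a server (the Android/Ozotshielder.A behaviour)
    ("remote-controlled sms sending",
     {"android.permission.SEND_SMS", "android.permission.INTERNET"}, set()),
    # Read the address book and ship it to a server (the Android/PBL.A behaviour)
    ("contact exfiltration",
     {"android.permission.READ_CONTACTS", "android.permission.INTERNET"}, set()),
]

def permissions_from_manifest(xml_text):
    """Return the set of permission names requested in an AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}

def declares_wallpaper_service(xml_text):
    """True if the manifest declares a live-wallpaper service (guarded by BIND_WALLPAPER)."""
    root = ET.fromstring(xml_text)
    return any(el.get(ANDROID_NS + "permission") == "android.permission.BIND_WALLPAPER"
               for el in root.iter("service"))

def triage(xml_text):
    """Return the suspicious behaviour labels the manifest's permission set is consistent with."""
    perms = permissions_from_manifest(xml_text)
    hits = [label for label, need_all, need_any in RULES
            if need_all <= perms and (not need_any or need_any & perms)]
    # A wallpaper has no business sending SMS; flag the combination explicitly.
    if declares_wallpaper_service(xml_text) and "android.permission.SEND_SMS" in perms:
        hits.append("wallpaper app that sends sms")
    return hits

# Constructed manifest mimicking a live wallpaper that also asks for SMS and network access.
WALLPAPER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application>
    <service android:name=".Wall" android:permission="android.permission.BIND_WALLPAPER"/>
  </application>
</manifest>"""
# Constructed manifest for an app that only needs the camera; should produce no hits.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>"""
```

Running `triage(WALLPAPER_MANIFEST)` flags both the remote-controlled SMS pattern and the wallpaper-plus-SMS combination, while the camera-only manifest produces no hits.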