More than 99 percent of new mobile threats discovered by F-Secure Labs in the first quarter of 2014 targeted Android users, according to F-Secure’s new Mobile Threat Report. Two hundred seventy-seven new threat families and variants were discovered, all but two targeted Android — of the two that didn’t, one targeted the iPhone, and one targeted Symbian. In comparison, the same quarter last year brought 149 new threat families and variants, of which 91 percent targeted Android.
The first quarter also saw a number of firsts for Android malware. This indicates that the mobile threatscape is continuing to develop in sophistication and complexity. The quarter saw the first cryptocurrency miner, which hijacks the device to mine for virtual currencies such as Litecoin. It saw the first bootkit, which affects the earliest stages of the device’s bootup routine and is extremely difficult to detect and remove. It saw the first Tor Trojan and the first Windows banking Trojan hopping over to Android.
“These developments give us signs to the direction of malware authors,” said Mikko Hyppönen, chief research officer at F-Secure. “We’ll very likely see more of these in the coming months. For example, mobile phones are getting more powerful, making it possible for cyber criminals to profit by using them to mine for cryptocurrencies.”
Great Britain experienced the highest level of mobile malware measured by F-Secure in Q1, with 15 to 20 malware files blocked per 10,000 users there, or about one in 500 users. The U.S., India and Germany each had five to 10 malware files blocked for every 10,000 users, and in Saudi Arabia and the Netherlands, two to five malware files were blocked per 10,000 users.
Found in the world
F-Secure Labs found or received hundreds of thousands of mobile app samples in Q1 2014, from sources such as the Google Play Store, third-party app stores, developer forums, user submissions and others. To identify threats, they analyzed each app received for malicious code. If they found any, the app was grouped into a family based on similarities in code and behavior. Unique samples within a family are known as variants.
In Q1 2014, 275 new threat families (or new variants of known families) were found that run on Android. They also found one new threat family each on iPhone and Symbian.
Ninety-one percent of these new families or variants were categorized as malware, as they posed a significant security risk to the user’s device and/or information. The rest were classified as potentially unwanted apps (PUA): they do not attack the user outright, but could inadvertently introduce risks to the user’s privacy or device security if misused.
Seen by users
Compared to PC-based threats, the number of mobile malware is minuscule. Even so, in Q1 2014, users of F-Secure’s Mobile Security (for Android) solution sent a steady stream of reports of malware detected and blocked on their devices.
In Q1 2014, more users in Great Britain reported malware activity being discovered and blocked on their Android device than in any other country, by a wide margin (15 to 20 malware files blocked per 10,000 users). Users in the United States, India and Germany (five to 10 malware files blocked for every 10,000 users), and in Saudi Arabia and the Netherlands (two to five malware files blocked per 10,000 users), also reported a notable level of malware being detected and blocked.
Top 10 Android malware
Though there are hundreds of malware families, most users only ever encounter a handful of common threats: the top 10 Android malware families reported in Q1 2014 together account for 76 percent of all Android threats seen in the period. Within those top 10, 45 percent of the reports were threats in the Fakeinst family, 34 percent were SMSSend variants, and the remaining 21 percent were spread across the other eight families.
What does it do?
Trojans are currently the most common type of mobile malware. Most of the Trojans seen in Q1 2014 engaged in one (if not more) of the following activities:
- SMS sending: Silently send SMS messages to premium-rate numbers or SMS-based subscription services.
- File or app downloading: Download and install unsolicited files or apps onto the device.
- Location tracking: Silently track the device’s GPS location and/or monitor the user through the microphone or camera.
- Fake app scanning: Pretend to be a mobile antivirus solution while providing no useful functionality.
- Link clicking: Silently and repeatedly connect to websites to inflate their visit counters.
- Banking fraud: Silently monitor and divert banking-related SMS messages, such as one-time transaction codes sent by the bank.
- Data stealing: Steal personal material such as files, contacts, photos, and other private details.
- Fee charging: Charge a “fee” for the use, update or installation of a legitimate (and usually free) app.
Nineteen percent of these new families or variants secretly connected over the Internet to a remote Command & Control (C&C) server. Devices that take orders from an unauthorized remote server this way are known as bots; a group of such devices is known as a botnet.
These apps receive instructions from an attacker operating the C&C server, which can tell the app to perform functions such as installing programs, collecting information, and sending SMS messages.
Eighty-eight percent of the new families or variants included some way for the attacker to make money off the user who unwittingly installs the app, for example by silently sending SMS messages to premium-rate numbers or charging a ‘fee’ for a free program.
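As an added illustration (this is not code from F-Secure or the report), the following Python script shows how a triage tool can map an Android app's manifest onto the behaviour categories listed above. The sample manifest, the permission-to-behaviour table and the priority threshold are all constructed assumptions; the high-priority SMS_RECEIVED receiver it flags separately is the pre-Android 4.4 trick that SMS-diverting banking Trojans used to read and abort an incoming message before the stock messaging app saw it.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (assumption, not a real app): a "free game" that
# requests SMS, boot and contact permissions and registers a receiver for
# incoming SMS at the highest possible priority.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.freegame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Free Game">
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Illustrative mapping from the report's behaviour categories to the
# permissions needed to carry them out (assumption: a hand-picked subset,
# not an exhaustive signature set).
BEHAVIOUR_PERMISSIONS = {
    "sms_sending": {"android.permission.SEND_SMS"},
    "banking_fraud": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "location_tracking": {"android.permission.ACCESS_FINE_LOCATION",
                          "android.permission.RECORD_AUDIO",
                          "android.permission.CAMERA"},
    "data_stealing": {"android.permission.READ_CONTACTS",
                      "android.permission.READ_EXTERNAL_STORAGE"},
    "app_downloading": {"android.permission.INSTALL_PACKAGES"},
}

SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
# Receivers above this priority run ahead of the stock messaging app
# (assumption: threshold chosen for illustration).
SUSPICIOUS_PRIORITY = 1000


def parse_manifest(xml_text):
    """Return (package, requested permissions, [(action, priority), ...])."""
    root = ET.fromstring(xml_text)
    package = root.get("package")
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    filters = []
    for receiver in root.iter("receiver"):
        for flt in receiver.iter("intent-filter"):
            priority = int(flt.get(ANDROID_NS + "priority", "0"))
            for action in flt.iter("action"):
                filters.append((action.get(ANDROID_NS + "name"), priority))
    return package, perms, filters


def triage(xml_text):
    """Map a manifest onto the behaviour categories and flag SMS diversion."""
    package, perms, filters = parse_manifest(xml_text)
    behaviours = {name for name, needed in BEHAVIOUR_PERMISSIONS.items()
                  if perms & needed}
    # Pre-KitKat SMS divert: a high-priority SMS_RECEIVED receiver sees the
    # message first and can abort the broadcast so the user never does.
    sms_divert = any(action == SMS_RECEIVED and priority >= SUSPICIOUS_PRIORITY
                     for action, priority in filters)
    if sms_divert:
        behaviours.add("sms_intercept")
    return {"package": package, "permissions": sorted(perms),
            "behaviours": sorted(behaviours), "sms_divert": sms_divert}


if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```

Run against the sample, the script reports sms_sending, banking_fraud, data_stealing and sms_intercept for com.example.freegame. Permissions alone produce false positives (a legitimate messaging app needs the same SMS permissions), so in practice this is a prioritisation step ahead of code analysis, not a verdict.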
With 99 percent of the new threats that emerged in Q1 2014 designed to run on the Android operating system (OS), it is not surprising that most of the interesting technical developments in mobile malware involved this platform. Here are a few noteworthy advances seen in Android malware in the last few months.
Windows Trojan hops on Android: A banking Trojan named Droidpak that targets Windows PCs also tries to install a mobile banking Trojan on any Android device connected via USB to the infected machine. Because the install goes through the phone’s USB debugging interface, only devices with USB debugging enabled are exposed. Depending on the variant, the mobile banking Trojan was detected as Trojan-Spy:Android/Smforw.H or Trojan:Android/Gepew.A or .B.
First Tor Trojan: Trojan:Android/Torsm.A is the first Trojan on this platform to leverage the open-source Orbot client for the Tor anonymizing network to communicate with its C&C server. Because the server is reachable only as a Tor hidden service, its real location is concealed, making it difficult (if not impossible) for researchers and law enforcement to track and shut it down.
First cryptominer: Trojan:Android/CoinMiner.A is distributed inside a repackaged application. Once installed, it hijacks the device to silently mine virtual currency (such as Litecoin) for the malware author. Apart from any data charges incurred, the constant load on the device’s hardware drains the battery and, over time, may shorten the hardware’s lifespan.
More Android threats
First bootkit: Trojan:Android/Oldboot.A is believed to be Android’s first bootkit, or malware that inserts itself into the earliest stages of the device’s bootup routine, making it extremely difficult to detect or remove; because it lives in the boot partition rather than in the app or data partitions, a factory reset does not clear it. The malware is thought to have spread in modified firmware updates, with most infections reportedly seen in China.
Pileup exploit: Researchers reported vulnerabilities in the Android OS (collectively called Pileup flaws) that allow an already installed app to silently gain permissions during a system update (essentially, “privilege escalation through updating”). The core trick is that an app can request a permission that does not yet exist in the installed Android release; the installer ignores the unknown name, but when the next OS update defines that permission, the update grants it to the app automatically, without any prompt to the user.
Dendroid toolkit: Backdoor:Android/Dendroid.A is a toolkit for building Remote Access Trojans (RATs): an attacker uses it to generate Trojans that can remotely access an infected device’s audio and video functions. The toolkit was also advertised as producing Trojans that could slip past the Google Play Store’s security checks.
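To make the Pileup mechanism concrete, here is an added Python model (not the researchers’ code, nor F-Secure’s) of the install-time permission logic that Pileup abuses: a permission unknown to the installed release is dropped at install time, then granted silently when an update defines it. The per-release permission table is a constructed five-entry subset, and the model assumes the pre-Android 6.0 install-time grant model that was current in Q1 2014.

```python
# Constructed per-release table: permission -> API level that introduced it.
# Assumption: an illustrative five-entry subset, not the real platform list.
PLATFORM_PERMISSIONS = {
    "android.permission.INTERNET": 1,
    "android.permission.SEND_SMS": 1,
    "android.permission.READ_CONTACTS": 1,
    "android.permission.READ_CALL_LOG": 16,   # split out of READ_CONTACTS in 4.1
    "android.permission.BODY_SENSORS": 20,
}


def defined_permissions(api_level):
    """Permissions the platform at this API level knows about."""
    return {p for p, since in PLATFORM_PERMISSIONS.items() if since <= api_level}


def grant_at_install(requested, api_level):
    """Pre-6.0 install-time model: everything the platform defines is granted
    once the user accepts the permission list; names the platform does not
    recognise are silently dropped rather than rejected."""
    return set(requested) & defined_permissions(api_level)


def grant_at_upgrade(requested, new_api_level):
    """On a system update the manifest is re-evaluated against the new release
    and every permission it now defines is granted, with no new prompt."""
    return set(requested) & defined_permissions(new_api_level)


def pileup_delta(requested, old_api_level, new_api_level):
    """Permissions the app gains from the update alone."""
    return (grant_at_upgrade(requested, new_api_level)
            - grant_at_install(requested, old_api_level))


def flag_predeclared(requested, api_level):
    """Scanner check: requested permissions this release does not define."""
    return set(requested) - defined_permissions(api_level)


if __name__ == "__main__":
    # A constructed sample app that pre-declares two future permissions.
    requested = ["android.permission.INTERNET",
                 "android.permission.READ_CALL_LOG",
                 "android.permission.BODY_SENSORS"]
    print("granted on API 15:", sorted(grant_at_install(requested, 15)))
    print("gained by 15->19 update:", sorted(pileup_delta(requested, 15, 19)))
    print("gained by 15->21 update:", sorted(pileup_delta(requested, 15, 21)))
    print("flagged on API 15:", sorted(flag_predeclared(requested, 15)))
```

flag_predeclared() is the check an app store or device-management scanner would run before an update rolls out: a requested permission that the current platform does not define deserves a second look, since apps built for forward compatibility occasionally do this legitimately but it is also exactly the signature of a pre-declaration attempt.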
On iPhone & Symbian
Though most malware authors concentrated on creating new apps that run on Android, a few unusual souls apparently also tried their hand at making new malware for the iPhone and Symbian platforms. These two threats were the only new, non-Android malware we saw in Q1 2014.
Trojan:iPhoneOS/Adthief.A: A security researcher first reported finding a suspicious library bundled with a popular framework for app development. When installed and run on a jailbroken iPhone, the malware hooks the advertising modules of installed apps and replaces their advertisements with its own, so that the advertising revenue goes to the attacker instead of the app’s developer. iPhones that have not been jailbroken are not affected.
Trojan:Symbos/SMSjeg.B: Though this Trojan is unusual for appearing on Symbian at a time when most malware development is focused on other, more booming operating systems, the Trojan itself is unremarkable. When active, it silently sends SMS messages.