Editor’s Note: Welcome to our weekly Reality Check column. We’ve gathered a group of visionaries and veterans in the mobile industry to give their insights into the marketplace.
While mobile malware grew substantially in 2011, most of the attacks lacked sophistication and the ability to make money for cyber-criminals. But there is little doubt that mobile attacks will continue to evolve – especially for the Android platform – as smartphones are too promising a target for cyber-criminals to ignore.
It is easy to see the parallels between what we are seeing now and the early days of malware on Windows PCs: the dominant operating system is the one being targeted, and the first attacks are more mischievous than profitable. Hopefully, we have learned from our past and will not let history repeat itself with mobile devices.
Was 2011 the year of mobile malware?
While there has been a lot of hype about mobile malware in the past few months, it’s important that we look at some real data to see if there really is a problem that needs to be addressed.
Kindsight Security Labs detected a significant increase in Android infections during 2011, in line with the numbers reported by other security vendors. Between early September and late November 2011 alone, we measured a four-fold increase in the number of infected devices.
But does this make 2011 the year of mobile malware? While there is obviously growth in the number of infections, it is still early days. These infections represent only 0.1 percent (1 in 1,000) of Android devices, which is small compared with the 15% to 20% infection rates that Kindsight Security Labs detects in home networks. Regardless, mobile malware is growing.
The key right now is to be aware of the problem and take steps to fix it before it becomes more widespread. To do this, it’s important to understand how devices are getting infected and what the attacks are trying to do to devices and user information.
It starts with a malicious app
Today, the most common distribution mechanism for cyber-criminals is to repackage a pirated copy of a popular application with a Trojan inside it. The Trojan is then downloaded and installed by an unsuspecting user along with the app, since it ships with all of the app's original functionality. Trojanized apps have been distributed on both the Android Market and third-party app sites.
Google recently announced its new “Bouncer” service, which scans apps uploaded to the Android Market for malware, but reported only a 40% decrease in potentially malicious downloads – meaning that there is still a problem. Most third-party app sites are not nearly as diligent in identifying malicious apps, and they may remain the main distribution mechanism, and the main source of Android infections, for some time.
So far mobile malware makes little attempt to conceal itself and can easily be removed by uninstalling the infected app. However, some samples show a higher degree of sophistication and are not so easy to remove.
We have seen malware that attempts to “root” the phone, make hidden copies of itself in “system” directories, install executable binary files, change system file access permissions and/or delete other applications. Once that has happened, uninstalling the app no longer cleans the device: a factory reset wipes the data partition but leaves the system partition untouched, so the hidden copy survives and the firmware has to be reflashed. Although these techniques are not yet common, they are relatively simple to implement and will be more widespread in the next generation of malware.
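One way to check a device for the persistence techniques just described, as an added example rather than Kindsight's own tooling: the Python below parses a listing in the format Android's toolbox ls -l prints (what adb shell ls -l /system/bin /system/xbin /system/app returns) and flags an su binary, unexpected set-uid or set-gid bits, world-writable files, hidden file names and files stamped after the firmware build date. The listing, the build date and the run-as allowlist entry are constructed assumptions for the example; on a real device the allowlist should be taken from a known-good image of the same build.

```python
import re

# One toolbox `ls -l` entry: mode, owner, group, optional size (directories print
# none), date, time, name.
ENTRY_RE = re.compile(
    r"^(?P<mode>[-dl][rwxsStT-]{9})\s+(?P<user>\S+)\s+(?P<group>\S+)\s+"
    r"(?:(?P<size>\d+)\s+)?(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2})\s+(?P<name>.+)$"
)

# Constructed listing for a hypothetical device whose firmware was built on 2011-03-01.
# Everything dated 2011-11-20 was dropped later by a rooting Trojan in this scenario.
SAMPLE_LISTING = """\
/system/bin:
-rwxr-xr-x root     shell       84276 2011-03-01 12:00 app_process
-rwsr-xr-x root     shell        9348 2011-03-01 12:00 run-as
-rwsr-sr-x root     root        26248 2011-11-20 03:14 su
-rwxr-xr-x root     shell      174620 2011-03-01 12:00 toolbox

/system/xbin:
-rwxr-xr-x root     shell        5520 2011-03-01 12:00 dexdump
-rwxrwxrwx root     shell       12640 2011-11-20 03:14 .hidden_loader

/system/app:
-rw-r--r-- root     root      3119204 2011-03-01 12:00 Browser.apk
-rw-rw-rw- root     root       218434 2011-11-20 03:14 UpdateService.apk
"""

BUILD_DATE = "2011-03-01"  # assumed build date of the firmware in the scenario

# Set-uid binaries that a stock build legitimately carries.  Example allowlist only:
# derive the real one from a known-good image of the same firmware build.
SETID_ALLOWLIST = frozenset({"/system/bin/run-as"})


def parse_listing(text):
    """Return (path, mode, date) for each file entry, following the directory headers."""
    cwd, entries = "", []
    for line in text.splitlines():
        if line.startswith("/") and line.endswith(":"):
            cwd = line[:-1]
            continue
        m = ENTRY_RE.match(line)
        if m and not m.group("mode").startswith("d"):
            entries.append((cwd + "/" + m.group("name"), m.group("mode"), m.group("date")))
    return entries


def persistence_indicators(text, build_date=BUILD_DATE, allowlist=SETID_ALLOWLIST):
    """Tag the indicators of a rooted, tampered /system described in the column."""
    findings = []
    for path, mode, date in parse_listing(text):
        name = path.rsplit("/", 1)[-1]
        # Consumer builds do not ship an su binary; its presence means the phone is rooted.
        if name == "su" and path.startswith(("/system/bin/", "/system/xbin/")):
            findings.append("su-binary:" + path)
        # mode[3] is the owner execute bit, mode[6] the group execute bit; 's' or 'S'
        # there means set-uid / set-gid, i.e. the file runs with elevated privilege.
        if (mode[3] in "sS" or mode[6] in "sS") and path not in allowlist:
            findings.append("unexpected-setid:" + path)
        # mode[8] is the "other" write bit: /system is normally read-only for everyone.
        if mode[8] == "w":
            findings.append("world-writable:" + path)
        # Files in /system carry the build timestamp; anything newer was added afterwards.
        if date > build_date:
            findings.append("post-build:" + path)
        if name.startswith("."):
            findings.append("hidden-name:" + path)
    return findings


if __name__ == "__main__":
    for finding in persistence_indicators(SAMPLE_LISTING):
        print(finding)
```

The timestamp check is the cheapest of these and the easiest for malware to defeat (a rooted process can touch its files to the build date), so treat it as corroboration for the permission and su checks rather than as evidence on its own.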
Expect the attacks to evolve
So far, profiting from mobile malware is not as easy as it is in the established underground economy of the PC market. However, it is likely just a matter of time before a similar economy is established for mobile devices. Sending messages to premium-rate SMS numbers without the user's knowledge is a major moneymaker and quite common in malware targeted at the Chinese and Russian markets.
Often mobile malware will steal contact lists or send SMS messages directly to the contacts it finds, which may be the beginning of an SMS spam problem that could rival the email spam we see today. We have seen malware that intercepts incoming SMS messages and forwards their content to the command-and-control server. This has an obvious application when combined with banking Trojans like “Zeus” and “SpyEye”: stealing the one-time banking codes (mTANs) that banks transmit via SMS to confirm a transaction.
So far the existing malware command-and-control strategies lack sophistication. Typically the IP address or domain name of the C&C server is hard-coded in the malware, so the malware becomes inoperable once that one server is taken down.
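The behaviours in the last three paragraphs (premium SMS, spam to the contact list, SMS interception and a hard-coded C&C address) can all be spotted statically, before the app is ever run. The Python below is an added example written for this column, not Kindsight's tooling: it reads a constructed AndroidManifest.xml of the kind apktool decodes, plus a constructed list of printable strings pulled from classes.dex, and tags the suspicious combinations. The package and receiver names, the 203.0.113.45 address and cnc.example.net are placeholders, and the receiver priority threshold of 1000 is a heuristic chosen here.

```python
import re
import xml.etree.ElementTree as ET

# Android's XML namespace for manifest attributes (android:name, android:priority, ...).
A = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest for a hypothetical trojanized wallpaper app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpaper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Wallpapers">
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed sample of strings as `strings classes.dex` might print them.
# 203.0.113.45 and cnc.example.net are reserved documentation names, not real hosts.
SAMPLE_STRINGS = [
    "Lcom/example/wallpaper/SmsReceiver;",
    "abortBroadcast",
    "sendTextMessage",
    "http://203.0.113.45/gw/report.php",
    "http://cnc.example.net/cmd",
    "android.provider.Telephony.SMS_RECEIVED",
]

URL_RE = re.compile(r"https?://[\w.\-]+(?::\d+)?(?:/[^\s\"']*)?")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def permissions(manifest_xml):
    """Set of requested permissions, without the android.permission. prefix."""
    root = ET.fromstring(manifest_xml)
    return {p.get(A + "name").rsplit(".", 1)[-1] for p in root.iter("uses-permission")}


def sms_receivers(manifest_xml):
    """(receiver name, intent-filter priority) for every SMS_RECEIVED listener."""
    root = ET.fromstring(manifest_xml)
    found = []
    for rcv in root.iter("receiver"):
        for flt in rcv.findall("intent-filter"):
            actions = {a.get(A + "name") for a in flt.findall("action")}
            if "android.provider.Telephony.SMS_RECEIVED" in actions:
                found.append((rcv.get(A + "name"), int(flt.get(A + "priority", "0"))))
    return found


def hardcoded_endpoints(strings):
    """URLs and bare IPv4 literals embedded in the code: candidate hard-coded C&C."""
    found = set()
    for s in strings:
        found.update(URL_RE.findall(s))
        # Scan for bare IPs only after removing URLs, so one host is not reported twice.
        found.update(IPV4_RE.findall(URL_RE.sub("", s)))
    return sorted(found)


def triage(manifest_xml, strings):
    """Return short finding tags for the behaviours discussed in the column."""
    perms = permissions(manifest_xml)
    findings = []
    if "SEND_SMS" in perms:
        findings.append("send-sms")                 # premium-SMS fraud capability
    if {"SEND_SMS", "READ_CONTACTS"} <= perms:
        findings.append("sms-spam-to-contacts")
    # Before Android 4.4, SMS_RECEIVED was an ordered broadcast: a receiver with a
    # higher priority than the messaging app sees the message first and can call
    # abortBroadcast() so the user never sees it (the mTAN-theft pattern).
    for name, prio in sms_receivers(manifest_xml):
        if "RECEIVE_SMS" in perms and prio >= 1000:   # heuristic threshold
            findings.append("high-priority-sms-intercept:%s" % name)
            if "abortBroadcast" in strings:
                findings.append("sms-suppression")
    if "RECEIVE_BOOT_COMPLETED" in perms:
        findings.append("starts-at-boot")           # persistence across reboot
    endpoints = hardcoded_endpoints(strings)
    if "INTERNET" in perms and endpoints:
        findings.append("hardcoded-c2:%s" % ",".join(endpoints))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_MANIFEST, SAMPLE_STRINGS):
        print(finding)
```

None of these tags is proof on its own (a legitimate messaging app also asks for RECEIVE_SMS and SEND_SMS); the point is the combination, and the hard-coded endpoints are exactly what a network-side detector or a takedown request needs.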
However, if we look at the development of PC-based malware, we can expect similar technologies to emerge on the mobile front: rootkit technology will be used to conceal the malware; C&C protocols will become more robust; and the malware will disable security features on the mobile device and protect itself from removal. Mobile malware builder kits will also become available, making it easier to create and deploy malicious apps.
There is little doubt that monetization through premium SMS messages will spread to North America, and that SMS spam, browser hijacking, ad-click fraud, spyware and fake apps will join it as vectors for stealing money or identities.
In 2009, we saw the “IKEE” worm spread between jail-broken iPhones by logging in over SSH, using the well-known default root password on phones whose owners had installed an SSH server and never changed it. Exposed network services, whether through default credentials or software vulnerabilities, can and will allow phone-to-phone infection over the Internet connection. Malware that spreads directly from phone to phone will likely appear on Android devices in 2012.
Will mobile malware be a major problem in the future?
Growth in mobile malware definitely took place in 2011 but it was not as threatening as the numbers may initially indicate since the malware lacked sophistication. This growth was clearly in the early stages and it will probably take a few years before it becomes as problematic as we experience on the PC platform. But there is little doubt that malware will continue to evolve and that new techniques will be explored that have the potential to do real damage and start a similar underground market to what we see on the PC side today.
Kevin McNamee is security architect and director of Kindsight Security Labs. With over 30 years of security and networking experience, Kevin was director of security research at Bell Labs and also held security development and design roles at TimeStep, Milkyway Networks, Newbridge Networks and Alcatel-Lucent.