The State of Mobile Malware
There is no doubt that mobile malware has been in the news a lot recently, and most of the headlines make it sound like a significant and ever-growing problem. But recently, some have called into question whether the problem is as big as some would lead us to believe, or whether it is just a lot of hype.
What does seem to be without dispute is that the majority of mobile malware targets devices based on the Android platform. While it’s possible to infect other smartphones, the openness and growing market share of Android devices make it the ideal target.
Is Mobile Malware a Problem?
The best place to explore the state of mobile malware is to look at what the data says about the problem. Our security labs reported a significant increase of 400 percent in Android infections detected in service provider networks over three months (early September to late November 2011) alone, as shown below.
Even though this growth rate of Android infections is impressive, it needs to be looked at as a percentage of infected devices since the growth rate of smartphones is also impressive. At this point in time, the infection rate is less than 0.1 percent, which is relatively small compared with the 10-14 percent of home networks with malware detected on a typical day, but still an issue nonetheless.
How Mobile Devices are Infected
So far, the most common mechanism to distribute malware for mobile devices is to conceal the malware as a Trojan inside of a pirated application. The Trojan is then downloaded and installed by the unsuspecting user. These malicious apps have been distributed both on a trusted marketplace and third-party app sites.
While many have been removed quickly from the Android Market, third-party app sites are not quite as diligent. Even after this malware is taken down, cybercriminals can either Trojanize a new app or change the malware slightly and repost it. For now, this is an arms race between the cybercriminals and the marketplaces that has no signs of slowing down.
There have not been any reports of Android malware that spreads directly from phone to phone, although the IKEE worm (2009) used SSH to spread between jailbroken iPhones. Despite the fact that mobile phones are not as vulnerable to network exploits as the personal computer platform, it is inevitable that vulnerabilities that can be exploited directly from the network will appear.
For the most part, the malware makes no attempt to conceal itself and can be detected by some mobile antivirus applications and easily removed by uninstalling the infected app. However, some samples show a higher degree of sophistication and can go undetected or are not so easy to remove. It appears as if these are tests or beta versions, which may evolve into more sophisticated attempts in the future.
It is definitely possible to create malware that can "root" the phone using a variety of exploits, make hidden copies of itself in "system" directories, install executable binary files, change system file access permissions and/or delete other applications. Although these techniques are not yet common, they are relatively simple to implement and will be more widespread in the next generation of malware.
What the Malware Does
One of the reasons that mobile malware is not growing even faster is that the samples so far do not seem to be making the malware author any significant amount of money. Many of the samples simply send information about the phone to the command and control (C&C) server, with no clear indication of how this information would be useful to the attacker.
Often mobile malware will steal contact lists or send SMS messages directly to contact lists. This may be the beginning of an SMS spam market that will rival the traditional e-mail spam we've faced for the past decade. Of course, whether this SMS spam will be lucrative enough needs to be figured out by the cybercriminals.
Other samples intercept SMS messages and forward the content to the C&C server, which has an obvious application when combined with banking Trojans like Zeus and SpyEye: stealing one-time banking credentials transmitted via SMS. This would require a sophisticated infrastructure that coordinates the attack on the same subscriber across both fixed and mobile networks, but the payoff could be huge.
One issue that stands in the way of such attacks is the lack of sophistication in the malware's C&C strategy. Typically the IP address or domain name of the C&C server is hard-coded in the malware, so it becomes inoperable once that C&C server is taken down. The C&C server address would need to be dynamically updatable for these attacks to be more successful.
For now, profiting from mobile malware does not appear to be as easy as in the established cybercrime underground that has developed around the Windows platform. Premium SMS messages are a major moneymaker, and they are quite common in malware targeted at the Chinese and Russian markets. However, it is likely just a matter of time before this method and others become established.
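The SMS behaviours described above (contact-list spam, interception of incoming SMS forwarded to a C&C server, premium SMS) leave a footprint in an app's manifest. The following triage script is an added example, not code from the article or from Kindsight; the manifest it parses is constructed for illustration and does not correspond to any real sample.

```python
"""Triage an AndroidManifest.xml for the capability combinations the article
describes: SMS interception plus a network channel, SEND_SMS (premium SMS or
SMS spam), and contact access combined with SEND_SMS."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Constructed manifest for a hypothetical trojanized app (not a real sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

def permissions(root):
    """Set of permission names declared with <uses-permission>."""
    return {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}

def high_priority_sms_receiver(root):
    """True if a receiver registers for SMS_RECEIVED with a very high priority,
    i.e. it is positioned to see incoming SMS before the user's messaging app."""
    for f in root.iter("intent-filter"):
        prio = int(f.get(ANDROID_NS + "priority", "0"))
        actions = {a.get(ANDROID_NS + "name") for a in f.iter("action")}
        if SMS_RECEIVED in actions and prio >= 1000:
            return True
    return False

def triage(manifest_xml):
    """Return a list of finding tags for the manifest, in fixed order."""
    root = ET.fromstring(manifest_xml)
    perms = permissions(root)
    findings = []
    if {"android.permission.RECEIVE_SMS", "android.permission.INTERNET"} <= perms:
        findings.append("sms-intercept-with-network")   # SMS can be forwarded out
    if high_priority_sms_receiver(root):
        findings.append("high-priority-sms-receiver")
    if "android.permission.SEND_SMS" in perms:
        findings.append("send-sms")                     # premium SMS / SMS spam
    if {"android.permission.READ_CONTACTS", "android.permission.SEND_SMS"} <= perms:
        findings.append("contacts-plus-send-sms")       # spam to the contact list
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```

A flashlight app that needs none of these capabilities and declares all of them is exactly the kind of pirated, repackaged app the article describes; the tags are a triage signal for further analysis, not proof of malice on their own.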
The Future of Mobile Malware
Several reports, including findings from our security labs, have shown a substantial growth in Android malware during 2011. However, this growth is in its early stages and we probably have a few years before it becomes as problematic as we experience on the Windows platform. The malware is not very sophisticated so far but the techniques that have been explored have potential.
With the rapid increase in smartphone adoption, there is little doubt that the investments in infrastructure and more sophisticated malware will happen.
Cybercriminals have too much to gain to ignore this large and growing segment of the market. In particular, future mobile malware will definitely focus on making money from these attacks and making it easier to update the malicious app so it can evade mobile antivirus products and dynamically update its C&C server.
Kevin McNamee is security architect and director at Kindsight Security Labs.