December 13, 2011

Malwarenomics: 2012 Mobile Threat Predictions

In the past, malware developers have concentrated on over 1 billion PCs in the world. However, as the number of mobile users has skyrocketed, smartphones have become an attractive target for malware producers. There are three motivations for malicious activity — fame, fortune and politics. We will see maturation in all areas, but we expect fortune-seekers to really come into their own in 2012.

Like any business, malware writers are continually inventing new ways to expand their reach and profit. The potential “addressable market” is enormous: while the electric grid serves 80% of the global population, the wireless grid already reaches 85% of individuals worldwide (Mary Meeker 2011 Internet Trends Presentation). In addition to size and growth, the market also has an attractive attribute that can make fraud simpler to conduct: a built-in payment mechanism.

Likelihood of Encountering Mobile Threats

2011 has seen the emergence of a credible field of Android malware. We now measure a 4% yearly likelihood that an Android user will encounter malware, up from the 1% yearly likelihood we measured at the beginning of 2011. In total, we have identified more than 1,000 instances of infected applications, double the number we had identified at the beginning of July 2011.

Because Web-based threats such as phishing carry over from the PC largely unchanged, the likelihood of encountering them is higher than that of malware, which has to be rewritten for mobile devices. The global yearly likelihood of an Android user clicking on an unsafe link is 36% (6% higher than July 2011). In the United States the likelihood is higher than the global average, at 40%.

Mobile Malware Industry Drivers

The factors that drive the mobile malware industry are:

  • Profit from infection: how much money the industry can extract from an infected device.
  • Cost of infection: how cheap or expensive it is to produce malware and distribute it to devices.

When mobile malware producers are able to steadily increase profits from infections more than they pay to infect devices, the industry will grow rapidly. There are a number of trends seen in 2011 that we expect to carry over into 2012 (perhaps at a greater rate) that will drive down the cost of infection and drive up profitability.

Profit from infection: New Methods of Malware Monetization

With more powerful and feature rich smartphones come increasingly complex schemes to exploit the many new apps and services that we enjoy:

1. Mobile pickpocketing (SMS/call fraud). Because many mobile devices now have the ability to charge your phone bill via SMS billing and phone calls, malware has begun using these mechanisms to steal directly from user accounts. With mobile phones, money is just a click away through carrier billing fraud, and we expect more malware to exploit this efficiency. For the bad guys, this is a dramatic improvement over PC-based malware, where a hacker has to first steal bank or credit card credentials and then find a way to access the accounts. GGTracker, discovered in June, was the first example of this targeting U.S. users. Mobile threats, including GGTracker, have stolen an estimated one million dollars from users in 2011.

In the past few weeks we’ve seen a burst of mobile pickpocketing activity. Last week there were several waves of a new threat, RuFraud, posted to the official Android Market targeting users in multiple European countries. The initial batch of malicious applications appeared as horoscope apps with a fairly hidden ToS indicating charges. Lookout notified Google of 9 identical malicious applications that appeared as wallpaper apps for popular movies and downloaders for popular games such as Angry Birds. Google responded quickly and pulled these apps from the Android Market. Overnight, the fraudsters again posted 13 new supposed downloaders to the Android Market; it appears that there were upwards of 14,000 downloads of these apps.  Google responded to reports from Lookout and others by pulling these apps from the Market. We are seeing this type of malware affect mobile users worldwide and we expect this trend to continue into 2012.
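The behaviour described in this section, an app that sends a premium-rate text and keeps the user from noticing the resulting charge, leaves a recognisable footprint in the app's manifest. What follows is an added example, not Lookout's code or any detection used in the original post: a Python triage script that flags a decoded AndroidManifest.xml requesting SEND_SMS together with a high-priority receiver for SMS_RECEIVED, the combination premium-SMS trojans use to send the subscription text and then swallow the carrier's billing confirmation before the user sees it. The two sample manifests, their package and class names, and the priority cutoff are constructed assumptions for this example; the manifest is assumed to have already been decoded to plain XML (for instance with apktool).

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
# Receivers registered at or above this priority run ahead of the stock
# messaging app and can abortBroadcast() to hide an incoming SMS. The cutoff
# is an assumption for this example, not a platform constant.
HIGH_PRIORITY = 1000

# Constructed sample manifests (not taken from any real app); package names
# and class names are invented for this example.
SUSPECT_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.horoscope">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="Daily Horoscope">
    <activity android:name=".MainActivity"/>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpaper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Movie Wallpapers">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""


def _android(attr):
    """Return the namespaced attribute key for android:<attr>."""
    return "{%s}%s" % (ANDROID_NS, attr)


def triage_manifest(xml_text):
    """Return the premium-SMS indicators found in a decoded manifest and a verdict."""
    root = ET.fromstring(xml_text)
    perms = {e.get(_android("name")) for e in root.iter("uses-permission")}

    findings = []
    if "android.permission.SEND_SMS" in perms:
        findings.append("requests SEND_SMS")
    if "android.permission.RECEIVE_SMS" in perms:
        findings.append("requests RECEIVE_SMS")

    # Highest priority of any receiver that listens for incoming SMS.
    sms_priority = None
    for receiver in root.iter("receiver"):
        for flt in receiver.findall("intent-filter"):
            actions = {act.get(_android("name")) for act in flt.findall("action")}
            if SMS_RECEIVED in actions:
                prio = int(flt.get(_android("priority"), "0"))
                if sms_priority is None or prio > sms_priority:
                    sms_priority = prio
    if sms_priority is not None:
        findings.append("SMS_RECEIVED receiver at priority %d" % sms_priority)

    can_send = "android.permission.SEND_SMS" in perms
    can_hide = sms_priority is not None and sms_priority >= HIGH_PRIORITY
    if can_send and can_hide:
        verdict = "premium-sms-suspect"   # can send a text and hide the reply
    elif can_send or sms_priority is not None:
        verdict = "review"                # SMS capability, but not the full pattern
    else:
        verdict = "no-sms-indicators"
    return {"package": root.get("package"), "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    for manifest in (SUSPECT_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(manifest))
```

A "review" verdict is deliberately broad: legitimate messaging apps also request SEND_SMS, so the check is a triage filter to route apps to a human or to dynamic analysis, not a conviction on its own.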

2. Botnets Come to Life. Many past instances of malware have secretly enrolled thousands of mobile devices into extensive botnet-like networks; DroidDream and Geinimi are examples of this. People don't know their phones are connected, but these systems (networks of infected computing devices that all report to the same third-party server) can be activated at any time. By combining the power and data in all of these devices, these hidden computing networks have the capacity to do a lot, but very little of that capacity has yet been used at scale.

More than 10 new families of botnet-like systems were discovered in 2011, and we expect the number to grow in 2012, as well as the number of individual devices connected into both new and existing networks. Perhaps more importantly, we expect in 2012 malware writers will start activating the networks to distribute spam, steal private info, and install other malware. Users can prevent their phones from being part of a botnet by installing security software that identifies malware on their devices and by being careful to download only apps from trusted sources.

3. Vulnerable phones. Any complex software system is bound to have security vulnerabilities, and mobile device operating systems are no exception. In fact, a number of vulnerabilities have been exploited on both Android and iOS devices. The DroidDream malware that emerged in the Android Market in the first quarter of 2011 actually used two Android privilege escalation vulnerabilities (the exploid and RageAgainstTheCage exploits) to gain root on infected devices.

This risk is compounded today because it is much more difficult to update software on mobile phones than it is to update PCs. In fact, at any given time, most Android devices have at least one significant vulnerability. Manufacturers, OS providers and carriers need to continue to work together and drive down the time it takes to patch phones, and until they do, we expect this trend to continue.

Cost of infection: Innovation in Malware Distribution

Unfortunately, the same pace of innovation that brings us an amazing new mobile device every month also exists among the bad guys. As security software developers and app stores make it more difficult for malware developers to deploy malicious apps, would-be thieves will use new methods to target mobile users directly.

4. Automated Repackaging. Malware writers have had a lot of success infecting users with repackaged versions of legitimate applications. Because this is a game of numbers, we expect malware writers to develop tools that automatically repackage apps with malware and upload them to the market. We have already seen a few instances where several infected apps were packaged by the same developer within a matter of seconds, quicker than anyone could do manually. We expect malware writers to continue developing methods like this to achieve faster and broader distribution.
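The tell mentioned above, several apps from one developer account appearing within seconds of each other, can be turned into a simple market-side check. The following is an added example, not Lookout's or Google's code: a Python sliding-window detector over app-store upload records that flags any developer account publishing at least min_apps packages inside a window_seconds interval. The upload log, account names and package names are constructed for the example, and the thresholds are assumptions to be tuned against real submission volumes.

```python
from collections import defaultdict
from datetime import datetime

# Constructed upload log: (developer_account, package_name, upload_time in UTC).
# Accounts and packages are invented for this example; none refer to real apps.
SAMPLE_UPLOADS = [
    ("dev-alpha", "com.example.birds.downloader", "2011-12-11T02:14:05"),
    ("dev-alpha", "com.example.rope.downloader",  "2011-12-11T02:14:09"),
    ("dev-alpha", "com.example.ninja.downloader", "2011-12-11T02:14:12"),
    ("dev-alpha", "com.example.racer.downloader", "2011-12-11T02:14:20"),
    ("dev-beta",  "com.example.notes",            "2011-12-11T03:00:00"),
    ("dev-beta",  "com.example.notes.pro",        "2011-12-12T03:00:00"),
    ("dev-gamma", "com.example.flashlight",       "2011-12-11T09:30:00"),
]


def find_upload_bursts(uploads, min_apps=3, window_seconds=60):
    """Flag developer accounts that publish min_apps or more packages
    within any interval of window_seconds.

    Returns {developer: [packages in the largest burst found]}.
    """
    by_dev = defaultdict(list)
    for dev, pkg, ts in uploads:
        by_dev[dev].append((datetime.fromisoformat(ts), pkg))

    bursts = {}
    for dev, items in by_dev.items():
        items.sort()  # chronological order per account
        start = 0
        for end in range(len(items)):
            # Advance the window start until the window spans <= window_seconds.
            while (items[end][0] - items[start][0]).total_seconds() > window_seconds:
                start += 1
            packages = [pkg for _, pkg in items[start:end + 1]]
            if len(packages) >= min_apps and len(packages) > len(bursts.get(dev, [])):
                bursts[dev] = packages
    return bursts


if __name__ == "__main__":
    for dev, packages in find_upload_bursts(SAMPLE_UPLOADS).items():
        print("%s published %d apps within %d seconds: %s"
              % (dev, len(packages), 60, ", ".join(packages)))
```

The window is per account, so a developer who legitimately ships many apps over weeks is not flagged; a burst is only the first signal, and flagged submissions still need the apps themselves inspected (for example with the manifest check above) before anything is pulled.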

5. Malvertising. Bad guys will do anything to get people to install their software; they will even use in-app advertisements to increase their reach. We've seen an increase in malvertising: genuine-looking advertisements that link back to fraudulent sites. Given how effective this method has been with recent Trojans like GGTracker, we expect other malware writers to try similar distribution tactics.

6. Browser attacks. Just as we have seen with PC-based threats, we expect more criminals will attempt mobile fraud through Web-based distribution like email, text messages and fraudulent websites. We expect to see a continued increase in mobile phishing attempts and messages linked to websites that automatically download malware on devices. All mobile devices can be affected by browser exploits. For example, users have been able to jailbreak their iOS devices (i.e., iPhone, iPad) by simply visiting a website. This website was clearly not malicious, but served as an important example of how easy it would be for malware writers to use the same technique for evil.

How to be an even smarter mobile user in 2012

From our 2011 research on mobile threats, we have identified some specific instances where you should use extra caution when downloading apps or clicking links on your phone:

  • Visiting third party app stores. Lookout found that malware writers often test malware in alternative app markets before trying to place it in the Android Market or App Store. When discovered, malware is usually pulled more quickly from these primary distributors than it is from alternative markets, so the likelihood of encountering malware on an alternative app store is dramatically higher.
  • Downloading gaming, utility and porn applications. Be careful to check reviews on these apps before you download. We found that these types of apps are most likely to have malware hidden inside of them.
  • Clicking on a shortened URL (e.g. bitly link) in an SMS message or on a social networking site. Users are three times more likely to click on a phishing link on their mobile device than they are on their PC (Trusteer 2011). Because we expect malware writers to increase web-based distribution, it’s time to start using extra caution when clicking on links on our mobile phones.
  • An app asks you to click “OK”. Don’t “auto pilot” through the prompts an app shows you in order to perform a certain function or deliver a service. Sometimes these apps are greyware, which hide in fine print that they will charge you via premium rate text messages.
  • Clicking on in-app advertisements. Not all advertisements are bad. In fact, most are okay. But some are examples of malvertising and could direct you to a malicious website, prompt you to download malware, or violate your privacy. When clicking on ads, you need to make sure that the ad directs to where you expect to be directed.

Bad guys will always follow the money, and with the meteoric growth of mobile devices there is more money to be made in mobile fraud than ever before. Easy distribution combined with efficient monetization will keep malware developers and perpetrators of Web-based fraud hard at work designing the next great mobile scam. The good news is that mobile technology gets savvier every day, and users can effectively protect themselves. Following a few simple usage tips, being careful about the links you click, keeping your device software up to date, and scanning for malware will go a long way toward protecting your privacy and shielding you from fraud in 2012.

  1. Vess says:

    How do you compute the probability of encountering malware? You would have to divide the number of downloads of malicious apps by the number of downloads of all apps (and multiply the result by 100, if you want to get the probability in percents). I find it very hard to believe that you would get a number as high as 4%, not to mention that it is practically impossible to get these numbers for all possible sources of apps.

  2. […] which monitors apps on Android, Blackberry, iOS and Windows Mobile devices, released its “Malwarenomics: 2012 Mobile Malware Predictions” report Tuesday night, which follows up on information gathered this year that revealed more […]

  3. Tesco says:

    Agreed! Easy distribution combined with efficient monetization will keep malware developers and perpetrators of Web-based fraud hard at work designing the next great mobile scam.

  4. […] from 4,781 cases in 2009 to 10,369 cases in 2010 and 22,600 cases in 2011. And according to Lookout, the likelihood of Americans encountering Android malware went from 1% in the beginning of 2011 to […]
