December 13, 2012

2013 Mobile Threat Predictions

Forecast for the year ahead in mobile malware distribution methods, profit-making schemes and privacy threats

The mobile era is underway, and 2013 will find people more dependent than ever on their mobile devices to control countless aspects of their personal, public and business lives. The possibilities of this trend are exciting, but heavy reliance and a trove of information on devices are enticing to attackers, putting people, businesses and their most sensitive data at risk.

In 2013, people will purchase more than 1.2 billion mobile devices, surpassing PCs as the most common internet access device in the world. Mobile platforms will continue to expand at breakneck speed, as people are forecast to download over 70 billion mobile apps in 2014.

2013 Prediction Highlights

  • Globally, we estimate 18 million Android users may encounter mobile malware from the beginning of 2012 to the end of 2013.[1]
  • Toll fraud will continue to dominate as the chosen monetization strategy for mobile malware writers.
  • Mobile spam will increase in volume, become a growing nuisance and turn into a new threat vector.
  • The use of surveillanceware (like FinFisher) for political espionage will increase.
  • Finding the right balance between protection and employee empowerment will be the business challenge of 2013.

Before diving into next year, let’s take a look back at 2012.

2012 Retrospective

  • Toll fraud, malware that charges money to a user’s mobile phone bill, matured as a significant application-based mobile threat. In 2012, 72 percent of Lookout’s malware detections were classified as toll fraud malware.
  • Privacy has become a major concern for smartphone users with a number of threats emerging on both Android and iOS.
  • Earlier this year, roughly 5 percent of the Android apps Lookout analyzed used an aggressive ad network—these apps accounted for over 80 million downloads.
  • Theft and physical attacks related to mobile devices are increasing as a greater number of people now carry one or more expensive phones and tablets.[2] We estimate that stolen and lost mobile phones cost US consumers $30 billion in 2012.[3]

2013 Likelihood of Encountering a Threat

Lookout’s State of Mobile Security 2012 report established a new methodology for measuring the likelihood of encountering mobile threats. Based on this new methodology, the global likelihood that a new Lookout user[4] encountered a mobile threat from June to October was 0.84 percent.


Figure 1: Global Mobile Malware Infection Rate – New Lookout Users

The likelihood that new Lookout users will encounter malware or spyware is heavily dependent on their geography and behavior, varying from 0.20 percent in Japan to 0.40 percent in the US and as high as 34.7 percent in Russia. This chart looks at country-based mobile malware and spyware infection rates of new Lookout users in October 2012.

Figure 2: Mobile Malware Infection Rate – New Lookout Users, October 2012

Each of these threats has been, and will continue to be, driven by financial, political and/or publicity motivations. Lookout’s team of security engineers and data researchers took a look at these trends and motivations from 2012 to offer insights into the evolution of the mobile threat space for 2013.

2013 Predictions

Toll Fraud Takes the Cake in 2013

Toll fraud will continue to dominate the 2013 mobile threat space, despite forward momentum on the platform to block these types of attacks. This is due to the following:

  • Systems Architecture: Premium SMS protections are only baked into the latest versions of Android (4.2 / Jelly Bean); the first devices are just now shipping with this firmware version, and will not significantly penetrate the market until late 2013.
  • Ease of Attack: Toll fraud will remain the easiest path to monetization for malware authors targeting the base of mobile consumers. It does not require significant technical sophistication, and it provides considerable ROI because the billing channel is already built into most mobile networks. A 2012 example, FakeInst, pretended to act as an installer for legitimate popular apps such as the Opera Browser (hence the names ‘OpFake’ and ‘Fakebrows’) or WhatsApp Messenger.

Spam Heats Up on Mobile

SMS-based spam will increase in volume across mobile networks in 2013. We recently observed a number of malicious applications, toll fraud-based and otherwise, such as ConnectSMS, actively collecting contact information from infected devices. It’s not a stretch to expect that malware writers will seek to monetize these datasets via spammers. It’s only a matter of time before malware writers send spam from within the network, using infected devices so that messages appear to come from inside, as they have on PCs in the past.

Mobile Banking/Payments Top of Mind But Have Little Payoff

Mobile banking has become mainstream, and mobile bank fraud remains an issue, predominantly for European users. The majority of mobile banking threats begin with PC-based malware and include a malicious mobile app that intercepts verification codes, known as mTANs, sent to customers’ devices via SMS. Standalone mobile banking fraud without a PC component is not yet prevalent. Because PC-based banking fraud is still a viable business model, we do not expect attackers to significantly change their ways in 2013.

Mobile payments are still in their early stages; currently no platform or technology dominates the market. Card-based fraud is simple and enjoys an ample payoff, suggesting that fraudsters may not have the motive to shift to mobile payments fraud yet. Attacks against mobile payment systems have been limited to academic proofs of concept, such as those against NFC, which are typical for an emerging technology. While McKinsey predicts that by 2013 almost 50 percent of consumers expect to use their mobile phones to access their financial accounts or process payments, this space will not reach the maturity needed to become a legitimate target in 2013.

Mobile Becomes Hotspot for Targeted Political Surveillance

In 2012, FinSpy provided the first evidence that mobile surveillanceware is actively being used to monitor political targets. Marketed to law enforcement personnel, FinSpy software was discovered targeting human rights activists in Bahrain. We expect to find more politically motivated targeted surveillanceware emerge in 2013.

Businesses Challenged with Employee Empowerment vs. Control

Finding the right balance between protection and employee empowerment will be the challenge of 2013. Over the past few years, there has been a surge in the Bring Your Own Device (BYOD) phenomenon. More than 80 percent of organizations allow employees to bring their devices to work. Not only that, but employees often use consumer cloud services to store or transfer sensitive corporate information, broadening the target, and often access these services at work over their own connections, a practice known as Bring Your Own Network (BYON). As corporate IT administrators seek to gain control over mobile devices, there is potential that by over-correcting for the problem, employees will seek new ways to subvert processes and policies that constrain the pure consumer experience.

Mobile App & Browser – Constant Threat Vectors

Mobile applications will remain the central collection point for our personal data from location information, messaging, calendars to social circles. They will also remain the most straightforward channel for privacy attacks that seek to collect that data.

Meanwhile, the mobile browser will continue to be the largest remote attack surface on mobile devices. Attacks of this type provide a vector for intruders to attempt to break in, independent of creating a trojanized mobile application, making it a target for a broad-based attack.

Privacy Crackdowns Happen Across the Board

Mobile privacy will be a major issue in 2013, as long as applications continue to access personal or device-specific information without gaining proper informed consent. There will be continued pressure on app developers in the form of government action, industry self-regulation and consumer pressure. The State of California has started to crack down on apps and developers that do not provide sufficient mobile privacy policies. This is a first step towards a broader set of industry standards around mobile privacy.

How to Stay Safe in 2013

Individuals

  1. Avoid toll fraud by regularly checking your phone bill: Always review your monthly phone bill statements for suspicious charges. Contact your carrier if you identify something you believe to be fraud.
  2. Double-check URLs on your mobile: After clicking on a web link, pay close attention to the address to make sure it matches the website it claims to be, especially if you are asked to enter account or login information.
  3. Protect your privacy, understand app permissions: Be cautious about granting applications access to personal information on your phone or letting the application have access to perform functions on your phone. Make sure to check the privacy settings for each app before installing it.
  4. Be smart about device settings: Keep network connectivity such as NFC, WiFi or Bluetooth turned off when not in use. Be sure to disable settings such as debug mode that can open a device up to illicit access.
  5. Download a security app: Download a security app that scans the apps you download for malware and spyware, helps you locate a lost or stolen device, and protects you from unsafe websites.
  6. Update your phone and apps: Make sure to download and install updates from your mobile operator as soon as they are available for your device. The same goes for apps: download app updates when they are available.

Businesses

  1. Raise employee awareness: Help employees understand the threats and risks out there so that employees can take action to safeguard their phones.
  2. Protect employees’ phones: Ensure that every phone – personal or company – is protected with a mobile security app for business that finds malware, scans apps, and locates and remotely wipes the device.
  3. Patch known vulnerabilities: Keep employee phones’ operating system software up-to-date by enabling automatic updates or accepting your service provider’s updates when prompted. Stay up to speed on which vulnerabilities remain unpatched across device types and carriers to maintain an accurate threat model. The National Institute of Standards and Technology offers a database of device vulnerabilities.

***

This report was prepared and written by security researchers and engineers Kevin Mahaffey, Derek Halliday and Tim Wyatt from Lookout.


[1] To estimate the total number of mobile users that will encounter malware from the beginning of 2012 to the end of 2013, we used the likelihood rate of infection in October 2012 from the global top markets. By extrapolating this detection rate across the Android user base for each market (reference Canalys) in 2012 and the expected shipment base in 2013 for each market, Lookout estimates that as many as 18.4 million users will encounter malware/spyware from the beginning of 2012 to the end of 2013. We combined shipment data from 2012 and 2013 to get an accurate representation of the number of phones in the market, based on the average two-year cell phone contract.

[2] “Theft of cell phones rise nationally.” USA Today. October 20, 2012.

[4] “New Lookout user” refers to Lookout users over their first 7 days.