The Evidence
Mobile malware, in particular Android mobile malware, is
rising. This is a fact.
It has been rising slowly since 2004, as the figures below
from McAfee detail, and the rate has been accelerating since autumn 2011 when a
number of high-profile cases of Android mobile malware hit the press. This
included Google’s official Android Appstore, then called Market now called
Play, being used as a method to distribute Trojanised apps to unwitting
customers. GGTracker [1],
SuiConFo [2] and RuFraud [3] were all Trojanised Android apps that were attempting to defraud consumers
largely by attacking the Premium Rate Service industry through the unauthorised
sending of Premium Rate SMS messages.
 |
Mobile Malware Explodes, Increases 1,200% in Q1/2012
|
Source: McAfee Threats
Report: First Quarter 2012
“A comparison between the number of malicious Android application package files (APKs) received in Q1 2011 and in Q1 2012 reveals a more staggering find — an increase from 139 to 3063 counts.” Mobile Threat Report Q12012, F-Secure
Figures
from Goode Intelligence’s annual mSecurity survey back this up with a rise in
the number of reported mobile malware incidents – read infection – in the
workplace from 7% in 2009 to 24% late in 2011; nearly a quarter of all
organisations. This figure is alarming.
GI mSecurity Survey: Has
your organisation experienced a mobile malware incident?
We are also seeing
evidence from other sources including telecommunications regulators. In the UK,
the country’s premium rate regulator, PhonepayPlus, has been involved in
investigations into premium rate fraud directly caused by mobile malware.
With the assistance
of Goode Intelligence, (providing research and analysis into the link between
mobile malware and PRS fraud), PhonepayPlus are proactively tracking instances
of mobile malware that are attacking PRS.
One of these
investigations hit the news recently and resulted in a hefty £50,000 fine for a
mobile aggregator, A1 Aggregator Ltd based in Latvia, for managing the SMS
shortcodes that were used in the RuFraud malware attack. From late November
2011, after receiving 34 complaints from consumers of unauthorised PSMS charges
on their phone bills, including an individual losing around £80, the regulator
investigated further and tracked the fraud down to Trojanised versions of
Android Apps distributed via Android Market (Play). The fake apps included
Trojanised versions of Angry Birds Assassins Creed and Cut the Rope. Consumers
had no knowledge of three PSMS messages being sent every time the Trojanised
app was started. Each PSMS message was costing the unwitting user £5.00.
In this one case
1,391 mobile numbers in the UK were affected and an estimated £27,850 worth of
fraud was attempted. Due to the swift action from the regulator, the shortcode
was suspended and none of the £27,850 of UK consumer’s money was able to reach
the fraudsters.
PhonepayPlus found
evidence of the RuFraud Trojan operating in 18 countries. Thankfully the UK has a regulator that is well
advised and has put into place procedures to ensure that this emerging area of
PRS fraud is actively monitored. What about the other 17 countries that were
targeted by this malware? How many consumers have been affected and how much
financial damage has been done in regions where regulation is not so proactive?
The Risk
There is evidence from
multiple sources, including our own, that mobile malware is rising and it is
targeting consumers for, amongst other reasons, financial fraud.
On the face of it,
it seems that the risk of malware infection is getting stronger and both
consumer and enterprise mobile users should take preventative measure to
counteract that threat. These preventative measures include being cautious when
downloading Android apps from appstores, including Google Play and from
third-parties, and checking the permissions carefully. There is also the option
of protecting your mobile device with a mobile security product that is proven
to be effective in preventing mobile malware.
Android is being
targeted as it has a more open platform for downloading and installing apps and
it is becoming the number one mobile platform around the world. This makes it
the number one target for malware in today’s mobile market.
However, we should
also be cautious in assessing the current risk to both consumers and enterprise
users from the threat of mobile malware. Apple’s iOS has been free of malware
and there have been very small numbers of malware that have been known to affect
BlackBerry devices.
Additionally,
Google should be applauded in acknowledging the threat from Trojanised apps in
Play by deploying a solution, Bouncer [4],
which attempts to detect mobile malware on upload. Bouncer was announced early
in 2012, although it has been running during 2011, and it is probably too early
to state how effective the solution is in preventing mobile malware on Play [5].
There is also an
acknowledgement from third-party Android appstores that security is important
as a business differentiator. Goode Intelligence surveyed a number of the
third-party appstores and was pleased that over two-thirds of the respondents
(68 percent) replied with a ‘yes’ to the question “Do you think there is a
commercial benefit for an app store to offer malware detection and prevention
technology?” The tools are
available for these third-party Android appstores with AVG [6] amongst the vendors offering specific security solutions aimed at preventing
the spread of malware from these appstores.
Yes the statistics
do tell us of double and triple digit growth in mobile malware, mainly
targeting the Android platform. However, the risk is still relatively low and
the financial fraud that is being committed as a result of mobile malware is
currently low in value. These are still early days in the history of malware
targeting mobile platforms and indications are that the business drivers for
attacking these platforms is growing which could result in the situation
getting worse – especially in the short-to-medium term.
And in answer to
the question of attacks on Apple iOS, will this happen? You betcha! As the
famous US bank robber, Willie Sutton, said in response to the question why he
robbed banks; "because that's where the money is." Whether they will
succeed is another matter and the topic for another blog.
Alan Goode
May 2012
|
[1] Google’s Blog announcement on Bouncer http://googlemobile.blogspot.co.uk/2012/02/android-and-security.html
[2] Although this article from Andy Greenberg on Forbes questions how effective
Bouncer is: http://www.forbes.com/sites/andygreenberg/2012/05/23/researchers-say-they-snuck-malware-app-past-googles-bouncer-android-market-scanner/
[3] Press release in the partnership between AVG and Livewire: http://www.avg.com.au/news/Livewire-Mobile-partnership/
[4] Covered by Lookout Mobile Security in this blog: http://blog.mylookout.com/blog/2011/06/20/security-alert-android-trojan-ggtracker-charges-victims-premium-rate-sms-messages/
[5] Covered by Denis Maslennikov of Kaspersky Labs in this blog: http://www.securelist.com/en/blog/208193261/SMS_Trojans_all_around_the_world
[6] Covered by Lookout Mobile Security in this blog: http://blog.mylookout.com/blog/2011/12/11/european-premium-sms-fraud/
