Was Mobile Malware a Problem in 2011?
Last year, we predicted that mobile malware, particularly on the Android platform, would be one of the major trends in 2011. As the year draws to a close, we wanted to check to see if our crystal ball was accurate in this prediction.
In November, Juniper reported a 472% growth in Android samples since July 2011, a stat that speaks for itself. But, Chris DiBona from Google responded on his blog saying that “No major cell phone has a ‘virus’ problem in the traditional sense…” and that “virus companies are playing on your fears”. So who’s right?
In 2011, Kindsight added signatures to our platform that detect the network behavior of Android and other mobile malware. These signatures typically detect the command and control protocol the malware uses to “call home”, report stolen information and wait for instructions.
Looking at the results from Kindsight deployments, we have seen a significant increase in Android infections from our network-based malware detection systems. As shown below, there was a 4x increase in the last 3 months (early Sept to late Nov), which appears to confirm the report from Juniper.

But not so fast: while there is obviously growth in the infections we are seeing, it is still early days. These infections represent only 0.1% (1 in 1000) of Android devices, which is relatively small compared with the 10-12% infection rates we see on a typical day in the PC market, but it is growing.
How Devices are Getting Infected
In 2011, we also had an opportunity to do an in-depth analysis of a variety of Android malware samples. The most common distribution mechanism is to conceal the malware as a Trojan inside a pirated application. The Trojan is then downloaded and installed by the unsuspecting user. These have been distributed on the Android Market and third-party app sites. They are usually removed from the Market as soon as someone notices the problem, but this is often after some damage has been done. Some third-party app sites are not quite as diligent.
We have not yet seen any Android malware that spreads directly from phone to phone, although there was the IKEE worm (2009) that used SSH to spread to jail-broken iPhones. However, despite the fact that these phones are not as vulnerable to network exploits as the PC platform, it is inevitable that vulnerabilities which can be exploited directly from the network will appear periodically.
For the most part, the malware makes no attempt to conceal itself and can easily be removed by uninstalling the infected app. However, some samples show a higher degree of sophistication and are not so easy to remove.
We have seen malware that attempts to “root” the phone using a variety of exploits, makes hidden copies of itself in “system” directories, installs executable binary files, changes system file access permissions and deletes other applications. Although these techniques are not yet common, they are relatively simple to implement and will be more widespread in the next generation of malware.
What the Malware Does
So far, profiting from mobile malware is not as easy as in the established cybercrime underground that has developed around the PC platform. However, it is likely just a matter of time before this becomes established.
Premium SMS messages are a major moneymaker, and they are quite common in malware targeted at the Chinese and Russian markets. Often mobile malware will steal contact lists or send SMS messages directly to contact lists. This may be the beginning of an SMS spam market that will rival the traditional e-mail spam used in wire-line networks. We have seen several samples that intercept SMS messages and forward the content to the C&C server. This has an obvious application when combined with banking Trojans like Zeus and SpyEye: stealing one-time banking credentials transmitted via SMS.
Many of the samples simply sent information about the phone to the C&C server, with no clear indication of how this information would be useful to the attacker. One sample actually used a Google Analytics API to forward the information.
So far we have not seen any sophistication in the malware command and control strategies. Typically the IP address or domain name of the C&C server is hard-coded in the malware, and it becomes inoperable once this C&C server is disabled.
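To make the network-based detection described above concrete, here is an added illustration (not Kindsight's platform or code) of how “call home” signatures can be matched against per-device web request logs and turned into an infection rate like the 0.1% figure quoted earlier. The log format, the signature patterns and the C&C hostnames are all constructed placeholders; a signature fires only when both the hard-coded C&C host and the beacon's request path match.

```python
import re
from collections import defaultdict
# Hypothetical "call home" signatures in the spirit of the network-behaviour
# signatures described above: (name, C&C host pattern, request path pattern).
# Hosts and paths are constructed placeholders, not real indicators.
SIGNATURES = [
    ("trojan-a-beacon", re.compile(r"^c2-placeholder-a\.example$"),
     re.compile(r"^/report\.php\?imei=\d{15}&")),
    ("trojan-b-smsfwd", re.compile(r"^c2-placeholder-b\.example$"),
     re.compile(r"^/sms\?from=[^&]+&body=")),
]
# Log format (constructed): timestamp, device id, destination host, request path.
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<device>\S+) (?P<host>\S+) (?P<path>\S+)$")

def parse_line(line):
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def match_signatures(rec):
    """Names of every signature whose host and path patterns both match."""
    return [name for name, host_re, path_re in SIGNATURES
            if host_re.match(rec["host"]) and path_re.match(rec["path"])]

def analyse(lines):
    """Return ({device: set of matched signature names}, distinct devices seen)."""
    devices, infected = set(), defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:          # skip malformed lines rather than crash
            continue
        devices.add(rec["device"])
        for name in match_signatures(rec):
            infected[rec["device"]].add(name)
    return dict(infected), len(devices)

def infection_rate(infected, total):
    """Fraction of observed devices that matched at least one signature."""
    return len(infected) / total if total else 0.0
# Constructed sample log: one benign device fetching pages, one beaconing,
# one forwarding an intercepted SMS, plus a repeat beacon from the same device.
SAMPLE_LOG = """\
2011-11-20T10:00:01 dev-001 www.example.com /index.html
2011-11-20T10:00:05 dev-002 c2-placeholder-a.example /report.php?imei=123456789012345&os=2.3
2011-11-20T10:00:09 dev-003 maps.example.com /tiles/1/2/3.png
2011-11-20T10:01:12 dev-002 c2-placeholder-a.example /report.php?imei=123456789012345&os=2.3
2011-11-20T10:02:30 dev-004 c2-placeholder-b.example /sms?from=%2B15550100&body=code%2012345
2011-11-20T10:03:00 dev-005 www.example.com /index.html
""".splitlines()

if __name__ == "__main__":
    hits, seen = analyse(SAMPLE_LOG)
    print(hits, f"{len(hits)}/{seen} = {infection_rate(hits, seen):.1%}")
```

Because the C&C host is part of the signature, the same match logic shows why a hard-coded C&C server is a single point of failure for the malware: once that host is sinkholed or blocked, the beacon stops, and so does the infection's usefulness to the attacker.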
Is Mobile Malware a Problem?
So to summarize, the growth reported by Juniper is certainly correct, though not as threatening as it first seems. Google’s DiBona is also right in that the problem is currently not at the same scale as in the PC market. However, in the long run, DiBona may find that he spoke too soon, because this is just starting to ramp up.
Kindsight has seen substantial growth in Android malware infections during 2011. This growth is in its early stages and we probably have a few years before it becomes as problematic as we experience on the PC platform. The malware is not very sophisticated so far but the techniques that have been explored have potential and we expect rapid exploitation over the next few years.
By Kevin McNamee, Kindsight Security Labs
