Much has been written about the growth of malware targeting Android devices. Earlier this year for example, Damballa found that in the first half of 2011, the number of Android devices engaged in live communication with a botnet command and control server hit 40,000 at one point.
There is little point in infecting phones, however, unless the attacker has a way to monetize the malware. But according to a new report from Symantec, attackers may not be getting much bang for their buck.
“When it comes to comparing the amount of money cybercriminals are currently making off mobile malware versus malware targeting PCs, it really isn’t even close,” Eric Chien, technical director of Symantec Security Response, told SecurityWeek. “There is some evidence that recent large-scale, PC-based scams have made in the hundreds of millions of dollars. When it comes to mobile malware scams, we’re generally talking about a few thousand dollars at most.”
So how are attackers turning compromised phones into profit? There are a number of different ways. Among the most popular are premium rate number billing scams. These premium-rate numbers are typically “short codes” – shorter than usual phone numbers. Each country and carrier regulates short codes differently, but usually an oversight body issues the short codes for a fee, according to Symantec. In the United States, a dedicated short code may cost $1,500 to set up and then $1,000 per month. A shared short code, where the message must be preceded by a keyword, can be obtained for $50 per month.
“When calling or sending an SMS to a short code, the caller is billed a premium rate above the normal cost of an SMS or phone call,” according to the report. “The revenue is then shared by the attacker, carrier, and the SMS aggregator. The attacker receives 30-70% of the premium rate charge depending on the carrier, amount charged per message, and number of messages received.”
Most carriers allow a premium rate of up to $10.00 per message, but some carriers will allow charges in excess of $50.00 per message. If the attacker uses an SMS aggregator, the attacker will pay an additional fee.
Android apps can request the ability to send SMS messages at installation, the report continues. Once granted, these SMS messages can be sent without user confirmation, and sending an SMS to a premium short code rings up charges on the phone owner’s bill. This allows an attacker to generate revenue. However, because short codes are usually carrier- and country-specific, multiple short codes are needed, or threats may only target specific regions.
While these and other schemes – such as pay-per-install and adware operations – offer revenue opportunities for attackers, they often require a large number of infections to be worthwhile, according to the report.
“Further, for each attack we have seen on Android, none were repeated,” the report notes. “It is possible that the attackers did not generate enough revenue, and thus did not repeat the effort.”
At this point researchers are not seeing much Android malware being bought and sold, said John Harrison, Group Manager for Symantec Security Response.
“There simply isn’t a huge market for it at this time because it is still very much in a nascent state,” he explained. “What we’re seeing right now [is] early adopters exploring ways to turn mobile malware into a successful criminal business model like they have done on the PC. Once they figure it out, we’ll likely see a market for mobile malware emerge.”

“As far as we have been able to tell, there aren’t any mobile malware toolkits making the rounds yet,” he added. “That said, it is a very real possibility that we will see them in the future. One possible explanation as to why we haven’t seen them is because cybercriminals are still very much trying to figure out how to monetize mobile malware; they’re still trying to fit the various pieces together for it to become a significant revenue generator for them. Once they figure this out, I think it will be more likely that we’ll see mobile malware toolkits emerge.”
Besides using mobile security and management software if at all possible, consumers should only download applications from marketplaces hosted by well-known legitimate vendors, Harrison said. Also, if practical, users should adjust Android OS application settings to stop the installation of non-market apps.
“Next, pay attention to the name of the app creator,” he added. “If downloading a popular app from a well-known app creator, then an app that purports to be the legitimate version, but has a different author listed should be a definite red flag...Finally, during the installation of apps, always check the access permissions being requested for installation; if they seem excessive for what the application is designed to do, it would be wise to not install the application.”
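As an added illustration of the permission check Harrison recommends (example code written for this page, not Symantec’s or the article’s), the following Python script parses a constructed AndroidManifest.xml, lists the permissions the app requests at install, and flags those that can generate charges, such as the SEND_SMS permission described above, together with anything outside what a wallpaper app would plausibly need. The sample manifest, the expected permission set and the billing-capable list are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that, once granted at install time, let an app send or read SMS
# or place calls without further user interaction (list is an assumption).
BILLING_CAPABLE = {
    "android.permission.SEND_SMS": "can send SMS to premium short codes",
    "android.permission.CALL_PHONE": "can dial premium-rate numbers",
    "android.permission.RECEIVE_SMS": "can intercept carrier/confirmation SMS",
    "android.permission.READ_SMS": "can read stored SMS content",
}

def declared_permissions(manifest_xml):
    """Return the set of <uses-permission android:name=...> values in a manifest."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(f"{{{ANDROID_NS}}}name")
        for el in root.iter("uses-permission")
        if el.get(f"{{{ANDROID_NS}}}name")
    }

def audit_permissions(manifest_xml, expected):
    """Flag billing-capable permissions and anything outside the expected set."""
    declared = declared_permissions(manifest_xml)
    return {
        "billing_capable": sorted(p for p in declared if p in BILLING_CAPABLE),
        "unexpected": sorted(declared - expected),
    }

# Constructed sample: a "wallpaper" app that also asks to send and receive SMS.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpapers">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
</manifest>
"""

# What a wallpaper app plausibly needs (constructed expectation for the example).
WALLPAPER_EXPECTED = {
    "android.permission.INTERNET",
    "android.permission.SET_WALLPAPER",
}

if __name__ == "__main__":
    result = audit_permissions(SAMPLE_MANIFEST, WALLPAPER_EXPECTED)
    for perm in result["billing_capable"]:
        print(f"RED FLAG: {perm}: {BILLING_CAPABLE[perm]}")
    print("unexpected for this app type:", result["unexpected"])
```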