While the volume of mobile malware remains small next to the amount affecting PCs, it is still growing, and new reports from Kaspersky Lab and F-Secure show where attackers are focusing their attention.
A new report by Kaspersky Lab found that 28 percent of all mobile devices attacked by malware in the third quarter of 2012 were running “Gingerbread” – aka Android OS version 2.3.6.
According to Kaspersky, 91 percent of all Android malware detected in the last 14 days of September occurred on mobile devices running either Gingerbread or “Ice Cream Sandwich”, Android version 4.04.
“It is obvious that the devices with the later versions of operating systems installed on them are better suited to actively working online,” blogged Yury Namestnikov, senior malware analyst at Kaspersky Lab. “Unfortunately, more active web surfing often leads users to sites hosting malicious content.”
“More than one half of all malware detected on user smartphones turned out to be SMS Trojans, i.e. malicious programs that steal money from victims’ mobile accounts by sending SMS messages to premium rate numbers,” he continued. “The OpFake family has become the most widespread (38.3 percent of all the malicious programs for Android detected) among all the mobile malware families. All the programs in this family disguise themselves as Opera Mini. Third place in the ranking was taken by the FakeInst family, whose members pretend to be installers for popular programs (17 percent).”
“These two types of malware are mostly distributed via so-called alternative app stores created by cybercriminals,” he added.
Google has taken a number of steps to address security, for example developing a mechanism known as Bouncer to police the Google Play marketplace for Android apps. Android also added anti-exploit features in Jelly Bean (4.1) and implemented address space layout randomization more extensively, and a real-time app scanner has reportedly been developed for Jelly Bean 4.2 to detect malicious applications.
The mobile threat landscape extends beyond Android malware, however. In its report, F-Secure noted that the third quarter saw a new variant of Zitmo (the mobile version of the Zeus malware) targeting BlackBerry devices. The new variant uses the COD file format and targets mobile Transaction Authentication Numbers (mTANs) sent by banks to their customers to authenticate transaction attempts.
Besides Zitmo for BlackBerry, the FinSpy Trojan was the other notable discovery in the third quarter of 2012, F-Secure said. The Trojan is available on multiple mobile platforms (Android, Symbian, iOS, and Windows Mobile) and can take screenshots of an infected device, record keyboard strokes, intercept Skype communications, track device location, and monitor SMS and call activities on the device.
Researchers at F-Secure also identified 21 new families and variants affecting Symbian devices in the third quarter, representing a 17 percent increase compared to the second quarter.
“Most of the Symbian malware originates in China and is distributed for the purpose of making a profit,” according to the report. “Most of these (for example, Fakepatch.A and Foliur.A) are involved in SMS-sending activities. The SMS messages are usually sent to premium rate numbers or those associated with SMS-based services. Malware authors and distributors can easily turn an infection into profit by taking advantage of a ‘built-in’ billing mechanism for these SMS services; the malware simply sends out SMS messages that silently sign up the device owner for a premium subscription service, incurring charges to the user’s account.”