In an effort to help users dodge mobile malware targeting iPhones, BlackBerrys and Android devices, McAfee this week shared some tips and strategies on the subject of mobile threats. But just what are those threats, and how are attackers using them to make money?
According to Tim Armstrong, malware researcher at Kaspersky Lab, the king of the mobile malware world is the SMS Trojan. SMS Trojan operations start with the establishment of a premium rate number with a short code of four or five digits. Once the malicious app is on the phone, it sends text messages to the premium rate short code in the background, with message rates standing between $5 and $10 each. Each time an SMS message is sent, the criminal racks up more profit, he said.
“While almost non-existent in the US, it represents the largest threat worldwide by far… Also incredibly common is malware that steals data,” he continued. “This includes everything from contact lists to IMEI (International Mobile Equipment Identity) and IMSI (International Mobile Subscriber Identity) numbers, as well as User IDs. The latter are able to uniquely identify the phone to a carrier. With the stolen data phones can be cloned giving access to user data such as SMS messages.”
The most dangerous malware, he added, is botnet malware such as Zitmo (the mobile version of the Zeus malware). In its threat report for the first half of 2011, security firm Damballa reported that the number of Android devices engaging in live communications with a command-and-control server reached nearly 40,000 at one point. McAfee’s Threats Report for the second quarter of 2011 also underscored the attention attackers are paying to Google Android, as it was by far the most targeted platform.
With the amount of malware continuing to grow, McAfee offers some familiar advice to users – check applications’ permissions, research apps before downloading them and make sure applications are coming from a reputable market. Of course, Trojanized versions of otherwise legitimate applications are attackers’ main means of getting their hands on user data and raking in the cash.
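The permission check McAfee recommends can be automated. The script below is an added example written for this page, not a McAfee, Kaspersky or Lookout tool: it parses an Android manifest and flags the permission combinations that the SMS Trojans, data stealers and ZitMo-style SMS interceptors described above need to operate. The two manifests, the package names, the `RULES` table and the "any explicit priority is suspicious" threshold for SMS receivers are constructed assumptions for the demonstration; the permission names and the `SMS_RECEIVED` broadcast action are the real Android identifiers.

```python
import xml.etree.ElementTree as ET
from typing import List, Set, Tuple

# Android manifest attributes live in this namespace (android:name, android:priority).
ANDROID = "{http://schemas.android.com/apk/res/android}"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Permission sets matching the behaviours discussed on this page. An app that
# holds every permission in a set is flagged with that set's label. The labels
# and groupings are an assumption of this example, not a vendor's signature set.
RULES = {
    "premium-SMS sender": {"android.permission.SEND_SMS"},
    "SMS interceptor": {"android.permission.RECEIVE_SMS"},
    "device-identifier harvester": {"android.permission.READ_PHONE_STATE",  # IMEI / IMSI
                                    "android.permission.INTERNET"},
    "contact-list exfiltration": {"android.permission.READ_CONTACTS",
                                  "android.permission.INTERNET"},
}


def requested_permissions(manifest_xml: str) -> Set[str]:
    """Return the set of <uses-permission android:name="..."/> values."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID + "name") for el in root.iter("uses-permission")
            if el.get(ANDROID + "name")}


def sms_receivers(manifest_xml: str) -> List[Tuple[str, int]]:
    """Return (receiver class, intent-filter priority) for every receiver that
    listens for SMS_RECEIVED. An interceptor that wants to read or swallow an
    mTAN before the stock messaging app sees it registers with a high priority."""
    root = ET.fromstring(manifest_xml)
    found = []
    for recv in root.iter("receiver"):
        for flt in recv.iter("intent-filter"):
            actions = {a.get(ANDROID + "name") for a in flt.iter("action")}
            if SMS_RECEIVED in actions:
                prio = int(flt.get(ANDROID + "priority", "0"))
                found.append((recv.get(ANDROID + "name"), prio))
    return found


def triage(manifest_xml: str) -> List[str]:
    """Sorted labels for every rule the manifest satisfies, plus a flag for any
    SMS receiver that sets an explicit (non-default) priority."""
    perms = requested_permissions(manifest_xml)
    flags = [label for label, needed in RULES.items() if needed <= perms]
    for name, prio in sms_receivers(manifest_xml):
        if prio > 0:  # threshold is an assumption: any raised priority is worth a look
            flags.append("high-priority SMS receiver: %s (priority %d)" % (name, prio))
    return sorted(flags)


# Constructed sample manifests for the demonstration; not taken from any real app.
# A "flashlight" that wants to send and receive SMS and read the IMEI is the
# classic Trojanized-app profile from the article.
TROJAN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application>
    <receiver android:name=".SmsListener">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("flashlight", TROJAN_MANIFEST), ("notes", BENIGN_MANIFEST)):
        print(label, triage(manifest) or ["no findings"])
```

Run against a real APK by feeding it the decoded `AndroidManifest.xml` (the binary manifest inside the APK must be decoded first, for example with apktool). The rules only say that an app *can* behave like the malware above; a legitimate messaging client will trip the SMS rules too, so the finding to act on is a mismatch between the permissions and what the app claims to do.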
With all this in mind, vendors such as M86 Security Labs are predicting a surge in malware targeting mobile devices in 2012. Still, it is worth noting that the amount of mobile malware is currently minuscule next to the amount aimed at PCs. Here are some of the most dangerous pieces of mobile malware security researchers have seen in the wild, in no particular order.
GG Tracker: According to Lookout Mobile Security, this Trojan has had the largest impact on users in the United States in recent months. The Trojan works by subscribing the user to one or several premium rate SMS subscription services. According to the company, Android users are directed to install the Trojan after clicking on a malicious in-app advertisement.
Android.Rootcager, AKA Droid Dream: Droid Dream was significant because the attacker infected and redistributed more than 58 legitimate applications on the Android Market, explained Vikram Thakur, principal security response manager at Symantec. “Once installed by the user, the threat attempted to exploit two different vulnerabilities in Android to obtain administrator-level control of the device,” he said. “The threat then installed additional software on the device, without the user’s consent. The software exfiltrates a number of confidential items, including: device ID/serial numbers, device model information, carrier information, and has the ability to download and install future malware packages without the user’s knowledge. This was possible because the threat exploited a vulnerability to bypass Android’s isolation model.”
Android.Bgserv: When Google released a tool to clean up devices infected with the Android.Rootcager threat, malware authors capitalized on the hype and released a fake version of the cleanup tool that sent user data – such as the device IMEI number – to a server in China, Thakur noted.
ZitMo: The first mobile version of Zeus was found in September 2010 targeting Symbian devices to steal the mobile transaction authentication numbers (mTANs) used by online banking services. In the months since, versions of ZitMo have been seen targeting a variety of platforms, including Windows Mobile, BlackBerry and Android.
Legacy and LeNa: These two pieces of malware have become some of the most widely seeded malicious programs in third-party markets, and the most widely detected. Legacy, which is also known as DroidKungFu, was seen in multiple alternative app stores and forums based in China targeting Chinese Android users. The next generation of Legacy is LeNa, which was detected in October affecting both alternative app stores and a handful of applications in the Android Market, with the latter being removed by Google. Once on the phone, LeNa begins communicating with a command and control server, and has been seen downloading the DroidDream Light malware to devices as well.
“Mobile malware solutions are in their infancies, so their capabilities to protect users and networks are very limited,” Brad Anstis, vice president of technical strategy at M86 Security, said in a statement announcing the company’s 2012 threat predictions. “To help defend from an influx of mobile malware, organizations will need to extend their security policies to mobile devices. It will be critical to ensure that all personal devices that access an organization’s Wi-Fi and networks are covered.”