Smartphone malware infections increased by 96% over the year to April 2016; smartphones account for 78% of all mobile infections; and the number of infected mobile devices peaked at 1.06% in April. These details come from the latest Nokia Threat Intelligence Report (PDF) for the first half of 2016, and demonstrate a rapidly increasing malware threat to mobile devices.
This data is aggregated from users of the NetGuard Endpoint Security Solution, and monitors traffic from more than 100 million devices.
Monthly mobile device infection rates have grown steadily over the last few years, but they show a dramatic spike in April 2016.
“The sharp increase in April,” says the report, “was due to a significant increase in smartphone infections involving the Kasandra, SMSTracker and UaPush Android trojans.” The overall infection rate implies that something like 1 in every 120 smartphones were infected at some point during April.
Android, unsurprisingly, remains the platform most commonly targeted by malware, accounting for 74% of all infections. Twenty-two percent of infections occurred on Windows devices, and just 4% on iOS and other devices. Android malware in Nokia’s database increased by 75% during the first half of 2016.
UaPush, Kasandra, and SMSTracker are the most prevalent infections, accounting for 19.2%, 15.23% and 12% of infections respectively. They are all Android malware. UaPush steals personal information and sends short SMS messages. Its C&C server is located in China, and activity currently seems to be declining.
Kasandra (also known as SandroRat) is a remote access trojan packaged to look like Kaspersky’s Mobile Security App. It gives the attacker unrestricted access to the victim’s personal details, stores the data in an adaptive multi-rate file on the SD card, and uploads the file to the attacker’s C&C server.
SMSTracker (also known as Android.Monitor.Gizmo) is a Spyphone app that provides complete phone tracking and monitoring. SMS, MMS, voice, GPS location and browser history can all be tracked and monitored remotely.
The last year hasn’t just seen an increase in mobile malware volume — there has also been a step up in malware sophistication. Examples of the new breed of sophistication include HummingBad, Viking Horde, GhostPush/Shedun , and YiSpecter. YiSpecter attacks iOS, but seems to have been developed by a Chinese malware gang known as YingMob. YiSpecter’s main claim to fame is that it was the first iOS malware capable of exploiting the Apple sandboxing prevention mechanism on non-jail-broken iPhones.
Other recent developments noted by Nokia include continuing use of phones in DNS DDoS amplification attacks; and the migration of ransomware from Android mobile devices to Android-based IoT devices. DDoS amplification attacks are not normally possible via mobile phones; but can be used when the phone is being operated as a mobile hotspot. The IoT ransomware is possible because many IoT devices are based on the Android operating system. In July 2016, Trend Micro reported that an FLocker variant can now affect smart TVs.