Statistics show an increase in Android devices infected with crimeware that is actively communicating with multiple criminal C&C servers
Google Android devices are being caught in a Web of botnet activity at an unprecedented rate, according to new research by security firm Damballa.
In its threat report for the first half of 2011, Damballa observed that the number of Android devices engaging in live communications with a command-and-control server reached nearly 40,000 at one point. While the figure is nowhere near the numbers of PCs under the control of cyber-criminals, it does represent a significant jump in malware targeting mobile phones.
During weeks 10 and 11 of the year, a malware outbreak peaked at 20,000 devices but was quickly quashed – something the firm attributes to devices and applications being remotely wiped when malicious apps were identified.
“As predicted, 2011 is shaping up to be the year that mobile malware will begin to be an issue for consumers and enterprises alike in North America,” according to the report. “Other countries (China being a great case in point) have already had to deal with significant outbreaks of mobile device infections.”
“Many of these devices connect to the corporate WiFi when brought to work,” the report continues. “They come into the network infected, and traditional security systems designed to protect traditional computing assets will not detect these infected mobile devices.”
According to Damballa Vice President of Research Gunter Ollmann, the majority of the malware associated with this C&C activity is designed first to steal data stored on the handset, such as email account passwords, and then to serve as a jump point to other networks. If the phone connects to a WiFi network, for example, the remote attacker can launch new attacks from the compromised device and proxy commands to other infected devices, he told SecurityWeek via email.
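The detection gap the report describes is a network one: an infected handset on the corporate WiFi looks like any other client to host-based tooling, but its C&C check-ins are still visible in egress or proxy logs. The script below is an added illustration written for this article, not Damballa's code or data. It parses a constructed proxy log (timestamp, client IP, destination host, User-Agent), matches destinations against a watchlist of placeholder C&C domains (assumed, not real indicators), tags each client's platform from its User-Agent, scores how regular its contacts are (fixed-interval polling is the usual C&C pattern), and counts distinct devices per ISO week in the way the report's weekly device figures are expressed.

```python
"""Flag WiFi clients that contact C&C domains, with platform and beaconing.

Added example. The log lines, the watchlist domains and the addresses are
all constructed for illustration; none of them are real indicators.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed watchlist: placeholder names standing in for real C&C domains.
CNC_WATCHLIST = {"cnc-placeholder-1.example", "cnc-placeholder-2.example"}

# Constructed egress/proxy log: "<ISO time> <client ip> <host> <user agent>".
# 10.10.5.21 is an Android handset polling a watchlist host every ~10 minutes;
# 10.10.5.22 is a clean Android handset; 10.10.5.40 is a Windows PC with one hit.
SAMPLE_LOG = """\
2011-03-07T09:00:01 10.10.5.21 cnc-placeholder-1.example Mozilla/5.0 (Linux; U; Android 2.2; en-us; Nexus One Build/FRF91) AppleWebKit/533.1
2011-03-07T09:04:17 10.10.5.22 news.example.org Mozilla/5.0 (Linux; U; Android 2.3; en-us; HTC Desire) AppleWebKit/533.1
2011-03-07T09:05:30 10.10.5.40 cnc-placeholder-2.example Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24
2011-03-07T09:10:02 10.10.5.21 cnc-placeholder-1.example Mozilla/5.0 (Linux; U; Android 2.2; en-us; Nexus One Build/FRF91) AppleWebKit/533.1
2011-03-07T09:20:01 10.10.5.21 cnc-placeholder-1.example Mozilla/5.0 (Linux; U; Android 2.2; en-us; Nexus One Build/FRF91) AppleWebKit/533.1
2011-03-07T09:30:03 10.10.5.21 cnc-placeholder-1.example Mozilla/5.0 (Linux; U; Android 2.2; en-us; Nexus One Build/FRF91) AppleWebKit/533.1
2011-03-07T09:45:00 10.10.5.22 intranet.example.org Mozilla/5.0 (Linux; U; Android 2.3; en-us; HTC Desire) AppleWebKit/533.1
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")


def parse_line(line):
    """Split one log line into (timestamp, client_ip, host, user_agent), or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, host, ua = m.groups()
    return datetime.fromisoformat(ts), ip, host.lower(), ua


def platform_of(user_agent):
    """Coarse platform tag taken from the User-Agent string."""
    if "Android" in user_agent:
        return "android"
    if "Windows" in user_agent:
        return "windows"
    return "other"


def beacon_cv(timestamps):
    """Coefficient of variation of the gaps between contacts (None if < 3 gaps).

    A value near zero means the client checks in on a fixed timer, which is
    the typical shape of C&C polling rather than of human browsing.
    """
    times = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 3 or mean(gaps) == 0:
        return None
    return pstdev(gaps) / mean(gaps)


def find_cnc_contacts(log_text, watchlist, max_cv=0.2):
    """Return {client_ip: summary} for every client that reached a watchlist host."""
    events = defaultdict(list)
    platforms = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, host, ua = parsed
        if host in watchlist:
            events[ip].append((ts, host))
            platforms[ip] = platform_of(ua)
    report = {}
    for ip, evs in events.items():
        times = sorted(t for t, _ in evs)
        cv = beacon_cv(times)
        report[ip] = {
            "platform": platforms[ip],
            "hosts": sorted({h for _, h in evs}),
            "contacts": len(evs),
            "times": times,
            "beacon_cv": cv,
            "periodic": cv is not None and cv <= max_cv,
        }
    return report


def devices_per_iso_week(report):
    """Count distinct C&C-contacting clients per (year, ISO week)."""
    weekly = defaultdict(set)
    for ip, info in report.items():
        for ts in info["times"]:
            year, week, _ = ts.isocalendar()
            weekly[(year, week)].add(ip)
    return {wk: len(ips) for wk, ips in weekly.items()}


if __name__ == "__main__":
    rep = find_cnc_contacts(SAMPLE_LOG, CNC_WATCHLIST)
    for ip, info in rep.items():
        flag = "periodic" if info["periodic"] else "sporadic"
        print(ip, info["platform"], info["hosts"], info["contacts"], flag)
    print(devices_per_iso_week(rep))
```

Only the Android handset and the Windows PC are reported; the clean handset never touches the watchlist. The Android device's near-zero coefficient of variation marks its contacts as timer-driven, which is the signal worth alerting on even when the destination is not yet on a watchlist, and the weekly count is the same per-device figure the report uses for its week 10 and 11 numbers.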
But while threats against Android have gotten plenty of headlines of late, the threat of compromised PCs did not lessen during the first half of the year. As it turns out, the notorious SpyEye crimeware kit jumped from number 10 in 2010 to number one on the list of the largest botnets.
“It’s not surprising to see ‘OneStreetTroop,’ a botnet operation utilizing crimeware generated and managed by the popular SpyEye DIY (do-it-yourself) construction set, rise to prominence in the first half of 2011,” according to the report. “The developers behind the SpyEye Builder Kit acquired access to the Zeus Builder source code and have now combined the best of both crimeware development kits into a single commercial package. The malware is now more powerful and capable than ever. After the recent release of a ‘crack’ to version 1.3.45 of the SpyEye developer kit, as first reported by Damballa Labs, we expect to see widespread adoption of SpyEye in 2011 for the purposes of launching additional fraud campaigns.”
Not unexpectedly, the list also demonstrated the prevalence of do-it-yourself crimeware kits. Of the top 10 largest botnets, eight utilize well-known off-the-shelf construction kits, the firm noted.
“Criminal operators continue to hone their craft in 2011 using crimeware that can be repurposed for multiple fraud opportunities, sold or leased to other criminals, and that is now successfully infiltrating the mobile space,” Ollmann said in a prepared statement. “As the arms race rages on between the criminals, their increasingly federated crime-as-a-service ecosystem, and the security professionals tasked with combating them, it has become increasingly important that the defenders obtain advanced knowledge of the existence and behavior of new criminal operators and their network of infected assets.”