The threat associated with mobile malware is expanding. In 2015 alone, Kaspersky uncovered 884,774 new malicious mobile programs and 7,030 new mobile banking Trojans. Mobile malware is growing in sophistication, borrowing deployment and obfuscation techniques from conventional PC malware and reflecting the continuous evolution of the cyber threat landscape. It is almost certain that in some cases this is the result of funding and development support from advanced threat actors.
Mobile devices are a huge part of our daily lives, connecting us to social media, banking, video, gaming apps and online shopping. Devices are also heavily used for mobile working, and have therefore become extremely important to UK business. According to CERT UK, personal mobile devices are often as critical to businesses as corporate devices, with employees using them for work-related activities on corporate networks (likely against corporate security policies).
Attackers follow the data. If sensitive data is being accessed by mobile devices with limited security in place, attackers will seek to exploit any vulnerabilities, and target these devices on a massive scale. It is as simple as that.
Malware has demonstrated its ability to maintain persistence on traditional devices, while at the same time adapting and evolving to be effective at compromising mobile devices. The theory of malware, or self-reproducing code at the very least, can be traced back to 1949 with early experimental code and exploits in the 1970s, says Brian Contos.
Mobile malware is malicious software specifically designed to attack mobile devices, such as phones or tablets. Traditional computer malware can also be repurposed against a target that exposes a mobile interface.
The story of mobile malware begins in 2000 with a mobile virus called Timofonica. In 2004, Cabir made its first appearance targeting Symbian-based devices. In the same year, Qdial and Skulls appeared, with the latter bearing a close resemblance to the older forms of computer malware in the sense that while it was malicious, it was not designed with criminal intent of digital theft or business disruption. By 2005, mobile malware was already moving into the realms of information theft with Pbstealer and Commwarrior, although not to the standard of sophistication of modern threats.
The first ever Trojan for Android devices was discovered in 2010 by Trend Micro. ANDROIDOS_DROIDSMS.A was a Russian SMS fraud app that sent messages to premium-rate numbers. In the same year, another Trojan, detected as ANDROIDOS_DROISNAKE.A, was uncovered masquerading as a game, Tap Snake, which would transmit the GPS location of an infected phone over HTTP; the location could then be queried from another phone using the companion GPS Spy app. The very first malware for iOS-based devices predates both: the Ikee worm, discovered in November 2009, only affected jailbroken iPhones and took advantage of the default root SSH password left in place after jailbreaking to spread to other jailbroken phones.
Fast forward to March 2011, when the largest collection of Trojanised apps yet seen was discovered on the Android Market, including the DroidDream malware, which was capable of gaining root access to the device. Since 2011, more and more Android malware has been discovered performing a range of malicious actions, such as stealing personal information, sending SMS to premium-rate numbers, keylogging, deploying cryptographic ransomware on devices, and even eavesdropping on telephone conversations under the disguise of a Google+ app.
The graph below illustrates the brief history of mobile malware as applied to Android, Blackberry, iOS, Symbian, and cross-platform malware:
Of course, the volume of mobile malware cannot yet be compared to the almost epidemic proportions of PC-based malware. Having said that, we have observed threat actors using multi-platform vectors to distribute their attacks. The example of the Zeus malware family, whose mobile component (ZitMo) was aimed at intercepting SMS banking authentication codes on the victim's phone while the PC component harvested credentials, is pertinent.
There are different types of mobile malware, some less harmful than others. Adware, riskware, and chargeware have been perceived as mobile malware with lower severity compared to spyware and Trojans (primarily banking Trojans).
Adware contains code from an advertising network that collects personal information or engages in intrusive presentation of advertising without providing proper notification. This functionality can include adding shortcuts to the home screen or displaying ads in the notification tray.
Riskware includes code, libraries, or network services that pose a risk to devices due to known vulnerabilities in the code or the low reputation of service providers used by the code. This type of application is not known to be malicious, but may subject devices to more risk than a typical application.
Chargeware will charge a device’s wireless bill for services without providing adequate information about the charges or giving users an opportunity to accept the charges.
Spyware covertly collects information from the device and its user. In its mass-market form it is broadly distributed and its end game is typically enabling spam and/or phishing. The motive here is monetary.
Trojans perform actions other than those advertised in order to carry out malicious activity, such as fraudulently charging a device's wireless bill or stealing banking information from the device.
Historically, mobile malware targeted consumers rather than companies. This is no longer the case. Even though the end device continues to be the target, it may be used as a pivot to gain access to a corporate network. Employees use mobile devices and PCs in tandem, and it should be expected that threat actors do the same. It is wise, therefore, for security specialists to incorporate mobile devices into the cyber kill chain, especially in the first stages of reconnaissance, weaponisation and delivery, where a compromised phone can serve as a means of harvesting user credentials and pivoting into corporate networks.
Mobile malware is used by a number of threat actors with diverse capabilities and motivations. However, the most prominent threat actor groups using mobile malware are believed to be organised criminal gangs and APT groups.
Organised Criminal Gangs (OCGs)
The increased sophistication and evolution of mobile malware suggests that organised criminal groups are investing heavily in this area. Mobile cybercrime underground markets are thriving, with mobile malware traded as a precious commodity. The offerings available on the mobile cybercrime underground, where the starting price is estimated at $5,000, cover the full spectrum of the cybercrime ecosystem.
The capability of OCGs varies depending on their resources, technical or otherwise. The motivation, however, remains the same: profit. OCGs use a wide range of mobile malware to siphon money from the victim accounts; extort their victims; steal PII for sale and even generate money through premium SMS and advertising revenue.
Advanced Persistent Threat groups (APTs)
Mobile malware presents obvious opportunities for Advanced Persistent Threat (APT) groups, state-sponsored/affiliated or not, which continuously explore new attack vectors for their operations. The potential for mobile malware to be exploited in cyber espionage campaigns is illustrated by Smeshapp, used by a Pakistani APT group to spy on Indian military personnel. This is not the only example: Google constantly removes spyware apps from the Google Play store.
APT groups are primarily interested in intellectual property data as well as market sensitive data that is specific to their sectors of interest. Companies that allow their employees to use mobile phones for work purposes should be aware of this threat actor category seeking to obtain intellectual property data by deploying mobile malware. AndroRAT, for example, has the ability to monitor calls and messages, stream sound from the microphone, establish device coordinates, and access files and documents.
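The behaviour classes described on this page (premium-rate SMS sending, interception of SMS banking codes in the ZitMo example, and the microphone/location/contacts access of a RAT such as AndroRAT) all have to be declared in an Android app's manifest as permissions and broadcast receivers, so a first-pass triage can be done statically before any dynamic analysis. The script below is an added example, not code from the original article or from any product it mentions; the permission thresholds and the sample manifests are constructed for illustration and are assumptions, not taken from any real sample.

```python
"""Static triage of an AndroidManifest.xml for the behaviour classes discussed above.

Added example. Thresholds and sample manifests are assumptions constructed for this
illustration; real samples obfuscate but cannot hide declared permissions or receivers.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
P = "android.permission."
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"


def _attr(elem, name):
    """Read an android:-namespaced attribute such as android:name."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def parse_manifest(xml_text):
    """Collect declared permissions and any receiver listening for incoming SMS."""
    root = ET.fromstring(xml_text)
    perms = {_attr(p, "name") for p in root.iter("uses-permission") if _attr(p, "name")}
    sms_receivers = []
    for recv in root.iter("receiver"):
        for flt in recv.iter("intent-filter"):
            actions = {_attr(a, "name") for a in flt.iter("action")}
            if SMS_RECEIVED in actions:
                prio = _attr(flt, "priority")
                sms_receivers.append((_attr(recv, "name"), int(prio) if prio else 0))
    return {"permissions": perms, "sms_receivers": sms_receivers}


def classify(info):
    """Map permission/receiver combinations onto the page's malware categories."""
    perms = info["permissions"]
    findings = []
    if P + "SEND_SMS" in perms:
        findings.append("chargeware/premium-SMS: app can send SMS on its own")
    if (P + "RECEIVE_SMS" in perms or P + "READ_SMS" in perms) and P + "INTERNET" in perms:
        findings.append("sms-interception: reads incoming SMS and has network access "
                        "(ZitMo-style theft of SMS banking codes)")
    for name, prio in info["sms_receivers"]:
        # A high-priority SMS_RECEIVED receiver runs before the stock SMS app; on
        # Android releases before 4.4 it could also abort the broadcast so the
        # victim never saw the one-time code arrive.
        if prio >= 100:
            findings.append("sms-interception: receiver %s handles SMS_RECEIVED at "
                            "priority %d" % (name, prio))
    spy = {P + "RECORD_AUDIO", P + "READ_CONTACTS", P + "ACCESS_FINE_LOCATION",
           P + "READ_CALL_LOG"}
    hits = sorted(h[len(P):] for h in spy & perms)
    if len(hits) >= 3 and P + "INTERNET" in perms:   # threshold is an assumption
        findings.append("spyware/RAT: %s plus INTERNET (AndroRAT-like capability set)"
                        % ", ".join(hits))
    return findings


def triage(xml_text):
    return classify(parse_manifest(xml_text))


# Constructed sample manifests (not real samples).
ZITMO_LIKE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.certificate">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

RAT_LIKE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpaper">
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""

BENIGN_GAME = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.snake">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for label, xml_text in (("zitmo-like", ZITMO_LIKE), ("rat-like", RAT_LIKE),
                            ("benign game", BENIGN_GAME)):
        print(label, "->", triage(xml_text) or ["no findings"])
```

Run against the three constructed manifests, the script reports three findings for the ZitMo-like app (SMS sending, SMS reading with network access, and a priority-999 SMS_RECEIVED receiver), one spyware/RAT finding for the AndroRAT-like permission set, and nothing for the game. The heuristic is a filter for analyst attention, not a verdict: a legitimate SMS client declares the same SMS permissions, so the finding is the combination of capabilities with the app's stated purpose, and on a real APK the binary manifest must first be decoded (for example with apktool or aapt) before it can be parsed as XML.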
The volume of mobile malware is without doubt increasing. Although there are few documented real-world cases where mobile malware has been used against large companies, compared with its PC-based equivalent, it is nevertheless a viable threat that will certainly become more prevalent in the immediate future.
A successful mitigation strategy against mobile cybercrime risks must not only address current malware threats but, more importantly, consider the fluid nature of cybercrime and the connections between the different threat actor groups. Given the rapid pace of evolution and innovation set by cyber criminals, security teams must keep up. Certainly, the first logical step is to restrict the use of personal mobile phones in corporate network environments.