While the amount of malicious software focused on the growing number of mobile devices on the market remains a drop in the bucket next to the amount targeting PCs, attackers are steadily turning the devices in consumers’ pockets into targets.
So far this year, several pieces of malware have popped onto the radar and underscored the growing sophistication of cybercriminals targeting mobile devices. After fielding feedback from security pros, here in no particular order is Dark Reading’s list of the five most dangerous, sophisticated, and prolific pieces of mobile malware that have appeared thus far in 2012.
1. FakeInst SMS Trojan and its variants
“FakeInst disguises itself as popular apps like Instagram, Opera Browser, [and] Skype, and sends SMS messages to premium-rate numbers,” says Jerry Yang, vice president of engineering at mobile security firm TrustGo.
“It is selected because it has been widely infected. There are many variants in the FakeInst family, such as RuWapFraud, Depositmobi, Opfake, and JiFake,” Yang says. “Sixty percent of total Android malware we found belong to the FakeInst family. Geographically, it mainly exists in Russia. There are also samples found from all over the world.”
2. SMSZombie
Also on the list is SMSZombie, which was recently spotted in third-party markets in China and has infected more than 500,000 devices in the past few weeks. The malware works by sending SMS messages to China Mobile’s online payment system and “top-up designated accounts,” Yang explains.
“The amount of payment, frequency, and destination are all controlled by the malware developer,” he says. “It is significant because it takes extra steps to protect itself.”
Once installed, it obtains Device Admin privileges and is very difficult to remove, prompting TrustGo to publish details of a manual removal process on its blog.
“We expect more Android malware will adopt similar techniques to protect themselves,” he says.
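The two traits described for SMSZombie, SMS sending and Device Admin registration, are both declared in an app's manifest, so a defender can triage a decoded AndroidManifest.xml for them before an app is installed. The sketch below is an added example, not code from TrustGo or from the article; the sample manifest, its package and class names, and the risk labels are constructed for illustration.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
SEND_SMS = "android.permission.SEND_SMS"
BIND_ADMIN = "android.permission.BIND_DEVICE_ADMIN"
ADMIN_ENABLED = "android.app.action.DEVICE_ADMIN_ENABLED"

# Constructed sample of a decoded manifest; package and class names are made up.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpaper">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Live Wallpaper">
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

def triage_manifest(xml_text):
    """Report SMS-sending capability and Device Admin receivers in a manifest."""
    root = ET.fromstring(xml_text)
    perms = {p.get(A + "name") for p in root.iter("uses-permission")}
    admin_receivers = []
    for rc in root.iter("receiver"):
        actions = {a.get(A + "name") for a in rc.iter("action")}
        # A Device Admin receiver is guarded by BIND_DEVICE_ADMIN and
        # listens for the DEVICE_ADMIN_ENABLED broadcast.
        if rc.get(A + "permission") == BIND_ADMIN and ADMIN_ENABLED in actions:
            admin_receivers.append(rc.get(A + "name"))
    sends_sms = SEND_SMS in perms
    # Both traits together match the behaviour described for SMSZombie;
    # either one alone is common in legitimate apps (messengers, MDM agents).
    if sends_sms and admin_receivers:
        risk = "high"
    elif sends_sms or admin_receivers:
        risk = "review"
    else:
        risk = "low"
    return {"package": root.get("package"), "sends_sms": sends_sms,
            "admin_receivers": admin_receivers, "risk": risk}

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

An app holding Device Admin rights cannot be uninstalled until the user deactivates it as an administrator, which is why the combination is weighted more heavily than either trait alone.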
3. NotCompatible
Discovered by Lookout Mobile Security in April, NotCompatible is the first piece of mobile malware that used websites as a targeted distribution method, notes Derek Halliday, lead security product manager at Lookout.
“NotCompatible is automatically downloaded when an Android browser visits an infected website,” he says. “The downloaded application is disguised as a security update in an attempt to convince the user to install it.”
If it is successfully installed, NotCompatible can potentially be used to gain access to private networks by turning an infected Android device into a network proxy, and can be used to gain access to protected information or systems, Halliday says.
4. Android.Bmaster
Bundled in with legitimate applications, Android.Bmaster was spotted on a third-party Android app market earlier this year. The majority of the infected victims were Chinese users. Once on the device, the malware swiped sensitive data from the phone, including the Cell ID, location area code, and IMEI (International Mobile Equipment Identity) number, and caused users to send SMS messages to premium numbers.
“Analysis of Android.Bmaster’s command-and-control servers indicates the total number of infected devices connected to the botnet over its entire life span numbered in the hundreds of thousands,” says Kevin Haley, director of Symantec Security Response. “The number of infected devices able to generate revenue on any given day ranged from 10,000 to 30,000, enough to potentially net the botmaster millions of dollars annually if the infection rates are sustained.”
5. LuckyCat
LuckyCat was the name given to a campaign of targeted attacks that struck the aerospace and energy industries in Japan as well as Tibetan activists and others. To broaden their attack, the perpetrators have brought the attack to the Android platform.
Once installed, the application displays a black icon with the text “testService,” and opens a backdoor on the device to steal information.
“Luckycat is the first APT [advanced persistent threat] targeting Android platform,” TrustGo’s Yang says. “It is a Trojan horse for Android devices that opens a back door and steals information on the infected device.”