One million pieces of mobile malware - and counting...

News by Steve Gold

The H1-2014 threats report from F-Secure reveals there has been an increase in online attacks that lock user data and hold it for ransom - even on mobile devices.

In parallel with F-Secure's report, fellow security vendor Avast says this summer has seen the milestone of one million pieces of mobile malware crossed.

Back at F-Secure, during the second quarter of the year, the firm says that 295 new threat families and variants were discovered – 294 on Android and one on Apple iOS. This is up on the first quarter, when 277 threats were logged, 275 of them targeting the Android portable operating system.

The top Android threats in the second quarter were Trojans that either send text messages to premium numbers, or exfiltrate data from a device for remote forwarding.

F-Secure says that the most notable piece of Android malware was the Slocker code, which appeared in June and was/is the first TOR-encrypted ransomware.

Unlike the earlier Koler malware, says the report, the Trojan:Android/Slocker malware actually encrypts image, document and video files on the device.

"Like Koler, it also disables the back button to interfere with the user's control of the device. Slocker variants can communicate with their controlling server either via the Tor anonymising network or SMS messages," says the report.

Over at Avast, meanwhile, Ondrej Vlcek, the firm's chief operating officer, says his research shows that mobile malware is growing exponentially - and is now ten times up on the 100,000 samples seen in its database back in 2011.

Despite this, he says, the security threat posed by mobile malware is still relatively young, with most code displaying a pretty simple structure, even if it is designed to effectively steal people's money.

"Newer mobile malware is, however, adapting and evolving, slowly embracing more deceitful and complex tactics to target users," he says in his analysis of the mobile malware landscape, adding that the focus of mobile malware has always been on monetisation, meaning that even early mobile malware posed real-life threats to its victims, stealing money from them.

On top of this, he explained, even though malware targeting smartphones and tablets is still young, it is developing much faster than PC malware did in its initial years.

Against this backdrop, Vlcek predicts that, with the emergence of new technologies, malware authors will find new ways of taking advantage of them.

For example, he says, as the use of new payment methods like Near Field Payment increases, he expects hackers will change the way they go after money.


Rob Bamforth, Quocirca's principal analyst for business communications, says that one of the mobile malware challenges facing companies is that the malware exploits gaps in the security of the employee in a typical business.

"The problem is that, even on a corporate device, employees want to download apps. This creates holes in the enterprise," he said, adding that this has created the need for multiple layers of security that cover mobile devices.

Bamforth went on to say that it is interesting to note that Avast confirms that the mischief seen with early mobile malware has now been superseded by cybercriminals tapping mobile malware to generate money through various means. This, he says, highlights the speed with which malware has developed on mobile devices.

Tony Kenyon, technical director for EMEA and Latin America with A10 Networks, said we are rapidly moving to a world where everything is done on the move - personal banking, shopping, image capture, contacts, email and blogging - and if you add location based services, identity, cloud storage, credit card use, and virtual money to the mix it's easy to see just how attractive a target the mobile phone has become for hackers.

"Since Android continues to be the firm favourite for mobile hackers the attack surface is becoming ever more focussed - why bother writing malware for multiple platforms when almost everything we do is converging at the smartphone? As things stand this trend is only going in one direction," he said.

As a result, Kenyon says we - as a security industry - need to think more holistically about the shift toward mobile for virtually everything we do.

"This includes how to protect users at a device level, the mobile operating system, the transaction level, securing cloud storage, the policing of applications and the traffic passing over backend service provider networks, as well as increasing interaction with the Internet of Things. Achieving all this whilst keeping mobiles simple to use is going to be no easy task," he explained.


Mike McLaughlin, a senior pen tester with First Base Technologies, said that corporate clients are starting to wake up to the realisation that mobile pen testing now needs to form part of their pen testing processes.

This stems from the rising usage of mobile devices in the workplace, he says, adding that many companies simply buy their staff an iPad or an Android device, give it to the employee and forget about the need for security.

"The result is that mobile devices are protected by the company VPN, but no thought is given to the data that is actually stored on the device itself. Then there is the additional problem that people do not treat text messages in the same way that they treat emails from a security perspective," he explained.

McLaughlin went on to say that, because of this, he has seen users clicking on links in text messages without a second thought, even when they are fully aware of the security issues that emails now pose.

