2019 and Beyond
The 2018 mobile landscape was rife with threats that jumped on bandwagons and hedged bets. Cryptocurrency-mining malware did both and became more prevalent than mobile ransomware. Its surge had various dynamics at play: security improvements in Android that made it tougher to crack; volatility of cryptocurrency’s real-world value; and alternative sources of income like click fraud and banking malware. Mobile ransomware is no less of a threat, however. Mobile malware with file encryption modules, for instance, can now also remotely control an infected device’s screen.
Banking trojans, on the other hand, are now a cybercriminal staple and no longer a niche threat. In fact, it doubled in pervasiveness, broadened tactics and techniques, and diversified beyond information theft. In terms of impact, mobile advertising fraud was the year's most egregious, causing an estimated US$4.9 billion in losses in 2018. Targeted attacks also increased, many of which are sustained, multiplatform-by-design cyberespionage campaigns. The learning curve still isn’t steep, however, as many of these attacks relied on publicly available or retail tools that were easily modified.
Many of the attacks and malware we saw exploited old security and design flaws despite disclosure of new, unique — and sometimes, zero-day — vulnerabilities. We looked back at 2018’s mobile threat landscape to see the possible threats that lie ahead, to help users and organizations proactively defend against them.
Mobile ransomware decreased in prevalence.
Trend Micro Mobile App Reputation Service (MARS) sourced a total of 112,965 unique mobile ransomware samples. It’s nearly a 76-percent decrease from 2017, when it was the most pervasive. Security improvements in Android 5 (Lollipop), added to curb the threat, could have caused the decrease in mobile ransomware. These improvements include features that restrict the abuse of application programming interfaces (APIs) to hijack processes and activities, require runtime permissions, and enhance the PIN reset process, among others. The apparent ease and quick money-grab schemes of banking trojans or cryptocurrency-mining malware could have also affected the cybercriminals’ malware of choice. The unpredictability of cryptocurrency’s real-world value also seemed to have affected the way cybercriminals demand ransom (i.e., payment options).
Mobile ransomware’s decreased prevalence does not make them less of a threat. Some of the simple screen lockers, which made up the majority of last year’s mobile ransomware, evolved into file-encrypting malware. Abusing Android’s accessibility features also allowed others to hijack an infected device’s screen or even remotely control it.
Comparison of unique samples of mobile ransomware Trend Micro sourced in 2016, 2017, and 2018
Country distribution of ransomware detections in 2018
Mobile cryptocurrency-mining malware rose by 450%.
The popularity of cryptocurrencies — and the technology that make them work — drew more cybercriminal attention. In fact, the unique samples of mobile cryptocurrency-mining malware Trend Micro MARS sourced in 2018 increased by 450 percent.
Comparison of unique samples of mobile cryptocurrency-mining malware Trend Micro MARS sourced in 2017 and 2018
Country distribution of mobile cryptocurrency-mining malware in 2018
While it's difficult to turn a profit from a single device, cybercriminals could earn a lot by pooling multitudes of infected devices. In February, the ADB.Miner botnet emerged, affecting Android-based internet-of-things (IoT) devices such as smart TVs, routers, and streaming boxes. It exploits open/exposed TCP port 5555 on devices, and delivers a Monero-mining worm. HiddenMiner, uncovered in March, abused the device administrator feature to stay out of the user’s sight. It has no switch or controller, and could persistently steal computing power until it bricks the device. Many potentially unwanted applications (PUAs) and adware also turned into cryptocurrency-mining apps. To further monetize their applications, some even have software development kits (SDKs) that mine for Monero directly instead of just displaying ads.
The allure of cryptocurrency mining’s lucrativeness also made it a social engineering lure. Cybercriminals masqueraded their applications as legitimate cryptocurrency wallet apps (to store, send, or receive cryptocurrency), but instead stole its contents. Apps were also embedded with code that could track changes in the device’s clipboard content. Once a digital wallet of interest is keyed in, it is copied then replaced with an attacker-owned one.
Old and known vulnerabilities and exploits in Android are still perennial problems.
Android 9 (Pie), released last August 2018, introduced several mechanisms to further mitigate security risks. The StrongBox Keymaster, for instance, protects devices against exploits that take advantage of framework vulnerabilities such as side-channel attacks. The CALL_LOG permission group provides control and visibility into applications accessing information on calls (i.e., phone numbers, call logs). Google also hardened security features that help defend against vulnerability exploits in applications.
Despite these added features, old and known vulnerabilities were still a perennial problem. Dirty COW (CVE-2016-5195) and iovyroot (CVE-2015-1805) were significantly used by malicious applications to gain root access to the device. In the fourth quarter of 2018, there was a marked increase in malicious applications exploiting the Janus vulnerability (CVE-2017-13156), which can let attackers overwrite and modify installed applications.
Detections of unique samples that exploit Dirty COW, Iovyroot, and Janus in 2018
Also of note was the RAMpage attack, which exploits a vulnerability (CVE-2018-9442) to gain unfettered access to compromised devices. RAMPage takes advantage of Rowhammer, a hardware-based issue in the dynamic random access memory (DRAM) chips in Android devices that can enable hackers to gain read-and-write privileges to the device’s physical memory
Last year was also encumbered with data leak and privilege escalation flaws. The Man-in-The-Disk attack, for instance, can let hackers hijack files stored in the device’s external storage (i.e., SD card) used by other applications. We also found that the Yandex Disk application (version 3.43) had an issue where its content provider (a mechanism that helps manage data access and sharing among applications) is exported without permission restrictions and validation of uniform resource identifier (URI), that is, a path to a file or resource.
There were also vulnerabilities that were notable for their attack vectors. An example is the permission-based vulnerability (CVE-2018-9375) in UserDictionaryProvider, a content provider that stores the user’s custom/personal dictionary, which, when exploited successfully, can let hackers steal its contents. Another is CVE-2018-9445, a security flaw in e2fsprogs (utilities for managing file systems used in the kernel) that can let hackers gain access to data stored on the device — even if it’s locked — by tricking users into connecting an especially crafted USB device to the phone. Google’s Project Zero’s Jann Horn also found that CVE-2018-9445 can be further exploited to escalate privileges (using a Raspberry Zero-based device and abusing kernel invoke) due to a vulnerability in the SEPolicy (CVE-2018-9488), which are policies set for applications and services installed in the device.
With these, we expect cybercriminals and threat actors to shift to socially engineered, application-level attacks (i.e., man-in-the-disk). Android 9’s security improvements can make it more difficult to successfully compromise a device or exploit vulnerabilities in its framework components. APK Signature Scheme v3, for instance, mitigates further exposure of data. https default prevents less secure HTTP traffic in applications, while certain admin policies are now marked as deprecated when invoked by the device administrator. File and metadata encryption were also updated in Android 9 to better support adoptable storage (turning removable SD cards into a permanent part of the device) and full-disk encryption.
Android fragmentation can exacerbate vulnerabilities and exploits. Different, modified or customized — and sometimes outdated — versions of Android OS are preinstalled on smartphones, making old and known Android vulnerabilities a persistent problem. For instance, Janus still poses a risk as many devices are still running earlier versions of Android OS. Android 7 (Nougat) and earlier versions don’t support v2 and v3 (v2+) APK signature schemes, which are the more secure mechanisms for developers to update their applications. This highlights the importance of implementing security by design in mobile application development and ensuring that original equipment and design manufacturers (OEMs and ODMs) emphasize privacy and security in their products.
Mobile banking malware increased by 98%.
At the height of their operations, a hacker arrested last year reportedly used an Android banking trojan to steal between $1,500 and $8,000 from victims on a daily basis. With over 2 billion users estimated to access banking services through their mobile devices, cybercriminals see them as a data trove they can monetize. This is illustrated by 214,323 unique samples of mobile banking trojans Trend Micro MARS sourced last year — almost twice the number of mobile banking trojans in 2017.
Unlike in 2016, when mobile banking malware affected Russian-speaking users the most, Japanese-speaking users took the brunt in 2018 due to the prevalence of FakeSpy and XLoader. FakeSpy replaces legitimate banking apps installed on the device with malicious versions and steals more than just account credentials. XLoader uses SMiShing and DNS hijacking (overwriting the router’s DNS settings to divert internet traffic to attacker-specified domains) for propagation. Anubis combines information theft (i.e., keylogging) with ransomware-like routines. For example, Anubis abuses the Android Accessibility service to log keystrokes, take screenshots of keypresses, and encrypt files stored in the device’s external storage. Anubis can also delete the device’s contact list — a behavior unusually observed in mobile banking malware.
Comparison of unique mobile banking trojans Trend Micro sourced in 2016, 2017, and 2018
Country distribution of mobile banking trojans’ impact in 2018
Cybercriminals used a diverse range of tactics and techniques. Some were technical, intercepting and redirecting text messages to bypass SMS-based authentication and steal call logs. Others went the well-trodden path of impersonating legitimate apps and using social engineering to lure users into installing cybercriminal versions of banking apps.
Overlay techniques (superimposing a fake login page to a banking app) were still prominent in 2018 despite security improvements in Android 7 (Nougat) and 8 (Oreo). ExoBot 2.5, Anubis II, and MysteryBot are just some of the threats that actively work around Android 7 and 8’s mitigations against overlay attacks. Of late, Android’s UsageStatsManager (PACKAGE_USAGE_STATS, which provides access to device usage history) and Accessibility Service are being abused to execute overlay attacks. As such, we expect mobile banking threats down the line to move towards automating their abuse — from enabling these legitimate services to automating the permissions, activating device administrator, and monitoring the device’s activities and processes.
Jailbreaking iOS devices gained traction again.
With the release of iPhone XS and its new A12 bionic chip, Apple introduced a set of instructions that use a memory protection technique called Pointer Authentication Codes (PAC), which made jailbreaking more difficult. However, security researchers (KeenLab, Vulcan) successfully did so on iOS 12, with other researchers (e.g. PanGu, Yalu) disclosing that their jailbreak tools bypassed PAC’s mitigations. A jailbreak project on iOS 11.0 – 11.1.2 was also open sourced and included a full exploit chain that was based on a previously disclosed proof-of-concept (PoC) code.
To further illustrate: Trend Micro MARS sourced 1,205 unique samples of iOS-related threats in 2018. Many of these were PUAs and threats that are wrappers (IOS_JailbreakTool.A) of publicly available and open-source jailbreak tools meant for acquiring high privileges in the device. There were also considerable detections for backdoored versions of an ad library (iBackDoor.A) that can potentially let attackers access sensitive data.
Distribution of iOS PUAs and malware Trend Micro MARS detected in 2018
Note: Others include the families IOS_XcodeGhost.A, IOS_AceDeceiver.A, and IOS_TinyV.A
In iOS 11, there’s a feature that lets the camera scan QR codes then use Safari to access the related website. However, this could be abused by attackers by forging the malicious website’s name embedded in the QR code with a popular and legitimate one.
We also saw a vulnerability in the trust process of enterprise certificates that affects iOS 11 and earlier versions. This can let attackers bypass the trust process and make enterprise certificate-signed applications run or be used like applications installed from App Store. We also uncovered vulnerabilities (CVE-2018-4413, CVE-2018-4447, CVE-2018-4435) that can let hackers execute arbitrary code with kernel privileges. There were also vulnerabilities (i.e., CVE-2018-4241) that can be used to jailbreak iOS devices.
Apple’s walled-garden approach and proactive strategy of patching jailbreaking-related vulnerabilities help mitigate exploits in iOS and its system components. We thus expect iOS threats to target enterprise app stores and mobile device management (MDM) software that administer iOS devices and distribute in-house applications. They can be seen as easier attack vectors compared to the Apple’s own app store and security measures. We also foresee more threats that abuse publicly available projects/repositories or tools to jailbreak iOS devices.
Mobile cyberespionage campaigns diversified.
The mobile platform was no longer an afterthought for cyberespionage campaigns in 2018. Many were multiplatform by design, some of which are still active. They abuse social media and use watering hole techniques to steal data and spy on their targets.
An example is PoriewSpy, whose operators are related to Operation C-Major, an information theft campaign uncovered in 2016. Like Operation C-Major that used an off-the-rack spying app, PoriewSpy’s operators developed their apps by repurposing and modifying known remote access trojans DroidJack and SandroRAT as well as the “Android Image Viewer” open-source project. PoriewSpy uses pornography as its social engineering lure and turns an infected Android device into an audio recorder while stealing its contacts, SMSs, call logs, and location information.
Another is Confucius, a cyberespionage campaign on Windows and Android platforms. It uses romance scams and adult content to steal sensitive data. Confucius is also related to other multiplatform cyberespionage campaigns Urpage, Bahamut, and Patchwork.
The mobile cyberespionage attacks in 2018 weren’t incidental or one-off cases, but rather thought-out and sustained. Skygofree and ZooPark, for instance, monitored the activities of and stole data from Android devices. The Stealth Mango and Tangelo campaigns used phishing to steal sensitive data on compromised Android and iOS devices. With the wealth of information that threat actors can steal from mobile devices, we expect more cyberespionage-related threats developed for multiple mobile operating systems and platforms.
Massive mobile ad fraud campaigns cost hefty financial losses.
With mobile advertising spending projected to be at over US$75 billion in 2018, cybercriminals would want to cash in on it, too. And indeed, 2018 saw mobile ad fraud’s significant real-life impact. While the industry already has countermeasures against it, relatively unique techniques were also employed to circumvent them. One of these is Bundle ID spoofing, first reported by Pixelate in June 2018. In October, a massive and intricate digital advertising fraud scheme was uncovered, involving over 125 Android applications and websites.
Trend Micro MARS, which detects and analyzes SDKs for fraud and malware, identified 1,088 additional Android applications containing SDKs used in the scheme. Of these apps, 889 were in Google Play (all of which have since been taken down), but they were comprised of different versions of 128 unique apps. The rest were in third-party app marketplaces. On Google Play, the apps’ combined installs were at 120,293,130, involving 54 developers. One app alone netted 10 million downloads. These were touted as educational (books, news, weather information), entertainment, leisure (games), and optimization apps.
The scheme reported in June 2018 entails buying popular and legitimate apps from their developers and transferring them to fraudulent or shell companies. Real, human usage is tracked, monitored, and then programmed into bots that mimic the actions. The bots are loaded on servers with dedicated software that lets the bots generate and direct traffic to these specific applications. Combining bot-generated traffic with real-human usage enables them to evade anti-fraud detection while also providing additional revenue through ad views.
Fraudsters also pull off this scam by spoofing apps. A fraudster-owned application is disguised for another (usually a more popular app), and notifies the ad platform by displaying the spoofed app’s unique ID. This scheme reportedly earned fraudsters US$75 million per year in fake ad revenue from apps installed 115 million times on Android devices. Google and its partners also incurred losses of around US$10 million.
Another type of mobile ad fraud, reported on November 26, 2018 by analytics firm Kochava, involves Android apps that used click injection. It entails creating fake clicks and monetizing them even when an ad isn’t displayed. In the same month we uncovered fake voice apps on Google Play that carry out automated functions such as pop-ups of fake surveys and ad clicks.
In this scheme, the app asks unsuspecting users to allow the apps to detect when new apps are installed or when other apps are launched. As soon as a new application is downloaded, the fraudulent app will search for its bounty programs in its ad network, then create clicks containing relevant information where the incentives can be credited.
The scam also involves embedding click injection code to applications that make use of the keyboard. It could then snoop on applications that users search for in Google Play, look for their ad incentive programs, then carry out the ad-clicking routine. The fraudulent app also displays ads of applications with active ad incentives.
Mobile ad fraud can involve fake impressions, clicks, or installs, and employ various techniques. Some use invisible pixels and automatic redirections to simulate ad views. Others replicate touch events such as creating fake clicks on cost-per-click ads, or surreptitiously installing other applications. And unlike a typical mobile malware that expressly asks users for permissions, mobile ad fraud can be hidden even from the advertisers themselves.
What can we expect in mobile threats in 2019 and beyond?
Total number of mobile threats blocked by Trend Micro in 2017 and 2018
Country distribution of mobile threats detected by Trend Micro MARS in 2018
Total number of malicious Android applications sourced and analyzed by Trend Micro MARS
The data from 2018 shows how the real-world value of cryptocurrencies affects the development and prevalence of cryptocurrency-mining malware and ransomware. For example, Monero’s value peaked at US$480 at the start of 2018, steadied by June, and gradually dropped to US$45 by the year’s end. The same could be said for mobile ransomware: When the cryptocurrency’s real-world value is low, it's not used as much as a malware target or payment option for victims.
Mobile banking trojans, on the other hand, will only continue to thrive, and even evolve with automated routines. We’ve already seen the telltale signs this year. Some already use code obfuscation and encryption mechanisms via packer technologies to evade detection and analysis. They are also increasingly using deployment mechanisms that automatically generate completely new samples for each attack vector that exists on a user’s mobile device. In fact, this is one of the reasons for their marked increase in 2018.
On the other hand, cyberespionage campaigns — known for mounting sustained and well-resourced attacks — will take simpler routes. The barriers to entry lowered as open-source tools and off-the-rack spyware are readily available. This apparent ease and convenience will drive the increase of mobile cyberespionage attacks. But with technical know-how no longer a particular requirement, many of these attacks could be easier to monitor and research.
Data privacy regulations like the EU General Data Protection Regulation (GDPR), backed up by heightened consumer awareness about data breaches, will prod SDK providers into rethinking their SDK or app monetization strategies. An SDK provider illicitly selling collected data, for instance, could shift tactics and engage in click fraud instead to reap the same benefits.
Newly developed apps commonly integrate various SDKs, but developers often don’t have the time, resources, or capability to audit them. The integration of additional SDKs (which are also updated themselves) to applications to enrich user experience could be complicated or even uncontrolled, exposing them to security risks. Trend Micro’s Mobile App Reputation Service provides users, organizations, and developers/programmers with application security scanning and resource consumption assessments.
Despite the evolving techniques used by cybercriminals, phishing is still indispensable — from the classic email phishing to SMiShing, voice (vishing), and social media phishing. In fact, 48 percent of phishing attacks reportedly occur on mobile devices, some of which can even bypass HTTPS and SSL as well as and two-factor authentication. The prevalence of XLoader and FakeSpy are an example. Hackers and cybercriminals only need to exploit a vulnerability for which there is no foolproof patch: the human psyche. This highlights the human element’s significance in securing mobile devices, especially those that store and process corporate assets and data.
In today’s era of data breaches where stolen information is currency, app developers as well as product manufacturers should adopt security by design: incorporating privacy and security into an application's and device’s life cycles. Likewise, users should practice security hygiene, while businesses must balance flexibility and security in their Bring-Your-Own-Device (BYOD) policies.
End users and enterprises can also benefit from multilayered mobile security solutions such as Trend Micro™ Mobile Security for Android™ (available on Google Play), and Trend Micro™ Mobile Security for Apple devices. Trend Micro™ Mobile Security for Enterprise provides device, compliance and application management, data protection, and configuration provisioning, as well as protects devices from attacks that exploit vulnerabilities, preventing unauthorized access to apps as well as detecting and blocking malware and fraudulent websites.
Trend Micro’s Mobile App Reputation Service (MARS) covers Android and iOS threats using leading sandbox and machine learning technologies. It can protect users against malware, zero-day and known exploits, privacy leaks, and application vulnerabilities.
Data on the mobile threats detected and blocked by Trend Micro in 2018 is in this appendix.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.