The Mobile Landscape Roundup: 1H 2014

2014 has been quite the storied year for the mobile threat landscape, and it isn’t even over. From mobile malware reaching the daunting milestone of 2 million to being an accessory to breaking online banking security features, the mobile platform has certainly taken a pounding from cybercriminals – and it doesn’t look like it's going to be stopping anytime soon. Read on to learn more about the most notable events from the first half of 2014, as far as mobile device security is concerned.  
Two Million and Counting

 


Figure 1. Mobile Malware and High-Risk App Total Count

 
Back in March, our on-going surveillance on mobile malware alerted us of a milestone:  the combined amount of mobile malware and high-risk apps has reached two million unique samples. This happened within six months after the number previously reached 1 million. Not only that, this means that mobile malware has effectively outstripped PC malware in growth entirely – as the latter took 22 years to reach the same milestone that the former reached in half the time, according to statistics derived from AV-Test’s Malware Repository.
 

 


Figure 2. PC and Mobile Malware Growth Comparison

 
This shows that the problem of mobile malware will only continue to get bigger. Mobile devices continue to enjoy mainstream popularity, with more than 1.8 billion handsets sold last year. Mobile subscriptions worldwide have also reached nearly 7 billion users globally – and while that does not directly translate to mobile device users, it still provides cybercriminals with a large user base to try and take advantage of.
 
We've also been seeing more types of mobile malware sprouting up, each one either sporting new malicious routines or new behavior. This shows that mobile threats continue to evolve as its numbers continue to rise. It's also proof that cybercriminals continue to pound mobile device users with their malicious creations. 
 
Analyzing the statistics from Mobile App Reputation Service, we can also see that mobile malware activity is particularly strong in Asia and the Middle East. See below for the chart depicting the top 10 countries with the most malicious mobile app downloads by percentage.
 

 


Figure 3. Top 10 Malicious Mobile App Downloads for 1H 2014

 
Israel gains the dubious honor of being at the top of the list, with 6.16% of all apps downloaded that have been scanned by our Mobile App Reputation Service detected to be malicious. Vietnam comes second, with 2.82%. China, South Korea and Angola follow close behind with 1.83%, 1.77% and 1.43%. A reason for this is that app piracy has been proven to be more prevalent in the countries listed, and as such the risk for malware infection increases proportionally. Vietnam in particular is notorious for third-party download sites that sport ‘free’ or ‘cracked’ versions of popular apps.
 
Interestingly, countries with high mobile device user populations such as the US and Japan did not make this list. This may be due to the fact that users from those territories are heavily dependent on first-party app download sites, and that their huge app download numbers are making the malicious app download numbers quite small by comparison – less than 1% (0.12% for US, 0.02% for Japan, 0.1% for Australia/New Zealand).
 
We also found that for the first half of 2014, adware retained its top spot over all other types in terms of threat type distribution, with 44.41%. Premium Service Abusers rank second with 29.96%, and Data Stealers/Info Theft types take third. 

 


Figure 4. Top Threat Type Distribution for 1H 2014


Meanwhile, the top malware and adware families for the first half of 2014 are the OPFAKE family and the GOYEAR family, with 11.22% and 41.14% of the total malware/adware numbers. OPFAKE is a family of Premium Service Abusers that is usually presented as fake apps, while GOYEAR is a family of malicious/legitimate/repackaged apps that are coded to display aggressive advertisements.
 

 


Figure 5. Top Malware Families for 1H 2014



 


Figure 6. Top Adware Families for 1H 2014

 
Malware Evolution
 
We mentioned mobile malware evolving to new types. Here are some of the most notable types that we’ve found:
  • Coin miners – March saw the discovery of the ANDROIDOS_KAGECOIN malware family that had cryptocurrency mining capabilities for mining Bitcoin, Dogecoin and Litecoin. Variants came in the form of repackaged popular apps that, when installed, turned the infected mobile device into a coin miner. 
  • ‘Deep Web’ apps – ANDROIDOS_TORBOT.A, a malicious app that intercept SMS messages and make calls on the mobile device it infects, has also been found to be the first malware to use TOR to conceal its malicious activities. 
  • Ransomware – Late May saw ransomware jumping over to mobile devices, with the discovery of ANDROIDOS_LOCKER.A. It locks users out of their devices by opening a window large enough that it blocks the phone’s UI entirely, preventing the user access as well as preventing itself from being uninstalled. A few weeks later, another type of ransomware was discovered with TOR stealth capabilities.
  • Banking malware – In late July, it was discovered that cybercriminals have found another way to crack two-factor authentication on mobile devices. In a malware campaign we dubbed Emmental, cybercriminals countered this particular security measure through a fake banking app that intercepts 2FA messages from European banks. What’s unique here is that we were able to follow and track every step of this malicious campaign, the first of which involved a malicious spam attachment that modified the affected system’s DNS settings.

Increasing Vulnerabilities 
 
Vulnerabilities that affected Android OS and Android apps were also put in the spotlight the first half of 2014. Notable examples include:
  • Android Custom Permission Vulnerability – a vulnerability that affects how Android OS handles customized permissions was discovered in late March. The weakness lies in how a malicious app could be able to steal protected information from a legitimate app if the former manages to define a specific custom permission before the latter. This could be used to steal financial information from online shopping apps, or reveal browsing/in-app purchase history.
  • Android System Crash Vulnerability – Also found in March, a vulnerability in Google Bouncer™’s infrastructure (which also crosses over with Android OS versions 4.0 and above) resulted in mobile devices being trapped in a booting loop, rendering them useless.  While this can be alleviated by resetting the mobile device to factory settings, it can result in a loss of user data.
  • Heartbleed Vulnerability – When news of the OpenSSL Heartbleed bug broke out in April, users were shocked to discover that their favorite websites could have easily been mined for critical user information easily and stealthily. A few days later, it was also discovered that some mobile apps were also affected by this vulnerability, as their in-app purchase menus also led to websites which could have been affected by Heartbleed. 
  • iOS “Goto Fail” Vulnerability – a vulnerability involving the Secure Sockets Layer (SSL) suite in iOS version 7, it had the potential to allow cybercriminals to eavesdrop and hijack a session taking place on a vulnerable mobile device connected to a shared network. This has already been patched.
Late June also saw Google change its policy on how app permissions were handled. Instead of having the user approve each new permission needed by an app, that new permission is pre-approved IF it belongs to the same group of permissions that a user had already approved.  While not exactly a vulnerability, such a change in the handling of permissions can be abused to grant malicious apps permissions that would allow them to steal personal information.

Socially-Engineered 
 
Big sporting events and popular apps did not escape the attention of cybercriminals during this half of 2014. The biggest examples of these are the 2014 FIFA World Cup, and the worldwide gaming app phenomenon Flappy Bird. 
 
Cybercriminals took advantage of the popularity of both through numerous fake malicious apps and phishing pages, most notable of which is theANDROIDSMS_SMSSTEALER.HBT mobile malware family that attacked World Cup fans. Its variants disguised themselves  as official FIFA 2014 game apps, and once installed, allowed cybercriminals to intercept SMS messages and connect to a C&C server to listen for and execute remote commands.
 
In the case of Flappy Bird, cybercriminals stormed the Internet with fake malicious copies once its popularity reached a fever pitch, peaking when its creator took the game app down due to personal issues. A single third-party store even had 500 variants of such fake malicious apps.

Lessons Learned For The Next Half
 
The first half of 2014 has certainly been a busy one for the mobile threat landscape, with both expected (socially-engineered threats) and unexpected (vulnerabilities) attacks coming to the fore.  We fully expect things to continue as they are, and we’ll be here to help users and businesses protect themselves. Proof of this comes even at the heels of this report, with the discovery of the Android FakeID vulnerability by BlueBox Labs. This vulnerability may allow malicious apps to impersonate legitimate ones.
 
While there's no way to accurately predict what may come for the latter half of 2014 – and what comes after mobile malware reaches three million samples - what users and organizations can do is to protect themselves from what’s already out there, and keep up-to-date with further developments as they arrive. They must also be aware that mobile device attacks can also spread to other platforms and we may see more of this happening.
 
Mobile security solutions, mobile usage guidelines, threat information and education – all of these must be applied for a safer and more secure digital mobile life. 
HIDE

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.