New Symantec Research: The Motivations of Recent Android Malware

For years now, we in the cyber security industry have been saying an explosion of mobile malware is just around the corner. Beginning in earnest this year, we have indeed observed a marked increase in threats targeting mobile devices – particularly the Android platform. However, it’s probably not accurate to say the expected explosion has in fact occurred. The reality is that cybercriminals are still very much in the exploratory phase of figuring out how to monetize the exploitation of mobile devices. This is the topic of Symantec’s latest research. You can read the whitepaper in its entirety here.

Above all else, our analysis highlights how most current efforts to monetize mobile malware have only a low revenue-per-infection ratio. This has severely limited the return on investment achievable by attackers. It also offers detailed insight into the top current mobile malware monetization schemes observed by Symantec, including how each works and examples of the malware presently being used to carry them out. These schemes are:

  • Premium-rate number billing scams
  • Spyware
  • Search engine poisoning
  • Pay-per-click scams
  • Pay-per-install schemes
  • Adware
  • Stealing mobile transaction authentica¬tion numbers (mTAN)

However, the research also points out that the currently struggling revenue-per-infection ratio is primed to improve. The trigger will likely be advances in mobile payment-type technology and the widespread adoption of using mobile devices for both payment and accepting payment. The key is that these applications rely on devices to transmit financial information —such as mobile banking credentials—backed by real monetary funds. We’ve learned in the PC world just how lucrative the exploitation and sale of this kind of information can be for enterprising cyber criminals.

Many vendors are now using mobile devices such as smartphones and tablets as point-of-sale devices.  For example, a farmer’s market vendor or a taxi driver may now swipe your credit card through their personal smartphone rather than a dedicated point-of-sale device. Alternatively, a big box retailer may replace their existing point-of-sale devices with well known smartphones or tablets. A malicious attacker who has infected these devices, which is likely easier than infecting existing point-of-sale devices, could potentially skim every credit card transaction.

Additional potential revenue-generating schemes likely to be seen in the near future are discussed as well. These include:

  • Selling stolen International Mobile Equipment Identity (IMEI) numbers for use on previously blocked or counterfeit phones.
  • Peddling fake mobile security products—another tactic that has been highly successful in the PC realm.

The paper surmises that only if the current monetization schemes, and those likely to be seen in the near future, succeed will attack¬ers continue to invest in the creation of Android malware.

Whitepaper: Motivations of Recent Android Malware