The Future of Mobile Malware


Mobile World Congress is set to take place this year between February 24 and 27. The event promises to showcase smartphone and tablet innovations that will become a reality over the next 12 months. However, as mobile manufacturers and app developers have upped their game each year, so too have malware authors. Symantec discovered an average of 272 new malware variants and five new malware families per month targeting the Android mobile operating system in 2013. These threats have taken aim at mobile devices in several ways, such as by attempting to steal personal and financial information, track users, send premium rate SMS messages, and display intrusive adware. We have seen some notable threats that could pave the way for what’s next in mobile malware:

More aggressive financial Android threats
Consumers have been increasingly turning to their smartphones and tablets in order to do their online banking or shopping. According to a recent Pew research study, 51 percent of US adults bank online and 35 percent use their mobile phones to do so. Young people are leading the mobile banking trend, suggesting that this could become more widespread as time goes on.

Along with accessing banking apps, mobile devices can be used for two-factor authentication (2FA) processes. Once the user tries to log into their online bank account on a computer, a code gets sent to their mobile device, which they can enter on the banking site to verify their identity.

Attackers have caught onto these methods and have developed Android malware to steal these 2FA codes. Threats such as Android.Hesperbot and Android.Perkel intercept SMS messages with 2FA codes and send them directly to attackers. They can also either steal other banking credentials or work with other computer-based threats to compromise victims’ accounts.

These threats could become more prevalent in the next few years as the concept of the mobile wallet catches on. Though the idea of paying for goods in physical stores with a mobile device hasn’t become mainstream yet, it will surely be an avenue that attackers will be keeping an eye on.

Increasing stealth – Android bootkits
Bootkits are typically used in advanced threats that target Windows computers. These threats operate deep within the operating system, usually infecting the computer’s startup code, such as the Master Boot Record, allowing the malware to execute before the operating system starts up. These forms of threats let an attacker maintain persistence on the compromised computer and hide certain processes from detection. As a result, bootkits can be tricky to deal with, as their components are protected by rootkits or other stealth features. Symantec offers Symantec Power Eraser, Norton Power Eraser, or Norton Bootable Recovery Tool to remove these types of threats on computers.

Recently, a bootkit threat, detected as Android.Gooboot, has been discovered targeting Android devices. The bootkit modifies the Android device’s boot partition and booting script, allowing it to launch while the operating system is starting up. It’s a particularly difficult threat to remove, though the attacker needs physical access to the device in order to infect it in the first place. Along with this, Android.Gooboot does not carry any exploits nor does it elevate privileges. That said, it could be a sign of things to come on the Android malware landscape, as attackers become more aggressive in attempting to infect smartphones. For now, users should be wary of buying rooted phones.

New routes onto the handset
Android malware typically relies on tricking users into installing a malicious application from an Android marketplace. Increased screening of applications is making it more difficult for attackers to get their malicious apps onto the marketplace. Attackers are instead starting to use desktop computers as a vehicle onto Android handsets, leading to the birth of hybrid threats.

A recent threat, which we detect as Trojan.Droidpak, first arrives on the Windows PC and eventually leads to the download of a malicious Android application package file (APK) onto the compromised computer. If the user connects any Android device to the compromised computer, the Trojan will attempt to install the malicious APK, detected as Android.Fakebank.B, onto the mobile device. If installation is successful, the APK looks for particular Korean banking applications and tries to convince users to install malicious versions instead.

To avoid this threat, users should be wary of connecting their mobile device to untrustworthy desktop computers and ensure that they have security software on both their desktop and mobile devices.

Of course, desktops may not be the only medium involved in these hybrid threats. As the Internet of Things becomes a reality, it’s likely we’ll see threats attempt to use mobile devices to infect home automation systems and vice-versa.

The growing mobile malware threat
Mobile malware has continued to evolve, often taking cues from Windows malware developments or attempting to keep up with the latest technology trends. Android malware authors show growing sophistication, evidenced by the use of advanced techniques such as bootkits. As with desktop cybercrime, most attackers are financially motivated. Mobile devices will become increasingly attractive to attackers as mobile payment technology becomes more widely adopted. As users grow more reliant on mobile devices for their personal computing needs, they should ensure that their devices remain protected against today’s and tomorrow’s threats with reputable security software such as Norton Mobile Security.