The Tenth Anniversary of Mobile Malware

Figure. A brief history of mobile malware
2014 marks the tenth anniversary of mobile malware. It all began in 2004, when the first variant of SymbOS.Cabir was submitted to security researchers. The analysis revealed that this worm targeted Symbian OS, which was a very popular mobile operating system at the time. Infected phones would search for nearby Bluetooth devices that had activated discovery mode and then the worm would try to push itself onto them. The user had to manually accept the file transfer and also had to agree to the worm’s installation before the malware could infect the device. This limited the spread of the worm, as the victim had to be in close proximity to devices and needed to interact with the worm. But this was only the beginning. Several variants of Cabir appeared in the wild with different modifications. Some variants stole data, such as phonebook details, and other samples acted as a classic virus and infected local files. 
A few months later, a cracked version of a game called Mosquito appeared on the Internet. Along with the popular game, the package contained Trojan.Mos, which would send premium text messages in the background. This was the first widely seen case of mobile malware with a focus on monetary profit. Today, the same tactic is used on hundreds of Trojanized Android games, which will send expensive text messages after installation. Soon after Mosquito, the first versions of Skull appeared. The threat was named after its main payload, as the malware replaced the icons of most applications with an image of a skull. It also replaced system and application files with garbage, disabling their functionality and rendering the phone nearly unusable. Luckily at that time, ransomware was not yet popular, or else we probably would have seen the malware trying to hold the user’s data or the mobile device itself hostage. This changed in 2013 when we saw the first ransomware samples hitting mobile devices. These threats focus more on holding the phone hostage instead of the data, as frequent device synchronization and automatic data uploads to the cloud provide a better backup utilization for the users.  
In 2005, SymbOS.CommWarrior.A entered the scene. It extended the propagation vector to include sending MMS messages to various numbers in the contacts book. This malware was very successful and CommWarrior variants have been floating around mobile phone networks for years. In 2006, Trojan.RedBrowser.A extended threats that send premium text messages to other operating systems. This was the first Trojan for J2ME that could infect different mobile phone platforms.
Within a year, mobile devices had to deal with malware that was similar to established malware on desktop computers, including worms, data-stealing and profit-making Trojans, and viruses that infect other files. If this wasn’t enough, the rise of adware and spyware did not bypass mobile phones. The commercial Spyware.FlyxiSpy, which was released in 2006, was very successful at monitoring all of the compromised mobile device’s activity. The malware was advertised as the best solution for people who wanted to spy on their spouses. Similar threats followed and evolved further, allowing the user’s every step to be tracked.
With many online banks moving to out-of-band SMS transaction verification methods, the criminals had to follow as well. As a result, in 2010, attackers introduced SymbOS.ZeusMitmo, a threat that was capable of forwarding bank account transaction text messages from the compromised mobile device to the attackers. This allowed attackers to continue to commit online banking fraud. The idea was so successful that soon, mobile malware targeting online banking services appeared for all the major phone operating systems except iOS.
When Android became the biggest mobile phone platform in 2011, malware authors began to take notice. The attackers’ distribution vector of choice is through Trojanized applications and they use some social engineering techniques to make them more palatable. For example, Android.Geinimi was an early, successful bot for mobile devices disguised as a useful app. Mobile botnets have since become popular and are often used for click-fraud and premium text message scams.
Android.Rootcager arrived in the same year and was the first Android threat to use an exploit to elevate its privileges. This also marks one of the few differences between mobile malware and desktop computer threats. On Windows computers, we often see malware that uses an exploit to install itself on the compromised computer. In fact, drive-by-download infections from malicious websites have become the top infection vector. However, on mobile phones, drive-by-downloads happen very rarely. Most of the time, users still have to be tricked into installing the application themselves. It’s not that there are no vulnerabilities for mobile operating systems — there are actually quite a few, it’s just that attackers have not found it necessary to use them yet. In 2010, an iPhone jailbreak website demonstrated how this form of attack could work. The site took advantage of a PDF font-parsing vulnerability to install custom software on the fly. Since then, all mobile phone operating systems have upgraded their security, making it harder for malware to misuse vulnerabilities.
In the last two years, we have seen major growth from Trojans and adware targeting mobile devices, mainly focusing on Android phones. Even targeted attacks now make use of mobile threats for spying purposes. Considering this boom, mobile malware has become a real threat that needs greater attention because it isn’t over yet. In fact, we are likely to see the next evolution of mobile threats soon, especially as mobile phones become identification tokens and payment solutions in the future. 
Symantec recommends that users remain vigilant when installing applications from any unknown sources. Use strong passwords to protect your device and services. Symantec offers various security products for mobile devices that block these threats and we are constantly working on delivering the next level of protection.