Beyond theory: Mobile malware

Mobile malware, often distributed through applications, is increasing in scope and sophistication. Is your business ready? Dan Kaplan investigates.

Sometimes, the forecasters guess correctly. That appears to be the case with the myriad statements entering 2010 and 2011 that forecasted a precipitous rise in malware targeting mobile devices.

According to a McAfee report released in February, the number of new mobile malware variants totaled 55,000 last year, a rather large spike of 46 percent compared to 2009. Clearly, the threat landscape has come a long way since 2004, when the first-ever malware for the mobile phone, known as Cabir, was sent to a number of anti-virus firms for inspection. The worm, written for Symbian feature phones, was merely an innocuous proof-of-concept – it was designed to display the word “Caribe” on the phone's display and spread to other devices using Bluetooth signals – but its arrival certainly proved prescient.

A couple of years later, in 2006, Kaspersky Lab identified what it called the first piece of mobile malware designed to steal money – a virus that targets devices running Java. Dubbed RedBrowser, the virus sent text messages to premium-rate numbers without the user even realizing it.

Fast forward to 2011 and it appears the tipping point is near. According to Nielsen, the number of smartphones in the United States, such as the iPhone, BlackBerry and Android, is expected this year to overtake the number of feature phones. This steady ascension, from handhelds that provide few capabilities beyond calling and texting to phones with functionality that resembles a traditional computer, has of course piqued the interest of the malware community.

After years of test runs that largely affected mobile phone users overseas, cybercriminals are now rolling up their sleeves and readying their wares to resemble what malware victims are used to seeing on their desktop or laptop computer.

“Smartphones have all the components you would expect of a traditional PC,” says Andy Chou, co-founder and chief scientist of Coverity, a software integrity firm based in San Francisco. “They are capable and complex. They have operating systems and applications that run on top of them.”

Hackers traditionally have written most of their malware for Symbian and Windows Mobile devices because they are the oldest and most researched. But that all seems to be changing.

According to a Juniper report released in May, malware samples targeting Google Android devices jumped 400 percent between June 2010 and January 2011. This should come as no surprise, though. After all, market share usually dictates malware targets.

A series of surveys conducted by Nielsen between January and March found that 31 percent of consumers planning to purchase a new smartphone now prefer Android, compared to 30 percent who would choose an iPhone and 11 percent who would opt for a BlackBerry. Twenty percent are unsure what they would buy next.

Within enterprises, while BlackBerry is considered the “gold standard” for enterprise security functionality because of its management and encryption capabilities, many workers prefer the bells and whistles that the Android and iPhone provide.

Most experts agree that what makes the Android platform a particularly ripe attack vector compared to other mobile operating systems is its ever-expanding application marketplace. According to Lookout Mobile Security, the number of apps available in the Android Market climbed 127 percent from August 2010 to February 2011, while Apple's App Store grew 44 percent.

The latest figures show that the Android Market contains close to 300,000 applications for download. The problem is, in some cases, these applications are nefarious in nature, customized to install malware on the phone or gain access to sensitive information.

“It is the main delivery mechanism to get on the phone right now,” says Chris Wysopal, co-founder and CTO of Veracode, an application security firm. “Android has gone with the more open model, and they allow developers to sign their own apps and put them up for download in the marketplace.”

While security vendors admit that the lion's share of malware currently is being written for the more lucrative PC environment, that hasn't stopped authors from fashioning their code to penetrate the mobile landscape. And chances are, they'd be effective, considering 85 percent of smartphone users do not use anti-virus, according to Juniper, citing an informal poll conducted by the SANS Institute.

Rogue applications are growing in sophistication. In August 2010, according to Juniper, the first Android trojan appeared in the form of an application that mimics a media player and sends text messages to Russian-based premium-rate numbers at $6 a pop.

When the calendar flipped to 2011, it quickly became evident that mobile malware writers were getting slick in a hurry. One Android trojan that arrived on the scene, dubbed Geinimi, contained botnet-like capabilities. Three months later, Google was forced to remove more than 50 apps from its Android Market because they contained malware, known as “DroidDream,” capable of gaining root access to a device, harvesting data and installing additional malicious code.

“The business of mobile malware is still in the development stage,” says Kevin Mahaffey, CTO of Lookout Mobile Security. “Attackers are still figuring out what the revenue model is. With each new piece of mobile malware, there is a different take on what their likely model is.”