The number of infected Google Android devices actively communicating with command-and-control (C&C) servers has grown significantly in recent months and is expected to continue on that path, according to a report released this week by security firm Damballa.
During the first half of 2011, Damballa’s network of sensors observed nearly 40,000 Android devices in North America engaged in live interaction with criminal operators, according to the report, which chronicles botnet activity this year.
“If the bad guys can compromise the Android device and send and receive commands, then they have all the tools necessary to conduct online banking fraud,” Gunter Ollmann, vice president of research at Damballa, told SCMagazineUS.com on Friday.
In mid-March, the number of infected devices communicating with attackers hit 20,000 before quickly dropping off, the report states. The rapid decline in infection rates was likely attributable to Google’s use of its “remote kill” functionality to remove a number of malicious applications from affected Android devices.
Then, in early July, the number jumped back up to almost 40,000, the report states.
“This peak of around 40,000 is unlikely to be the peak for the year,” Ollmann said. “We expect this upward trend in victim devices to continue.”
Still, compared to the size of PC-based botnets, which often have hundreds of thousands of nodes, the number of compromised Android endpoints under attacker control is “almost insignificant,” Ollmann said. The numbers do, however, prove that Android devices are increasingly being targeted.
Historically, mobile malware was limited to SMS fraud and other tactics that did not require a C&C infrastructure. But that is changing as adversaries turn to more sophisticated, money-making attacks on mobile devices.
Crime isn’t exclusive to the Android platform, Ollmann said. Windows Mobile, Symbian, HP and Apple’s iPhone are being similarly targeted by criminals.