From Cabir to FakeDefend, the last decade has seen the number of mobile malware explode. In 2013, Fortinet's FortiGuard Labs has seen more than 1,300 new malicious applications per day and is currently tracking more than 300 Android malware families and more than 400,000 malicious Android applications.
Besides the sheer growth in numbers, another important trend is that mobile malware has followed the same evolution as PC malware, but at a much faster pace. Like PC malware, mobile malware quickly evolved into an effective and efficient way of generating a cash stream, while supporting a wide range of business models.
Cabir, unleashed in 2004, was the world's first mobile worm. Designed to infect the Nokia Series 60, its attack resulted in the word “Caribe” appearing on the screen of infected phones. The worm then spread itself by seeking other devices (phones, printers, and game consoles) within close proximity by using the phone's Bluetooth capability.
CommWarrior, discovered in 2005, picked up where Cabir left off by adding the ability to propagate itself using both Bluetooth and MMS. Once installed on the device, CommWarrior would access the infected phone's contact file and send itself via the carrier's MMS service to each contact. The use of MMS as a propagation method introduced an economic aspect: for each MMS message sent, phone owners would incur a charge from their carrier. Altogether, the mobile worm infected more than 115,000 mobile devices and sent more than 450,000 MMS messages without the victims' knowledge, illuminating for the first time that a mobile worm could propagate as quickly as a PC worm.
Following the money
After the demonstrated successes of Cabir and CommWarrior, the security community detected a trojan in 2006 called RedBrowser touting several key differences from its predecessors. The first was that it was designed to infect a phone via the Java 2 Micro Edition (J2ME) platform. By targeting the universally supported Java platform rather than the device's operating system, the trojan's developers were able to target a much larger audience, regardless of the phone's manufacturer or operating system.
In early 2009, Fortinet discovered Yxes (anagram of ”Sexy”), a piece of malware behind the seemingly legitimate ”Sexy View” application. Once infected, the victim's mobile phone would forward its address book to a central server. The server would then forward a SMS containing a URL to each of the contacts. Victims who clicked on the link in the message would download and install a copy of the malware, and the process was repeated.
2010 saw the introduction of the first mobile malware derived from PC malware. Zitmo, Zeus in the mobile, was the first known extension of Zeus, a highly virulent banking trojan developed for the PC world. Working in conjunction with Zeus, Zitmo was leveraged by cyber criminals to bypass the use of SMS messages in online banking transactions, thus circumventing the security process.
With attacks on Android platforms intensifying, more powerful malware began to emerge in 2011. DroidKungFu, emerged with several unique characteristics, and even today is considered one of the most technologically advanced viruses in existence. The malware included a well-known exploit to “root” or become an administrator of the phone giving it total control of the device and the ability to contact a command server. It was also able to evade detection by anti-virus software.
New modes of attack
2013 marked the arrival of FakeDefend, the first ransomware for Android mobile phones. Disguised as an anti-virus, this malware worked in a similar way to the fake anti-virus on PCs. It locked the phone and required the victim to pay a ransom in order to retrieve the contents of the device. It was also in 2013 that Chuli,the first targeted attack on the Android platform, first appeared. Cyber criminals behind the attack leveraged the email account of an activist to target the accounts of other Tibetan Human Rights activists. The emails sent from the hacked account included Chuli as an attachment, designed to collect data such as incoming SMS, SIM card and phone contacts, location information, and recordings of victims' phone calls.
The landscape of mobile threats has changed dramatically over the past decade and the cyber criminal community continues to find new and increasingly ingenious ways of using these attacks for one sole purpose – making money.
And with the explosion of smartphones and other mobile technologies, a reasonable prediction is the convergence of mobile and PC malware. As everything becomes “mobile,” all malware will then be “mobile.”