Be sure you know what your smartphone is doing behind the scenes.

The next time you open your smartphone, be sure that you know what it's doing behind the scenes. Attackers have been infecting desktop computers for years with malware that enlists them into botnets, hijacking them and placing them under someone else's control. Now, the proliferation of mobile and tablet devices, along with their increasing power, has made them prime targets too. 

Tens of millions of devices have been infected and ordered to carry out tasks on the attackers' behalf, undetected by their owners. The era of mobile hijacking is here.

The problem has become increasingly visible to experts recently, explains Dan Waddell, managing director, North America region at (ISC)². “Over the past six years, the category of ‘application vulnerabilities' has maintained its position as the top security concern in the (ISC)² Global Information Security Workforce Study, and mobile devices has been in the top five,” he says.

“The main thing is to steal credentials,” says Solomon Sonya, an assistant professor of computer science at the U.S. Air Force Academy (USAF). Sonya, who has also been an officer in charge at the Air Force Computer Emergency Response Team (AFCERT), presents on mobile security and authored a proof-of-concept mobile botnet client called Splinter in 2012.

Just as with regular botnets, stealing credentials is a common tactic for malicious applications that hijack smartphones, he says. “So many users will still check their bank accounts on their phones, log into Facebook, and log into their email, which is just as juicy as a bank account.” The reason: an attacker with email access can reset passwords for countless online services. 

Mobile application hijacking shares another common payload with traditional desktop botnets: advertising fraud. Online advertisers pay people displaying their ads when visitors click on them, but they often don't distinguish between legitimate and illegitimate publishers. Malicious applications will digitally simulate users without their knowledge, artificially “clicking” online advertisements, using up computing resources and bandwidth on the victim's phone to earn money for the malware authors. 

“The actors behind these malicious advertising families are well funded, and have their own internal app development teams that are dedicated to creating unique applications to lure users into installing their applications,” says Andrew Blaich, security researcher at Lookout, which sells mobile endpoint security tools.

A report on ad-serving apps from anti-ad fraud firm Forensiq revealed that these apps will call online ads as often as 20 times per minute, compared to legitimate apps that call new ads twice a minute at most. They will also access affiliate links to generate revenue for the attackers from those sources.
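The request-rate gap described above lends itself to a simple detection rule. The following is an added example, not code from Forensiq or any vendor quoted here: it scans per-app ad requests and flags any app that exceeds two requests in a 60-second sliding window. The log format, package names and sample traffic are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Ceiling taken from the figures above: legitimate apps call at most two new ads a minute.
LEGIT_MAX_PER_MIN = 2
WINDOW = timedelta(seconds=60)

def parse_line(line):
    """Return (timestamp, app) for an ad request, or None for anything else."""
    parts = line.split()
    if len(parts) != 3 or parts[2] != "ad_request":
        return None
    try:
        return datetime.fromisoformat(parts[0]), parts[1]
    except ValueError:
        return None  # malformed timestamp: skip rather than crash

def peak_rates(lines):
    """Map each app to its highest ad-request count in any 60-second window."""
    per_app = defaultdict(list)
    for line in lines:
        if (parsed := parse_line(line)):
            per_app[parsed[1]].append(parsed[0])
    peaks = {}
    for app, stamps in per_app.items():
        stamps.sort()
        start = best = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] >= WINDOW:  # keep the window under 60 s
                start += 1
            best = max(best, end - start + 1)
        peaks[app] = best
    return peaks

def flag_apps(lines, limit=LEGIT_MAX_PER_MIN):
    """Return {app: peak rate} for apps above the legitimate ceiling."""
    return {a: n for a, n in peak_rates(lines).items() if n > limit}

def sample_log():
    """Constructed traffic: a quiet app, and one bursting 20 requests across 10:01:00."""
    base = datetime(2016, 1, 1, 10, 0, 0)
    quiet = [(base + timedelta(seconds=30 * i), "com.example.weather") for i in range(6)]
    noisy = [(base + timedelta(seconds=45 + 3 * i), "com.example.flashlight") for i in range(20)]
    lines = [f"{t.isoformat()} {a} ad_request" for t, a in quiet + noisy]
    lines += ["not-a-timestamp com.example.weather ad_request",
              "2016-01-01T10:00:10 com.example.weather content_fetch"]
    return lines

if __name__ == "__main__":
    print(flag_apps(sample_log()))
```

A sliding window is used instead of fixed clock minutes so that a burst straddling a minute boundary is still counted as one burst.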

Some malware also hijacks other legitimate applications running concurrently on the device to show its own ads. For example, NoIcon, a component of the YiSpecter malware found on iOS devices, detects apps running on a device and then uses another malware component, called ADPage, to show full-page ads for its authors.

Gooligan, a form of malware embedded in Android apps downloaded from third-party app stores, focuses on mobile app advertisements. After obtaining root access to the phone it simulates user clicks on advertisements for legitimate apps, and then uses Google Play store account credentials stolen from the phone to install them. The attackers then get a fee from the unwitting ad network.

Smartphone smarts

Andrew Blaich, security researcher, Lookout
Rob Labbé, director of information security, Teck Resources
Tammy Moskites, CIO & CISO, Venafi; former CISO, Time Warner Cable
John Douglas, director of product strategy, Sizmek
Solomon Sonya, an assistant professor of computer science at the United States Air Force Academy
Dan Waddell, managing director, North America region at (ISC)²
Rob Wood, principal consultant, NCC Group

Ad fraud using malicious apps is endemic. Forensiq's report analyzed 5,000 apps flagged for ad fraud over 10 days and found more than 12 million unique devices running at least one of these apps. That puts them on around one percent of all the phones in the U.S. and two to three percent of those in Europe and Asia. 

These malicious applications will typically run as a background process on the phone, booting at startup, which makes them difficult to detect. They can be installed in various ways. Sideloading – installing tempting applications from unapproved third-party app stores – is one method. Deliberately jailbreaking or “rooting” phones to install ad hoc, unapproved applications is another. Both are inadvisable.

Even applications that have been scanned and approved by Google or Apple can be dangerous, though. Sonya recalls the Android/Mapin trojan embedded in many games. “It would wait between one and three days before the malicious payload would execute on the machine,” he says. That makes it hard for automated scanners to spot.

Another approach is simply to compromise the software tools used by a legitimate developer, turning them into your unwitting pawn. That's what happened with XcodeGhost, a malware attack that hit dozens of applications in 2015.

“XcodeGhost embedded itself in the integrated development environment for writing Apple's products,” Sonya recalls. Attackers released a version of the Xcode IDE on Chinese forums, promising faster downloads than Apple's official version, but it added malicious code when developers compiled their iOS applications for submission to Apple.

“Many applications were compromised with additional code injected into them from XcodeGhost,” he continues. At the time, experts worried that hundreds of millions may have downloaded the compromised apps, which included regional versions of WeChat and Angry Birds 2.