Facebook Spam Speeding Growth of Mobile Malware: BitDefender

There is no need to wait for the arrival of mobile malware: spam links on social networking sites are already being clicked from a significant number of mobile devices, according to an analysis of a recent Facebook scam.

Malware spread through social networking sites is a bigger security threat to mobile devices than hacked applications or mobile Trojans are, according to antivirus software provider BitDefender.

While there is a lot of focus on mobile malware such as Geinimi, the Google Android Trojan, or malicious apps in Apple's App Store, it is far easier, and far more likely, for users to download worms and other malware onto their mobile devices by clicking on questionable links on social networking sites, said BitDefender's security researchers.

"By mainly focusing on finding malware specifically designed for mobile platforms, data security researchers may lose sight of a mobile platform threat that's already there: social network scams," said BitDefender Threat Intelligence team leader George Petre, on Malware City.

Social networking malware is largely platform-independent, so even though PCs are the primary target, other devices can be infected, said Petre. The Mac-variant of Koobface proved exactly that, infecting Mac users by tricking them into installing a malicious Facebook application.

"More and more people are accessing Facebook through their mobile devices," Catalin Cosoi, head of online threats at BitDefender Labs, told eWEEK. After noticing "more and more cases" of Facebook scams spreading on mobile devices, BitDefender Labs tracked a single campaign to identify the magnitude of the problem, said Cosoi.

BitDefender analyzed a recent scam that circulated a Facebook alert promising to show a girl's Facebook status update that got her expelled from school, Cosoi said. The "expelled girl" status used several links generated by various URL shorteners, such as bit.ly and Google's goo.gl. Researchers analyzed the traffic information for the short goo.gl URL and found that the link had 28,672 clicks between Jan. 4 and Jan. 5.

For this single link, 24 percent originated from mobile platforms, said Cosoi. Other shorteners were not analyzed because "goo.gl just offered more info," said Cosoi. Bit.ly statistics only provide total clicks, and not information about the user's platform or referrers, he said.

While the majority of the users were on Windows, BlackBerry and iPhone were the second and third most affected platforms, according to the site statistics. Phones from Nokia, Samsung, Sony Ericsson and LG, as well as the iPod Touch, also appeared in the top ten affected platforms.

BitDefender researchers extrapolated the statistics collected by Google to determine that if 24 percent of the clicks on a single URL from a single campaign came from mobile devices, then it was likely that these social networking scams affect a significant number of mobile device users, Cosoi said.

According to the Google statistics, Facebook and Facebook mobile were the two top referrers, indicating that those two sites were the "primary victim pool," the researchers said. Since the screen on a mobile device is a lot smaller than a computer's display, the chances of getting tricked while socializing from your cell are high, said Cosoi. "Not seeing the entire URL and just bits and pieces of the info can be quite tricky," he said.
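The practical check that follows from Cosoi's point is to expand a shortened link before anyone taps it: walk the chain of Location headers (bit.ly to goo.gl to the landing page, in the campaign described above) without ever loading a page body, and report where it actually lands. The script below is an added example, not BitDefender's tooling or anything from the original article. The redirect table and every hostname in it (bit.ly/exp3lled, apps.facebook.example and so on) are constructed for the demonstration so it runs offline; the `live_head` fetcher is provided for checking a real link and is an assumption about how one would wire it up, not something the article describes.

```python
"""Expand a chain of URL-shortener redirects to its final landing page.

Added illustration; not BitDefender's code. The redirect table below is
constructed for the example and does not describe a real campaign.
"""
from urllib.parse import urljoin, urlparse
import urllib.error
import urllib.request

# Well-known shortener hosts; a hop through one of these is what a phone
# user sees on screen instead of the real destination.
SHORTENER_HOSTS = {"bit.ly", "goo.gl", "t.co", "tinyurl.com", "ow.ly", "is.gd"}

# Constructed stand-in for the Location headers a HEAD request would return.
# All of these URLs are made up for the example.
FAKE_REDIRECTS = {
    "http://bit.ly/exp3lled": "http://goo.gl/xYz12",
    "http://goo.gl/xYz12": "http://apps.facebook.example/status-viewer/",
    "http://apps.facebook.example/status-viewer/": "/survey?ref=fb",  # relative Location
    "http://bit.ly/loop-a": "http://bit.ly/loop-b",
    "http://bit.ly/loop-b": "http://bit.ly/loop-a",                  # deliberate loop
}


def fake_head(url):
    """Offline fetcher: return the next hop from the constructed table, or None."""
    return FAKE_REDIRECTS.get(url)


def live_head(url, timeout=5):
    """Real fetcher (assumed wiring, not used by the offline demo): one HEAD
    request with redirects disabled, returning the Location header or None."""
    class _NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # refuse to follow; urllib raises HTTPError for the 3xx
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.headers.get("Location")


def expand(url, head=fake_head, max_hops=10):
    """Follow Location headers hop by hop without fetching any page body.

    Returns (final_url, chain, status) where status is 'ok', 'loop' or
    'too_many_hops'. Relative Location values are resolved against the
    current URL, and revisiting a URL stops the walk.
    """
    chain = [url]
    seen = {url}
    current = url
    for _ in range(max_hops):
        nxt = head(current)
        if nxt is None:
            return current, chain, "ok"
        nxt = urljoin(current, nxt)
        if nxt in seen:
            chain.append(nxt)
            return nxt, chain, "loop"
        seen.add(nxt)
        chain.append(nxt)
        current = nxt
    return current, chain, "too_many_hops"


def shortener_hops(chain):
    """Hops in the chain whose host is a known shortener."""
    return [u for u in chain if urlparse(u).hostname in SHORTENER_HOSTS]


def describe(url, head=fake_head):
    """Summarise what the user sees versus where the link really lands."""
    final, chain, status = expand(url, head)
    return {
        "shown": urlparse(url).hostname,
        "lands_on": urlparse(final).hostname,
        "hops": len(chain) - 1,
        "shorteners": len(shortener_hops(chain)),
        "status": status,
    }


if __name__ == "__main__":
    for link in ("http://bit.ly/exp3lled", "http://bit.ly/loop-a"):
        print(link, "->", describe(link))
```

The key design choice is that the walker never issues a GET: a HEAD with redirects disabled is enough to read each Location header, so the landing page (and any script it carries) is never rendered during triage. The hop cap and the `seen` set matter in practice, since redirect loops and very long chains are common ways for a shortener campaign to stall or mislead an analysis tool.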

As for the scam, when users clicked to find out what the scintillating status was, they downloaded a Facebook worm, gave the worm permission to spread by posting itself on the wall, and then were asked to fill out surveys. The surveys were how the scammers monetized this campaign.

There have been a number of Facebook campaigns recently, such as the "My 1st St@tus" survey scam or the Koobface variant that pretends to be a photo album app. The survey scam asks users to fill out surveys in hopes of unlocking some kind of content that never appears. The survey scam itself is not all that dangerous, unless it's bundled with a worm, as the "expelled girl" link was. In the space of about two weeks, Graham Cluley, a senior technology consultant at Sophos, tracked seven distinct survey scams on Facebook on the Naked Security blog.