Security researchers have long predicted that malware will arrive on mobile platforms, threatening the owner’s sensitive information and using the devices to carry out a variety of scams, from stealing bank funds to racking up premium texting charges.
In some regions, where third-party application stores are numerous and not well secured, malware rates have soared. In North America, however, where applications are usually downloaded from Google’s Play store or Apple’s App Store, the security checks conducted by those companies have kept mobile devices mainly free of malware.
In 2014, for example, only about 0.15 percent of devices that only installed applications from Google Play had a potentially harmful app installed, according to Google.
Yet, that may start to change in 2016, according to researchers. One technique, known as overlays, may allow criminals to steal information in real time and foil the use of smartphones as a second security key to augment login security for Websites ranging from Gmail to bank accounts, Limor Kessem, security researcher for IBM’s X-Force research group, told eWEEK. Such techniques may result in much higher infection rates on mobile devices, she said.
“Mobile malware is finally doing what everyone thought it was going to do,” Kessem said.
IBM is not alone in its predictions.
Security firm Webroot found that 52 percent of the 20 million apps that it scanned from app stores worldwide were either potentially unwanted or outright malicious. “When we look at those environments, the stores have a lot of malicious mobile apps—in some cases, upwards of 30 percent,” Grayson Milbourne, Webroot’s security intelligence director, told eWEEK.
And 70 percent of enterprises believe that they had lost data because of an insecure mobile device, according to a survey conducted by the Ponemon Institute for mobile-security firm Lookout. Fifty-four percent of companies believed that malware had infected a corporate mobile device in the past two years, the survey reported.
From several recently released reports, a fresh picture emerges of the current mobile malware threat.
The relative danger of mobile malware infection, for the most part, continues to be overstated. PCs continue to account for the majority of malicious traffic seen on residential networks, according to data from Nokia’s Applications and Analytics group, which released a report on March 1 that summarizes the threats the company saw on both mobile and residential networks in 2015.
About 11 percent of computer systems were infected with malware or potentially unwanted software, such as adware, in the second half of 2015, down from 14 percent in the first half, the company found. Smartphones, meanwhile, had only a 0.3 percent infection rate, which is in line with Google’s data.
However, the rate of PC infections is falling, while the rate of smartphone infections has begun to climb, according to Nokia. Smartphones now account for the majority of malicious traffic seen on mobile networks, according to Nokia’s Applications and Analytics group.
In the past, a great deal of malware seen on mobile networks could be tracked back to Windows PCs or laptops tethered to mobile phones, but in 2015 that changed with smartphones accounting for about 60 percent of malicious traffic.
New Malware Threats Emerge on Mobile Platforms, Studies Find
“It’s a significant trend and I expect that to continue as mobile devices become more of a target,” Kevin McNamee, director of the Nokia Threat Intelligence Lab, told eWEEK. The mobile infection rate “is 0.3 percent so that means 1 in about every 330 people have malware. That doesn’t seem that large, but if you work it out to everyone across the planet with a mobile phone, that turns into a very large number.”
The initial forays into malware on mobile devices appear to copy successful PC attacks. Because ransomware attacks on computer users have paid dividends for attackers, it isn’t surprising that similar attacks are being used against mobile users, Dimitry Ayrapetov, director of network security product management for Dell Sonicwall, told eWEEK.
“We are starting to see malware that was pioneered on desktop PCs now jumping over to mobile phones,” Ayrapetov said.
While current ransomware attacks on PCs are grounded in encryption—encrypting the data on the hard drive to a key that only the attacker has—early forms of ransomware on mobile devices resemble a type of attack popular on PCs more than three years ago. Known as “locker” ransomware, the attacks use system functions to lock the device and require a payment to unlock the phone.
Such attacks can be undone by a knowledgeable user. However, a well-constructed encryption-based attack leaves users only able to recover data either using backups or buying the key.
Almost all—more than 99 percent—of attempted malware attacks targeted Android-based devices, according to Nokia’s data.
While Android malware accounts for the vast majority of malware on mobile devices, attackers are starting to focus more on iOS, said Nokia’s McNamee. In one month during 2015, the spread of the XcodeGhost Trojan development platform caused malicious traffic from iPhones to jump to 6 percent of infections, Nokia’s report stated.
“So the iPhone has a little bit of a weakness in its armor,” he said.
Still, users who only download their apps from the official app stores are able to avoid most malware. Yet, Apple and Google’s app stores only account for 2.5 million to 3.0 million apps, which means that scans such as Webroot’s overemphasize the impact of less well-vetted app stores with high malware rates.
Still, the malware lurking in those third-party app stores could also be a sign of the future for U.S. mobile attackers, Milbourne said.
“As they get better at refining the ability to remotely break into Android devices, and iOS to some extent, that will translate to these tactics being used against the more mainstream app stores,” he said.
A new tactic could open the door for attackers to steal more information from mobile users. Called the overlay attack, the technique is similar to Web injection attacks, where an attacker—who has already compromised a device—overlays user interface elements on top of certain applications to trick the user into entering information.
While the attack lacks the sophistication of similar attacks that target Web browsers on PCs, the end result is nearly the same, according to IBM’s Kessem.
“The overlay thing is gaining a lot of popularity and a lot of people in the underground are buying it,” she said.