Mobile threats are on the rise, with more mobile malware coming from lookalike banking apps, adult-only entertainment apps, targeted Trojan viruses and spyware, according to a new report from security solutions provider McAfee Inc.
The report measured the number of mobile threats in the second quarter of 2013, gauging that among web threats like cyberespionage, phishing, and ransomware, the biggest shift this quarter was in mobile malware.
Between 2011 and 2012, the number of mobile threat samples leapt dramatically from less than 5,000 mobile threats to 35,000. So far, at the halfway mark of 2013, there have been about 32,000 threats collected. At that rate, the final count will almost definitely surpass 2012, with McAfee collecting 17,000 more samples of malware to its database from Android’s operating system (OS) this quarter alone.
McAfee found Android is the worst offender as a hotspot for mobile malware because of the openness of its ecosystem, with retired Symbian and Java ME trailing far behind.
“The percentage of users using Android has gone up dramatically, so that’s where [hackers] have focused their malware,” says Doug Cooke, director of sales engineering at McAfee Canada. “And they’ve been very successful in planting their malware into the various areas where users are getting their applications. So not just in the Android marketplace, but other areas that are more dubious.”
Compared to Apple Inc., which has much more stringent rules on what kinds of apps can be added to its App Store, not as many apps are vetted before they reach the Android OS, Cooke adds.
Among the mobile malware types out there, the most prevalent came from sources like banking apps. In Europe and Asia, when users log into their banking systems, they also receive a text from their bank with a code. They then enter the code online to be able to access their accounts.
What hackers do is steal the username and password from a user’s computer, and then they get the user to install malware through their texts. More sophisticated hackers can even replace a bank’s official app with a fake copy, so they can log into users’ accounts and get texts from their banks.
Malware in adult entertainment apps has also spread, partially because law enforcement doesn’t police these apps nearly as often as they would in other sectors. This type of malware is typically spam, but there are some more dangerous types of malware that encourage users to download other pieces of malware that do steal users’ personal information while pretending to be an adult entertainment app.
There are also targeted Trojans, which copy legitimate apps and ride on their popularity and brand name to gain users’ trust. For example, some attackers have been making counterfeit versions of the Kakao Talk app, similar to WhatsApp and hugely popular in Asia.
And then there is mobile spyware. One common type pretends to be a legitimate font installer app, but instead sends users’ location, call logs, texts, and data to a hacker. Another kind pretends to sync users’ phones, but instead sends their personal information to hackers’ servers. This type can even record calls, McAfee researchers found.
Mobile malware in general has increased because hackers tend to migrate towards the newest developments, seeing it as the path of least resistance, Cooke says.
And on the flip side, consumers tend to be less concerned about protecting their security when they’re experimenting with something new, he adds.
“What the malware writers do is that they always move towards the newer platforms, where there’s less sensitivity about it,” he says. “And when users get a new toy… you’re learning to use it. The last thing you think about is security.”
To protect themselves against mobile threats, users need to be careful when downloading apps, Cooke says. For example, they should stick to legitimate sources like Google Play, as opposed to other sites that simply offer apps on download.
Users also need to learn to watch for signs that an app could actually be malicious, he says. For example, if an app asks for permission to access a user’s contacts, that could be a red flag that it is really malware. They can also buy programs that will scan for malware, like McAfee’s Mobile Security tool.
For small to mid-sized businesses and enterprise, concerns surrounding mobile malware are pretty much the same, Cooke says. Yet IT administrators need to ensure their employees are well educated about the dangers of downloading mobile malware, especially if they’re downloading apps to corporate devices, he adds. He recommends IT administrators have the ability to wipe corporate data from their employees’ devices, especially when employees leave their companies.