Spike in mobile malware doubles Android users' chances of infection

'Startup phase of mobile malware' shows experimentation by attackers, says expert

An explosion in mobile malware during the last six months has more than doubled the chance that a user's Android smartphone will become infected, a security researcher said today.

According to Lookout Security, which develops anti-malware software for Android but not for Apple's iPhone, the likelihood of an Android owner encountering malware has jumped by two-and-a-half times since January.

By June, between 1% and 5% of Android users -- the number varies by country -- had been infected by mobile malware, said Kevin Mahaffey, co-founder and CTO of San Francisco-based Lookout.

Mahaffey blamed a dramatic spike in malware targeting Android for improving hackers' odds. "In January, we saw only 80 unique pieces of Android malware, but by the end of June we tracked over 400," said Mahaffey.

Lookout used its Mobile Threat Network, which analyzes apps acquired from both official and independent markets, and the malware-detection results from its security software, to come up with its statistics.

The Android malware problem shot into public view in early March, when Google yanked more than 50 apps infected with the "DroidDream" malware from the Android Marketplace, then continued with several more clusters found on Google's official download site and on third-party markets -- particularly those in China.

The rogue app model -- where attackers pirate a legitimate program, add malicious code and then re-release the app into the wild -- will continue to be the biggest mobile malware threat to Android users. "Repackaging [legitimate] apps will remain popular, simply because it's very effective," Mahaffey said.

But malware makers are getting more innovative, added Mahaffey, who declined to use the word "clever" to describe attackers' evolving tactics.

A new distribution channel, dubbed the "upgrade attack" by Mahaffey, has been used by at least one malware family to increase the pool of potential victims. An upgrade attack sidesteps the problem that hackers face when they release an infected app: The relatively small window of opportunity before their work is discovered and the app pulled from the Android Market or other download site.

"We've started to see [attackers] publish a clean app, then wait for a while before offering an update that's infected," said Mahaffey. "Because most people automatically update their apps, there's less time that the malware is on the market before it's installed by a lot of people."

Hackers are experimenting with different distribution models and various ways to monetize their work, Mahaffey observed.

"How do they get onto the device, and then how do they make money ... both are important," he said. "Mobile malware is now in the experimental stage, where attackers try innovative techniques to distribute their malware, and are engaging in experimental monetization."

Lookout has seen several forms of profit-making by smartphone malware, ranging from charging users hidden fees to sending waves of text messages to premium numbers. "The ability to monetize will be what cracks the market," Mahaffey predicted. "When the bad guys are able to figure that out, watch out."

Although Android owners have faced the brunt of the mobile malware threat, iPhone users aren't immune.

"There has not really been any malware on the [Apple] App Store, but iOS is affected by application vulnerabilities and Web-based threats," said Mahaffey, talking about phishing attacks that rely on malicious websites to fool users into divulging personal information.

Based on the prevalence of Web-based threats in June, Lookout projects that 3 out of 10 smartphone owners will encounter an unsafe link this year.

It was the release last month of a new iPhone "jailbreak" -- a hack that lets an owner install software not approved by Apple -- that sparked Mahaffey's interest in iOS threats.

"Although the jailbreak was not malicious, it woke up a lot of IT administrators," he said.

The jailbreak relied on a pair of then-unpatched vulnerabilities in iOS that could be exploited simply by steering an iPhone, iPad or iPod Touch to a special site, essentially mimicking a "drive-by" attack. If criminals possessed similar vulnerabilities, they could hijack an iPhone if they convinced its owner to browse to a malicious site.

Even with the threats climbing, Mahaffey remained cautiously optimistic.

"We're in the startup phase of the mobile malware market, with innovation in distribution and monetization, but I think the threat is manageable," said Mahaffey. "We can have our cake and eat it, too. Yes, there are threats out there, but if people remember that their smartphone is essentially a PC and to be as careful [when using their smartphone] as they are when using a PC, they can be safe."

Lookout's mobile threat report can be viewed on, or downloaded as a PDF from, the company's website.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His e-mail address is gkeizer@computerworld.com.
