Android threats growing in number and complexity, report says

The Android threat landscape is starting to resemble that of Windows, F-Secure researchers say

The Android threat landscape is growing in both size and complexity with cybercriminals adopting new distribution methods and building Android-focused malware services, according to a report from Finnish security vendor F-Secure.

The number of mobile threats has increased by nearly 50 percent during the first three months of 2013, from 100 to 149 families and variants, F-Secure said in its Mobile Threat Report for Q1 2013 that was released on Tuesday. Over 91 percent of those threats target the Android platform and the rest target Symbian.

"While the raw amount of Android malware continues to rise significantly, it is the increased commoditization of those malware that is the more worrying trend," the F-Secure researchers said in the report. "The Android malware ecosystem is beginning to resemble that which surrounds Windows, where highly specialized suppliers provide commoditized malware services."

One example of this is an Android Trojan program dubbed Stels that was distributed through fake Internal Revenue Service emails sent by the Cutwail spam botnet during the first quarter of 2013.

Those spam emails contained links that directed recipients to a website asking them to download and update their Flash Player software. This "fake update" social engineering technique has been used in the past to distribute Windows or Mac malware.

"By installing the so-called 'Flash Player,' the victim unknowingly grants the trojan the permission to make phone calls," the F-Secure researchers said. "Stels will capitalize on this permission to reap profit by placing long-lined (a.k.a. short-stopped) calls while the device owner is asleep."

Traditionally, Android malware writers have tricked mobile users into installing malicious applications on their devices by passing them off as legitimate apps on Google Play or third-party app stores. According to the F-Secure researchers, the new email-based distribution method now extends the risk of malware infection to Android users who are not actively searching for new apps, but are regularly checking email from their phones and tablets.

However, not only financially motivated cybercriminals have started using email to distribute Android malware -- hacker groups behind targeted attacks do it too.

Back in April, security researchers from antivirus vendor Kaspersky Lab uncovered an email attack targeting Uyghur activists that distributed an Android Trojan program as an attachment. The attackers expected that some of their targets would check their email from their Android phones and designed the malware to steal contact details, call logs, text messages and other information from the infected devices.

An Android Trojan program called Perkele that's designed to be used in conjunction with Windows online banking malware like Zeus to bypass SMS-based two-factor authentication schemes, is another example of an Android malware being offered as a service on the underground market.

Android Trojan apps like Perkele have been used as part of online banking fraud attacks in the past, but they have been generally available only to more sophisticated cybercriminal gangs. However, the creator of Perkele started selling his creation to smaller and less resourceful fraudsters for affordable prices.

"This signals the shift to malware as a service -- Zeus-in-the-mobile (Zitmo) for the masses," the F-Secure researchers said in the report. "Now anybody running a Zeus botnet can find affordable options for Zitmo."

"In a way, Android is experiencing the same fate as Windows where its huge market share works in both good and bad ways," the F-Secure researchers said. "Malware authors see plenty of opportunities yet to be explored on the relatively new and growing platform and they are drawing inspiration from Windows malware's approaches, which is why we are now seeing trends such as commoditization of malware services, targeted attacks and 419 scams popping up in the mobile threat scene."

Join the CSO newsletter!

Error: Please check your email address.

Tags securitymobile securityf-securespywaremalwarekaspersky lab

More about F-SecureGoogleInternal Revenue ServiceKasperskyKasperskySymbian

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place