In comparison, the same quarter last year brought 149 new threat families and variants, 91% of which targeted Android, according to F-Secure’s Mobile Threat Report.
The first quarter also saw a number of firsts for Android malware, which indicates the mobile threatscape is continuing to develop in sophistication and complexity. The quarter saw the first cryptocurrency miner, which hijacks the device to mine for virtual currencies, such as Litecoin. It also saw the first bootkit, which affects the earliest stages of the device’s boot-up routine and is extremely difficult to detect and remove. The first Tor trojan and the first Windows banking trojan to hop over to Android were also discovered.
“These developments give us signs as to the direction of malware authors,” says Mikko Hyppönen, chief research officer at F-Secure, in a statement. “We’ll very likely see more of these in the coming months. For example, mobile phones are getting more powerful, making it possible for cybercriminals to profit by using them to mine for cryptocurrencies.”
Great Britain experienced the highest level of mobile malware measured by F-Secure in Q1, with 15 to 20 malware files blocked per 10,000 users (or about one in 500 users). The US, India and Germany all had five to 10 malware files blocked for every 10,000 users. In Saudi Arabia and the Netherlands, two to five malware files were blocked per 10,000 users.
Trojans make up the bulk of the baddies. Backdoors were the second most common malware type, accounting for 5% of the malicious samples from this quarter. Other types of malware seen – exploits, worms and so on – made up under 5% combined. However, the low volume of non-trojan samples is made up for by the technical interest of those few that did emerge.
“The sole new exploit reported was the Pileup vulnerabilities announced by university researchers and involved malware gaining privilege escalations during a system upgrade, while the newly found Dendroid toolkit, which we categorize as a backdoor, is being touted to malware authors looking to automate creation of remote access Trojans (RATs) that can evade Google Play Store security,” the report explained. “If the toolkit does gain widespread use among malware purveyors, app market security may become more critical than before.”
In terms of what most mobile threats do once they’ve infected a device, the report found that 83% of mobile trojans send SMS messages to premium numbers or SMS-based subscription services – by far the most common malicious activity.
Threats also perform a number of other actions, such as downloading or installing unsolicited files or apps onto the device; silently tracking the device’s location, audio or video to monitor the user; pretending to be a mobile anti-virus solution while actually having no useful functionality; silently connecting to websites in order to inflate the site’s visit counters; silently monitoring and diverting banking-related SMS messages for fraud; stealing personal data like files, contacts, photos and other private details; and charging a “fee” for use, update or installation of a legitimate and usually free app.
About one-fifth (19%) of the new families or variants found in the first quarter secretly connected over the internet to a remote command-and-control (C&C) server as part of a botnet.