At the end of the second quarter of 2013, the firm found there to be 700 thousand malicious and risky apps in the wild, leading it to predict that Android malware would reach the dubious one million milestone by the end of the year. But that day has arrived one quarter early.
“Our Mobile App Reputation data indicates that there are now one million mobile malware (such as premium service abusers) and high-risk apps (apps that aggressively serve ads that lead to dubious sites),” said Gelo Abendan, in a blog on the findings. “Among the one million questionable apps we found, 75% perform outright malicious routines, while 25% exhibits dubious routines, which include adware.”
Malware families such as FAKEINST (34%) and OPFAKE (30%) are the top samples making the rounds today, the firm found.
FAKEINST malware are typically disguised as legitimate apps, but they instead send unauthorized text messages to certain numbers and register users to costly services. One high-profile incident involving FAKEINST is the fake Bad Piggies versions.
The OPFAKE malware is similar to FAKEINST, in that it mimics legitimate apps. However, a variant (ANDROIDOS_OPFAKE.CTD) was found to open an HTML file that asks users to download a possibly malicious file.
On the high-risk apps front, ARPUSH and LEADBLT lead the pack, gathering 33% and 27% of the total number, respectively. Both are known adware and infostealers, collecting device-related data such as OS information, GPS location, IMEI and so on, according to Trend Micro.
Then there’s the banking Trojan arena. “Threat actors are also pouncing on mobile users’ banking transactions, with the likes of FAKEBANK and FAKETOKEN malware threatening users,” explained Abendan. “As with other app types, users may encounter Trojanized or fake apps disguised as legitimate banking apps. Cybercriminals will use different tricks to mimic legitimate apps. They can use the same images and icons or closely imitate the publisher’s name.”
FAKEBANK for example was first spotted in the second quarter of 2013.
“Once installed, it uses the Google Play icon to stay low-key,” Trend Micro explained in a report on mobile banking malware. “During installation, it replaces parts of legitimate banking app files with malicious code, but it does not modify their icons and user interface. Once users access these apps, they unwittingly give out their account information. Aside from this, FAKEBANK also steals call logs and received text messages.”
The FAKETOKEN malware meanwhile mimics the token generator app of a financial institution. Users who wind up with this malicious app end up giving out their password to avoid receiving an error message. Once users enter their password, the malware generates a fake token and sends the stolen information to a specific number.
Also, mobile users may also encounter smishing (SMS phishing) or vishing (voice phishing). While the techniques differ—smishing relies on text messages while vishing relies on voice calls—the end goal remains the same: steal information.
And despite the focus on the escalating state of mobile malware, it’s worth remembering that threats can be simpler than users think. “Losing a phone by accident or via theft can have dire consequences, especially if it isn’t secured with a PIN or pattern and its owner leaves his online banking account open in it,” Trend Micro noted.
Recently at the Hacker Halted conference in Atlanta, researcher Charlie Miller told the audience that mobile malware and threats are "mostly hype."