Android malware up sixfold in Q3

That’s the conclusion of Trend Micro's third-quarter security roundup report, which found that the roughly 30,000 malicious and high-risk Android apps identified in June had grown to almost 175,000 by the end of the July-to-September quarter.

“At the end of the day... all mobile apps are essentially web clients; therefore, they are as unsecure as a browser and that’s how you should treat them,” said David Sancho, senior threat researcher at Trend Micro.

As on the PC, much of today’s mobile malware preys on the unwary, the firm noted. However, the mobile threat differs in important ways, owing to the app-centric, anytime-anywhere nature of the wireless world.

For instance, Trend Micro noted that fake versions of legitimate Android apps are the most prevalent type of Android malware. This quarter, data stealers like Solar Charge, premium-service abusers like Live Wallpapers in China, and fake versions of best-selling apps spreading in Russia further raised concerns about the open nature of the Android ecosystem.

Trend Micro also found malicious Android application package (APK) files developed by the attackers behind the Luckycat APT campaign, and judged them to be in an early stage of development. The apps can execute commands sent from a remote command-and-control (C&C) server, collect sensitive device information and upload it to a remote repository, and download files in order to fetch a newer version of the malware.

A remote shell is also listed among the commands the apps accept, but Trend Micro said the current APKs appear incomplete in this regard. Overall, the researchers said, the apps look like works in progress.

The real implication of this development is the risk it poses to corporate environments. “For the BYOD phenomenon, the existence of these apps demonstrates even more vividly the risks of allowing smartphones and tablets to connect to the corporate network in an unsecure manner,” the report noted. “Mobile devices may be small, handy and convenient, but they can open users to the same threats that used to be the sole domain of the desktop.”

When it comes to targeted attacks, this development suggests that threat actors are actively adapting to the way their targets’ network environments are changing. “While it has been predicted that APT attackers will likely develop the capacity to attack targets via mobile devices, our discovery indicates that the development of such a capability is something they are pursuing,” the company said.

For consumers, a rising threat also lies in aggressive mobile adware, which displays ads on infected devices to generate revenue for app developers. Such apps also tend to gather personal information without the user’s explicit knowledge or consent, the report noted. Worse, the servers that deliver the ads can be used as vectors for serving more than marketing. Trend Micro found that adware contributed significantly to the rise in the number of malicious and high-risk Android apps, led by variants that used legitimate ad networks to push malicious ads, some of which even pushed ads through the device’s notification bar.

Unfortunately, adware is often bundled with popular apps. The Obama vs. Romney Android app, for instance, which served potentially unwanted ads, was downloaded as many as 1,000 times from Google Play alone.

“Though most adware is designed to collect user information, a fine line exists between collecting data for simple advertising and violating one’s privacy,” the company noted. “Because they normally collect user information for legitimate purposes, they can serve as an effective means to gather more data than some would want to give out.”

Trend Micro also examined the threat landscape for non-mobile endpoints. ZeroAccess malware, sometimes distributed through peer-to-peer (P2P) file-sharing sites, was the most common infection this quarter, up from third place a quarter earlier; the DOWNAD/Conficker worm came a close second. Trend Micro recorded more than 900,000 instances of ZeroAccess, which is able to patch system files.

Meanwhile, PayPal attracted the most “phishermen,” while LinkedIn topped the list of brands used as lures in BlackHole Exploit Kit attacks.

BlackHole 2.0 is believed to be undergoing beta testing, with a different URL format among the improvements intended to evade detection. “The unusual combination (i.e., using Blackhole Exploit Kit 1.0 attack URLs and removing the plugin detect function in scripts) indicates that the authors of Blackhole Exploit Kit 2.0 may still be beta-testing specific features before fully releasing it into the wild,” said Jon Oliver, software architecture director.

Finally, the top spam-sending countries this quarter were Saudi Arabia (which generated 21% of spam) and India (18%). The FESTI botnet uses SaudiNet for its spamming activity, Trend Micro noted.
