Mobile Malware and Criminals Are Both Getting Smarter

James Lyne at Sophos said threats are getting, in his own words, "smarter, shadier and stealthier"
James Lyne at Sophos said threats are getting, in his own words, "smarter, shadier and stealthier"

Infosecurity spoke to James Lyne, global head of security research at Sophos following the launch of the 'Security Threat Report 2014', and asked him to pick out the two most pressing examples of how threats are getting, in his own words, "smarter, shadier and stealthier." He chose mobile malware and more sophisticated criminal infrastructures.

"For the last couple of years," he said, "everyone has described mobile is the big growing threat – to such an extent that people have become a bit blasé about it. The reality, however, is that many companies have talked about this threat, but haven't actually implemented a BYOD security management system – it's been more a topic of discussion than action."

But he warns that while the defenders have done very little, the attackers have been busy. "In the latter part of this year, we've seen an interesting change in the behavior of mobile malware, mostly on Android. We've got about 350,000 samples of malicious Android code – still small compared to the PC environment but certainly big enough to worry about. In the first part of the year they were simple pieces of malicious code (fake or pirated applications with malicious code attached) – very 1990s PC style – but in the latter part of the year, it's like the malware authors have collapsed ten years of PC learning into a single year on mobile. We're seeing encrypted C&C, polymorphism, and mobile botnets. To be blunt, the mobile malware guys have not just caught up, they've moved slightly ahead of where most people are in mobile security defenses."

He believes that this trend will continue. Mobile security is no longer just about configuration management, preventing accidental data loss and complying with data protection regulations, it is about countering "a direct, serious and growing threat from sophisticated malicious code. Our mobile devices are becoming replicas of our PCs, but with lower security considerations; and that's what's making them an interesting target."

For the moment, he suggests, the attractiveness of the mobile market is to develop botnets (because mobile bandwidth is actually quite large), to steal personal financial data (because we're living more and more of our daily lives on the mobile platform), and to find a conduit onto the corporate network. "I expect all of these to ramp up over the next couple of years as the devices get smarter and more integrated into the workplace."

Lyne's second example of how the threat landscape is evolving is the way in which the cybercriminals are generally making their infrastructure far more resilient. "They're putting up a fight," he said. "In earlier years, when the security industry detected and tackled a threat, the criminals would give up and move on and do something different, and that was the end of it. But what's happened this year is that we've started to see the cybercriminals pushing back and not giving up quite so easily. They're redesigning their infrastructures in an attempt to withstand the attacks from the security industry."

He gave ZeroAccess as an example. When Sophos and other security companies sink-holed the botnet's traffic back in October, its use fell off dramatically. But then, almost immediately, it came back stronger than ever, far in excess of anything the botnet had done before the security industry attacks. "What happened there," he said, "is that the botnet authors came up with a new design that would circumvent the security industry attacks. That's a great example of the mindset we're going to see more of in the cybercriminal community." He calls it the 'continued professionalization and improved proficiency of the black economy.'

Since the Sophos research that produced this new report, Microsoft has had a new and major success against ZeroAccess. Infosecurity asked Lyne whether he thought the new resilience within the criminal community meant that ZeroAccess would survive and continue. "We have seen a drop off of ZeroAccess activity since the Microsoft action, but it's too soon to tell whether that will last," he said.

Pressed for a personal opinion, he replied, "So far the numbers have dropped off massively, but I wouldn't be surprised if ZeroAccess authors come back with a new command and control mechanism and continue to fight back. I expect it will look completely different; but I don't think they'll just move on."

The implication is fairly clear – if ZeroAccess fights back for a second time, Sophos is right and the criminal community is entering a new phase in its war against the security industry. It is doing what security experts urge industry to do – it is building resilience into its infrastructure.

What’s Hot on Infosecurity Magazine?