Mobile Malware Spikes 30% in First Half of 2013

The FortiGuard threat landscape research report for the first six months of the year found that there are now more than 300 unique Android malware families in existence

The FortiGuard threat landscape research report for the first six months of the year found that there are now more than 300 unique Android malware families in existence, with more than 250,000 unique malicious Android samples uncovered to date.

Financially lucrative ransomware is one of the top threats now, Fortinet observed. "Ransomware has been incredibly successful financially for cybercriminals, so it's no surprise they've turned their attention to mobile devices," said Richard Henderson, security strategist for Fortinet's FortiGuard Labs, in a statement. "The Fake Defender malware for Android follows the same M.O. as PC fake antivirus software: it pretends to be altruistic, but in reality it lies in wait to launch its true form. This malware then locks the victim's phone and demands payment before unlocking the device. Once the phone is locked, the victim can either pay the ransom or completely erase their device, losing all their photos and data unless they have a full backup elsewhere."

Also, even though patches are available for recently disclosed vulnerabilities in Ruby on Rails, Java, Adobe Acrobat and Apache, FortiGuard Labs is finding that attackers are still exploiting those old vulnerabilities against systems that have not applied them.

For instance, in January, it was announced that a critical vulnerability in the Ruby on Rails (RoR) Framework could allow a remote attacker to execute code on the underlying web server.

RoR is a web application framework for the Ruby programming language that allows rapid, easy and elegant deployment of "Web 2.0" sites. It is used by hundreds of thousands of websites, and a Metasploit module was released to scan for the vulnerability, making it trivial to find an exploitable web server.

"The exploit involved a flaw in the XML processor deserialization routine, which is used to create Ruby objects on the fly," said Henderson. "RoR was patched to correct the flaw, but four months later it was discovered that an attacker or attackers were searching for, and exploiting, unpatched web servers in order to infect them with software."
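To make the mechanism Henderson describes concrete, here is an added example, written for this page and not taken from the Fortinet report or from Rails itself. It imitates in plain Ruby how the Rails XML parameter parser typecast request elements before the January 2013 fix (the issue tracked as CVE-2013-0156): the client-controlled `type="yaml"` attribute routed an element's text into an unrestricted YAML load, and Psych will instantiate any class loaded in the process from a `!ruby/object:` tag without calling its constructor. The `AuditLogger` class, the `parse_params` helper and the request body are constructed for illustration; the real exploit chain went on from object instantiation to code execution through Rails-internal classes, which this example deliberately stops short of. The hardened cast table mirrors the advisory's workaround of removing the `yaml` and `symbol` conversions from the parser.

```ruby
require "rexml/document"
require "yaml"

# Stand-in for any class already loaded in the application process.
# Psych can build one from a "!ruby/object:AuditLogger" tag without
# ever calling its constructor (class constructed for this example).
class AuditLogger
  attr_reader :path
end

# Psych 4 (Ruby 3.1+) made YAML.load safe by default, so the unsafe
# loader is called explicitly where it exists to reproduce the older
# behaviour that Rails relied on at the time.
UNSAFE_YAML = lambda do |text|
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(text) : YAML.load(text)
end

# Imitation of the pre-fix behaviour: the "type" attribute on an XML
# element, chosen by the client, selects how its text is converted.
VULNERABLE_CASTS = {
  "integer" => ->(s) { Integer(s, 10) },
  "symbol"  => ->(s) { s.to_sym },   # symbols were never garbage-collected back then
  "yaml"    => UNSAFE_YAML,          # arbitrary object instantiation
}.freeze

# Hardened table, mirroring the advisory's workaround: drop the "yaml"
# and "symbol" conversions so an unknown type is left as a plain string.
HARDENED_CASTS = VULNERABLE_CASTS.reject { |type, _| %w[yaml symbol].include?(type) }.freeze

# Convert the child elements of the XML root into a params hash,
# applying the cast named by each element's "type" attribute.
def parse_params(xml, casts)
  doc = REXML::Document.new(xml)
  doc.root.elements.each_with_object({}) do |el, params|
    cast = casts[el.attributes["type"]]
    text = el.text.to_s
    params[el.name] = cast ? cast.call(text) : text
  end
end

# Constructed request body: one ordinary field and one field whose YAML
# text asks Psych to build an AuditLogger with an attacker-chosen ivar.
MALICIOUS_BODY = <<~XML
  <request>
    <title>hello</title>
    <evil type="yaml">--- !ruby/object:AuditLogger
  path: /tmp/owned
  </evil>
  </request>
XML

if $PROGRAM_NAME == __FILE__
  p parse_params(MALICIOUS_BODY, VULNERABLE_CASTS)["evil"] # an AuditLogger instance
  p parse_params(MALICIOUS_BODY, HARDENED_CASTS)["evil"]   # the raw YAML text, unparsed
end
```

The point to take from the two runs is that nothing in the request body had to change: the same bytes produce a live object under one parser table and an inert string under the other, which is why the fix was to stop honouring those type names rather than to filter payloads.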

Similarly, in January, a zero-day exploit that was able to bypass Java's sandbox and run arbitrary Java code was discovered. Attacks were observed in the wild, and the exploit was quickly integrated into many popular crimeware attack kits, such as BlackHole, Redkit and Nuclear Pack, giving purchasers of these kits the ability to take advantage of the exploit and install malware on computers. A Metasploit module was also created for the vulnerability, making the ability to find victims a simple point-and-click affair.

"The exploit involved a flaw in a JMX (Java Management Extensions) component that allowed the malicious applet to elevate its privileges and run any Java code it wished," Henderson said.

Oracle was quick to release a patch for the flaw, but similar to other exploits integrated into crimeware kits, many new victims were found – and continue to be found – running unpatched versions of Java, allowing malware to be installed.

One significant factor in the spiking of mobile malware is the prevalence of lax policies governing the bring-your-own-device (BYOD) phenomenon, where employees use personal tablets, laptops and smartphones for work. While BYOD increases employee efficiency and productivity, it opens up a vector for mobile malware infecting the user's device and, subsequently, the business network.

"Three years ago, mobile malware wasn't much of a concern for users or businesses," said Axelle Apvrille, senior mobile anti-virus researcher for Fortinet's FortiGuard Labs, in a statement. "Most malware at the time targeting smartphones and tablets was nothing more than annoyware, such as the Cabir virus, or scam software used to commit SMS fraud or replace icons."

Apvrille added, "However, as devices have proliferated, so, too, have cybercriminals eager to capitalize on the growing user base, and our research shows the proliferation of mobile malware will not abate anytime soon."

The report also breaks down some of the history of mobile malware and points to the causes of its recent snowballing in volume. In 2009, the majority of mobile malware in existence targeted the Symbian OS and Nokia phones, which dominated the mobile phone scene when the Apple iPhone was new to the marketplace and Android was just beginning to be talked about. In addition, much of that malware was written by programmers in Eastern Europe and China, places where Symbian commanded a large share of the user base.

Just four years later, in 2013, wide-scale manufacturer adoption of Google's Android OS globally has led to an explosion of smartphones in the marketplace. "Android devices are available in every market, at price levels from the incredibly inexpensive to feature-rich, cutting-edge computing monsters," the report noted. "Coupled with the explosion of available applications to extend device functionality, cybercriminals and other nefarious types have used this platform as a new business opportunity."
