Russian, Chinese coders may be responsible for bulk of mobile malware

Fortinet has been collecting mobile malware data for the last two years and has just published some of its findings for the first time. The firm’s threat researchers track mobile malware families (not variants) as they are discovered, logging each family by the date its author created it.

To date, Fortinet has attributed 33% of all mobile malware it has detected to Russian sources, with China taking the runner-up spot at 28%. The US comes in a distant third at 7%, followed by Indonesia (5%) and India (4%).

Axelle Apvrille, an expert in cryptology and senior anti-virus analyst with Fortinet, discussed some of the findings in her recent security blog, where she was quick to point out that, when it comes to malware, “the attribution of origin is nearly always uncertain”.

However, Apvrille told Infosecurity that there are several clues she looks for when examining mobile malware that may help indicate the source. In one particular example she provided, a piece of malware could be downloaded from a Chinese website; it then contacted another Chinese site and sent an SMS to a Chinese phone number.

“We usually attribute a given family to a country when we spot several indications leading to the same country”, Apvrille noted in her recent blog. “Yet, even ‘strong’ hints can be misleading”, she warned, adding “they could intentionally be left in the malware, for example”.
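The convergent-indicator approach Apvrille describes, written out as an added example; this is illustrative code, not Fortinet’s or Apvrille’s tooling. It assumes constructed sample strings (hypothetical hosts and numbers, not from any real sample), a deliberately small ccTLD and dialling-code table, and a made-up decision rule: attribute only when at least two indicators of different kinds (a URL and an SMS number, say) point to one country and none points elsewhere, so that a single planted string cannot carry the call on its own.

```python
import re
from collections import defaultdict

# Illustrative lookup tables only; a real tool would use complete ccTLD and
# E.164 dialling-code data. Both tables are assumptions for this example.
CCTLD_COUNTRY = {"cn": "China", "ru": "Russia", "us": "US", "id": "Indonesia", "in": "India"}
DIAL_CODE_COUNTRY = {"86": "China", "7": "Russia", "1": "US", "62": "Indonesia", "91": "India"}

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
PHONE_RE = re.compile(r"\+(\d{7,15})\b")


def extract_indicators(strings):
    """Pull country-bearing indicators (URL hosts, SMS numbers) from sample strings.

    Returns a list of (kind, value, country). Strings without a recognisable
    country signal are ignored.
    """
    found = []
    for s in strings:
        for host in URL_RE.findall(s):
            tld = host.rsplit(".", 1)[-1].lower()
            if tld in CCTLD_COUNTRY:
                found.append(("url", host, CCTLD_COUNTRY[tld]))
        for digits in PHONE_RE.findall(s):
            # Dialling codes are 1-3 digits; try the longest prefix first.
            for n in (3, 2, 1):
                if digits[:n] in DIAL_CODE_COUNTRY:
                    found.append(("sms", "+" + digits, DIAL_CODE_COUNTRY[digits[:n]]))
                    break
    return found


def attribute(strings, min_indicators=2):
    """Attribute a sample to a country only when several indicators agree.

    Decision rule (an assumption of this example, modelled on "several
    indications leading to the same country"):
      * at least `min_indicators` indicators must point to one country;
      * they must come from at least two different kinds (url, sms), since a
        single planted string could satisfy one kind by itself;
      * any indicator pointing to a different country makes the call uncertain.
    Returns (country or None, indicators).
    """
    indicators = extract_indicators(strings)
    by_country = defaultdict(list)
    for kind, _value, country in indicators:
        by_country[country].append(kind)
    if len(by_country) != 1:
        return None, indicators  # no signal at all, or conflicting signals
    (country, kinds), = by_country.items()
    if len(kinds) < min_indicators or len(set(kinds)) < 2:
        return None, indicators  # too few hints, or all of one kind
    return country, indicators


# Constructed strings, as might be recovered from a mobile malware package.
# Hypothetical hosts and numbers; not taken from any real sample.
CONVERGENT_SAMPLE = [
    "http://dl.example.cn/update.sisx",    # site the package was downloaded from
    "http://stat.example.cn/report.php",   # site contacted after install
    "+8613900000000",                      # SMS destination
    "SymbianOS 9.1",                       # no country signal
]
CONFLICTING_SAMPLE = [
    "http://dl.example.ru/update.sisx",
    "+8613900000000",
]
SINGLE_HINT_SAMPLE = ["http://dl.example.cn/update.sisx"]


if __name__ == "__main__":
    for name, sample in [("convergent", CONVERGENT_SAMPLE),
                         ("conflicting", CONFLICTING_SAMPLE),
                         ("single hint", SINGLE_HINT_SAMPLE)]:
        country, hints = attribute(sample)
        print(f"{name}: {country or 'uncertain'} {hints}")
```

The conflicting and single-hint samples both come back as uncertain, which is the point of the caveat above: one “strong” hint, or hints that disagree, should not produce a country label, and an analyst still has to consider that even agreeing hints may have been planted.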

Another interesting finding from the data is that the Symbian mobile operating system is the most frequently targeted platform (>50%) in the samples collected by Fortinet, with a further 15% of families targeting Java ME MIDlets.

Apvrille said that the percentage of malware targeting Symbian has decreased as of late. She did add that the company has registered several new Android malware pieces over the last few weeks, but cautioned that the data cannot be easily converted “into reliable statistics” because Fortinet’s stats include only malware families, and “does not take into account the fact [that] a given family may have several variants or be particularly active”.
