July 13, 2015 | By Ori Bach

Fraudsters have all the tools they need to effectively turn mobile malware threats into one of the biggest security problems we’ve ever seen. As security measures lag and infection rates rise, cybercriminals use an increasingly wide array of schemes to monetize mobile malware.

The Malware Is Out There

Mobile malware remains a significant cybersecurity threat, with 1.12 percent of mobile devices monitored by IBM Trusteer in the first half of 2015 exhibiting an active malware infection. This is equal to PC infection rates, signifying that cybercriminals are shifting their resources and attention to the mobile channel.

Unsurprisingly, financial Trojans were the most prevalent form of mobile malware, with approximately 30 percent of the distinct variants targeted at stealing financial information. The remainder are capable of performing malicious actions such as stealing personal information, sending SMS messages to premium numbers, keylogging and deploying cryptographic ransomware on the device, effectively hijacking images and files stored on it.

Mobile malware threats form a rich ecosystem, and some of the most prolific mobile Trojans also act as distribution mechanisms for more targeted infections. For example, the DroidDream malware, which was the fifth-most prolific mobile malware, establishes a unique identification for the device and awaits further instruction from its operator, running in the background without the user’s knowledge. The operator can then instruct the malware to download additional malicious programs as well as open the phone up to remote control to allow for more targeted attacks, all without the user ever being aware.

In another example, the third-most prolific mobile malware, Android Exploit Masterkey, modifies Android application packages (APKs), the file format used to distribute and install applications onto Android OS. This effectively allows a hacker to turn any legitimate application into a malicious Trojan.


User Complacency and System Vulnerabilities

Consumer awareness of mobile security threats still lags behind the reality of the situation. Users who would never install software from an unverified source on their PC readily click on links in SMS messages and unwittingly download files from unknown sources on their mobile devices.

As a result, SMiShing (SMS phishing) campaigns designed to distribute mobile malware are exponentially more effective than email phishing, especially when customized to target the client base of a specific financial institution or service provider.

Users are also notoriously slow to update their mobile devices’ OS. It is therefore no surprise that mobile malware commonly observed in attacks on consumers, such as the Basebridge Trojan, exploits vulnerabilities in outdated mobile systems.

Worse yet, a significant segment of mobile users actually take steps to jailbreak or root their devices in order to access unofficial app markets or get free programs. In doing so, they not only annihilate their phone’s built-in security, but also drastically increase the risk of downloading a malicious app. In fact, according to recent reports, up to 32 percent of apps on unofficial markets contain malicious content.

Are the Official App Markets Safe?

While unofficial markets are a major risk, malicious apps are also finding their way to official stores. How easy is it for malware-infected apps to make it to the official stores? That question is best answered by the following quirky story.

In late 2014, an official Android market app playing morning and evening prayers in Arabic was flagged by antivirus vendors as infected by the banking Trojan Ramnit. Since the Ramnit malware only affects Windows environments, mobile users who downloaded the app were not really at risk. The app has since been removed from the official store.

Unbeknownst to the developer, the Ramnit PC Trojan had infected multiple files on his workstation, including the source code for the mobile app that was later repackaged and uploaded to the Android market. In other words, an infected app was able to make its way to the official app store without the malware developer even intending to do so.

Mobile Security Is Lagging

The majority of organizations that allow mobile access to internal resources, as well as financial institutions that service consumers through the mobile channel, have yet to adopt a comprehensive mobile security strategy. A recent IBM-sponsored Ponemon Institute study revealed the alarming state of mobile security for apps, with over half of the companies examined devoting zero budget to mobile security.

With lagging security for rapidly increasing and highly popular mobility, financial institutions in particular will face challenges when offering mobile payment technology to consumers and attempting to secure transactions from fraud.

A Mobile Cybercrime Underground Market Is Flourishing

Mobile malware has become one of the most popular commodities sold in underground venues. Because of the ease of obtaining mobile bots and monetizing them, demand is high, and mobile malware regularly sells for upwards of $5,000. This is also the average historical price for PC-based Trojan kits.

The offerings available on the mobile cybercrime underground cover the full range of the cybercrime ecosystem. Take the MazelTov malware-spreading kit recently discovered by IBM researchers. This kit offers an effective way to turn a piece of mobile malware into an active infection campaign that is readily available to any would-be fraudster. All an attacker would need to do is get the malware, load it and start amassing new mobile zombies.

Mitigating the Risk of Mobile Malware Threats

A successful strategy for mitigating mobile cybercrime risks must not only address current malware threats, but also take into account the dynamic nature of cybercrime and the connection between mobile and cross-channel fraud.

Mobile defenses must protect organizations from today’s threats. And considering the rapid pace of innovation set by cybercriminals, security teams must also demonstrate the ability to track threats and turn around new protections in a very timely manner. For the full IBM Trusteer Mobile Threat report and further insights on the subject of mobile security, please watch our on-demand webinar titled “2015 Mobile Threat Report — The Rise of Mobile Malware.”
