Fraudsters have all the tools they need to effectively turn mobile malware threats into one of the biggest security problems we’ve ever seen. As security measures lag and infection rates rise, cybercriminals use an increasingly wide array of schemes to monetize mobile malware.

The Malware Is Out There

Mobile malware remains a significant cybersecurity threat, with 1.12 percent of mobile devices monitored by IBM Trusteer in the first half of 2015 exhibiting an active malware infection. This is equal to PC infection rates, signifying that cybercriminals are shifting their resources and attention to the mobile channel.

Unsurprisingly, financial Trojans were the most prevalent form of mobile malware, with approximately 30 percent of the distinct variants targeted at stealing financial information. The remainder are capable of performing malicious actions such as stealing personal information, sending SMS to premium numbers, keylogging and deploying cryptographic ransomware on the device, effectively hijacking images and files stored on it.

Mobile malware threats form a rich ecosystem, and some of the most prolific mobile Trojans also act as distribution mechanisms for more targeted infections. For example, the DroidDream malware, which was the fifth-most prolific mobile malware, establishes a unique identification for the device and awaits further instruction from its operator, running in the background without the user’s knowledge. The operator can then instruct the malware to download additional malicious programs as well as open the phone up to remote control to allow for more targeted attacks, all without the user ever being aware.

In another example, the third-most prolific mobile malware, Android Exploit Masterkey, modifies Android application packages (APKs), the file format used to distribute and install applications onto Android OS. This effectively allows a hacker to turn any legitimate application into a malicious Trojan.


User Complacency and System Vulnerabilities

Consumer awareness of mobile security threats still lags behind the reality of the situation. Users who would never install software from an unverified source on their PC readily click on links in SMS messages and unwittingly download files from unknown sources on their mobile devices.

As a result, SMiShing (SMS phishing) campaigns designed to distribute mobile malware are exponentially more effective than email phishing, especially when customized to target the client base of a specific financial institution or service provider.

Users are also notoriously slow to update their mobile devices’ OS. It is therefore no surprise that mobile malware commonly observed in attacks on consumers, such as the Basebridge Trojan, exploits vulnerabilities in outdated mobile systems.

Worse yet, a significant segment of mobile users actually take steps to jailbreak or root their devices in order to access unofficial app markets or get free programs. In doing so, they not only annihilate their phone’s built-in security, but also drastically increase the risk of downloading a malicious app. In fact, according to recent reports, up to 32 percent of apps on unofficial markets contain malicious content.

Are the Official App Markets Safe?

While unofficial markets are a major risk, malicious apps are also finding their way to official stores. How easy is it for malware-infected apps to make it to the official stores? That question is best answered by the following quirky story.

In late 2014, an official Android market app playing morning and evening prayers in Arabic was flagged by antivirus vendors as infected by the banking Trojan Ramnit. Since the Ramnit malware only affects Windows environments, mobile users who downloaded the app were not really at risk. The app has since been removed from the official store.

Unbeknownst to the developer, the Ramnit PC Trojan infected multiple files on his workstation, including the source code for the mobile app that was later repackaged and uploaded to the Android market. In other words, an infected app was able to make its way to the official app store without the malware developer even intending to do so.
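The infection path in this story, a compromised developer workstation dragging Windows malware into an Android package, can be checked for on the packaging side before upload. The following Python is an added example, not IBM's or the app developer's code: it walks the APK's ZIP entries and flags any whose content carries a Windows PE header under whatever filename, using a constructed sample archive in place of a real APK.

```python
"""Scan an Android APK (a ZIP archive) for embedded Windows PE files.

Added example: a build-side check for Windows malware that rode into an
app package from an infected workstation. Assumption: the PE header lies
within the first 4 KiB of an entry (true for normal PE files).
"""
import io
import zipfile

HEAD_BYTES = 4096  # read at most this much per entry; the PE header sits early


def looks_like_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def find_pe_entries(apk_bytes: bytes) -> list[str]:
    """Return names of archive entries that look like Windows executables."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(HEAD_BYTES)  # extension is ignored on purpose
            if looks_like_pe(head):
                flagged.append(info.filename)
    return flagged


def build_sample_apk() -> bytes:
    """Constructed APK-like archive: two benign entries and one PE stub."""
    pe_stub = (b"MZ" + b"\0" * (0x3C - 2)          # DOS header up to e_lfanew
               + (0x80).to_bytes(4, "little")       # e_lfanew -> offset 0x80
               + b"\0" * (0x80 - 0x40) + b"PE\0\0")  # PE signature
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 16)
        # Windows executable hidden under an innocuous asset name
        zf.writestr("assets/sounds/prayer.mp3", pe_stub)
    return buf.getvalue()


if __name__ == "__main__":
    print(find_pe_entries(build_sample_apk()))  # ['assets/sounds/prayer.mp3']
```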

Mobile Security Is Lagging

The majority of organizations that allow mobile access to internal resources, as well as financial institutions that service consumers through the mobile channel, have yet to adopt a comprehensive mobile security strategy. A recent IBM-sponsored Ponemon Institute study revealed the alarming state of mobile security for apps, with over half of the companies examined devoting zero budget to mobile security.

With lagging security for rapidly increasing and highly popular mobility, financial institutions in particular will face challenges when offering mobile payment technology to consumers and attempting to secure transactions from fraud.

A Mobile Cybercrime Underground Market Is Flourishing

Mobile malware has become one of the most popular commodities sold in underground venues. Because of the ease of obtaining mobile bots and monetizing them, demand is high, and mobile malware regularly sells for upwards of $5,000. This is also the average historical price for PC-based Trojan kits.

The offerings available on the mobile cybercrime underground cover the full range of the cybercrime ecosystem. Take the MazelTov malware-spreading kit recently discovered by IBM researchers. This kit offers an effective way to turn a piece of mobile malware into an active infection campaign that is readily available to any would-be fraudster. All an attacker would need to do is get the malware, load it and start amassing new mobile zombies.

Mitigating the Risk of Mobile Malware Threats

A successful strategy for mitigating mobile cybercrime risks must not only address current malware threats, but also take into account the dynamic nature of cybercrime and the connection between mobile and cross-channel fraud.

Mobile defenses must protect organizations from today’s threats. And considering the rapid pace of innovation set by cybercriminals, security teams must also demonstrate the ability to track threats and turn around new protections in a very timely manner. For the full IBM Trusteer Mobile Threat report and further insights on the subject of mobile security, please watch our on-demand webinar titled “2015 Mobile Threat Report — The Rise of Mobile Malware.”
