Fraudsters have all the tools they need to effectively turn mobile malware threats into one of the biggest security problems we’ve ever seen. As security measures lag and infection rates rise, cybercriminals use an increasingly wide array of schemes to monetize mobile malware.
The Malware Is Out There
Mobile malware remains a significant cybersecurity threat, with 1.12 percent of mobile devices monitored by IBM Trusteer in the first half of 2015 exhibiting an active malware infection. This is equal to PC infection rates, signifying that cybercriminals are shifting their resources and attention to the mobile channel.
Unsurprisingly, financial Trojans were the most prevalent form of mobile malware, with approximately 30 percent of the distinct variants targeted at stealing financial information. The remainder are capable of performing malicious actions such as stealing personal information, sending SMS to premium numbers, keylogging and deploying cryptographic ransomware on the device, effectively hijacking images and files stored on it.
Mobile malware threats form a rich ecosystem, and some of the most prolific mobile Trojans also act as distribution mechanisms for more targeted infections. For example, the DroidDream malware, which was the fifth-most prolific mobile malware, establishes a unique identification for the device and awaits further instruction from its operator, running in the background without the user’s knowledge. The operator can then instruct the malware to download additional malicious programs as well as open the phone up to remote control to allow for more targeted attacks, all without the user ever being aware.
In another example, the third-most prolific mobile malware, Android Exploit Masterkey, modifies Android application packages (APKs), the file format used to distribute and install applications onto Android OS. This effectively allows a hacker to turn any legitimate application into a malicious Trojan.
User Complacency and System Vulnerabilities
Consumer awareness of mobile security threats still lags behind the reality of the situation. Users who would never install software from an unverified source on their PC readily click on links in SMS messages and unwittingly download files from unknown sources on their mobile devices.
As a result, SMiShing (SMS phishing) campaigns designed to distribute mobile malware are exponentially more effective than email phishing, especially when customized to target the client base of a specific financial institution or service provider.
Users are also notoriously slow to update their mobile devices’ OS. It is therefore no surprise that mobile malware commonly observed in attacks on consumers, such as the Basebridge Trojan, exploits vulnerabilities in outdated mobile systems.
Worse yet, a significant segment of mobile users actually take steps to jailbreak or root their devices in order to access unofficial app markets or get free programs. In doing so, they not only annihilate their phone’s built-in security, but also drastically increase the risk of downloading a malicious app. In fact, according to recent reports, up to 32 percent of apps on unofficial markets contain malicious content.
Are the Official App Markets Safe?
While unofficial markets are a major risk, malicious apps are also finding their way to official stores. How easy is it for malware-infected apps to make it to the official stores? That question is best answered by the following quirky story.
In late 2014, an official Android market app playing morning and evening prayers in Arabic was flagged by antivirus vendors as infected by the banking Trojan Ramnit. Since the Ramnit malware only affects Windows environments, mobile users who downloaded the app were not really at risk. The app has since been removed from the official store.
Unbeknownst to the developer, the Ramnit PC Trojan infected multiple files on his workstation, including the source code for the mobile app that was later repackaged and uploaded to the Android market. In other words, an infected app was able to make its way to the official app store without the malware developer even intending to do so.
Mobile Security Is Lagging
The majority of organizations that allow mobile access to internal resources, as well as financial institutions that service consumers through the mobile channel, have yet to adopt a comprehensive mobile security strategy. A recent IBM-sponsored Ponemon Institute study revealed the alarming state of mobile security for apps, with over half of the companies examined devoting zero budget to mobile security.
With security lagging behind rapidly growing and highly popular mobile use, financial institutions in particular will face challenges when offering mobile payment technology to consumers and attempting to secure transactions from fraud.
A Mobile Cybercrime Underground Market Is Flourishing
Mobile malware has become one of the most popular commodities sold in underground venues. Because of the ease of obtaining mobile bots and monetizing them, demand is high, and mobile malware regularly sells for upwards of $5,000. This is also the average historical price for PC-based Trojan kits.
The offerings available on the mobile cybercrime underground cover the full range of the cybercrime ecosystem. Take the MazelTov malware-spreading kit recently discovered by IBM researchers. This kit offers an effective way to turn a piece of mobile malware into an active infection campaign that is readily available to any would-be fraudster. All an attacker would need to do is get the malware, load it and start amassing new mobile zombies.
Mitigating the Risk of Mobile Malware Threats
A successful strategy for mitigating mobile cybercrime risks must not only address current malware threats, but also take into account the dynamic nature of cybercrime and the connection between mobile and cross-channel fraud.
Mobile defenses must protect organizations from today’s threats. And considering the rapid pace of innovation set by cybercriminals, security teams must also demonstrate the ability to track threats and turn around new protections in a very timely manner. For the full IBM Trusteer Mobile Threat report and further insights on the subject of mobile security, please watch our on-demand webinar titled “2015 Mobile Threat Report — The Rise of Mobile Malware.”