Mobile Threat report
Q4 2012

Android malware has been strengthening its position in the mobile threat scene. Every
quarter, malware authors bring forth new threat families and variants to lure more
victims and to update on the existing ones. In the fourth quarter alone, 96 new families
and variants of Android threats were discovered, which almost doubles the number
recorded in the previous quarter. A large portion of this number was contributed by
PremiumSMS—a family of malware that generates profit through shady SMS-sending
practices—which unleashed 21 new variants.

Quite a number of Android malware employ an operation similar to PremiumSMS. It
is a popular method for making direct monetary profit. The malware quietly sends
out SMS messages to premium rate numbers or signs up the victims to an SMS-based
subscription service. Any tell-tale messages or notifications from these numbers and/or
services will be intercepted and deleted; therefore, the users will be completely
unaware of these activities until the charges appear on their bills.

In addition to SMS-sending malware, some malware authors or distributors may choose
to make profit through banking trojans. Citmo.A (a mobile version of the Carberp
trojan) recently made its debut in Q4. Just like Zitmo (Zeus for mobile) and Spitmo
(SpyEye for mobile), Citmo.A operates in the same manner—it steals the mobile
Transaction Authentication Number (mTAN) that banks send via SMS to customers
to validate an online banking transaction. Using this number, it can transfer money
from the victims’ account and the banks will proceed with the transaction because it
appears to be coming from the rightful account owner.

Such is the case with Eurograbber, a variant of the Zeus trojan; Bank Info Security
reported that Eurograbber managed to steal USD47 million from over 30,000 retail and
corporate accounts in Europe. It first infected the victims’ personal computers before tricking them into installing a version of it onto their mobile devices. By positioning itself on both the victims’ computers and devices, Eurograbber can impersonate the victims and carry out transactions without raising suspicions from either the victim or the banking institution. The trojan had been found to infect not only devices running on Android, but also Symbian and BlackBerry operating systems.

The rise of Android malware can be largely attributed to the operating system’s
increasing foothold in the mobile market. Android’s market share has risen to 68.8%
in 2012, compared to 49.2% in 2011. On the threat side, its share rose to 79% in 2012 from 66.7% in 2011. Symbian, on the other hand, is suffering from the opposite fate. In 2012, it only held 3.3% market share, which is a huge drop from 16.5% in the year before. Its share in the threat scene also reflected this drop, going from 29.7% in 2011 to 19% in 2012. Nokia’s decision to halt all Symbian development in February 2012 may have contributed to the huge drop in numbers. As its market share declines, so does
malware authors’ interest in the platform as evidenced by the statistics seen in Q4
where only four new families and variants of Symbian malware were recorded.
As for the other platforms, i.e., BlackBerry, iOS, Windows Mobile, they may see some
threats popping up once in a while. But most likely, the threats are intended for
multiple platforms similar to the case of FinSpy.



In full (pdf form)
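
The PremiumSMS-style behaviour described above (silent sending plus interception of the replies) leaves a recognisable footprint in an app's manifest. The following is an added example, not part of the report or the original post: a static triage check over a decoded AndroidManifest.xml. The sample manifest and the function names are constructed for illustration, and the priority heuristic assumes the Android versions of the report's period, where incoming SMS was delivered as an ordered broadcast.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Constructed sample manifest for a hypothetical app; not taken from a real sample.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpapers">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <receiver android:name=".InboxReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def sms_receivers(root):
    """Yield (receiver name, priority) for receivers registered for incoming SMS."""
    for receiver in root.iter("receiver"):
        for flt in receiver.iter("intent-filter"):
            actions = {a.get(ANDROID + "name") for a in flt.iter("action")}
            if SMS_RECEIVED not in actions:
                continue
            try:
                priority = int(flt.get(ANDROID + "priority", "0"))
            except ValueError:
                priority = 0  # malformed value: treat as default priority
            yield receiver.get(ANDROID + "name", "?"), priority


def triage_manifest(xml_text):
    """Flag the send-plus-intercept SMS combination in a decoded manifest."""
    root = ET.fromstring(xml_text)
    perms = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    receivers = list(sms_receivers(root))
    result = {
        "can_send": "android.permission.SEND_SMS" in perms,
        "can_receive": "android.permission.RECEIVE_SMS" in perms,
        "elevated_receivers": [r for r in receivers if r[1] > 0],
    }
    # All three together match the behaviour described: silent sending plus
    # a receiver placed to see replies before the user's messaging app.
    result["review"] = all(result.values())
    return result
```

A `review` result of `True` is a reason to inspect the app further, not a verdict; legitimate messaging apps request the same permissions.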