Just six months after mobile malware and high risk apps reached the one million mark, we have learned that that number has now doubled.
Figure 1. The number of malicious and high risk apps reaches the 2M mark
This milestone comes at the heels of the “tenth anniversary” of mobile malware. 2004 saw the first mobile malware—a proof-of-concept (PoC) malware named SYMBOS_CABIR—which infected Nokia phones. But it wasn’t until during the start of the smartphone era that mobile malware exploded onto the threat landscape. From relatively harmless pop-up messages, mobile malware has since evolved to include premium service abuse, information theft, backdoors, and even rootkits.
And the threats continue to evolve. After hitting the 1M mark, we are now seeing mobile malware veer into pioneer territory. These malware could very well be the bellwether for the kinds of malware we’ll be seeing in the following months.
Anonymity with TORBOT
The Onion Router (more commonly known as TOR) is known as one way for users to become “anonymous” online. It’s also known for its connection to underground markets. Cybercriminals are now using TOR to hide their malicious mobile routines. ANDROIDOS_TORBOT.A is the first mobile malware to use TOR to connect to a remote server. Once connected, it performs routines like make phone calls, intercept and read text messages, and send text messages to a specific number. The use of the TOR network makes it more difficult to track down the activity and trace the C&C server.
Proliferation with DENDROID
We’ve often discussed how the number of mobile malware keeps increasing at a rapid pace. The creation of a particular remote access Trojan (RAT) mobile malware may soon become a significant contributor to that number.
ANDROIDOS_DENDROID.HBT can take screenshots, photos, and video and audio recordings. It can also record calls. But what makes DENDROID notable is that it is also peddled as a crimeware tool. DENDROID is being sold in underground markets for US$300 with the promise of easily “Trojanizing” legitimate apps. DENDROID provides an APK binder tool, an APK client, and a background control panel for would-be buyers to repack created apps. Perhaps making it more alarming is that DENDROID was actually found in the Google Play Store.; the malware was able to bypass Google Bouncer and avoid detection.
Mobile Devices Are Now Miners
Cybercriminals have also branched out to making miners out of mobile devices. ANDROIDOS_KAGECOIN.HBT has the ability to mine cryptocurrencies like Bitcoin, Dogecoin, and Litecoin. The mining only occurs once the mobile device is charging so the excess usage will not be noticeable. However subtle the routine might try to be, the routine takes a definite toll on the mobile device. Mining for digital currencies requires a lot of processing power that most phones do not have so users will end up with phones with sluggish performance.
The New Frontier for Mobile Threats
One thing to note is that the malware discussed in this entry involve topics that are pretty popular within the tech landscape. TOR continues to gain popularity and awareness due to concerns over online privacy. Cryptocurrencies, like Bitcoin and Dogecoin, are fast becoming popular with the public as their monetary values continue to rise (and fall). This only shows that cybercriminals are willing to tap into anything remotely feasible in order to gain new victims.
With mobile threats reaching the 2 million mark , it’s important that users take the time to secure their devices. Scrutinizing apps, avoiding unknown URLs, and deleting suspicious messages and emails can contribute to a device’s security. Paying close attention to reported software vulnerabilities and flaws—such as the ones involving custom permissions and a system crash vulnerability—is also needed as cybercriminals are wont to exploit these. The Trend Micro Mobile Threat Hub provides helpful information about mobile threats and other security tips for smartphones, tablets and other gadgets.