Traditionally, malware has been far more prevalent on Microsoft Windows than on other operating systems. As recently as 2010, more than 99 percent of all viruses and other threats were designed specifically for the popular OS. More recently, though, malware authors have diversified their targets, turning to Macs and, above all, to mobile devices running Android.
In 2011, Trend Micro researchers identified a search engine optimization campaign that went after both PCs and Macs. Around that time, MacDefender – a rogue program that lured users in via Google Image Search and then tried to fool them with a fake antivirus interface – caught the attention of cybersecurity specialists, signaling the imminent decline of Windows’ virtual monopoly on malware. Since then, growth of Mac sales has only continued to outpace that of the PC industry at large. Latter-day threats such as the “Kyle & Stan” advertising network address both Windows and OS X through compromised Internet domains.
Moreover, much of the longstanding cybercriminal attention to Windows was always rooted in its market share rather than any particulars of its design. To give a sense of scale, Windows 8 alone sold 200 million licenses through its first 15 months on the market, yet was considered a “disappointment” compared to Windows 7, which easily crossed the 600 million threshold less than 3 years after its release. Factor in the persistence of Windows XP – it still accounted for almost one-quarter of all desktops worldwide in August 2014 – and the installed base is still large enough to be a reliable magnet for malicious activity.
What happens when Windows is no longer number one
But even Windows’ size isn’t enough to make it an outlier anymore. Consider that Android, the open source mobile OS primarily managed by Google, will ship on more than 1 billion devices this year alone, meaning that 2014 Android shipments by themselves would exceed the total number of Windows 7 licenses ever sold.
With such popularity, Android was bound to eventually rival Windows as a target of malware. Not only have threats multiplied in recent years, but they have also become more sophisticated, underscoring the broad transition from desktop to mobile computing:
- Trend Micro identified almost 1 million risky Android malware samples by September 2013, reaching the milestone well ahead of original projections of year-end 2013. Premium service abusers and fake apps (the hit game “Bad Piggies” was a prominent example) were among the biggest problems.
- Anti-malware apps for Android are readily available and are important mitigation tools for high-risk devices (e.g., ones that rely on third-party app stores), but cybercriminals have also impersonated them to gain a foothold. Mobile banking users in Poland recently encountered a threat that disguised itself as a security solution so that it could harvest data such as voice calls and SMS.
- Some Android malware taps into command-and-control servers for relaying data and instructions. This September, researchers trawled one to discover a trove of authentication codes for Google and Facebook, as well as VPN passwords. The malware that actually harvested these credentials, KorBanker, was known to disguise itself within fake apps imitating popular ones such as the Google Play Store.
Fake apps are a real problem, representing one of the biggest threats to consumers and enterprises that obtain apps through first- or third-party app stores. The latter are far riskier, but even the official store isn’t in the clear. This summer, Trend Micro researchers discovered that 77 percent of the top 50 free apps in the Google Play Store had downloadable knockoffs, many of which carried an extra malicious payload.
“We’ve been tracking the activity of malicious or high-risk apps for nearly five years,” said JD Sherry, vice president of technology and solutions at Trend Micro. “The potential for people to slip things past the gate and appear legitimate is much easier.”
While the typical Android owner may go through the Google Play Store without ever encountering a harmful fake, there are three incidents from earlier this year that highlight how malware creators can sometimes deceive users:
- Virus Shield was an app that pretty much did nothing. It purported to protect any Android device from malware, but simply displayed an icon. Nevertheless, a botnet helped drive it to the top of the paid apps chart.
- The overnight sensation “Flappy Bird” was one of the most popular mobile games this winter, before it was pulled by its developer. Not long after it disappeared, several fake versions appeared that asked for extensive access to device permissions, so that they could send premium text messages.
- BlackBerry finally released BlackBerry Messenger for Android this year, but not before knockoffs were downloaded more than 100,000 times.
Taking stock of all devices and OSes when formulating cybersecurity strategy
We’ve looked mostly at Android here, if only because in many respects it has become the new Windows. But that doesn’t mean that other platforms – from iOS to Windows Phone – are completely safe from harm, nor that Windows itself has become irrelevant in the shift from desktop to mobile.
In fact, two of the most high-profile breaches over the last year – the ones at Target and Home Depot – were triggered by malware that spread between point-of-sale terminals running Windows. In August, Trend Micro researchers confirmed that the strain, called BlackPOS, had evolved to lift payment card data directly from physical memory of a compromised endpoint.
Perhaps the more interesting discovery was that BlackPOS was now disguising itself as a fake antivirus app. From Windows to Android, there appears to be a trend of malware attempting to slip past the gates by pretending to be something else. CIOs and network security architects have many challenges like this one to deal with. Deep discovery tools that can screen apps and distinguish between legitimate and rogue software will be increasingly valuable going forward, especially as enterprise computing is remade by bring-your-own-device policies and more diverse endpoint fleets.