65 million: the number of times we’ve blocked mobile threats in 2016. By December 2016, the total number of unique samples of malicious Android apps we’ve collected and analyzed hit the 19.2 million mark—a huge leap from the 10.7 million samples collected in 2015.
Indeed, the ubiquity of mobile devices among individual users and organizations, together with advances in the technologies that power them, is reflected in the exponential proliferation, increasing complexity, and expanding capabilities of mobile threats.
While the routines and infection chains of mobile threats are familiar territory, 2016 brought threats of greater diversity, scale, and scope to the mobile landscape. More enterprises felt the brunt of mobile malware as BYOD and company-owned devices became more commonplace, while ransomware became rampant as the mobile user base continued to be a viable target for cybercriminals. More vulnerabilities were also discovered and disclosed, enabling bad guys to broaden their attack vectors, fine-tune their malware, expand their distribution methods, and in particular, invade iOS’s walled garden.
Globally, exploits and rooting malware were the most prevalent, while mobile ransomware was the most pervasive in Japan. In the United States, malware that surreptitiously collects and leaks information, and that performs functions such as sending and receiving text messages, was the most widespread.
Here are the highlights of 2016’s mobile threat landscape based on feedback from our Mobile App Reputation Service (MARS) and Smart Protection Network™ as well as external research/data of last year’s notable incidents:
Mobile Malware Continued to Affect Enterprises
The upward trend of Bring Your Own Device (BYOD) programs and use of smartphones to access company networks, services, and assets continued to affect mobile threats’ impact on businesses. That said, we have not observed malware coded specifically to target enterprises. The infections we saw were commonly triggered by downloading malicious apps—often from third-party app marketplaces—and installing them on devices that connect to corporate networks and handle company files. QVOD (detected by Trend Micro as ANDROIDOS_EHOOPAY.AXM), for instance, is disguised as a video player. It subscribes users to premium Short Message Service (SMS) services without their knowledge, which can rack up hefty phone bill charges. The information-stealing DressCode (ANDROIDOS_SOCKSBOT.A) malware masqueraded as phone optimization tools and recreational apps, while the Jopsik (ANDROIDOS_JOPSIK.OPSLB) spyware presented itself as an Android OS update or gaming app.
Based on feedback from our Trend Micro™ Mobile Security for Enterprise, threats that affected enterprises the most in 2016 were potentially unwanted applications (PUAs) such as adware, as well as spyware, and banking, rooting, and SMS Trojans. Detections were highest in China, France, Brazil, Germany, and Poland.
Figure 1. Detections of mobile malware in enterprises, from January to December 2016
While a considerable number of the samples we analyzed were distributed by third-party app stores, we also saw malicious apps make their way into legitimate marketplaces. Of the more than 3.22 million Google Play apps we sourced and delved into, 1.02% were malicious apps or PUAs (whose presence on the platform Google proactively addressed), including DressCode and Jopsik. Detections for DressCode were highest among American, French, Israeli, and Ukrainian organizations.
Mobile Ransomware Marked an Unprecedented Growth
Mobile ransomware boomed in 2016. The samples we analyzed in the fourth quarter of 2016, for instance, were thrice as many compared to the same period in 2015. Despite the growth, these malware shared a common modus operandi: abuse, bait, intimidate, extort. Most were screen lockers that abused Android OS’s features, and employed social lures such as fake system updates, popular games, and pornography. Unwitting users were also conned into granting them administrator privileges that allowed them to change the device’s lock screen password and ensure they weren’t uninstalled.
Figure 3. Comparison of mobile ransomware samples we analyzed in 2015 and 2016
Based on our detection and analysis, we’ve roughly classified the families of mobile ransomware into:
- SLocker/Simple Locker (ANDROIDOS_SLOCKER)
- FLocker/Frantic Locker (ANDROIDOS_FLOCKER)
- SMSLocker (ANDROIDOS_SMSLOCKER)
- Svpeng (ANDROIDOS_SVPENG)
- Koler (ANDROIDOS_KOLER)
SLocker and Koler are known to pose as law enforcement agencies that accuse victims of crimes to coerce them into coughing up a ransom. SMSLocker (an iteration of SLocker), and Svpeng also operate as banking Trojans; locking the device and extorting ransom are done via command and control (C&C) commands. FLocker made headlines by the end of 2016’s first quarter when it crossed over and infected smart TVs. It remained a prevalent threat in Japan for 2016, with our detections for FLocker in the country peaking at more than 32,000 during April.
Mobile ransomware detections surged from August to September 2016 due to increased activity in Indonesia and Russia. In August 2016, a variant of SLocker (AndroidOS_Slocker.AXBDA) became widespread in Indonesia when fake music and video player apps boomed in the country during the time. In September, a version of Svpeng (AndroidOS_Svpeng.AXM) was seen being heavily distributed in Russia. Indeed, Indonesia and Russia were among countries with the highest mobile ransomware detections and infections in 2016, along with India and Japan.
Figure 4. Mobile ransomware detections from January to December 2016
Rooting Malware and Exploits Took On More Vulnerabilities
In 2016, we discovered more than 30 Android vulnerabilities and disclosed them to Google and Qualcomm. These security flaws were in the Android framework, device drivers, and kernel. Five of them were critical and, when exploited, enabled attackers to carry out local privilege elevation (root) or remote code execution. More than 10 of the vulnerabilities we uncovered can be leveraged to compromise system-privileged processes, or as part of an exploit chain to compromise the kernel. This included a critical flaw in the kernel crypto engine (CVE-2016-8418) that can enable remote code execution (remote root). We also reported a series of critical vulnerabilities in Android’s performance system modules which can compromise the kernel when abused. Our coordination with Google resulted in additional security mechanisms being enabled for Android.
Other notable vulnerabilities and exploits disclosed for Android during 2016 included Dirty COW (CVE-2016-5195), Rowhammer (CVE-2016-6728), Drammer and Quadrooter, all capable of granting attackers root access to the device.
Attack vectors for rooting malware and exploits broadened as more security flaws were disclosed. CVE-2015-1805, a privilege elevation vulnerability, was incorporated in the Kingroot rooting app whose downloads reached 290 million. It has been used in attacks after its source code became publicly available. Godless (ANDROIDOS_GODLESS.HRX) used an open-source rooting framework containing several exploits. It affected over 850,000 Android devices by June, and now has more than 79,780 variants in the wild. Ghost Push hid its rooting exploits in apps listed in Google Play, and now has 4,383 variants in the wild. LibSkin (ANDROIDOS_LIBSKIN.A), which emerged in February 2016 with 1,163 variants, is capable of rooting the device to covertly download and install other apps while collecting user data.
Banking Trojans Stole More than just Account Credentials
In 2016, most of the mobile banking Trojans we’ve seen targeted mobile users in Russia; in fact, Russia accounted for 74% of our global detections. China, Australia, Japan, Romania, Germany, Ukraine, and Taiwan rounded out the countries most affected by these malware. Based on the samples we uncovered and analyzed, their distribution was most active during the last quarter.
Figure 6. New samples of mobile banking Trojans detected in 2016
We’ve identified more than 15 families of these threats, with FakeToken (ANDROIDOS_FAKETOKEN), Agent (ANDROIDOS_AGENT), Asacub (ANDROIDOS_ASACUB) and HQWar (ANDROIDOS_HQWAR) taking the lion’s share in terms of versions and samples. However, Svpeng—a banking and ransomware combo malware—stole the spotlight in 2016: around 67% of infections and attacks we saw in the wild were from Svpeng.
Svpeng peaked in September 2016, when detections for the malware reached over 80,000. Svpeng steals SMS messages, contacts, call logs, and browser history, phishes for credit card data, and locks the device’s screen to demand a ransom. Given how Svpeng targets Russian banks, Russian-speaking users were naturally the most affected—particularly those in Russia and Ukraine, along with Romania.
Another notable family we’ve seen in 2016 was FakeToken, known for hiding itself after installation and using C&C communications to bypass two-factor authentication. Detections were prevalent in China, followed by Russia and Germany. SMSSecurity (ANDROIDOS_FAKEBANK), which targeted banks in Austria, Hungary, Romania, and Switzerland, uses TeamViewer to control the device, while Marcher (ANDROIDOS_FOBUS)—one of the families employed in Avalanche’s campaigns—created a shell console for attackers.
More Effort Exerted to Breach Apple’s Walled Garden
In 2016, attacks on Apple devices focused on seeking out ways to circumvent Apple’s stringent control over its ecosystem in order to distribute malware. Abuse of Apple’s enterprise certificate was a staple technique used to sneak malicious content onto non-jailbroken iOS devices. More vulnerabilities were also exploited—a reflection of how more software flaws in Apple products are projected to be disclosed, given their expanding market share.
Most of the PUAs and malware we’ve seen in 2016 tailored their behavior and routines based on the device’s location. ZergHelper (IOS_ZERGHELPER.A), for instance, functioned as a third-party marketplace for pirated apps in China, but worked as an English-learning app elsewhere. Also of note is China-based third-party app store Haima (and Vietnam-based HiStore). These marketplaces distributed adware-laden, repackaged apps (IOS_LANDMINE.A), abused several processes and features in iOS, and leveraged vulnerabilities to circumvent iOS’s privacy protection mechanism.
Attack vectors for iOS also diversified. Several malicious apps we’ve analyzed, for instance, renamed their dynamic libraries (dylib) with a .PNG suffix to pass them off as benign Portable Network Graphics (PNG) files. JsPatch, which lets applications load their code dynamically after launch, was also abused to bypass Apple’s vetting process and enable malicious content to be surreptitiously pushed to the app via updates. AceDeceiver (IOS_ACEDECEIVER.A) was notable for its use of design flaws in Apple’s DRM protection mechanism to continue spreading, even after the App Store had removed and blocked it. We also saw crafted .MP4 files (IOS_CraftDOSMP4.A) that can render the device unresponsive.
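A file that calls itself an image but carries an executable is caught by checking the file signature (magic bytes) rather than trusting the extension. The following is an added example written for this post, not code from Trend Micro or from any of the samples discussed: it classifies bundle contents by signature and reports anything with an image extension whose bytes are actually a Mach-O binary. The sample bundle it scans is constructed inline; the path names and byte strings are made up for illustration.

```python
# Signature-based check for executables hiding behind image extensions.
# PNG signature is from the PNG specification; Mach-O magic values are the
# constants from <mach-o/loader.h> and <mach-o/fat.h>.

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce": "macho-32-be",
    b"\xce\xfa\xed\xfe": "macho-32-le",
    b"\xfe\xed\xfa\xcf": "macho-64-be",
    b"\xcf\xfa\xed\xfe": "macho-64-le",
}
FAT_MAGIC = b"\xca\xfe\xba\xbe"  # fat (universal) Mach-O; also Java .class magic

IMAGE_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "bmp"}


def identify(data: bytes) -> str:
    """Return a coarse file type based on the leading bytes only."""
    if data.startswith(PNG_MAGIC):
        return "png"
    head = data[:4]
    if head in MACHO_MAGICS:
        return MACHO_MAGICS[head]
    if head == FAT_MAGIC and len(data) >= 8:
        # Disambiguate from a Java class file: a fat header's nfat_arch
        # (big-endian uint32 at offset 4) is a small count, whereas a class
        # file has minor/major version there (e.g. 0x00000034 for Java 8).
        nfat_arch = int.from_bytes(data[4:8], "big")
        if 0 < nfat_arch < 30:
            return "macho-fat"
    return "unknown"


def find_disguised_binaries(bundle: dict) -> list:
    """bundle maps a relative path to its bytes.
    Returns (path, detected_type) for files whose extension claims an image
    but whose signature says Mach-O."""
    findings = []
    for path, data in bundle.items():
        ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
        kind = identify(data)
        if ext in IMAGE_EXTENSIONS and kind.startswith("macho"):
            findings.append((path, kind))
    return findings


# Constructed sample bundle: a genuine PNG, a 64-bit little-endian Mach-O
# renamed to .png, and a plain text resource. Headers are padded with zeros.
SAMPLE_BUNDLE = {
    "Payload/Example.app/icon.png": PNG_MAGIC + b"\x00" * 16,
    "Payload/Example.app/res/splash.png": b"\xcf\xfa\xed\xfe" + b"\x00" * 28,
    "Payload/Example.app/Info.plist": b"<?xml version=\"1.0\"?>",
}

if __name__ == "__main__":
    for path, kind in find_disguised_binaries(SAMPLE_BUNDLE):
        print(f"{path}: extension says image, signature says {kind}")
```

The check is deliberately shallow (leading bytes only) so it can run over every file in an unpacked .ipa quickly; a positive hit is a reason to pull the file for full Mach-O parsing, not a verdict on its own.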
We also disclosed vulnerabilities in Apple devices. CVE-2016-1721 and CVE-2016-4653 were memory corruption flaws that can allow attackers to execute arbitrary code with kernel privileges, while CVE-2016-4627 and CVE-2016-4628 are vulnerabilities in IOAcceleratorFamily, a component of Apple devices. CVE-2016-4606 is a data inheritance flaw in iOS’s Privacy Setting (permissions vector), while CVE-2016-4659 is an app overriding issue; both are related to Bundle IDs in repackaged apps. CVE-2016-7651 is an issue where authorization settings are not reset after uninstalling an app.
Other notable vulnerabilities include CVE-2016-4654, which can be used to jailbreak iOS devices, as well as CVE-2016-4655, CVE-2016-4656, and CVE-2016-4657, which were part of the Pegasus/Trident exploit chain that can remotely root the device and let attackers infect it with spyware.
Navigating the Mobile Platform in 2017 and Beyond
The mobile threat landscape of 2016 was marked by the disruptive impact of mobile malware on enterprises, its diverse attack vectors, and the scale and scope of its distribution. Last year’s notable incidents also mirrored how more vulnerabilities were exploited to take devices hostage and extort their owners. Fake apps banked on the popularity of their legitimate counterparts—Pokémon Go, Mario Super Run and QQ (a popular IM app in China), to name a few—to deliver malicious content. In QQ’s case, a UTF-8 byte order mark (BOM) is added to the app label to spoof the genuine app. PUAs like adware also remained constant threats that exposed users to bank-emptying and information-stealing malware.
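A label prefixed with a BOM (U+FEFF) renders identically to the genuine label but compares unequal as a string, which is why a naive "is this label already installed?" check misses it. The following is an added example for this post, not Trend Micro's code: it normalizes app labels by dropping format-category code points (the BOM and other zero-width characters) and folding compatibility forms, then reports installed packages whose normalized label collides with a trusted app's label while the package name differs. The installed-app list and the trusted mapping are constructed inline; the package names are placeholders, not real identifiers.

```python
import unicodedata

# Zero-width / invisible code points commonly used to pad a label. All of these
# are Unicode category "Cf" (format), which normalize_label also drops generically.
INVISIBLE = {
    "\ufeff",  # zero width no-break space: what a UTF-8 BOM becomes inside text
    "\u200b",  # zero width space
    "\u200c",  # zero width non-joiner
    "\u200d",  # zero width joiner
    "\u2060",  # word joiner
    "\u00ad",  # soft hyphen
}


def hidden_chars(label: str) -> list:
    """Code points in the label that render as nothing."""
    return [
        f"U+{ord(ch):04X}"
        for ch in label
        if ch in INVISIBLE or unicodedata.category(ch) == "Cf"
    ]


def normalize_label(label: str) -> str:
    """Fold a label to the form a human actually sees on the launcher."""
    folded = unicodedata.normalize("NFKC", label)   # fullwidth letters etc.
    visible = "".join(
        ch for ch in folded
        if ch not in INVISIBLE and unicodedata.category(ch) != "Cf"
    )
    return " ".join(visible.split()).casefold()


def find_lookalikes(installed: list, trusted: dict) -> list:
    """installed: list of (package_name, label) pairs as read from the device.
    trusted: {genuine_label: genuine_package_name}.
    Returns one finding per package that shows a trusted label under a different
    package name."""
    by_norm = {normalize_label(lbl): (lbl, pkg) for lbl, pkg in trusted.items()}
    findings = []
    for pkg, label in installed:
        key = normalize_label(label)
        if key not in by_norm:
            continue
        genuine_label, genuine_pkg = by_norm[key]
        if pkg == genuine_pkg:
            continue  # the real app; nothing to report
        findings.append({
            "package": pkg,
            "label_repr": repr(label),
            "impersonates": genuine_pkg,
            "hidden_chars": hidden_chars(label),
        })
    return findings


# Constructed inventory: a genuine app, a BOM-prefixed clone, and an unrelated app.
TRUSTED = {"QQ": "com.example.genuine.qq"}
INSTALLED = [
    ("com.example.genuine.qq", "QQ"),
    ("com.example.clone.qq", "\ufeffQQ"),
    ("com.example.notes", "Notes"),
]

if __name__ == "__main__":
    for f in find_lookalikes(INSTALLED, TRUSTED):
        print(f)
```

The package name is the right identity anchor here: two apps cannot share one package name on a device, so a matching label under a second package name is the signal, and `hidden_chars` tells the analyst which code points made the labels look the same.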
In 2015, the vulnerabilities disclosed were largely related to Android frameworks, especially the mediaserver process. In 2016, however, we observed more disclosures of kernel vulnerabilities, the bulk of them in kernel drivers from Qualcomm, MediaTek, and Nvidia—manufacturers of the systems on a chip (SoCs) used in Android devices. We also saw more bugs in upstream Linux kernels, which are used by both Android and traditional Linux systems. Given that Android also uses vendor-specific kernel drivers and upper-level frameworks, these added components and their susceptibility to bugs may expose the platform to more security risks than traditional Linux systems face.
With Google and Qualcomm’s own Vulnerability Rewards Programs, we expect to see more vulnerabilities being discovered this year—especially in device drivers. With kernel security flaws being more prominent in 2016, we may also see more cross-platform (with Linux kernel) vulnerabilities disclosed, or even exploited in the wild.
For mobile ransomware, its saturation in the threat landscape may cause its growth to plateau in 2017. Additionally, while Android OS natively prevents third-party apps from having carte blanche over the device’s data, the rollout of Android Nougat has further secured some of the application program interfaces (APIs) often abused by mobile ransomware. Passwords, for instance, can now only be changed if there is currently no password set; the OS also deprecated the API onDisableRequested to render it unusable in case a user cancels an app’s administrator privilege. The malware can also be removed by enabling the device’s root and Android Debug Bridge (ADB) or by booting into safe mode.
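Screen lockers of the kind described above depend on holding device-administrator rights with the reset-password or force-lock policies. The following is an added triage helper written for this post, not Trend Micro's tooling: it parses the text of `adb shell dumpsys device_policy` (captured from a device over ADB) to list active admin components and flag those holding lock-screen policies. The sample output is constructed to match the general shape of that dump on Android 6/7 (component lines wrapped in `ComponentInfo{...}` followed by an indented `policies:` list); the exact layout varies by OS version, so treat the line format as an assumption and adjust the regex if your device prints it differently. Package names in the sample are placeholders.

```python
import re

# Device-admin policy tags, as printed by dumpsys, that a screen locker relies on.
LOCK_POLICIES = {"reset-password", "force-lock"}

COMPONENT_RE = re.compile(r"ComponentInfo\{([^}]+)\}")
POLICY_TAG_RE = re.compile(r"^[a-z][a-z-]*$")


def parse_device_admins(dump_text: str) -> list:
    """Return [{"component": str, "policies": [str, ...]}, ...] in dump order."""
    admins = []
    current = None
    collecting = False
    for raw in dump_text.splitlines():
        line = raw.strip()
        m = COMPONENT_RE.search(line)
        if m:
            current = {"component": m.group(1), "policies": []}
            admins.append(current)
            collecting = False
            continue
        if current is None:
            continue
        if line == "policies:":
            collecting = True
            continue
        if collecting:
            if POLICY_TAG_RE.match(line):
                current["policies"].append(line)
            else:
                collecting = False  # first non-tag line ends the policies block
    return admins


def lock_capable_admins(admins: list) -> list:
    """Components whose granted policies let them lock the screen or change the
    lock-screen password."""
    return [
        a["component"]
        for a in admins
        if LOCK_POLICIES & set(a["policies"])
    ]


# Constructed sample in the shape of `adb shell dumpsys device_policy` output
# (assumed format; not captured from a real device).
DUMPSYS_SAMPLE = """\
Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    ComponentInfo{com.example.mail/com.example.mail.SecurityPolicy$PolicyAdmin}:
      uid=10045
      testOnlyAdmin=false
      policies:
        limit-password
        wipe-data
        expire-password
      passwordQuality=0x0
    ComponentInfo{com.example.fakeupdate/com.example.fakeupdate.Admin}:
      uid=10231
      testOnlyAdmin=false
      policies:
        reset-password
        force-lock
        wipe-data
      passwordQuality=0x0
"""

if __name__ == "__main__":
    admins = parse_device_admins(DUMPSYS_SAMPLE)
    for a in admins:
        print(a["component"], "->", ", ".join(a["policies"]))
    print("lock-capable:", lock_capable_admins(admins))
```

Run against a real capture (`adb shell dumpsys device_policy > dp.txt`), the flagged list is the set of admins to review before deciding between revoking the admin in Settings, booting to safe mode, or removing the package over ADB, the recovery routes the section above describes.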
Indeed, the outlook for the mobile landscape can go both ways. As the platform increasingly plays a vital role in everyday life and business productivity, so will malware and vulnerabilities in the eyes of bad guys looking to tap a lucrative pool of victims. At the same time though, these prompt keener scrutiny on mobile device security to prevent malware infection and misuse of personal and corporate data—as echoed by our continuous initiatives on mobile vulnerability research, for instance. To comply with regulatory and legal requirements, Deutsche Bank AG recently vetoed the use of unapproved text messaging and communication applications on company-issued mobile devices.
App developers, as well as original equipment and design manufacturers, are in a good position to emphasize privacy and security in their products and applications. Organizations and individual end users also need to strengthen their security posture to mitigate these threats. These risks serve as a reminder to beware of suspicious app marketplaces, keep the device’s OS up-to-date, and practice good security habits. Organizations implementing BYOD policies must strike a balance between their need for mobility and productivity and the importance of privacy and security.
End users and enterprises can also benefit from multilayered mobile security solutions such as Trend Micro™ Mobile Security for Android™ (available on Google Play) and Trend Micro™ Mobile Security for Apple devices (available on the App Store). Trend Micro™ Mobile Security for Enterprise provides device, compliance, and application management, data protection, and configuration provisioning; it also protects devices from attacks that leverage vulnerabilities, prevents unauthorized access to apps, and detects and blocks malware and fraudulent websites.
A table of the top Android mobile malware that affected users in 2016 (based on our detections), as well as a list of Android and iOS/macOS vulnerabilities disclosed by Trend Micro in 2016, can be found in this appendix.
Updated on January 27, 2017, 12:15 AM (UTC-7):
Figures 1 and 4 have been modified based on updated information.