Threat Activity Trends

Threat Activity Trends | Spam and Fraud Activity Trends | Malicious Website Activity | Analysis of Malicious Web Activity by Attack Toolkits | Analysis of Web-based Spyware and Adware Activity | Analysis of Web Policy Risks from Inappropriate Use | Analysis of Website Categories Exploited to Deliver Malicious Code | Bot-infected Computers | Analysis of Mobile Threats | Data Breaches that Could Lead to Identity Theft

Analysis of Mobile Threats

Background

Since the first smartphone arrived in the hands of consumers, speculation about threats targeting these devices has abounded. While threats targeted early “smart” devices such as those based on Symbian and Palm OS in the past, none of these threats ever became widespread and many remained proof-of-concept. Recently, with the growing uptake in smartphones and tablets, and their increasing connectivity and capability, there has been a corresponding increase in attention, both from threat developers and security researchers.
While the number of immediate threats to mobile devices remains relatively low in comparison to threats targeting PCs, there have been new developments in the field. And as malicious code for mobile begins to generate revenue for malware authors, there will be more threats created for these devices, especially as people increasingly use mobile devices for sensitive transactions such as online shopping and banking.
As with desktop computers, the exploitation of a vulnerability can be a way for malicious code to be installed on a mobile device.

Methodology

In 2011, there were a significant number of vulnerabilities reported that affect mobile devices. Symantec documented 315 vulnerabilities in mobile device operating systems in 2011, compared to 163 in 2010, an increase of 93.3%.
Symantec tracks the number of threats discovered against mobile platforms by tracking malicious threats identified by Symantec’s own security products and confirmed vulnerabilities documented by mobile vendors.
Currently most malicious code for mobile devices consists of Trojans that pose as legitimate applications. These applications are uploaded to mobile application (“app”) marketplaces in the hope that users will download and install them, often trying to pass themselves off as legitimate apps or games. Attackers have also taken popular legitimate applications and added additional code to them. Symantec has classified the types of threats into a variety of categories based on their functionality.

Data

Figure A.20. Mobile threats: Newly discovered malicious code, 2010-2011. Source: Symantec
Figure A.21. Mobile threats: Newly discovered malicious code, 2010-2011. Source: Symantec
Figure A.22. Mobile threats: Malicious code families, 2010-2011. Source: Symantec
Figure A.23. Mobile threats: Malicious code by type, 2011. Source: Symantec NB. For a more detailed breakdown of these larger categories: each subcategory is color-coded to indicate with primary category above it belongs to.

The following are specific definitions of each subcategory:

  • Collects Device Data—gathers information that is specific to the functionality of the device, such as IMEI, IMSI , operating system, and phone configuration data.
  • Spies on User—intentionally gathers information from the device to keep monitor a user, such as phone logs and SMS messages, and sends them to a remote source.
  • Sends Premium SMS—sends SMS messages to premium-rate numbers that are charged to the user’s mobile account.
  • Downloader—can download other risks on to the compromised device.
  • Back door—opens a back door on the compromised device, allowing attackers to perform arbitrary actions.
  • Tracks Location—gathers GPS information from the device specifically to track the user’s location.
  • Modifies Settings—changes configuration settings on the compromised device.
  • Spam—sends spam email messages from the compromised device.
  • Steals Media—sends media, such as pictures, to a remote source.
  • Elevates Privileges—attempts to gain privileges beyond those laid out when installing the app bundled with the risk.
  • Banking Trojan—monitors the device for banking transactions, gathering the sensitive details for further malicious actions.
  • SEO Poisoning—periodically sends the phone’s browser to predetermined URLs in order to boost search rankings.

Commentary

Mobile applications (“apps”) with malicious intentions rose to prominence in 2011, presenting serious risks to users of mobile devices. These metrics show the different functions that these bad mobile apps performed during the year. The data was compiled by analyzing the key functionality of malicious mobile apps. Symantec has identified five primary mobile risk types:
Collect Data. Most common among bad mobile apps was the collection of data from the compromised device. This was typically done with the intent to to carry out further malicious activities, in much the way an information-stealing Trojan might. This includes both device- and user-specific data, ranging from configuration data to banking details. This information can be used in a number of ways, but for the most part, it is fairly innocuous with IMEI8 and IMSI9 numbers, taken by attackers as a way to uniquely identify a device. More concerning is data gathered about the device software, such as operating system (OS) version or applications installed, to carry out further attacks (say, by exploiting a software vulnerability). Rarer, but of greatest concern is when user-specific data, such as banking details, is gathered in an attempt to make unauthorized transactions. While this category covers a broad range of data, the distinction between device and user data is given in more detail in the subcategories below.
Track User. The next most common purpose was to track a user’s personal behavior and actions. These risks take data specifically to spy on the individual using the phone. This is done by gathering up various communication data, such as SMS messages and phone call logs, and sending them to another computer or device. In some instances they may even record phone calls. In other cases these risks track GPS coordinates, essentially keeping tabs on the location of the device (and their user) at any given time. Gathering pictures taken with the phone also falls into this category.
Send Content. The third-largest group of risks is bad apps that send out content. These risks are different from the first two categories because their direct intent is to make money for the attacker. Most of these risks will send a text message to a premium SMS number, ultimately appearing on the mobile bill of the device’s owner. Also within this category are risks that can be used as email spam relays, controlled by the attackers and sending unwanted emails from addresses registered to the device. One threat in this category constantly sent HTTP requests in the hopes of bumping certain pages within search rankings.
Traditional Threats. The fourth group contains more traditional threats, such as back doors and downloaders. Attackers seem keen to port these types of risks from PCs to mobile devices, and progress has been made in 2011.
Change Settings. Finally there are a small number of risks that focus on making configuration changes. These types attempt to elevate privileges or simply modify various settings within the operating system. The goal for this final group seems to be to perform further actions on the compromised devices.

Growth in Android Threats

The Opfake family, a threat targeting Eastern Europe, is a good example. This threat was originally written for Windows Mobile/Symbian/JAVAME phones. Similar experiments have occurred in China where Android.Adsms and Android.Stiniter have appeared. Both originated as Symbian threats before the malware authors moved to Android. We expect this to be a common trend, especially among affiliate network related threats

Old tricks moving to new platforms

Premium SMS dialers have always been a problem on the mobile threat landscape, especially in Eastern Europe, where dialers showed up on mobiles phones not to long after the introduction of the micro edition of Java virtual machine for mobile devices. It should be no surprise that the authors who have been leveraging this lucrative revenue source appear to be making a switch to the newer, popular platforms.
The creators of mobile threats are getting more strategic and bolder in their efforts. A good example of this is the attempts to complicate the uninstallation of an infection. One such strategy being used is to breakdown the malicious packages into staged payloads. The idea is simple, instead of having one payload carry the entire malicious content; not to mention the telltale sign of a huge overzealous permissions list that goes with it; break the threat into separate download modules. The smaller pieces are easier to hide, appear to be harmless updates and complicate the revocation process built in by the service provider, market place etc.
Figure A.24. Mobile threats: Staged payload. Source: Symantec
This still requires the end user to accept the installation of subsequent “update” download, potentially a major hurdle. But another threat discovered in the wild in 2011, ‘Android.Jsmshider’ found a way around this hurdle.
Although this trick only worked for custom mods, by signing the payload with an ASOP (Android Open Source Project) certificate, it allowed installation to take place without any interactions or prompts. The underlying devices considered the payload to be a system update or new component, by virtue of the certificate.
Figure A.25. Mobile threats: Android.Jmshider. Source: Symantec
With all this complication you may be forgiven for thinking that the final rivaled something like Stuxnet, but in fact the final payload in the majority of the cases was nothing more than a garden variety premium SMS sender.
Most premium SMS senders and/or dialers lack sophistication and depend largely on social engineering to work. However, they have been around for many years and can have the quickest return on investment for the criminals behind them. Research suggests that the average price of stolen credit card can be as low as 40 – 80 cents (USD), but a typical dialer targeting North America would pay the author $9.99 (USD) per successful install and execution. Moreover, if it was not detected by the user, each subsequent execution would result in another payment, creating a continuous revenue stream. This stream would only stop once the device owner recognized the charge on his bill as fraudulent.
Another interesting trend that Symantec observed is the use of in-app promotions to encourage the downloading of other apps. This app may require the user to download from a browser or a third party app store and is undocumented functionality of the app from the official market place.
Figure A.26. Mobile threats: Example of in-app promotion to download threat. Source: Symantec
Even though user interaction is required to install any additional apps, the concern here is that this sort of vector has an element of social engineering because the end user assumes that since the first app was downloaded from the official channel any additional apps would also be originating from there.

Social engineering a key tool used by mobile malware authors

Because of the so called “Hardware Fragmentation10” ” issue surrounding the Android Platform, a popular online streaming video service in the US; had initially pushed an Android client app in a limited release, only to certain devices that provided the best user experience.
Owing to the popularity of the service, shortly after the initial release multiple unsanctioned developer projects sprung up around to port an unofficial copy of the app to devices that were not officially supported.
A gap in availability for certain devices combined with large interest from users in getting the app on their Android device created the perfect cover for Android.Flicker, a text-book example of an info-stealer targeting account information.
The malicious app is not at all complex to understand. Divided into two main parts, the app is largely just a splash screen followed by a login screen where the user info is captured and posted to a server. There are multiple permissions requested at the time of installation, usually a sign of a malicious app. But in this case they are identical to the permissions required by the legitimate app. This was probably done to further the illusion that the legitimate app is being installed.
There was no attempt to verify if the data entered by an unsuspecting user was accurate or not. Right after clicking on the sign in button, a user is presented with a screen indicating incompatibility with the current hardware and the recommendation to install another version of the app. On hitting the “Cancel” button, the app then attempts to uninstall itself. Attempts to cancel the uninstall process results in the user returning back to the prior screen with the incompatibility message.

The rise of mobile threats with political agendas

Hactivism is not restricted to PC. Mobile malware with no visible monetary gain but instead with a goal is to send a message was seen in 2011. An example: for many across the Arab World, December 18 2010 marked the birth of what is now come to be commonly known as the ‘Arab Spring’. Among the many tools used to coordinate and inform, to get the word out about the mass ‘market protests’; Symantec discovered a Trojan mass mailer/downloader embedded in an Android App.
Figure A.27. Mobile threats: Android.DroidDreamLight – GameService. Source: Symantec
The Trojan was embedded into a pirated version of a popular Islamic compass app. From our research the Trojanized version was only distributed via forums focusing on Middle Eastern issues. The official version of the app available on the Android Market is not infected. After the installation of the pirated app, the code goes to work on device startup/reboot, silently working in the background as a service called ‘alArabiyyah’. It picks out one link randomly from a list of eighteen and then sends out a SMS message to every contact in the address book of the infected device, sending them a link to a forum site. The content on the forum site appears to be a tribute to Mohamed Bouaziz11.

App Store here… App Store there… App everywhere….

With the projected growth of smart phone sales set to overtake that of regular featured phones, it’s no surprise to see the demand for content drive the emergence of new application market places, app stores, and download sites. Sales in 2011 alone are expected to bring in $15 billion dollars (USD).
Taking advantage of the growing demand for content, not to mention the absence of official outlets presences in certain regions, the number of unregulated markets has seen a dramatic rise, providing a perfect incubator and propagation engine for malware.
Figure A.28. Mobile threats: Additional components/updates being downloaded. Source: Symantec
From a security analyst’s perspective, the mobile content distribution ecosystem can be broken down roughly into three groups:
Group I, the traditional file download site and user forum file share sites. These services have been around as long as the Internet. Originally started to cater to content hungry users looking for software for Windows and Mac users, these sites started adding on download sections for handheld devices and now phones. They may or may not provide file hosting mirrors of the software. User feedback on apps is usually either inconclusive or very basic. On one of these sites, Symantec discovered a download link to a live threat, right next to an RSS feed of a blog talking about the threat. Security measures to screen software tend to be limited to using off the shelf anti-virus software, often not anti-virus software for a mobile device, but Windows-based software.
Group II, “Vendor certified/Web 2.0 Markets.” These manufacturers and vendors have introduced concepts such as on device signature verification, a single point of distribution, and platform app certification, (which sanitized code by extensive and rigorous testing to ensure that software meets not only the manufactures design and platform standards). But by no means is any screening system foolproof and the occasional threat slipped through (once, twice, and even a third time) becoming the focus of many security analysts’ blogs.
Group III, A loose coupling of independent pockets of cloud hosted file repositories brought together via a storefront app (usually only accessible via a mobile device) these fly by night operations seem to be using the same play book used by radio pirates operating off the coast of England in the 1970s.
Their operations tend to be limited in their broadcast. Once they are discovered and/or have to move for one reason or another, the user is required to update the repository list or download a newer version of the app with the location of the file server or repositories.
Figure A.29. Mobile threats: Group III type mobile threats – storefront apps. Source: Symantec
In regions such as China Symantec has noticed these service providers tend to be a little bolder and operate with what can be best described as entrepreneurial flair. In addition to having the usual mobile storefront app, they also have a strong visible Web presence and use that visibility (and the absences of an official market place) to encourage local authors to submit original content; using ad revenue sharing as the monetary incentive. Ironically, in some cases they use the same ad revenue services as managed and/or owned by official marketplaces; thus blurring the line even more between legitimate sites dealing with pirated content uploaded by rouge users and illegal site trying to go legitimate after growing a user base off the back of pirated content sharing.
With projected sales of around $15 billion in 2011, the number of app stores in China will continue to grow at a dramatic rate. As the primary screening mechanisms for content is usually user feedback, pirated or malicious content isn’t immediately flagged and site administrators are quick to point out this fact and disclaim any warranty on damages arising from the usage of downloaded software. From a malicious author’s perspective, these sites tend to be the easiest to target, as the users who patronage these sites have turned off device security checks to allow the installation of unsigned software. This is called side loading.
China (followed closely by Eastern Europe) has long been plagued with threats and trojanized apps targeting mobile platforms. Threats that silently send out SMS messages to premium numbers have become so prevalent that the Chinese government had to take setup regulations to crack down on not only the creators but also on unscrupulous handset resellers. These resellers were intentionally selling phones preloaded with malware that carried out charge backs. The smaller the charge back, the longer it takes before a user suspects anything is wrong, especially in the case of first time buyers who aren’t used to normal monthly charges for their phone bills.
In conclusion, malware threats against mobile platforms are still relatively uncommon when compared with threats targeting desktop operating systems; however, it is clear that a significant step change occurred in 2011, where mobile attacks have grown considerably and we expect this trend to continue in 2012.