HackDig : Dig high-quality web security articles for hacker

Mobile malware – shows us the money

2014-11-07 06:55

One trend we saw last year at Mobile Pwn2Own was the installation of malware as the payload of successful exploits. In this post, we have a look at some of the most common mobile malware payloads from 2014; that is, what they’re targeting and how they’re targeting it.


First up, I have to note here that while sources indicate that the instances of mobile malware are increasing in the wild (Kaspersky, for example, said in spring 2014 that they saw a 14-fold year-over-year increase in malicious programs targeting financial data on Android devices), the numbers are still dwarfed by the volume of malware on the desktop. Let’s be cautious, but not alarmed. The desktop still offers lots of opportunity to attackers, and because attackers are lazy and generally approach the softest targets first, the impetus for mobile, while growing, isn’t quite to the tipping point yet. (Even if mobile eclipses the desktop on many fronts, with malware the older way still “wins.”) Regardless, we and other commentators certainly expect this situation to change. Let’s take a peek into the future by looking at a sample of the current threats.



On the desktop, generally speaking, malware gets onto the machine by exploiting vulnerabilities. Those vulnerabilities might be in the software, sometimes in the hardware, and oft-times in the habits of the people who sit in front of the screens. On mobile platforms, the current low number of published vulnerabilities in hardware and software means that most of the time, attackers target the people holding the device.


Nothing new to see here: Common examples of ruses include the classic Trojan variety, in which an app pretends to be something that it isn’t – which might mean it’s masquerading as something legitimate, or as some kind of tool that you use to access “free content. Generally speaking, though, mobile malware gets onto the device at the hands of the user who installs it and then becomes its victim – the practice known as social engineering. The graphic below shows one potential social-engineering attack. In this case, the user takes an action of the attacker’s choice in response to an unexpected message -- a letter from an “admirer”:


Figure 1: A love letter concealing malware breaks the recipient’s phone and his heart.


Payloads – follow the money


As we mentioned in an earlier post, it has recently been in the news that most mobile malware attacks are committed for financial gain (one can only assume that it was a slow news day). We can break down the list of some of the current mobile malware payloads according to how the attacker is financially benefitted.


  • Ransomware – As is often the case, an old successful approach moves onto a new platform. Generally speaking, ransomware locks your device in some way and then extorts a ransom from you in order to unlock the device. Often this type of malware tries to be additionally persuasive by suggesting that you’ve been behaving in an illegal manner and that unless you pay the ransom the appropriate authorities will be notified. This type of malware may actually make good on its threat of locking the device by encrypting files (as in the case of Slocker) or it might use other tricks to make it appear as if the device has been locked (as in the case of Koler).
  • Sending messages to premium-charge messaging services – Again, a history lesson in the form of modern mobile malware; this particular payload goes back a long way. Back in the day, this form of malware dropped you off your dial-up connection and re-connected you through a premium service that resulted in some very large phone bills. It was known as a porn dialer. This newer version does something very similar, although in this case your smart phone might be sending messages to premium SMS numbers without your permission or knowledge. The SMSSend family is an example of this type of malware.
  • Targeting financial or other sensitive data for fraud – This is malware that steals your sensitive information – most likely by socially engineering it out of you by using artifice and deception, or by inserting itself along the path of communications in which sensitive data is sent (e.g. Android/FakeToken or the infamous Zeus). Current data seems to indicate that mobile malware specifically targeting banking and mobile payment systems might be more common in Russia than in other parts of the world, but according to Kaspersky and Interpol this is changing. They also predict that this type of malware for mobile platforms is on the rise.
  • Cryptocurrency mining – A less prevalent payload involves monetizing use of the device’s resources by surreptitiously mining for virtual currencies. Trend Micro this spring published a blog on an example, called AndroidOS_KageCoin, that mined for BitCoin, LiteCoin, and DogeCoin, although they did mention that they didn’t expect this trend to be particularly influential due to the relatively low processing power of these devices and the obvious symptoms of compromise.

Looking at this list, I could almost swear that I’ve seen all of this before. Oh, that’s right – I have – on the desktop over the last 15 years. This certainly isn’t a complete list and I’m not suggesting that there aren’t substantial differences between the mobile and desktop ecosystems that affect the way malware operates, because there really are (and we can talk about them in a later post). However, money really does make the malware world go ‘round, regardless of platform.


Perhaps unsurprisingly because of these similarities, the advice on how to protect yourself from malware on these platforms isn’t really very different to how you might protect yourself on more traditional platforms:

  1. Only download apps from reputable sources.
  2. Pay close attention to permissions when installing apps – read the EULA. If the permissions seem excessive, out of context for the app, or unjustifiable, don’t install the app.
  3. Consider speaking to your service provider to block premium-rate services (sending messages to premium rate services is a popular payload for some mobile malware; block these services and remove the risk).
  4. Use a reputable antivirus scanner appropriate to the device’s platform. Much modern malware is complex, cloud-based, and multi-component – and the same holds true on mobile platforms. In many cases determining the actual behavior and intent of a mobile application is a difficult job for even experienced researchers. Trust the experts.

We look forward to gathering with interested mobile-vulnerability researchers in Tokyo next week at Mobile Pwn2Own. See you there!

Read:3321 | Comments:0 | Tags:No Tag

“Mobile malware – shows us the money”0 Comments

Submit A Comment



Blog :

Verification Code:


Share high-quality web security related articles with you:)


Tag Cloud