Mobile malware to have doubled in 2013, says McAfee

By Robin Arnfield

Contributing writer

The Internet security firm McAfee Labs said it identified 17,000 new unique forms of mobile malware targeting Android-based devices in the second quarter of 2013, a 21-percent rise on the 14,000 new unique strains it identified in the first quarter.

In the document, "McAfee Threats Report: Second Quarter 2013," the Santa Clara, Calif.-based firm said it expects malware strains to double this year from 2012.

A key driver in the growth is the proliferation of backdoor Trojans that steal personal data without the victim's knowledge, along with banking malware that attacks user log-in information.

Crimes of opportunity

Mobile malware is growing because criminals go where the money and users are, said Dave Jevans, chairman and chief technology officer for the IT security firm Marble Security and chairman of the Anti-Phishing Working Group.

"All the massive growth in users is on the mobile platforms," he said. "Banks are also increasingly adopting a 'mobile first' strategy for new development, meaning that the latest and most powerful features in online banking and payments will be offered first on mobile devices, and then later on PCs and Macs. This is a real departure from the last 20 years."

Many banks use SMS-based two-factor authentication systems to protect online banking accounts. After a customer enters a user name and password on the online banking site, an SMS message containing a mobile transaction authentication number, or mTAN, is sent to the customer. That information must be entered to access the account. A different mTAN is sent via SMS each time the user logs into his or her bank account.

Jevans said most SMS interceptors or fake SMS apps are designed to intercept banking authentication SMS messages on a per-log-in basis.

An attacker would need to steal both the user's login information — username and password — and the mTAN in the SMS message, said Jimmy Shah, a mobile security researcher at McAfee.

And SMS interceptors forward any SMS messages containing mTANs sent by the targeted bank. "Most will also delete the message after forwarding it, so that the victim is unaware that anyone is logging into their account," Shah said.

Numerous variations

McAfee has identified several principal malware families that steal user names and passwords and intercept SMS-based mTAN messages, and each includes hundreds of individual variants, according to James Walter, manager of the McAfee Threat Intelligence Service at McAfee's Office of the CTO.

Shah said the Android/Zitmo, Android/Spitmo and Android/Citmo mobile malware families work in conjunction with the Zeus, SpyEye and Carberp Windows crimeware suites. On the Windows PC, he said, they intercept user login information from the browser, while on mobile phones they intercept the mTAN messages.

"Normally, we advise users to employ only the official app provided by their banks for any online banking," McAfee said in the report. "Android/FakeBankDropper.A is an example of mobile banking malware which counters that defense by replacing the bank's official app with Android/FakeBank.A. While the victims think they have the original app installed, the attacker logs into the users' accounts to get the latest SMS from the bank."

Android

Walter said most of the currently available mobile banking malware targets Android-based devices because its open-platform approach creates vulnerabilities that aren't present on other mobile operating systems.

Jevans said McAfee's Android malware data is accurate but that some observers think it's on the conservative side.

According to an April report by the APWG, 5.6 million potentially malicious files have been reported on the Android platform, with 1.3 million confirmed as malicious by multiple anti-virus vendors.

"There are many ways to characterize malware on a mobile device," Jevans said. "For example, NQ Mobile found more than 65,000 malicious apps and related malware in 2012. F-Secure saw 238 new mobile malware families in 2012. Each family can result in thousands of instances. Trend Micro detected 350,000 malicious and high-risk mobile app samples, and 605 new malicious families. It depends on how wide your monitoring network is, and how you categorize and analyze mobile malware."

Unapproved apps

Jevans said the prime threat APWG sees in the U.S. involves SMS authentication interception malware, while Europe experiences more fake mobile banking apps that emulate a bank's logo and mobile banking login.

"Malicious apps and malware can get onto the phone in a number of ways," he said. "Firstly, the phone is jail-broken or rooted, allowing users to download apps from any website."

Jail-breaking refers to running third-party apps on an iOS device that have not been approved by Apple, while rooting describes the same dynamic on Android devices.

"Secondly, on Android, the user chooses to install an app from any of the 100 non-mediated, non-Google app stores," he said. "Thirdly, on iOS, the user visits a site that installs a malicious profile on the device, allowing attackers to install malicious apps or overwrite legitimate apps. Finally, a zero-day vulnerability is found in the device's operating system or in one of the apps, allowing attackers to modify legitimate apps or to tamper with the operating system (so-called 'root kits')."

A zero-day vulnerability is one that was previously unknown and is discovered only on "day zero" of awareness of the vulnerability.

According to the APWG, hackers can buy mobile banking malware toolkits for $10,000 to $30,000 on the underground market.

Apple

Mobile malware doesn't affect Apple iOS to the extent that it hits Android devices because of Apple's "walled garden" approach, said BC Krishna, founder and CEO of the banking software vendor MineralTree. Android's platform is open, he said.

"Apple's policy of making apps run through a gauntlet before they are placed in the single, definitive Apple AppStore greatly limits the risks of rogue applications infiltrating iOS devices," Krishna said. "But users shouldn't assume that iOS is completely risk-free when it comes to mobile banking. Malicious apps sometimes make it past Apple's review gates, but the incidents are few and far between."

Krishna said banks offering mobile banking applications on the Android platform need to be aware of where the risks originate so they can implement better risk management strategies.

"I advise banks to monitor Android-based accesses more closely," he said. "They should ensure that payment applications and money movement applications have additional confirmation, and perhaps lower limits. (And) they should encourage customers to use landlines and 'call-to-verify' systems to complete authentication, rather than SMS text messages."

What about other smartphone platforms? The report didn't look at them, but Jevans said BlackBerry's historically lower functionality and diminishing market share don't present an attractive target for malware authors, and it's too soon to say about Windows Phone, which has about 3.7 percent of smartphone market share.

"The Windows phone operating system is believed to not be as secure as other phone operating systems," he said, "but we will have to wait for more market adoption before we see marked increase in malicious apps."

Photo: IntelFreePress via Flickr

User Comments – Give us your opinion!
  • mikey E
    It's always McAfee that says this... I wonder why?! :P Come on, NQ Mobile just confirmed that mobile malware infections fell in the US between the first and second quarters of this year... Google, Airpush, Lookout, and others - especially in the Android ecosystem - have implemented a ton of safeguards and raised even more awareness about protecting yourself from mobile malware. I don't believe the problem is getting worse. Then again, if you sell an antivirus product, you don't want to hear that.