By Robin Arnfield
The Internet security firm McAfee Labs said it identified 17,000 new unique forms of mobile malware targeting Android-based devices in the second quarter of 2013, a 21-percent rise on the 14,000 new unique strains it identified in the first quarter.
In the document, "McAfee Threats Report: Second Quarter 2013," the Santa Clara, Calif.-based firm said it expects malware strains to double this year from 2012.
A key driver in the growth is the proliferation of backdoor Trojans that steal personal data without the victim's knowledge, along with banking malware that attacks user log-in information.
Crimes of opportunity
Mobile malware is growing because criminals go where the money and users are, said Dave Jevans, chairman and chief technology officer for the IT security firm Marble Security and chairman of the Anti-Phishing Working Group. .
"All the massive growth in users is on the mobile platforms," he said. "Banks are also increasingly adopting a 'mobile first' strategy for new development, meaning that the latest and most powerful features in online banking and payments will be offered first on mobile devices, and then later on PCs and Macs. This is a real departure from the last 20 years."
Many banks use SMS-based two-factor authentication systems to protect online banking accounts. After a customer enters a user name and password on the online banking site, an SMS message containing a mobile transaction authentication number, or mTAN, is sent to the customer. That information must be entered to access the account. A different mTAN is sent via SMS each time the user logs into his or her bank account.
Jevans said most SMS interceptors or fake SMS apps are designed to intercept banking authentication SMS messages on a per-log-in basis.
An attacker would need to steal both the user's login information — username and password — and the mTAN in the SMS message, said Jimmy Shah, a mobile security researcher at McAfee.
And SMS interceptors forward any SMS messages containing mTANs sent by the targeted bank. "Most will also delete the message after forwarding it, so that the victim is unaware that anyone is logging into their account," Shah said.
McAfee has identified several principal malware families that steal user names and passwords and intercept SMS-based mTAN messages, and each includes hundreds of individual variants, according to James Walter, manager of the McAfee Threat Intelligence Service at McAfee's Office of the CTO.
Shah said the Android/Zitmo, Android/Spitmo and Android/Citmo mobile malware families work in conjunction with the Zeus, Spy Eye and Carberp Windows crimeware suites. On the Windows PC, he said, they intercept user login information from the browser, while on mobile phones they intercept the mTAN messages.
"Normally, we advise users to employ only the official app provided by their banks for any online banking," McAfee said in the report. "Android/FakeBankDropper.A is an example of mobile banking malware which counters that defense by replacing the bank's official app with Android/FakeBank.A. While the victims think they have the original app installed, the attacker logs into the users' accounts to get the latest SMS from the bank."
Walter said most of the currently available mobile banking malware targets Android-based devices because its open-platform approach creates vulnerabilities that aren't present on other mobile operating systems.
Jevans said McAfee's Android malware data is accurate but that some observers think it's on the conservative side.
According to an April report by the APWG, 5.6 million potentially malicious files have been reported on the Android platform, with 1.3 million confirmed as malicious by multiple anti-virus vendors.
"There are many ways to characterize malware on a mobile device," Jevans said. "For example, NQ Mobile found more than 65,000 malicious apps and related malware in 2012. F-secure saw 238 new mobile malware families in 2012. Each family can result in thousands of instances. Trend Micro detected 350,000 malicious and high-risk mobile app samples, and 605 new malicious families. It depends on how wide your monitoring network is, and how you categorize and analyze mobile malware."
Jevans said the prime threat APWG sees in the U.S. involves SMS authentication interception malware, while Europe experiences more fake mobile banking apps that emulate a bank's logo and mobile banking login.
"Malicious apps and malware can get onto the phone in a number of ways," he said. "Firstly, the phone is jail-broken or rooted, allowing users to download apps from any website."
Jail-breaking refers to running third-party apps on an iOS device that have not been approved by Apple, while rooting describes the same dynamic on Android devices.
"Secondly, on Android, the user chooses to install an app from any of the 100 non-mediated, non-Google app stores," he said. "Thirdly, on iOS, the user visits a site that installs a malicious profile on the device, allowing attackers to install malicious apps or overwrite legitimate apps. Finally, a zero-day vulnerability is found in the device's operating system or in one of the apps, allowing attackers to modify legitimate apps or to tamper with the operating system (so-called 'root kits')."
A zero-day vulnerability is one that is previously unknown and only discovered on "day zero" of the awareness of the vulnerability.
According to the APWG, hackers can buy mobile banking malware toolkits for $10,000 to $30,000 on the underground market.
Mobile malware doesn't affect Apple iOS to the extent that it hits Android devices because of Apple's "walled garden" approach, said BC Krishna, founder and CEO of the banking software vendor MineralTree. Android's platform is open, he said.
"Apple's policy of making apps run through a gauntlet before they are placed in the single, definitive Apple AppStore greatly limits the risks of rogue applications infiltrating iOS devices," Krishna said. "But users shouldn't assume that iOS is completely risk-free when it comes to mobile banking. Malicious apps sometimes make it past Apple's review gates, but the incidents are few and far between."
Krishna said banks offering mobile banking applications on the Android platform need to be aware of where the risks originate so they can implement better risk management strategies.
"I advise banks to monitor Android-based accesses more closely," he said. "They should ensure that payment applications and money movement applications have additional confirmation, and perhaps lower limits. (And) they should encourage customers to use landlines and 'call-to-verify' systems to complete authentication, rather than SMS text messages."
What about other smartphone platforms? The report didn't look at them, but Jevans said Blackberry's historically lower functionality and diminishing market share don't present an attractive target for malware authors, and it's too soon to say about Windows Phone, which has about 3.7 percent of smartphone market share.
"The Windows phone operating system is believed to not be as secure as other phone operating systems," he said, "but we will have to wait for more market adoption before we see marked increase in malicious apps."
Photo: IntelFreePress via Flickr
Learn more about security.