Mobile malware trick: Give users real apps, plus infection on the side

New trick, wrapping malware around good code, gives profit-oriented malware a boost

Since 2009 malware writers with a yen for mobile hardware and the clink of hard Bitcoin have been doing something unusual in the malware market – using it increasingly as a way to make money rather than just mess with people.

Sounds obvious, right? Why else would you produce malware? Even Trojans that build botnets are designed to create a malicious resource that ultimately makes the developer money, right?

According to F-Secure's Q1 Mobile Threat Report, which was published earlier this week, very little malware aimed at mobile devices ever had a profit motive behind it. At least, that's the way it was from 2004 to 2009, when Android was first introduced.

Malware with a profit motive actually began to increase in 2006 and then started to snowball, from 18 percent in 2008 to 68 percent in 2009.

In 2010 and 2011 the percentages dropped, to 51 percent and 52 percent, respectively. The overall numbers increased exponentially, though, driving the number of profit-oriented malware even higher.

The combination of outright profit motive and the solid, popular Android development platform has attracted a different type of malware producer – more focused on efficacy and payback – and has given Android a base of fans and software developers its actual users could do without.

"The most credible threat is coming from hackers who want to profit monetarily with their attacks," according to F-Secure’s Chief Research Officer Mikko Hypponen. "Right now we’re seeing more profit-motivated mobile malware than ever before."

Each bit of malware comes with a family of variants, making the overall numbers of unique threats look artificially low.

During the first quarter of 2011, for example, F-Secure found 10 new types of malware; this year the number was 37, almost four times as many as the year before.

Individual Android applications turned into malware also spiked (they're the members of those 37 malware families).

In 2011 there were 3,063 individual APKs that turned out to be malware, compared to 139 the year before.

The curve is interesting, too. A bar chart of bad APKs found each month of 2011 stays low, low, low until September, when it jumps from 105 to 267.

It goes up sharply from 267 to 373 in October, 646 in November, and then shoots straight up to 1639 in December.

During the first quarter of this year the number of mobile threats on Android jumped to more than 7,000, according to another malware report, this time from McAfee security.

The biggest increase came from drive-by downloads, in which a user authorizes the download of a seemingly innocent ActiveX control or Java applet and ends up infected.

Earlier this month analysts with Lookout Mobile Security identified the first drive-by poisoned web sites targeting Android, adding a new class of malware, new distribution system and new source for more infections. Many of the drive-bys were designed to turn Android devices into proxies the controllers could use to penetrate new networks or distribute malware among Android devices from within the firewall.

New thing in malware: rather than fake offers as bait, use real ones

The most interesting variations are those designed as wrappers around often-legitimate code. The approach is a variant on an old trick – offering "free" services to lure victims into installing the software. During installation, the malware would throw an error as the fake install process ran out of gas, according to F-Secure.

The install couldn't complete because the APK was malware, not the app it pretended to be.

That turned out to be a problem because the more-sophisticated smartphone users of two or three years ago would go online to look for a solution, often discovering along the way that they'd accidentally installed a Trojan.

The solution? Get a copy of the real app, wrap it in malware and distribute that.

The app installs, behaves like it's supposed to, and the malware installs in the background without tipping off the victim. (See video from F-Secure showing compromised version of Angry Birds installing, below.)

Neat.

Of course, now that smartphones have spread beyond uber-geeks and top execs with gadget budgets to blow, less sophisticated users are getting ahold of the bait software.

If the malware throws an error, those users don't even check to see what happened, according to F-Secure's writeup. They just keep installing.

Even the sharpies are fooled by real software wrapped by malware, however.

"Nothing to troubleshoot…how many non-nerds do you think will find getting what they were promised (the poisoned APK) to be suspicious?" F-Secure's blog asks. "It's quite possible somebody could compromise their phone and never come to realize it.

"Android malware is certainly evolving."

Yeah, evolving to be smarter than the OS or the security companies trying to stop it.
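The wrapped-app trick described above works because the victim gets the real app and sees nothing to troubleshoot. What a defender can still check is the archive itself: an APK is a zip, and under the JAR-style signing scheme META-INF/MANIFEST.MF carries a base64 digest for every file, with CERT.SF and CERT.RSA signing that manifest. Someone who bolts extra code onto a legitimate APK either leaves the manifest stale or re-signs the whole thing with their own key, so the repackaged copy no longer matches a known-good copy of the real app. The script below is an added example, not code from the article, F-Secure or any Android tool; it builds toy APKs in memory (the file names, contents and the placeholder CERT.RSA blobs are constructed stand-ins, not real signature blocks) and runs the two checks.

```python
"""Added example: two defender-side checks for a sideloaded APK that may be a
legitimate app repackaged with extra code. All archive contents are constructed."""
import base64
import hashlib
import io
import zipfile
from typing import Dict, List, Optional


def _digest_b64(data: bytes) -> str:
    """SHA-256 digest in the base64 form MANIFEST.MF uses."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def build_apk(files: Dict[str, bytes], signer: bytes,
              manifest_for: Optional[Dict[str, bytes]] = None) -> bytes:
    """Build a toy APK: the given files plus a MANIFEST.MF covering `manifest_for`
    (defaults to all files). CERT.SF/CERT.RSA are placeholders, not real signatures;
    `signer` stands in for the signature block that identifies who signed."""
    covered = files if manifest_for is None else manifest_for
    manifest = "Manifest-Version: 1.0\n\n"
    for name, data in covered.items():
        manifest += "Name: %s\nSHA-256-Digest: %s\n\n" % (name, _digest_b64(data))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in files.items():
            z.writestr(name, data)
        z.writestr("META-INF/MANIFEST.MF", manifest)
        z.writestr("META-INF/CERT.SF", "signature-file-stand-in")
        z.writestr("META-INF/CERT.RSA", signer)
    return buf.getvalue()


def parse_manifest(text: str) -> Dict[str, str]:
    """Return {entry name: SHA-256-Digest} from a MANIFEST.MF.
    Toy parser: 72-byte continuation lines of the real format are not handled."""
    digests, name = {}, None
    for line in text.splitlines():
        if line.startswith("Name: "):
            name = line[len("Name: "):]
        elif line.startswith("SHA-256-Digest: ") and name:
            digests[name] = line[len("SHA-256-Digest: "):]
    return digests


def check_manifest_coverage(apk: bytes) -> Dict[str, List[str]]:
    """Check 1: every non-META-INF entry must appear in MANIFEST.MF with a matching
    digest. Catches files added or swapped without regenerating the manifest."""
    unlisted, modified = [], []
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        names = z.namelist()
        listed = parse_manifest(z.read("META-INF/MANIFEST.MF").decode()) \
            if "META-INF/MANIFEST.MF" in names else {}
        for name in names:
            if name.startswith("META-INF/"):
                continue
            if name not in listed:
                unlisted.append(name)
            elif listed[name] != _digest_b64(z.read(name)):
                modified.append(name)
    return {"unlisted": unlisted, "modified": modified}


def diff_apks(known_good: bytes, suspect: bytes) -> Dict[str, List[str]]:
    """Check 2: compare a suspect APK with a known-good copy of the real app.
    A repackager who re-signs everything passes check 1 but not this one, because
    the added code and the different signature block both show up here."""
    def table(apk: bytes) -> Dict[str, str]:
        with zipfile.ZipFile(io.BytesIO(apk)) as z:
            return {n: hashlib.sha256(z.read(n)).hexdigest() for n in z.namelist()}
    good, bad = table(known_good), table(suspect)
    return {
        "added": sorted(set(bad) - set(good)),
        "removed": sorted(set(good) - set(bad)),
        "changed": sorted(n for n in good.keys() & bad.keys() if good[n] != bad[n]),
    }


def demo() -> Dict[str, dict]:
    """Constructed scenarios: the real app, a lazy repack, a swapped file, a re-signed repack."""
    original = {"AndroidManifest.xml": b"<manifest package='com.example.game'/>",
                "classes.dex": b"dex\n035\x00original game code (constructed)"}
    payload = b"dex\n035\x00added code (constructed stand-in)"
    dev, attacker = b"developer-cert-block", b"attacker-cert-block"
    good = build_apk(original, signer=dev)
    lazy = build_apk({**original, "classes2.dex": payload}, signer=dev, manifest_for=original)
    tampered = build_apk({**original, "classes.dex": payload}, signer=dev, manifest_for=original)
    resigned = build_apk({**original, "classes2.dex": payload}, signer=attacker)
    return {
        "good_coverage": check_manifest_coverage(good),
        "lazy_coverage": check_manifest_coverage(lazy),
        "tampered_coverage": check_manifest_coverage(tampered),
        "resigned_coverage": check_manifest_coverage(resigned),
        "resigned_diff": diff_apks(good, resigned),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

The re-signed case is the one the article is about: its manifest is internally consistent, so only comparison against the genuine app (or, in a real verifier, against the pinned signer certificate extracted from CERT.RSA rather than the raw block hashed here) reveals the extra classes2.dex and the changed signer. Android itself applies that signer check only to updates of an already-installed package, which is why a fresh sideload of a wrapped copy goes through.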

Read more of Kevin Fogarty's CoreIT blog and follow the latest IT news at ITworld. Follow Kevin on Twitter at @KevinFogarty. For the latest IT news, analysis and how-tos, follow ITworld on Twitter and Facebook.
