Surprisingly sophisticated mobile malware targets Android

Identity theft is down, but your phone is working for the bad guys

From the good news/bad news department:

The cost of identity theft dropped by a third in the U.S. during 2010, to $37 billion, compared to $56 billion in 2009, according to a survey of consumer fraud from security and financial analysis researchers Javelin Strategy and Research.

On the other hand the number of pieces of malware designed for cellphones rose 46 percent in 2010 compared to 2009, according to security vendor McAfee's most recent quarterly Threats Report.

The report identified 20 million new pieces of malware of all kinds, for a total of 55 million. Thirty-six percent of those were created during 2010.

Of the mobile malware, "one of the most important threats of the quarter" was a Trojan called Android/Geinimi that can steal data on both phones and SD cards. It spreads through infected applications, usually downloaded from third-party sites, a route known as "side-loading" because the apps don't come from the primary Android app market.

Geinimi first showed up in China toward the end of the year, travelling by grafting itself onto legitimate software in Chinese third-party Android app markets, according to smartphone security software vendor Lookout.

When the infected application runs, Geinimi launches in the background and collects private information, including unique identifiers for the device and SIM card. Every five minutes it tries to upload the information to one of ten domain names, sometimes communicating with live servers, sometimes not.
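That beaconing pattern, a device reaching out at a near-fixed interval to a rotating pool of hosts, is exactly what a defender can look for in egress logs. The check below is an added example, not code from the article or from Lookout or McAfee; the device names, hosts and timestamps are constructed, and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample egress log: "timestamp device destination-host".
# "phone-A" shows the Geinimi-style pattern: one attempt every five
# minutes, rotating across several hosts. "phone-B" is ordinary browsing.
SAMPLE_LOG = """\
2011-02-10T09:00:00 phone-A c2-one.example
2011-02-10T09:00:14 phone-B news.example
2011-02-10T09:05:01 phone-A c2-two.example
2011-02-10T09:07:42 phone-B mail.example
2011-02-10T09:10:00 phone-A c2-three.example
2011-02-10T09:14:59 phone-A c2-one.example
2011-02-10T09:16:30 phone-B news.example
2011-02-10T09:20:02 phone-A c2-four.example
2011-02-10T09:25:00 phone-A c2-two.example
2011-02-10T09:41:10 phone-B video.example
"""

def parse_log(text):
    """Return {device: [(datetime, host), ...]} sorted by time."""
    events = defaultdict(list)
    for line in text.splitlines():
        ts, device, host = line.split()
        events[device].append((datetime.fromisoformat(ts), host))
    for device in events:
        events[device].sort()
    return events

def find_beacons(events, min_events=4, max_jitter=0.05, min_domains=2):
    """Flag devices whose outbound connections recur at a near-constant
    interval and are spread across several destination hosts.
    max_jitter is the allowed coefficient of variation of the gaps
    (assumed threshold); a hand-held timer gives a value near zero."""
    flagged = {}
    for device, evs in events.items():
        if len(evs) < min_events:
            continue
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(evs, evs[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else 1.0
        hosts = {h for _, h in evs}
        if cv <= max_jitter and len(hosts) >= min_domains:
            flagged[device] = {"interval_s": round(avg), "hosts": sorted(hosts)}
    return flagged

if __name__ == "__main__":
    print(find_beacons(parse_log(SAMPLE_LOG)))
```

Real malware may add jitter to the timer; widening max_jitter trades fewer misses for more false positives from legitimate polling apps, so the host-diversity test is what keeps the rule useful.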

The Trojan can also download or launch an additional app to help it work, though the owner still has to approve the launch of the new app.

Lookout describes the Trojan as a new level of sophistication in Android malware, partly for the multifaceted infection mechanism, partly for the ways it tries to hide itself on the phone using code from "an off-the-shelf bytecode obfuscator" (which is my new favorite phrase in geekspeak).

Geinimi could be doing anything from just swiping information to building a highly mobile botnet; it's hard to be sure, according to Lookout.

It's more traditional and data-focused than a newer, even more innovative bit of malware created by researchers at the University of Hong Kong and Indiana University, just to prove they can do it.

Called Soundminer, the low-profile Trojan monitors your phone calls and records when someone speaks a credit card number or other key phrase. Then it sends that information back to its masters across the Internet.

"Our study shows that an individual's credit card number can be reliably identified and stealthily disclosed. Therefore, the threat of such an attack is real," according to one of the researchers.

The Web was a favorite source of infection for less-impressive malware during 2010, according to McAfee, and for a wider array of devices, including tablets, phones and Internet TVs; the most notable examples were Zeus-Murofet, Conficker and Koobface.

Phishing URLs continue to proliferate and do a much better job than legitimate sites of getting themselves placed high in Google searches. McAfee found 51 percent of the 100 results from top daily search terms led to malicious sites, each of which had an average of five malicious links.

The trend will continue during 2011, McAfee predicted. Unnecessarily.

Kevin Fogarty writes about enterprise IT for ITworld. Follow him on Twitter @KevinFogarty.
