Sage Advice - Cybersecurity Blog

Mobile Malware’s Getting Smarter

smarter-mobile-malware.jpgDespite their immense popularity, ubiquity, and ability to find their way into just about any IT conversation and industry content, mobile devices haven’t attracted much interest from the attack side. Though device infections did reach a new high in April 2016, they comprised just 1.06% of total malware infections, explained Kevin McNamee, director of Nokia’s Threat Intelligence Lab, during his presentation at the 2016 CyberCrime Symposium.

While this particular threat vector has been a minor blip on the infosec radar screen, it’s growing – and at a rate that’s hard to ignore. “Malware infections in smartphones increased 96% in the first half of 2016 over the previous six months,” said McNamee, principal author of Nokia’s bi-annual Threat Intelligence Report, which publishes findings extrapolated from data captured and analyzed by the Threat Intelligence Lab, which monitors nearly 100 million devices in mobile networks worldwide.

Smartphones, not surprisingly, were by far the hottest mobile target, accounting for 78% of the malware detected in mobile networks. Equally predictable, based on historical data trends, was the Android’s contribution to smartphone infections – these devices were responsible for 74% of all smartphone infections. Further, the Android infection samples captured by the lab increased 75% in the first six months of 2016.

However, Windows laptops and PCs were also a significant part of the 2016 mix. Nearly a quarter of the infections identified – 22% – were found on Windows laptops and PCs connected to mobile networks through wireless adapters and other means.

Breaking It Down - Mobile Malware Threats

The Threat Intelligence Lab monitors networks for malware command and control servers, exploits, distributed denial-of-service (DDoS) attacks, and hacking activity. Based on Nokia’s analysis of the data captured in the first half of 2016, the three leading mobile threats and their threat levels were:

Uapush.A. This malware is an Android adware Trojan that uses command and control servers based in China. Categorized as a moderate threat, it’s able to use compromised devices to send Short SMS messages and steal any stored personal information.

Kasandra.B. On the other end of the threat-level spectrum is this Android Trojan, built to leverage the cyber-attack benefits of remote access. According to McNamee, its developers designed the malware to look like Kaspersky’s Mobile Security App. Instead of getting the expected security tools, users get a Trojan that provides actors with unrestricted remote access to such jewels as contact lists, SMS messages, call logs, stored GPS location data, and browser history. It’s able to package and store all this data in a file on the device’s SD card, and then upload it to command and control servers.

SMS Tracker. This Android Spy Phone app is another productive malware type that’s on the high end of the threat curve. It's a full-service remote phone-tracking and monitoring system targeting Androids. Once on the device, SMS Tracker lets actors remotely monitor all SMS and MMS communications, text messages, and voice calls, as well as the user’s GPS location and browser history.

Guess What? Mobile Malware's Getting More Sophisticated.

Like everything else cybersecurity professionals face, mobile malware is becoming increasingly sophisticated, and if that was a good thing, “2016 would have been a banner year,” said McNamee. And, while smartphones are the most lucrative mobile threat vector, with Androids the most infected, the iPhone isn’t immune. Malware developers just tend to focus the majority of their efforts on exploits that find mobile networks to be hospitable, such as SMS Trojans, Spy Phone apps and Trojans, scareware, and adware.

"In 2016," said McNamee, "the industry started to see more sophisticated threats." These take more effort, but also deliver higher payoff.  With newer strains of malware focusing on, for example, systematic rooting, so they can take up permanent residence on a device and gain total control.

Another emerging malware type is designed to get hooks into privilege-protected apps, by injecting them with malicious code. McNamee cited activity with Google Play as an example of what this malware can do. In this case, developers used malware to control Google Play’s buy and install function to link them to ad clicks, creating a nice revenue stream for operators. This kind of higher-level activity means actors are going to focus more effort on an area that, to date, hasn’t been a huge area of concern, so it will become increasing important in coming months to monitor mobile networks, capture data on suspicious activity, and apply sophisticated analytics to understand threats and develop effective defenses.

Being mobile in business is essential – and determining how your business manages mobile devices is important.  With the increasing sophistication of mobile malware, security considerations should be an integral part of your mobile device strategy.  Click here for tips on creating your business’ mobile device policy.  

This is the third in our series presenting key takeaways from Sage Data Security’s 2016 CyberCrime Symposium, held November 3-4, 2016. If you couldn’t get a seat at the event or just want a refresher, check-in weekly for the latest installment featuring actionable insight from select presentations.   


Need Some Cybersecurity Expertise on Your Team?

Sage's Cybersecurity Partnership Program gives you access to our cybersecurity advisors. You receive oversight, guidance, and counsel toward meeting compliance objectives and improving the security posture throughout your organization.

 Learn More

Topics: CyberCrime Symposium, Malware, Mobile Security


The Sage Cybersecurity Lifecycle

The Sage Data Security Cybersecurity Lifecycle

Cybersecurity isn’t a destination.

There is no single, straight path that will get you to the point where you can say, “We did it! We’re 100% cyber-secure.”

A more realistic destination is cyber resiliency – the ability to prepare for and adapt to changing conditions, so you can withstand and recover rapidly from disruptions. Achieving cyber resilience depends on what we like to call the cybersecurity lifecycle – an ongoing cycle of interconnected elements that compliment and reinforce one another.

Learn More