
Paranoid Android? Examining three key trends in Android malware

08 May 2019

Article by Check Point head of mobile security product marketing, Brian Gleeson.

It’s just over 10 years since the first commercial smartphone using Google’s Android operating system was launched, and it has grown fast. Android is now the market-leading mobile OS, with a massive 88% market share and installed on an estimated 2 billion-plus devices globally. But success has its drawbacks: it’s also a target for criminal activity.

Google recently published its annual Android security report which sheds light on attempts to exploit the Android mobile ecosystem. The report states that 0.04% of all downloads from Google Play were classified as potentially harmful applications – double the number detected in 2017.  

That 0.04% may not sound like much, but the total number of Android app downloads in 2018 has been estimated at over 75 billion. So that equates to an estimated 30 million potentially harmful apps in the Play store, which contain malicious components such as mobile botnets, crypto-miners, adware and data-harvesting tools.  

And it isn’t just criminals looking to make a quick buck. Nation-state actors have stepped up activities targeting mobiles, using sophisticated Trojans that are capable of achieving complete control over targeted devices. So it definitely doesn’t mean you are paranoid if you’re worried about Android security: the threat landscape is growing in every dimension. Here we will examine three of the key trends in malware that target Android.

1. Mobile adware botnets dominate the mobile malware arena

In 2016, researchers discovered the world’s first large-scale mobile botnet – Viking Horde – on Google Play. A zombie army of IP address proxies was disguised as ad clicks to generate revenue for the attacker.

Since then, mobile adware botnets have proliferated alarmingly in both spread and capabilities. HummingBad, created by the Chinese ad network Yingmob, controlled over 10 million devices globally and generated $300,000 a month in fraudulent ad revenue. DressCode, which again used Google Play to spread, introduced new mobile botnet capabilities, allowing attackers to route communications through a victim’s device, enabling access to its internal networks and therefore compromising security for individuals and organisations alike.

In May 2017, researchers uncovered Judy, an auto-clicking adware that was conceivably the largest malware infection ever on Google Play – and botnets have greatly progressed even since then. Lately, attackers used this powerful cyber weapon to conduct mass DDoS attacks, and even mine crypto-currencies, raising fears that the worst uses of mobile botnets have yet to come. 

2. Mobile bankers keep on marching

Banking malware is one of the more dangerous threat types targeting mobile users today. These malicious pieces of code are designed to steal financial information and transfer funds directly to the attacker’s accounts – and over the years, perpetrators have managed to overcome obstacles such as two-factor authentication and defenses set in different versions of Android, such is their drive to complete these thefts.

Surprisingly, mobile banking malware requires little technical knowledge to develop, and even less to operate. The malware searches for a banking app on the infected device and creates a fake overlay page once the user opens it. The user then enters their credentials into the overlay, which sends them directly to the attacker’s server. To operate a thriving banker campaign, a hacker needs only a couple of persuasive overlay pages, a server, and an infection method. For this reason, many mobile bankers, such as Marcher, are operated in a malware-as-a-service business model or as open source projects.
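The overlay technique described above is what Android's touch-filtering and overlay-hiding guards exist to counter, and a banking app can switch them on in its login screen. The following is an added illustration, not code from the article or from Check Point; it assumes a hypothetical `LoginActivity` with `R.id.username`, `R.id.password` and `R.id.submit` views, and, for the Android 12+ branch, the `android.permission.HIDE_OVERLAY_WINDOWS` permission declared in the manifest.

```java
// Added example (not the article's code): hardening a banking login screen
// against overlay-based credential phishing. Package and resource ids are hypothetical.
package com.example.bank;

import android.os.Build;
import android.os.Bundle;
import android.util.Log;
import android.view.MotionEvent;
import android.widget.Button;
import android.widget.EditText;
import androidx.appcompat.app.AppCompatActivity;

public class LoginActivity extends AppCompatActivity {
    private static final String TAG = "OverlayGuard";

    /**
     * True when the system reports that another window covers this one, fully
     * or (on Android 10+) partially, at the moment the touch was delivered.
     * A phishing overlay sitting on top of the real login form shows up here.
     */
    static boolean isTouchObscured(MotionEvent event) {
        int flags = event.getFlags();
        boolean fully = (flags & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;
        boolean partially = Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q
                && (flags & MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0;
        return fully || partially;
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_login); // hypothetical layout

        EditText user = findViewById(R.id.username);
        EditText pass = findViewById(R.id.password);
        Button submit = findViewById(R.id.submit);

        // 1. Refuse touches that reach the credential fields while another window
        //    fully covers them. This is the platform's built-in guard against
        //    "tapjacking": input never reaches the field while an overlay is up.
        user.setFilterTouchesWhenObscured(true);
        pass.setFilterTouchesWhenObscured(true);

        // 2. On Android 12+, ask the system to hide non-system overlay windows
        //    while this activity is visible (requires HIDE_OVERLAY_WINDOWS in the manifest).
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
            getWindow().setHideOverlayWindows(true);
        }

        // 3. On the submit button, check the flag ourselves so that a partially
        //    obscured window (which setFilterTouchesWhenObscured does not cover)
        //    is also rejected, and so the event can be recorded for the security
        //    team's telemetry.
        submit.setOnTouchListener((v, event) -> {
            if (isTouchObscured(event)) {
                Log.w(TAG, "Login tap delivered while window was obscured; submit refused");
                return true; // consume the event: credentials are not sent
            }
            return false; // normal click handling continues
        });
    }
}
```

The two mechanisms are complementary: `setFilterTouchesWhenObscured` stops the fields from receiving input under a full-screen overlay, while the explicit flag check on the submit button closes the partial-overlay gap and gives the app a log line that can be counted server-side as an indicator of an attempted overlay attack on a user's device.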

This combination of rich potential rewards and ease of setup makes mobile bankers among the most alarming and insidious threats facing Android users. And, like any cyberthreat, they are continually evolving. The latest addition to the world of mobile banking malware is the new family of cryptocurrency bankers. Researchers have discovered malware that masquerades as a legitimate cryptocurrency wallet but in fact steals the money from the secure ‘wallet’ it claims to provide. As cryptocurrency trade activity continues, we are sure to see new and sophisticated malware trying to steal from additional users.

3. State actors and common criminals sharing code

Broadly speaking, mobile malware developers can be classified into four types. The most sophisticated are the nation state-level developers, who create malware aimed at reconnaissance, like those found in the Vault 7 leaks. Next, are exploiters that develop espionage capabilities for governments and organizations, like the NSO group which developed the Pegasus malware for iOS, and its twin, the Chrysaor malware for Android.

Personal spyware developers who create tools enabling private users to spy on other devices make up the third group, and then we have the so-called ‘ordinary malware’ hackers driven by gaining illegal profits.  It is important to understand, however, that these groups do not operate independently from each other. They share tactics, technologies and code. 

As such, the state-level malware campaigns such as Domestic Kitten and GlaceLove which have been revealed at record-breaking rates in recent months are even more sinister than they first appear. This trend poses a threat to all mobile users, since mobile hackers often ‘borrow’ code from each other. And it’s a two-way street, as many criminal hackers imitate the sophisticated state-level malware and learn from their advanced features. To build comprehensive network protection requires that you view all cyber threats as inter-related, no matter their point of origin.

Advanced mobile defenses are a must

What do these three trends tell us? They show that the mobile threat landscape is expanding, and that multiple varieties of mobile malware are penetrating Google Play, infecting millions of unsuspecting Android users. They also show the threat landscape is interconnected, with advancements introduced by state-level actors then mimicked by ordinary malware, and vice versa. All cyber threats are related to each other, no matter their origin. Although the motives behind mobile hacks may vary, they do impact and enrich each other, improving their success rates.

To protect company resources and data against these mobile threats, it’s critical to deploy advanced defenses capable of detecting and blocking attacks before they inflict damage. The mobile security solution should integrate features such as anti-phishing, safe browsing tools, conditional access, anti-bot, URL filtering and WiFi network security capabilities. With the right approach to mobile security, there’s no need to be paranoid about threats to Android devices.
