Paranoid Android? Examining three key trends in Android malware

08 May 2019

Article by Check Point head of mobile security product marketing, Brian Gleeson.

It’s just over 10 years since the first commercial smartphone using Google’s Android operating system was launched, and it has grown fast. Android is now the market-leading mobile OS, with a massive 88% market share and installed on an estimated 2 billion-plus devices globally. But success has its drawbacks: it’s also a target for criminal activity.

Google recently published its annual Android security report, which sheds light on attempts to exploit the Android mobile ecosystem. The report states that 0.04% of all downloads from Google Play were classified as potentially harmful applications – double the number detected in 2017.

That 0.04% may not sound like much, but the total number of Android app downloads in 2018 has been estimated at over 75 billion. That equates to an estimated 30 million downloads of potentially harmful apps from the Play store, apps that contain malicious components such as mobile botnets, crypto-miners, adware and data-harvesting tools.

And it isn’t just criminals looking to make a quick buck. Nation-state actors have stepped up their activities targeting mobiles, using sophisticated Trojans capable of taking complete control of targeted devices. So you are not being paranoid if you worry about Android security: the threat landscape is growing in every dimension. Here we examine three of the key trends in malware targeting Android.

1. Mobile adware botnets dominate the mobile malware arena

In 2016, researchers discovered the world’s first large-scale mobile botnet – Viking Horde – on Google Play. Infected devices were turned into a zombie army of IP address proxies that generated fake ad clicks to earn revenue for the attacker.

Since then, mobile adware botnets have proliferated alarmingly in both spread and capabilities. HummingBad, created by the Chinese ad network Yingmob, controlled over 10 million devices globally and generated $300,000 a month in fraudulent ad revenue. DressCode, which again used Google Play to spread, introduced new mobile botnet capabilities, allowing attackers to route communications through a victim’s device, enabling access to its internal networks and therefore compromising security for individuals and organisations alike.

In May 2017, researchers uncovered Judy, an auto-clicking adware that was conceivably the largest malware infection ever on Google Play – and botnets have progressed greatly even since then. More recently, attackers have used this powerful cyber weapon to conduct mass DDoS attacks, and even to mine crypto-currencies, raising fears that the worst uses of mobile botnets are yet to come.

2. Mobile bankers keep on marching

Banking malware is one of the more dangerous threat types targeting mobile users today. These malicious pieces of code are designed to steal financial information and transfer funds directly to the attacker’s accounts – and over the years, perpetrators have managed to overcome obstacles such as two-factor authentication and the defenses built into successive versions of Android, such is their drive to complete these thefts.

Surprisingly, mobile banking malware requires little technical knowledge to develop, and even less to operate. The malware watches for a banking app on the infected device and draws a fake overlay page over it as soon as the user opens it. The user then enters their credentials into the overlay, which sends them directly to the attacker’s server. To operate a thriving banker campaign, a hacker needs only a couple of persuasive overlay pages, a server, and an infection method. For this reason, many mobile bankers, such as Marcher, are operated in a malware-as-a-service business model or as open source projects.
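The overlay and 2FA-interception behaviour described in the last two paragraphs leaves a recognisable footprint in an app's manifest: permission to draw over other apps, permission to read SMS, a way to learn which app is in the foreground, and often an accessibility service. The triage script below is an added example (not Check Point's tooling, and not from the article) that scores a parsed AndroidManifest.xml on that combination; the permission weights and the constructed sample manifest are assumptions for illustration.

```python
"""Heuristic triage of an Android manifest for the permission profile that
overlay-style mobile bankers need. Example added here; the weights are assumed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capabilities that, in combination, let an app draw a fake login page over a
# banking app and intercept SMS-based one-time codes. Weights are assumptions.
RISK_WEIGHTS = {
    "android.permission.SYSTEM_ALERT_WINDOW": 3,  # draw overlays on other apps
    "android.permission.RECEIVE_SMS": 2,          # intercept 2FA codes
    "android.permission.READ_SMS": 2,
    "android.permission.PACKAGE_USAGE_STATS": 2,  # learn which app is foreground
    "android.permission.GET_TASKS": 2,
    "android.permission.INTERNET": 1,             # exfiltrate to a server
}
A11Y_ACTION = "android.accessibilityservice.AccessibilityService"
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}


def manifest_risk(manifest_xml: str) -> dict:
    """Return a score plus the individual indicators for a manifest string."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    score = sum(w for p, w in RISK_WEIGHTS.items() if p in perms)
    # An accessibility service can read screen content and auto-click on the
    # victim's behalf, so it counts as an overlay-grade capability too.
    uses_a11y = any(a.get(ANDROID_NS + "name") == A11Y_ACTION
                    for a in root.iter("action"))
    if uses_a11y:
        score += 3
    overlay_capable = "android.permission.SYSTEM_ALERT_WINDOW" in perms or uses_a11y
    return {
        "score": score,
        "overlay_capable": overlay_capable,
        "sms_access": bool(perms & SMS_PERMS),
        "flag": overlay_capable and score >= 6,  # threshold is an assumption
    }


# Constructed manifest (not a real sample): a "flashlight" app carrying the
# full banker profile, including an accessibility service.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.PACKAGE_USAGE_STATS"/>
  <application>
    <service android:name=".Svc"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(manifest_risk(SAMPLE_MANIFEST))
```

A flagged result is a prompt for manual review, not proof of malice: legitimate screen readers and SMS apps request some of these permissions, which is why the score combines them rather than alerting on any one.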

This combination of rich potential rewards and ease of setup makes mobile bankers among the most alarming and insidious threats facing Android users. And, like any cyberthreat, they are continually evolving. The latest addition to the world of mobile banking malware is the new family of cryptocurrency bankers. Researchers have discovered malware masquerading as a legitimate cryptocurrency wallet that in fact steals the money from the secure ‘wallet’ it claims to provide. As cryptocurrency trading continues, we are sure to see new and sophisticated malware trying to steal from more users.

3. State actors and common criminals sharing code

Broadly speaking, mobile malware developers can be classified into four types. The most sophisticated are the nation state-level developers, who create malware aimed at reconnaissance, like those found in the Vault 7 leaks. Next are the exploit developers that build espionage capabilities for governments and organizations, like the NSO Group, which developed the Pegasus malware for iOS and its twin, the Chrysaor malware for Android.

Personal spyware developers, who create tools enabling private users to spy on other people’s devices, make up the third group, and then we have the so-called ‘ordinary malware’ hackers driven by illegal profit. It is important to understand, however, that these groups do not operate independently of each other. They share tactics, technologies and code.

As such, the state-level malware campaigns such as Domestic Kitten and GlanceLove, which have been revealed at record-breaking rates in recent months, are even more sinister than they first appear. This trend poses a threat to all mobile users, since mobile hackers often ‘borrow’ code from each other. And it’s a two-way street, as many criminal hackers imitate the sophisticated state-level malware and learn from its advanced features. Building comprehensive network protection requires that you view all cyber threats as inter-related, no matter their point of origin.

Advanced mobile defenses are a must

What do these three trends tell us? They show that the mobile threat landscape is expanding, and that multiple varieties of mobile malware are penetrating Google Play, infecting millions of unsuspecting Android users. They also show the threat landscape is interconnected, with advancements introduced by state-level actors then mimicked by ordinary malware, and vice versa. All cyber threats are related to each other, no matter their origin. Although the motives behind mobile hacks may vary, they do impact and enrich each other, improving their success rates.

To protect company resources and data against these mobile threats, it’s critical to deploy advanced defenses capable of detecting and blocking attacks before they inflict damage. The mobile security solution should integrate features such as anti-phishing, safe browsing tools, conditional access, anti-bot, URL filtering and Wi-Fi network security capabilities. With the right approach to mobile security, there’s no need to be paranoid about threats to Android devices.
