
Paranoid Android? Examining three key trends in Android malware

08 May 2019

Article by Check Point head of mobile security product marketing, Brian Gleeson.

It is just over 10 years since the first commercial smartphone running Google’s Android operating system was launched, and the platform has grown fast. Android is now the market-leading mobile OS, with a massive 88% market share and an estimated 2 billion-plus devices in use globally. But success has a drawback: it is also a target for criminal activity.

Google recently published its annual Android security report, which sheds light on attempts to exploit the Android ecosystem. The report states that 0.04% of all downloads from Google Play were classified as potentially harmful applications (PHAs), double the rate detected in 2017.

That 0.04% may not sound like much, but total Android app downloads in 2018 have been estimated at over 75 billion, so it equates to roughly 30 million downloads of potentially harmful apps from the Play store. These apps carry malicious components such as mobile botnet clients, crypto-miners, adware and data-harvesting tools.

And it isn’t just criminals looking to make a quick buck. Nation-state actors have stepped up their activities targeting mobiles, using sophisticated Trojans capable of taking complete control of a targeted device. So you are not being paranoid if you are worried about Android security: the threat landscape is growing in every dimension. Here we examine three of the key trends in malware that targets Android.

1. Mobile adware botnets dominate the mobile malware arena

In 2016, researchers discovered the first large-scale mobile botnet on Google Play, Viking Horde. It turned infected devices into an army of IP proxies, through which the attacker routed fraudulent ad clicks to generate revenue.

Since then, mobile adware botnets have proliferated alarmingly in both spread and capabilities. HummingBad, created by the Chinese ad network Yingmob, controlled over 10 million devices globally and generated $300,000 a month in fraudulent ad revenue. DressCode, which again spread through Google Play, introduced new botnet capabilities: it let attackers route traffic through a victim’s device and so reach the internal networks that device was connected to, compromising security for individuals and organisations alike.

In May 2017, researchers uncovered Judy, an auto-clicking adware that was possibly the largest malware infection ever seen on Google Play. Botnets have progressed further since then: attackers have used mobile botnets to conduct mass DDoS attacks and even to mine crypto-currencies, raising fears that the worst uses of mobile botnets are still to come.

2. Mobile bankers keep on marching

Banking malware is one of the more dangerous threat types targeting mobile users today. These malicious pieces of code are designed to steal financial information and transfer funds directly to the attacker’s accounts, and over the years their operators have overcome obstacles such as two-factor authentication and the defenses built into successive Android versions, such is their drive to complete these thefts.

Surprisingly, mobile banking malware requires little technical knowledge to develop, and even less to operate. The malware watches for a targeted banking app on the infected device and, once the user opens it, draws a fake login page over the real one. The user enters their credentials into the overlay, which forwards them directly to the attacker’s server. To run a thriving banker campaign, an attacker needs only a few persuasive overlay pages, a server and an infection method. For this reason, many mobile bankers, such as Marcher, are operated under a malware-as-a-service business model or as open source projects.
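The overlay flow described above leaves a recognisable footprint in an app’s manifest, which makes a cheap static triage check possible. The following Python script is an added example, not Check Point’s code or part of the original article. It scans a decoded AndroidManifest.xml (as produced by a tool such as apktool) for the permission pattern an overlay banker needs: SYSTEM_ALERT_WINDOW to draw over the banking app, some way of learning which app is in the foreground (PACKAGE_USAGE_STATS, the legacy GET_TASKS, or an accessibility service), and SMS permissions for intercepting one-time codes. The package names and manifests are constructed, and the indicator grouping and verdict rules are a heuristic added here, not an official classification.

```python
"""Static triage of a decoded AndroidManifest.xml for the permission pattern an
overlay banker needs: draw over other apps, learn which app is in the
foreground, and (optionally) read incoming SMS one-time codes.

Added example, not from the article. The indicator groups and verdict rules
are an analyst heuristic: launchers, chat-head apps and genuine accessibility
tools request some of these permissions too, so a hit is a lead, not proof.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ATTR_NAME = f"{{{ANDROID_NS}}}name"
ATTR_PERMISSION = f"{{{ANDROID_NS}}}permission"

# Capability groups (assumed grouping, not an official taxonomy).
OVERLAY_PERMS = {"android.permission.SYSTEM_ALERT_WINDOW"}  # draw over other apps
FOREGROUND_PERMS = {
    "android.permission.PACKAGE_USAGE_STATS",  # UsageStatsManager: which app is on screen
    "android.permission.GET_TASKS",            # legacy way to read the running task list
}
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def parse_manifest(xml_text: str):
    """Return (package, requested permissions, has accessibility service)."""
    root = ET.fromstring(xml_text)
    perms = {p.get(ATTR_NAME) for p in root.iter("uses-permission") if p.get(ATTR_NAME)}
    # A <service> guarded by BIND_ACCESSIBILITY_SERVICE is an accessibility service.
    # Bankers abuse it to learn the foreground app and to click through dialogs.
    has_accessibility = any(
        s.get(ATTR_PERMISSION) == ACCESSIBILITY_BIND for s in root.iter("service")
    )
    return root.get("package"), perms, has_accessibility


def overlay_risk(xml_text: str) -> dict:
    """Score the manifest for the overlay-banker pattern."""
    package, perms, has_accessibility = parse_manifest(xml_text)
    indicators = []
    if perms & OVERLAY_PERMS:
        indicators.append("overlay")
    if perms & FOREGROUND_PERMS:
        indicators.append("foreground_permission")
    if has_accessibility:
        indicators.append("accessibility_service")
    if perms & SMS_PERMS:
        indicators.append("sms")

    can_overlay = "overlay" in indicators
    knows_foreground = "foreground_permission" in indicators or has_accessibility
    # The combination is what matters: an overlay alone is a launcher or chat
    # head; overlay plus foreground detection is the banker pattern, and SMS
    # access on top of that suggests one-time-code interception.
    if can_overlay and knows_foreground:
        verdict = "high" if "sms" in indicators else "suspicious"
    else:
        verdict = "low"
    return {"package": package, "indicators": indicators, "verdict": verdict}


# Constructed sample manifests (hypothetical package names), in the form
# apktool decodes them from an APK.
BANKER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <service android:name=".HelperService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

LAUNCHER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.launcher">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application/>
</manifest>"""

NOTES_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for manifest in (BANKER_MANIFEST, LAUNCHER_MANIFEST, NOTES_MANIFEST):
        print(overlay_risk(manifest))
```

In practice the input is the AndroidManifest.xml written by `apktool d app.apk`; the binary manifest inside a raw APK must be decoded first. The script deliberately scores the combination rather than any single permission: the launcher sample requests SYSTEM_ALERT_WINDOW and still scores low, while the flashlight sample, which can draw over other apps, run an accessibility service and read SMS, is the pattern an analyst should pull apart by hand.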

This combination of rich potential rewards and ease of setup makes mobile bankers among the most alarming and insidious threats facing Android users. And, like any cyber threat, they are continually evolving. The latest addition is a new family of cryptocurrency bankers: researchers have discovered malware masquerading as legitimate cryptocurrency wallets that in fact steals the funds from the secure ‘wallet’ it claims to provide. As cryptocurrency trading continues, we are sure to see new and sophisticated malware trying to steal from more users.

3. State actors and common criminals sharing code

Broadly speaking, mobile malware developers can be classified into four types. The most sophisticated are nation-state developers, who create malware aimed at reconnaissance, like the tools found in the Vault 7 leaks. Next are the exploit vendors who develop espionage capabilities for governments and organisations, like NSO Group, which developed the Pegasus malware for iOS and its twin, Chrysaor, for Android.

Personal spyware developers, who create tools enabling private users to spy on other people’s devices, make up the third group, and then there are the so-called ‘ordinary malware’ hackers driven by illegal profit. It is important to understand, however, that these groups do not operate independently of each other. They share tactics, technologies and code.

As such, state-level malware campaigns such as Domestic Kitten and GlaceLove, which have been revealed at record-breaking rates in recent months, are even more sinister than they first appear. The trend poses a threat to all mobile users, since mobile attackers often ‘borrow’ code from each other. And it is a two-way street: many criminal hackers imitate sophisticated state-level malware and learn from its advanced features. Building comprehensive protection requires viewing all cyber threats as inter-related, no matter their point of origin.

Advanced mobile defenses are a must

What do these three trends tell us? They show that the mobile threat landscape is expanding, with multiple varieties of mobile malware penetrating Google Play and infecting millions of unsuspecting Android users. They also show that the landscape is interconnected: advances introduced by state-level actors are mimicked by ordinary malware, and vice versa. Although the motives behind mobile attacks vary, the techniques feed each other and improve their success rates.

To protect company resources and data against these mobile threats, it is critical to deploy advanced defenses capable of detecting and blocking attacks before they inflict damage. A mobile security solution should integrate features such as anti-phishing, safe browsing, conditional access, anti-bot, URL filtering and Wi-Fi network security. With the right approach to mobile security, there is no need to be paranoid about threats to Android devices.
