The Evolution of Mobile Malware

The landscape of cybersecurity is constantly evolving, as hackers try to out-manoeuvre defenders with ever-changing threats and tools to gain the upper hand in the virtual cyber-war.

With this in mind, it is crucial that businesses regularly review their security strategies – or risk becoming extremely vulnerable, amidst the rapid rate of change in technology. In this age, every connected device is vulnerable to cyber-attacks.

Mobile malware is grabbing the headlines at the moment, playing a significant and growing role in the threat landscape. With more companies than ever before relying on mobile devices, criminals have spotted the opportunity to exploit this for their own gains.

Mobile malware can result in the loss of money and sensitive corporate data, and provides a mechanism for attackers to gain access to a corporate network. It can also lead to increased battery usage and traffic, which can add further costs and strain for businesses.

Kaspersky Lab’s most notable trends in the evolution of mobile malware are:

Increase in WAP clickers

Kaspersky Lab researchers have recorded a resurgence in the number of mobile Trojan clickers that steal money from Android users through WAP-billing, a type of direct mobile payment that requires no additional registration. These Trojans click on pages with paid services, and once a subscription is activated, money from the victim’s account flows directly to the hackers’ accounts. This trend is growing in regularity, and in 2017 the mobile threat started to spread actively. Some of the discovered WAP-clickers also had modules for crypto-currency mining.

The rise in the price of crypto-currency makes mining a more profitable business, even though the performance of mobile devices is limited. Mining results in rapid battery consumption, and in some cases even device failure. Kaspersky Lab also discovered several new Trojans posing as useful applications that were mining crypto-currency on an infected device. As crypto-currency mining continues in 2018, there will most likely be a rise in new miners and techniques.

The rise and fall of mobile ransomware programs

The ransomware epidemics that hit the business world last year were also reflected in the mobile threat landscape. Kaspersky Lab discovered 544,107 installation packages for mobile ransomware Trojans. This is twice as many as in 2016 and 17 times as many as in 2015. Much of this increased volume occurred during the first few months of the year due to the high activity of the Congur Trojan family (83 per cent of all installation packages in 2017), a blocker that sets, or resets, a device PIN (passcode) and then demands money for unblocking the device.

Mobile ransomware remains both simple and effective, with its capabilities and techniques almost unchanged – and still posing significant threats to both consumers and businesses.

Mobile advertising Trojans

Mobile advertising Trojans, the former top mobile malware threat from 2016, continue to aggressively infect devices, but hackers have been forced to change their techniques over the last 12 months. Some Trojan families have started to use monetisation schemes involving paid SMS and WAP-billing services to preserve and increase profits.

This shift was triggered by the overall decrease in the number of mobile devices running older versions of Android, which are the main targets of Trojans. This is primarily because the common vulnerabilities they exploit are usually patched in the newer versions of the system.

As a result, advertising Trojans are increasingly confronted with devices on which they cannot gain a foothold. This provides the victim with the chance to get rid of this malware once it starts aggressively displaying ads, or installing new applications.

Mobile malware as part of targeted campaigns

Mobile malware isn’t just an opportunistic tactic for cybercriminals. Kaspersky Lab is also seeing its use as part of targeted, prolonged campaigns that can affect many victims.

One of the most notable discoveries this year was Skygofree. It is one of the most advanced mobile implants that Kaspersky Lab has ever seen. It has been active since 2014, and was designed for targeted cyber-surveillance. It is spread through web pages mimicking leading mobile network operators.

This is high-end mobile malware that is very difficult to identify and block, and the developers behind Skygofree have clearly used this to their advantage: creating and evolving an implant that can spy extensively on targets without arousing suspicion.

Rooting software – still a threat

In recent times, rooting malware has been the biggest threat to Android users. These Trojans are difficult to detect, boast an array of capabilities, and have been very popular among cybercriminals. Once an attacker has root access, the door is open to do almost anything. The main goal of these Trojans is to show victims as many ads as possible, and to silently install and launch the apps that are advertised.

The number of victims attacked by rooting malware in 2017 decreased compared to the previous year. However, this threat is still among the most popular types of malware – almost half the Trojans in our Top 20 rating belong to families that can get root privileges. The decrease in their popularity among cybercriminals was probably due to a decline in the number of devices running older versions of Android – the malware’s main targets.

To reduce the risk of infection and to stay protected, Kaspersky Lab advises people to do the following:

  • Restrict what apps can be installed on corporate devices.
  • Exercise caution when receiving emails from people or organisations you don’t know, or with unexpected requests or attachments.
  • Always double-check the integrity and origin of websites before clicking on links. If in doubt, call the service provider to verify.
  • Manage mobile devices so that personal and business data is separated, if the business has a BYOD policy.
  • Provide a secure VPN for staff to connect remotely to the corporate network.
  • Always implement the latest updates to your operating system and apps.

About the Author

David Emm is Principal Security Researcher at Kaspersky Lab. Kaspersky Lab’s deep threat intelligence and security expertise is constantly transforming into security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialised security solutions and services to fight sophisticated and evolving digital threats.