The Changing Landscape of Malware for Mobile Devices

Mobile phones are now part of the battlefield that encompasses Internet-based crimes. Recent incidents involved the deployment of trojan Android and iOS apps, as well as ZeuS variants designed for Symbian, Blackberry, Windows Mobile and Android platforms. This is just the beginning. Malware authors are paying attention to such mobile devices because they’re increasingly used for sensitive transactions, including payments, banking and two-factor authentication.

The majority of mobile device infections witnessed to date have involved an element of social engineering, but soon enough exploits will play a role in large-scale distribution of mobile device malware. Attackers have submitted trojan programs to app stores that seemed legitimate but included malicious capabilities. This problem has been plaguing the Android platform, which provides its users with multiple app stores and incorporates minimal oversight over the listed apps.

Typical Capabilities of Mobile Device Malware

Pjapps/SteamyScr looked like a legitimate game that made the Android phone’s screen appear steamed up, letting the user wipe the “steam” off the screen. However, the trojan also turned the phone into a bot that an attacker could remotely control. According to Symantec, the malicious program could “install applications, navigate to websites, add bookmarks to your browser, send text messages, and optionally block text message responses.”

As another Android example, DroidDream appeared in the form of various legitimate-looking games and apps that incorporated exploits to provide the attacker with deeper access to the device than even its user enjoyed. DroidDream stole sensitive data from the user’s phone, but could also be used by the attacker in many other ways.

McAfee described another example of Android malware called Bgyoulu, which “appears to sign up a user to a premium-rate SMS service and then deletes the incoming confirmation message. With no indication that the user is using a for-pay service, the malware manages to silently steal data and phone information.” Lookout described another trojan named GGTracker that stealthily sent messages to premium SMS services from the victim’s phone.

Going After Two-Factor Authentication

Perhaps the most nefarious use of mobile device malware is its ability to intercept authentication codes that may be sent to the phone when it’s used as a second authentication factor. This is an especially risky development, considering the apparently growing use of mobile phones, instead of dedicated hardware tokens, for two-factor authentication.

The ZeuS malware family has been at the forefront of going after this aspect of information security. The attack involves social engineering and flows like this:

  1. The victim’s PC gets infected with a Windows version of ZeuS
  2. The victim is asked to download a certificate or a security app to his mobile phone
  3. The victim installs ZeuS on the mobile phone
  4. The malicious program intercepts SMS messages that the phone receives and transmits them to the attacker

As a result, the attacker not only obtains the victim’s banking logon credentials from the infected PC, but is also able to collect one-time authentication codes transmitted to the person’s phone.
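As an added defender-side example (not code from the original post), here is a triage heuristic that flags an Android manifest matching the SMS-interception pattern in the flow above: the app asks to receive SMS, registers a high-priority receiver for incoming messages, and has a channel to get them off the phone. The two manifests are constructed samples, and the priority threshold is an assumption chosen for illustration, not a vendor-published rule.

```python
# Added example: triage heuristic for SMS-forwarding Android trojans.
# Assumptions: standard Android permission/action names; HIGH_PRIORITY is
# a heuristic threshold, not an official rule; manifests are constructed.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
RECEIVE_SMS = "android.permission.RECEIVE_SMS"
# Channels the trojan needs in order to relay intercepted codes off the phone.
EXFIL_PERMS = {"android.permission.INTERNET", "android.permission.SEND_SMS"}
HIGH_PRIORITY = 100  # assumption: app wants the SMS before the stock messaging app

def sms_intercept_indicators(manifest_xml: str) -> dict:
    """Return the indicators that together match an SMS-forwarding trojan."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    top_priority = None
    for flt in root.iter("intent-filter"):
        actions = {a.get(ANDROID_NS + "name") for a in flt.findall("action")}
        if SMS_RECEIVED in actions:
            prio = int(flt.get(ANDROID_NS + "priority", "0"))
            top_priority = prio if top_priority is None else max(top_priority, prio)
    exfil = sorted(perms & EXFIL_PERMS)
    suspicious = (RECEIVE_SMS in perms and top_priority is not None
                  and top_priority >= HIGH_PRIORITY and bool(exfil))
    return {"receives_sms": RECEIVE_SMS in perms,
            "sms_receiver_priority": top_priority,
            "exfil_channels": exfil,
            "suspicious": suspicious}

# Constructed sample: a fake "security certificate" app, as in step 2 above.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.cert">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: an ordinary online game that never touches SMS.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><activity android:name=".Main"/></application>
</manifest>"""

if __name__ == "__main__":
    for name, m in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(name, sms_intercept_indicators(m))
```

A legitimate messaging app can also register a high-priority SMS receiver, so treat the result as a triage signal to prioritize manual review rather than as a verdict.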

ZeuS now affects most mobile device platforms. Here’s the approximate timeline of ZeuS’ support for intercepting SMS authentication codes on mobile devices:

How long until ZeuS conquers iOS? I’m not sure…

Apple vs. Android Exposure to Malware

iOS devices aren’t immune to the problem of trojan programs being listed in the App Store. To date, the users of iOS devices have benefited from the much tighter control that Apple exercises over its App Store listings. Yet, it’s technologically impossible to confirm that an app doesn’t have malicious capabilities.

Moreover, iOS isn’t without exploits, as evidenced by the availability of jailbreaking applications; attackers can use these types of exploits to remotely compromise iOS devices via drive-by and other techniques. Brian Krebs recently quoted Trusteer’s Mickey Boodaei predicting that exploit kits will begin exploiting such vulnerabilities on mobile devices when the user visits a malicious website. This would be a logical evolution of the mobile malware trends we’re observing now.

Symantec explained that malware authors have stayed away from iOS because:

"(A) they must register and pay to obtain a signing certificate from Apple, which makes it more likely they will get identified and prosecuted if they perform malicious activities, and (B) Apple tests each and every application that is submitted for publication on the App store for malicious behavior or violations of their policies, making it more likely that the attacker will be caught. Finally (C), Apple’s code signing model prevents tampering with published apps—there is no way for an attacker to maliciously modify another app (for example, to add spyware to it) without breaking the ‘seal’ on that app’s digital signature."

The caveat is that a mobile device that has been jailbroken—either by the user or by a drive-by exploit—won’t enforce Apple’s restrictions on which apps can run on iOS.

Should exploits begin targeting iOS, iPhone/iPad/iPod users will have to rely almost exclusively on Apple for help. This is because iOS doesn’t provide the low-level API that would allow third parties, such as antivirus companies, to develop powerful security tools. On the one hand, the tight grip that Apple maintains on iOS makes it harder to attack this platform. On the other hand, it could limit the sources of protection should Apple fail to respond quickly to attacks.

Wrapping it Up

The landscape of malware for mobile devices is changing rapidly. At the moment, Android is the most targeted OS, and will remain an attractive target due to the popularity and fragmentation of this platform. iOS is harder to attack; yet, it is very popular and therefore will not avoid the crosshairs of Internet attackers and malware authors.


Lenny Zeltser


About the Author

I transform ideas into successful outcomes, building on my 25 years of experience in cybersecurity. As the CISO at Axonius, I lead the security program to earn customers' trust. I'm also a Faculty Fellow at SANS Institute, where I author and deliver training for incident responders. The diversity of cybersecurity roles I've held over the years and the accumulated expertise, allow me to create practical solutions that drive business growth.
