"For malware to be successful for the cybercriminals, they've got to be able to make money, and what we're seeing here are the early days of them trying out strategies to see what works," said John Harrison, group manager with Symantec Security Response, in an interview. "They're getting a pretty low return on the effort, and pretty low revenue, and they're still trying to see where--as you'd say in the PC world--the easy money is.
When might mobile malware really take off? In "Motivations of Recent Android Malware," a report published Tuesday, author Eric Chien, technical director of Symantec's security technology and response group, said three factors are necessary for mobile malware to surge: open platforms, ubiquity, and financial gain.
[Think your mobile security strategy is sound? Learn about One Mobile Device Security Threat You Haven't Considered.]
Use of Apple iOS is widespread, but the operating system is closed and all applications vetted before being offered for sale, which accounts for the relative absence of malware targeting iPhones or iPads. But Android is open, able to use third-party application markets, and ubiquitous. Indeed, according to Gartner, from April to June 2011, Android accounted for 43% of all smartphone sales. All of those factors make Android the most attractive mobile platform to exploit.
Furthermore, there are few technical barriers to taking legitimate Android applications and adding attack code--a process known as "Trojanizing" them. "I don't know if you've seen how easy it is to Trojanize an app , but you take a released application, bring it down to your desktop, use a Java developer kit, add Trojan code, and then upload it after renaming it as a 'free' version of the real app," said Harrison. "You've got unsuspecting users who say, oh great, here's the free version of whatever, and behind the scenes, they don't know what's going on."
Despite the ease of Trojanizing legitimate Android apps, however, such malware has yet to hit the monetization mark, despite extensive experimentation by attackers. "Only if these monetization schemes succeed do we expect attackers to continue to invest in the creation of Android malware," said Chien. Of course, that's good news for Android users, especially since according to a SANS study conducted last year, only 15% of smartphone users employ add-on security tools.
Experimentally speaking, so far criminals have been testing the many techniques that pay handsome dividends when used for PC attacks, including fake AV campaigns, which trick users into thinking that their device is infected with malware, and then sell fake software that magically removes the (nonexistent) infection.
Meanwhile, pay per install--in wide use for exploiting PCs and using them en masse to launch distributed denial-of-service attacks or serve as spam relays--is likewise being used to distribute Android malware. Other techniques include installing spyware--which can record phone calls, if the device has first been rooted--as well as search engine poisoning and pay-per-click attacks, which use exploited Android smartphones to artificially inflate website hit rates, thus generating increased advertising revenue for the website owner. Meanwhile, other Android malware has served adware or stolen people's banking transaction identification numbers.
But attackers apparently haven't yet found the magic mobile malware monetization combination. "For each attack we have seen on Android, none were repeated. It is possible that the attackers did not generate enough revenue, and thus did not repeat the effort," said Chien. "So while we will continue to see malicious Android applications, additional advances in the mobile technology space that allow greater monetization are likely [to be] required before malicious Android applications reach parity with Windows."