Mobile
News
10/11/2011
09:29 AM
Connect Directly
RSS
E-Mail
50%
50%

Android Mobile Malware Fails To Make Money

Attackers haven't yet achieved mobile malware returns that equal the payoff from a Windows PC infection or fake antivirus campaign.

Lookout Mobile Security Protects Android Smartphones
Slideshow: Lookout Mobile Security Protects Android Smartphones
(click image for larger view and for slideshow)
Mobile malware attacks don't pay--at least not yet. While the quantity of attacks aimed at exploiting Android devices has been increasing dramatically over the past year, the criminals behind mobile malware have so far largely failed to cash in on their creations.

"For malware to be successful for the cybercriminals, they've got to be able to make money, and what we're seeing here are the early days of them trying out strategies to see what works," said John Harrison, group manager with Symantec Security Response, in an interview. "They're getting a pretty low return on the effort, and pretty low revenue, and they're still trying to see where--as you'd say in the PC world--the easy money is.

When might mobile malware really take off? In "Motivations of Recent Android Malware," a report published Tuesday, author Eric Chien, technical director of Symantec's security technology and response group, said three factors are necessary for mobile malware to surge: open platforms, ubiquity, and financial gain.

[Think your mobile security strategy is sound? Learn about One Mobile Device Security Threat You Haven't Considered.]

Use of Apple iOS is widespread, but the operating system is closed and all applications vetted before being offered for sale, which accounts for the relative absence of malware targeting iPhones or iPads. But Android is open, able to use third-party application markets, and ubiquitous. Indeed, according to Gartner, from April to June 2011, Android accounted for 43% of all smartphone sales. All of those factors make Android the most attractive mobile platform to exploit.

Furthermore, there are few technical barriers to taking legitimate Android applications and adding attack code--a process known as "Trojanizing" them. "I don't know if you've seen how easy it is to Trojanize an app , but you take a released application, bring it down to your desktop, use a Java developer kit, add Trojan code, and then upload it after renaming it as a 'free' version of the real app," said Harrison. "You've got unsuspecting users who say, oh great, here's the free version of whatever, and behind the scenes, they don't know what's going on."

Despite the ease of Trojanizing legitimate Android apps, however, such malware has yet to hit the monetization mark, despite extensive experimentation by attackers. "Only if these monetization schemes succeed do we expect attackers to continue to invest in the creation of Android malware," said Chien. Of course, that's good news for Android users, especially since according to a SANS study conducted last year, only 15% of smartphone users employ add-on security tools.

Experimentally speaking, so far criminals have been testing the many techniques that pay handsome dividends when used for PC attacks, including fake AV campaigns, which trick users into thinking that their device is infected with malware, and then sell fake software that magically removes the (nonexistent) infection.

Meanwhile, pay per install--in wide use for exploiting PCs and using them en masse to launch distributed denial-of-service attacks or serve as spam relays--is likewise being used to distribute Android malware. Other techniques include installing spyware--which can record phone calls, if the device has first been rooted--as well as search engine poisoning and pay-per-click attacks, which use exploited Android smartphones to artificially inflate website hit rates, thus generating increased advertising revenue for the website owner. Meanwhile, other Android malware has served adware or stolen people's banking transaction identification numbers.

But attackers apparently haven't yet found the magic mobile malware monetization combination. "For each attack we have seen on Android, none were repeated. It is possible that the attackers did not generate enough revenue, and thus did not repeat the effort," said Chien. "So while we will continue to see malicious Android applications, additional advances in the mobile technology space that allow greater monetization are likely [to be] required before malicious Android applications reach parity with Windows."

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Bprince
50%
50%
Bprince,
User Rank: Apprentice
10/11/2011 | 11:03:05 PM
re: Android Mobile Malware Fails To Make Money
True. Some of this will change too I think as more people use mobile phones for banking in certain countries and point-of-sale systems go mobile.
Brian Prince, InformationWeek contributor
jrapoza
50%
50%
jrapoza,
User Rank: Apprentice
10/11/2011 | 8:05:27 PM
re: Android Mobile Malware Fails To Make Money
I think part of the issue is that, while Android malware to date provides the bad guys access to data, they don't own the device to same extent that they own a compromised PC. Once they have that kind of total control of the device then Android malware will become more pervasive.

Jim Rapoza is an InformationWeek Contributing Editor
InformationWeek Elite 100
InformationWeek Elite 100
Our data shows these innovators using digital technology in two key areas: providing better products and cutting costs. Almost half of them expect to introduce a new IT-led product this year, and 46% are using technology to make business processes more efficient.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Must Reads Oct. 21, 2014
InformationWeek's new Must Reads is a compendium of our best recent coverage of digital strategy. Learn why you should learn to embrace DevOps, how to avoid roadblocks for digital projects, what the five steps to API management are, and more.
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
A roundup of the top stories and community news at InformationWeek.com.
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.