At the Virus Bulletin Conference last month in Dallas, Grayson Milbourne and Armando Orozco presented a talk entitled XXX Malware Exposed: An in-depth look at the evolution of XXX Malware. I have renamed it in this blog post to mobile malware because the techniques that malware writers are doing are not unique to any one platform. They could be applied to any mobile environment with a few changes (I have x’ed out a certain smartphone to underscore this even though its name is given in clear text in the actual presentation).
Mobile malware started two years back:
- It began with a trojan SMS installer.
- They then evolved to a Trojan in the Chinese marketplaces which were delivered by pirated applications.
- The next iteration was a mobile trojan called “xxx Dream” that infected the legitimate marketplace; it rooted the device and had bot capabilities that could act as a Command-and-Control center. It also installed a payload.
Mobile malware is now delivered in multiple ways: through social engineering, through rogue marketplaces, through infected applications, through SMS phishing, man-in-the-middle attacks, and drive-by infections. Furthermore, they have started using the same techniques to evade detection as the desktop world: polymorphic distribution (minor changes in every downloads including hashbuster to evade signatures), payload encryption, security app removal, and payloads in embedded files.
Gee, you might think they’ve done this before.
How has the malicious action changed over time? Early versions did not use encryption and send premium SMS messages. Now, they root the device and add it to a bot network that installs payload for its applications.
How can this happen?
Part of the problem is that there is no easy mechanism to update the smartphone OS to the latest version. Many users are running OS’es 2.x versions ago. Manufacturers don’t have easy ways to update (there’s no Windows Update for your phone… yet).
Malware authors know this; if hundreds of millions of people are using an insecure OS, malware authors will exploit it. They do things like:
- Data loss – Malware that sits on the smartphone and collects contacts info, then sends the data to a remote server without the user’s consent. It uses the collected contact data to spam SMS contacts
- Malicious apps – There is some phishing SMS stuff, too
What are some security tips?
- Use smart device policy – Download your apps from a trusted source, not something like a rogue market place or through torrents.
- Device access – Use passwords, not swipe lock screens.
- Encrypt confidential data – This way, even if you lose your phone, the data is protected.
- Remote location and/or wipe – Similar to above, if you lose your phone, you can minimize the damage.
- Mobile device management – This is relevant for BYOD. Companies need an access story around allowing 3rd party devices into their network.
- Device backup – Keep your data backed up. You don’t want to lose your phone and your data. Easier to replace your phone.
- Get help – This stuff is hard. Get help when you need it.
And that’s my summary of the evolution of mobile malware. It looks a lot like the evolution of PC malware, and the security tips for increasing your security are very similar.