An explosion in mobile malware during the last six months has more than doubled the chance that a user’s Android smartphone will become infected, a security researcher said today.
According to Lookout Security, which develops anti-malware software for Android but not for Apple’s iPhone, the likelihood of an Android owner encountering malware has jumped by two-and-a-half times since January.
By June, between one per cent and five per cent of Android users — the number varies by country — had been infected by mobile malware, said Kevin Mahaffey, co-founder and CTO of San Francisco-based Lookout.
Mahaffey blamed a dramatic spike in malware targeting Android for improving hackers’ odds. “In January, we saw only 80 unique pieces of Android malware, but by the end of June we tracked over 400,” said Mahaffey.
Lookout used its Mobile Threat Network, which analyzes apps acquired from both official and independent markets, and the malware-detection results from its security software, to come up with its statistics.
The Android malware problem shot into public view in early March, when Google yanked more than 50 apps infected with the “DroidDream” malware from the Android Marketplace, then continued with several more clusters found on Google’s official download site and on third-party markets — particularly those in China.
The rogue app model — where attackers pirate a legitimate program, add malicious code and then re-release the app into the wild — will continue to be the biggest mobile malware threat to Android users. “Repackaging [legitimate] apps will remain popular, simply because it’s very effective,” Mahaffey said.
But malware makers are getting more innovative, added Mahaffey, who declined to use the word “clever” to describe attackers’ evolving tactics.
A new distribution channel, dubbed the “upgrade attack” by Mahaffey, has been used by at least one malware family to increase the pool of potential victims. An upgrade attack sidesteps the problem that hackers face when they release an infected app: The relatively small window of opportunity before their work is discovered and the app pulled from the Android Market or other download site.
“We’ve started to see [attackers] publish a clean app, then wait for a while before offering an update that’s infected,” said Mahaffey. “Because most people automatically update their apps, there’s less time that the malware is on the market before it’s installed by a lot of people.”
Hackers are experimenting with different distribution models and various ways to monetize their work, Mahaffey observed.
“How do they get onto the device, and then how do they make money … both are important,” he said. “Mobile malware is now in the experimental stage, where attackers try innovative techniques to distribute their malware, and are engaging in experimental monetization.”
Lookout has seen several forms of profit-making by smartphone malware, ranging from charging users hidden fees to sending waves of text messages to premium numbers. “The ability to monetize will be what cracks the market,” Mahaffey predicted. “When the bad guys are able to figure that out, watch out.”
Although Android owners have faced the brunt of the mobile malware threat, iPhone users aren’t immune.
“There has not really been any malware on the [Apple] App Store, but iOS is affected by application vulnerabilities and Web-based threats,” said Mahaffey, talking about phishing attacks that rely on malicious websites to fool users into divulging personal information.
Based on the prevalence of Web-based threats in June, Lookout projects that three out of 10 smartphone owners will encounter an unsafe link this year.
It was the release last month of a new iPhone “jailbreak” — a hack that lets an owner install software not approved by Apple — that sparked Mahaffey’s interest in iOS threats.
“Although the jailbreak was not malicious, it woke up a lot of IT administrators,” he said.
The jailbreak relied on a pair of then-unpatched vulnerabilities in iOS that could be exploited simply by steering an iPhone, iPad or iPod Touch to a special site, essentially mimicking a “drive-by” attack. If criminals possessed similar vulnerabilities, they could hijack an iPhone if they convinced its owner to browse to a malicious site.
Even with the threats climbing, Mahaffey remained cautiously optimistic.
“We’re in the startup phase of the mobile malware market, with innovation in distribution and monetization, but I think the threat is manageable,” said Mahaffey. “We can have our cake and eat it, too. Yes, there are threats out there, but if people remember that their smartphone is essentially a PC and to be as careful [when using their smartphone] as they are when using a PC, they can be safe.”
Lookout’s mobile threat report can be viewed on or downloaded as a PDF from company’s website.