Lookout Mobile Threat Report 2011


August 2011
TABLE OF CONTENTS
Highlights
Research Methodology
Why Mobile Security is Important
Mobile OS Security Model Comparison
Platform Vulnerabilities and Patch Management
Mobile Threats
Mobile Malware Trends
What's Next?
Tips To Stay Safe
About Lookout
HIGHLIGHTS
  o Both web-based and app-based threats are increasing in prevalence and sophistication.
  o Android users are two and a half times as likely to encounter malware today as they were six months ago, and three out of ten Android owners are likely to encounter a web-based threat on their device each year.
  o An estimated half million to one million people were affected by Android malware in the first half of 2011; Android apps infected with malware went from 80 apps in January to over 400 apps cumulative in June 2011.
  o Attackers are deploying a variety of increasingly sophisticated techniques to take control of the phone, personal data, and money. Additionally, malware writers are using new distribution techniques, such as malvertising and update attacks.

RESEARCH METHODOLOGY
The findings in this report are based on data collected and analyzed by Lookout through our Mobile Threat Network, which includes the world's largest database of applications and aggregates detection results from mobile devices throughout the world. The Lookout Mobile Threat Network gathers application data from a variety of sources including official application markets, such as the Android Market and Apple App Store, as well as alternative markets in which apps are distributed.

WHY IS MOBILE SECURITY IMPORTANT
Mobile devices are the fastest growing consumer technology, with worldwide unit sales expected to increase from 300 million in 2010 to 650 million in 2012.[1] Mobile applications are likewise booming. In June 2011, for the first time ever, people on average spent more time using mobile applications (81 minutes) than browsing the mobile web (74 minutes).[2]

While once limited to simple voice communication, the mobile device now enables us to also send text messages, access email, browse the Web, and even perform financial transactions. Even more significant, apps are turning the mobile device into a general-purpose computing platform. In just three short years since introducing the iPhone SDK in 2008, Apple boasts over 425,000 apps available for iOS devices. Seeing similarly explosive growth, the Android Market now contains over 200,000 apps after only a short period of time.[3]

[1] Roberta Cozza, "Forecast: Mobile Communications Devices by Open Operating System, Worldwide, 2008-2015," Gartner, April 5, 2011
[2] Flurry (June 2011), Mobile Apps Put the Web in Their Rear-view Mirror: http://blog.flurry.com/bid/63907/Mobile-Apps-Put-the-Web-in-Their-Rear-view-Mirror
[3] Erica Ogg, "HP: Number of mobile apps doesn't matter," CNET News, June 29, 2011
Every day hundreds of apps are added to the Android Market and Apple App Store.

As mobile devices grow in popularity, so do the incentives for attackers. Mobile malware, for example, is clearly on the rise, as attackers experiment with new business models by targeting mobile phones. Recently over 250,000 Android users were compromised in an unprecedented mobile attack when they downloaded malicious software disguised as legitimate applications from the Android Market.[4]

The emergence of mobile payments is another key driver of mobile threats. The value of mobile payment transactions is projected to reach almost $630 billion by 2014, up from $170 billion in 2010.[5] Vendors, retailers, merchants, content providers, mobile operators, and banks are all actively establishing new payment services. Mobile payments create an attractive target for attackers, as they allow direct monetization of attacks.

In addition to financial information, mobile devices store tremendous amounts of personal and commercial data that may attract both targeted and mass-scale attacks.

MOBILE OS SECURITY MODEL COMPARISON
Although history has repeatedly demonstrated that it is virtually impossible to create a perfectly secure system, mobile operating system developers have learned from security mistakes of the PC world. Android and iOS have each taken an innovative approach to securing both the operating system and application distribution process.

iOS
On the device itself, Apple's iOS security model runs each third-party application in an isolated environment so that the application may only access its own data and permitted system resources. All third-party applications are granted access to the same data and capabilities on the device with the exception of a few, such as location data and push notifications, which require a user to opt in for each application.

In terms of app distribution, Apple's App Store for iOS utilizes a curated app review model in which all apps submitted by developers go through a manual review process with restrictions based on policies regarding issues such as data collection, API usage, content appropriateness, and user interface guideline compliance. This model is designed with the assumption that apps will only be downloaded from Apple's App Store, as some security restrictions are enforced during the review process but not necessarily enforced on the device itself. The assumption generally holds, as iOS devices prevent users from loading applications from sources other than Apple's App Store unless the device has been "jailbroken." Jailbreaking is a process whereby the user can alter the phone's operating system to gain full access (or root access) to the operating system and allow applications not officially vetted by Apple, many of which

[4] Lookout Mobile Security Blog (March 2011), Update: Security Alert: DroidDream Malware Found in Official Android Market: http://blog.mylookout.com/2011/03/security-alert-malware-found-in-official-android-market-droiddream/
[5] Howard Wilcox, "Mobile Payments Markets: Strategies & Forecasts 2010-2014," Juniper Research, May 2010
take advantage of operating system capabilities otherwise restricted by Apple's review policies.

Android
Android has an operating system security model that supports its open application distribution model. In the Android OS security model, an application's capabilities are gated by "permissions" that the application declares in its manifest; they are granted when the application is installed and cannot be changed at a later time. When installing an application, users are presented with the list of permissions requested by the application and can determine whether the permissions are appropriate for the functionality of the app. Permissions allow applications to access specific data and capabilities on a device, including location, contacts, SMS messaging, identity information, and the ability to access the Internet. If an application's permissions seem overreaching, a user may choose not to install the app or may identify it as suspicious. While the Android permissions model enables developers to provide a broad range of functionality in their apps, it does rely on end users' ability to evaluate the permissions requested by an app at the time of installation.

In terms of app distribution, the Android operating system utilizes an open application distribution model that allows users to download applications from a variety of sources, including Google's Android Market, Amazon's Appstore for Android, carrier markets such as Verizon's V CAST network, and other alternative app markets. Android also has a setting, often referred to as sideloading, which enables or disables the capability to download applications from sources outside of the Android Market. Android enables multiple application distribution methods. For example, Amazon's Appstore for Android and Verizon's V CAST apps utilize a curated model with a manual review process similar to Apple's, while Google's Android Market is based on a community-enforced model where some security checks are performed when applications are submitted to the market, but it is expected that the community as a whole will participate in identifying malicious or otherwise undesirable applications. This allows Android developers to update their applications much more quickly than with the curated model.

PLATFORM VULNERABILITIES AND PATCH MANAGEMENT
In any complex software system, there are bound to be flaws and security vulnerabilities. Mobile device operating systems are no exception. Security vulnerabilities in mobile operating systems and applications are regularly identified and must be fixed to prevent attackers from using them to compromise systems. In fact, a number of vulnerabilities have been exploited on both Android and iOS devices. For example, the DroidDream malware that emerged in the Android Market in the first quarter of 2011 utilized two exploits, Exploid[6] and RageAgainstTheCage,[7] to break out of the Android security sandbox, gain root control of the operating system, and install applications without user intervention.[8] Similarly, JailbreakMe 3.0 for iOS devices is a non-malicious web page that exploits two vulnerabilities to jailbreak a device.[9]

As with PCs, software patches are used to fix vulnerabilities on mobile devices. In the PC world, common processes like patch management are relatively simple. Software vendors deliver online updates to licensed users on a regular schedule or as needed. On mobile devices, depending on the nature of the vulnerability, a patch may be as simple as updating a single application or as complex as a firmware update that involves both the device manufacturer and the carrier. Critical vulnerabilities on mobile devices, such as kernel or web browser issues, often require a firmware update if they occur in software that is highly integrated into the operating system. Given the differences in the mobile ecosystems, patch management processes vary by OS.

In the case of Android, Google regularly produces updates to fix security vulnerabilities on the Android OS within days of discovery and pushes the fixes into the Android Open Source Project (AOSP). Next, it is up to device manufacturers to produce a device-specific firmware update incorporating the vulnerability fix, which can take a significant amount of time if there are proprietary modifications to the device's software. Device manufacturers typically pull the patch from the AOSP repository, merge in their modifications, and produce a new firmware update. This process is complicated by the fact that a single device model may have a large number of updates to support carrier-specific customizations. Once a manufacturer produces a firmware update, it is up to each carrier to test it and deploy the update to users. For users, the process to install an update is rather simple: they typically receive the update over-the-air (OTA) and confirm its installation.

On iOS, security updates typically require Apple to produce a new firmware build, an operator to test the firmware build, and a user to sync with iTunes to install the patch. Because there are fewer parties in the iOS ecosystem (Apple, operators, and users), firmware updates are typically made available more quickly to a broad base of users than with Android. To apply an iOS firmware update, users must sync with iTunes. Unfortunately, many users simply plug their iOS devices into an outlet to charge them and rarely sync. According to one report, as many as 50 percent of iPhone users do not regularly sync with iTunes and thus are unlikely to receive critical security updates.[10] This failure to sync means that many users do not apply updates, even though they may be available.

Both Google and Apple are taking steps to improve the state of patching on their respective platforms. The Android team has announced that it intends to enforce an 18-month minimum support cycle for all Android devices to ensure that devices receive software updates throughout their expected lifetime.[11] Apple has announced that its upcoming iOS 5 will support firmware updates downloaded over the air and will not require syncing with a computer to apply them.[12]

[6] C-Skills (July 23, 2010): http://c-skills.blogspot.com/search?q=exploid
[7] C-Skills (July 15, 2010): http://c-skills.blogspot.com/
[8] Lookout Mobile Security Blog (March 2011), Android Malware DroidDream: How it Works: http://blog.mylookout.com/2011/03/android-malware-droiddream-how-it-works
[9] http://esec-lab.sogeti.com/post/Analysis-of-the-jailbreakme-v3-font-exploit
[10] http://onefps.net/post/6496478249/50-percent-of-iphone-owners-dont-backup
[11] http://www.engadget.com/2011/05/10/google-clarifies-18-month-android-upgrade-program-details-far-f
[12] http://www.apple.com/pr/library/2011/06/06New-Version-of-iOS-Includes-Notification-Center-iMessage-Newsstand-Twitter-Integration-Among-200-New-Features.html
Conflict of Interest in Vulnerability Disclosure
Many mobile devices do not offer users full control over their device hardware or operating system. To gain complete control, people will "root" or "jailbreak" their device. The process of rooting or jailbreaking takes advantage of operating system vulnerabilities to bypass security protections on a device.

Software vendors want to fix vulnerabilities as quickly as possible, before they can be exploited and used maliciously, so well-intentioned researchers typically disclose vulnerabilities they find to the software vendor. On mobile devices, however, there is a conflict of interest. Because vulnerabilities are often the only way to root or jailbreak devices, many researchers do not want vulnerabilities to get fixed so they can maintain full control over their devices. The desire to gain full control over devices creates a disincentive for researchers to disclose vulnerabilities.

This conflict of interest between vulnerability disclosure and the ability for people to fully control their own device poses a great security issue. Once a vulnerability being used to root or jailbreak devices becomes public knowledge, it may also be used by malicious attackers, as happened with DroidDream. Until all mobile devices allow users to gain full control without resorting to exploits, this conflict of interest between control and safety is likely to continue.

MOBILE THREATS
As with PCs, there are a variety of security threats that can affect mobile devices. We split mobile threats into several categories: application-based threats, web-based threats, network-based threats and physical threats. For the sake of brevity, this list is intended to be a general overview of the most important mobile threats, not an exhaustive treatment of all possible threats.

Application-based Threats
Downloadable applications present many security issues on mobile devices, including both software specifically designed to be malicious as well as software that can be exploited for malicious purposes. Application-based threats generally fit into one or more of the following categories:

MALWARE is software that is designed to engage in malicious behavior on a device. For example, malware can commonly perform actions without a user's knowledge, such as making charges to the user's phone bill, sending unsolicited messages to the user's contact list, or giving an attacker remote control over the device. Malware can also be used to steal personal information from a mobile device that could result in identity theft or financial fraud.
SPYWARE is designed to collect or use data without a user's knowledge or approval. Data commonly targeted by spyware includes phone call history, text messages, location, browser history, contact list, email, and camera pictures. Spyware generally fits into two categories: it can be targeted, designed for surveillance over a particular person or organization, or untargeted, designed to gather data about a large group of people. Depending on how it is used, targeted spyware may or may not be considered malicious, such as in the case of a parent using a text messaging or location monitoring application on a child's phone.

PRIVACY THREATS may be caused by applications that are not necessarily malicious (though they may be), but gather or use more sensitive information (e.g., location, contact lists, personally identifiable information) than is necessary to perform their function or than a user is comfortable with.

VULNERABLE APPLICATIONS contain software vulnerabilities that can be exploited for malicious purposes. Such vulnerabilities can often allow an attacker to access sensitive information, perform undesirable actions, stop a service from functioning correctly, automatically download additional apps, or otherwise engage in undesirable behavior. Vulnerable applications are typically fixed by an update from the developer.

Web-based Threats
Because mobile devices are often constantly connected to the Internet and used to access web-based services, web-based threats that have historically been a problem for PCs also pose issues for mobile devices:

PHISHING SCAMS use web pages or other user interfaces designed to trick a user into providing information such as account login information to a malicious party posing as a legitimate service. Attackers often use email, text messages, Facebook, and Twitter to send links to phishing sites.

DRIVE-BY-DOWNLOADS automatically begin downloading an application when a user visits a web page. In some cases, the user must take action to open the downloaded application, while in other cases the application can start automatically.

BROWSER EXPLOITS are designed to take advantage of vulnerabilities in a web browser or software that can be launched via a web browser such as a Flash player, PDF reader, or image viewer. Simply by visiting a web page, an unsuspecting user can trigger a browser exploit that can install malware or perform other actions on a device.

Network Threats
Mobile devices typically support cellular networks as well as local wireless networks. There are a number of threats that can affect these networks:
NETWORK EXPLOITS take advantage of software flaws in the mobile operating system or other software that operates on local (e.g., Bluetooth, Wi-Fi) or cellular (e.g., SMS, MMS) networks. Network exploits often do not require any user intervention, making them especially dangerous when used to automatically propagate malware.

WI-FI SNIFFING can compromise data being sent to or from a device by taking advantage of the fact that many applications and web pages do not use proper security measures, sending their data in the clear (not encrypted) so that it may be easily intercepted by anyone listening across an unsecured local wireless network.

Physical Threats
Since mobile devices are portable and designed for use throughout our daily lives, their physical security is an important consideration.

LOST OR STOLEN DEVICES are one of the most prevalent mobile threats. The mobile device is valuable not only because the hardware itself can be re-sold on the black market, but more importantly because of the sensitive personal and organizational information it may contain.

TRENDS
Mobile security issues are present on all major mobile platforms, though threats affect each platform differently. In this report, we specifically focus on iOS and Android.

Application-based threats affect both iOS and Android. Currently, malware and spyware have primarily targeted Android devices, though there are commercial spyware applications available for jailbroken iOS devices. According to our data, in June of 2011 Android users were two and a half times more likely to encounter malware than just six months ago. While malware has increased at a faster rate than spyware, Android users are still slightly more likely to encounter spyware than malware. Privacy issues affect both platforms.

Web-based threats that carry over from the PC, such as phishing, generally do not discriminate by platform. iOS has been more notably affected by browser exploitation (although only in a non-malicious way, to jailbreak devices[13]), while Android has begun to see drive-by-downloads in the wild.[14] Based on the incidence of web-based threats in June 2011, approximately three out of ten people are likely to click on an unsafe link each year.

DIAGRAM 1: 3 in 10 people are likely to encounter an unsafe link this year

[13] http://www.jailbreakme.com
[14] http://blog.mylookout.com/2011/06/security-alert-android-trojan-ggtracker-charges-victims-premium-rate-sms-messages
APPLICATION-BASED THREATS
In this section we explore some of the prevalent and emerging trends related to application-based threats, including distribution and functionality trends in malware and spyware, privacy issues, and application vulnerabilities.

Malware and Spyware
Malware and spyware are primarily targeting Android currently, though there are notable pieces of commercial spyware targeting iOS devices as well. In 2010, spyware (targeted and untargeted) was far more prevalent than malware across the Android user base, but the trend has shifted, as malware has made significant gains against spyware. Of the threats Lookout detected in the wild during June 2011, 48% were malware vs. 52% spyware.

DIAGRAM 2: Application-based Threats Breakdown, Jan 2011 vs. June 2011
  Jan 2011:  34% malware, 66% spyware
  June 2011: 48% malware, 52% spyware

Not only has malware grown more rapidly than spyware, there has also been a steady growth in the number of applications infected with malware, increasing from 80 to 400 unique applications in the first six months of 2011. Worldwide, the likelihood of encountering malware varies from less than 1% to more than 4% depending on country.
DIAGRAM 3: Estimated Annual Mobile Malware Infection Rate 2011 (world map; likelihood per year shaded as <1%, 1-2%, 2-3%, 3-4%, 4%+)

DIAGRAM 4: Malware Infected Apps (number of infected apps, 0 to 400, by month from Jan 2011 to July 2011)

In the next section, we examine malware and spyware trends in three important aspects: how attackers entice users to download; distribution methods; and capabilities.

Social Engineering: How Attackers Entice People to Download Malware and Spyware
People, obviously, do not purposefully download malware or spyware to their devices, so attackers must use techniques to mislead users into downloading it unknowingly. Once an attacker convinces someone to download a malicious app, then the technical hacking can begin.
REPACKAGING is a very common tactic in which a malware writer takes a legitimate application, modifies it to include malicious code, then republishes it to an app market or download site. The repackaging technique is highly effective because it is often difficult for users to tell the difference between a legitimate app and its repackaged doppelganger. In fact, repackaging was the most prevalent type of social engineering attack used by Android malware writers in the first two quarters of 2011. The types of applications most frequently repackaged with malware include games, utilities, and porn apps. For example, DroidDreamLight was originally found in 20 utility, 9 porn and 5 game apps in the Android Market.[15]

Diagram 5 shows several examples of apps repackaged with malware:

DIAGRAM 5: Examples of repackaged apps
  Gaming apps: BubbleBuster, repackaged with DroidDreamLight; Chess, repackaged with DroidDream; Spiderman, repackaged with DroidDream
  Utility apps: Battery Saver app, repackaged with GGTracker; Scientific Calculator app, repackaged with DroidDreamLight
  Porn apps: Porn app, repackaged with GGTracker

Repackaged apps containing malware create a crisis of trust. To the naked eye, a legitimate app and a repackaged version often look the same with the exception of their permissions. Apps repackaged with malware typically, though not always, require a greater set of permissions than the original app. In some cases, malware writers will pirate paid applications and make them available for free, injecting malware into the pirated version. The illustration in Diagram 6 details an example of the process used by malware writers to take legitimate apps from the Android Market, repackage them with malware, and introduce the repackaged versions into third party app stores.

[15] http://blog.mylookout.com/2011/05/security-alert-droiddreamlight-new-malware-from-the-developers-of-droiddream/
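The permission comparison this paragraph describes is the first thing an analyst does with a suspected repackaged app, and it is cheap to automate. The script below is an added example, not code from Lookout's report or from any of the malware families named in it. It diffs the <uses-permission> entries of two decoded manifests and also flags a high-priority receiver for SMS_RECEIVED, the manifest-visible footprint of the premium-rate SMS interception described later under Malware Capabilities. Both manifests, the package name com.example.monkeyjump (after the Monkey Jump example in Diagram 6), the HIGH_RISK list and the priority threshold are constructed assumptions of the example; the manifests are assumed to have already been decoded from binary XML (for instance with apktool).

```python
"""Permission diff and SMS-interception check for a repackaged Android app.

Added example; not code from the Lookout report. It assumes both manifests
have been decoded from binary XML to plain text, and the package name,
permission lists and receiver below are constructed for illustration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Permissions that, when they appear only in the repackaged copy, most
# directly enable the billing fraud and remote control the report describes.
# A heuristic of this example, not a list taken from the report.
HIGH_RISK = {
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.INSTALL_PACKAGES",
    "android.permission.RECEIVE_BOOT_COMPLETED",
}


def android_attr(name):
    """Clark-notation attribute name for android:<name>."""
    return "{%s}%s" % (ANDROID_NS, name)


def permissions(manifest_xml):
    """Set of permission names declared with <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(android_attr("name")) for el in root.iter("uses-permission")}


def permission_diff(original_xml, repackaged_xml):
    """Permissions the repackaged copy requests beyond (or instead of) the original."""
    original = permissions(original_xml)
    repackaged = permissions(repackaged_xml)
    added = repackaged - original
    return {
        "added": added,
        "removed": original - repackaged,
        "high_risk_added": added & HIGH_RISK,
    }


def sms_interceptors(manifest_xml, min_priority=1000):
    """Receivers for SMS_RECEIVED registered at min_priority or higher.

    On 2011-era Android the ordered SMS_RECEIVED broadcast reaches the
    highest-priority receiver first; a receiver that calls abortBroadcast()
    keeps the messaging app from ever showing the message, which is how
    premium-rate SMS malware hides the carrier's confirmation texts.
    The 1000 threshold is a heuristic of this example.
    """
    root = ET.fromstring(manifest_xml)
    hits = []
    for receiver in root.iter("receiver"):
        for intent_filter in receiver.findall("intent-filter"):
            actions = {a.get(android_attr("name")) for a in intent_filter.findall("action")}
            priority = int(intent_filter.get(android_attr("priority"), "0"))
            if SMS_RECEIVED in actions and priority >= min_priority:
                hits.append((receiver.get(android_attr("name")), priority))
    return hits


# Constructed sample: the game as its developer shipped it ...
ORIGINAL_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.monkeyjump">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <application android:label="Monkey Jump">
    <activity android:name=".GameActivity"/>
  </application>
</manifest>
"""

# ... and the same game after a repackager added a premium-SMS payload.
REPACKAGED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.monkeyjump">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Monkey Jump">
    <activity android:name=".GameActivity"/>
    <receiver android:name="com.example.monkeyjump.SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

if __name__ == "__main__":
    diff = permission_diff(ORIGINAL_MANIFEST, REPACKAGED_MANIFEST)
    print("added:", sorted(diff["added"]))
    print("high-risk added:", sorted(diff["high_risk_added"]))
    print("SMS interceptors:", sms_interceptors(REPACKAGED_MANIFEST))
```

A widened permission set is evidence, not proof: legitimate updates add permissions too, and a repackager who keeps the original permission set passes this check entirely, so treat the diff as a triage filter that tells you which added components (receivers, services, new classes) to read next rather than as a verdict.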
DIAGRAM 6: How an App is Repackaged
  1. Developer creates a game called Monkey Jump.
  2. Developer uploads the game to the Android Market.
  3. Malicious developer takes the legitimate game and repackages it with malware.
  4. Malicious developer uploads the game to a 3rd party app store.
  5. End user downloads the game with malware.
  6. Malicious developer can control the phone remotely and access users' private information: send location, send contact info, send and read SMS messages, place phone calls, silently download files, launch web browser, and more.

MISLEADING DISCLOSURE. Just as PCs have had to contend with spyware and adware that walks the line between being malicious and simply being undesirable, so do mobile devices. Misleading apps may not necessarily violate an application market's acceptable use agreement, or even their own terms of service, which makes them difficult to block or remove despite their being clearly undesirable.

One way misleading apps walk the line is to disclose their functionality in a way that a user would technically agree to, but is unlikely to actually notice, by burying the information in fine print on the app or in an app's terms of use. One example, discovered in June 2011, is Plankton, which had invasive tracking built into the app, but disclosed the functionality in its EULA (End-User License Agreement). Because of this disclosure, Plankton may not be classified as malicious, but it's something people probably do not want installed.
DIAGRAM 7: GGTracker fine-print disclosure dialog. The dialog text reads: "User agrees by pressing Okay to sign up for premium SMS ringtone subscription service for 9.99 per month. User may cancel subscription at any time by replying to ringtone shortcode STOP. If user quits within 24 hours user will not be billed $9.99. User understands that tic-tac-toe app will message user's friends when a game is initiated by end user."

DIAGRAM 8: Update attack by the creators of Legacy (a.k.a. DroidKungFu)

In another example (see Diagram 7), a version of GGTracker disclosed in fine print on a user interface dialog that charges would be made to the user's phone bill every month in the form of a premium SMS ringtone service in order to get access to the app, even though such services are likely entirely unrelated to the app's functionality.

UPDATE ATTACKS. Recently malware writers have begun using application updates as an attack method in the Android Market. A malware writer first releases a legitimate application containing no malware. Once they have a large enough user base, the malware writer updates the application with a malicious version. Because many users have their devices set to automatically update applications or will manually update whenever a new version is available, the update attack technique minimizes the amount of time malware is in the market before it is installed on a large number of devices. We first observed this technique being used in the wild by the creators of Legacy (a.k.a. DroidKungFu); an example of this can be seen in Diagram 8.

Distribution: How Attackers Make Malware Available
In order to get in front of users, malware writers use a variety of techniques. In this section we cover some of the most notable distribution trends we've seen thus far in 2011.

SHOTGUN DISTRIBUTION
Malware writers target both the official Android Market as well as alternative, geographically targeted markets. In many cases, attackers will publish a large number of apps across multiple developer accounts and multiple markets in order to maximize the number of users they infect. For example, the makers of DroidDream published over 80 unique applications with DroidDream and DroidDreamLight malware variations under a variety of developer names, while Legacy has been published in over 60 apps primarily distributed outside the Android Market.

DIAGRAM 9: DroidDream Infected Apps (number of infected apps, 0 to 100, by month from March 2011 to July 2011)

MALVERTISING or "malicious advertising" is another tactic used by attackers to lure people into downloading malware. Because legitimate developers commonly use in-app advertisements to gain more users, people are used to downloading apps via advertisements. In the case of malvertising, a malware writer buys mobile ads, directing users to download malware on the Android Market or from a fake site designed to imitate the Android Market.

DIAGRAM 10: How Malvertising Works. Clicking on a malicious ad directs the user to a malicious web page imitating the Android Market; upon visiting the site, a download of a bad application automatically begins.
  16. 16. GGTracker used malvertising to successfully encourage many people to downloadmalware. In Diagram 10, the makers of GGTracker created an extremely vague ad, “Game MalwareRequest,” that looks like a notification and directs a user to a malicious website that has evenimitates the Android Market and automatically starts a drive-by-download. been able toDRIVE-BY-DOWNLOADS are a class of technique where a web page automaticallystarts downloading an application when a user visits it. Drive-by-downloads can be dynamicallycombined with clever social engineering tactics (e.g. GGTracker) to appear as if they arelegitimate. On Android, because the browser does not automatically install downloaded supportapplications, a malicious website also needs to encourage users to open the download to multipleactually infect the device with malware. As shown in Diagram 11, the GGTracker drive-by-download site also encouraged users to click on the app download notification, claiming premium-ratethat the app is a “trusted download.” Drive-by-downloads are significant becausemalicious apps are hosted outside of app markets where they might otherwise be more SMS services.easily detected.DIAGRAM 11Malware CapabilitiesIn addition, trends of how malware and spyware get on to mobile devices, there are alsoemerging trends in what such applications do once they are installed.PREMIUM-RATE TEXT MESSAGES (SMS MESSAGES) are an important way forpeople to charge purchases to their phone bills. Because of its ease-of-use as a phonepayment mechanism, SMS billing is used by many legitimate services; however, malwarecan also use premium-rate SMS messages to steal money. Previous instances of malwaretargeted users in Russia and China, but malware using premium-rate SMS messages 16
  17. 17. began targeting U.S. users in early June with the emergence of GGTracker. Premium-rate SMS malware will also typically intercept any SMS messages from the SMS service Malware usingto prevent a user from becoming aware of the charge. This type of malware has evenbeen able to dynamically support multiple premium-rate SMS services. For example, premium-rateGGTracker utilized over 15 different apps and 21 different SMS shortcodes. SMS messagesBOTS arean emerging trend in mobile malware that, like their PC counterparts, begancommunicate with and receive instructions from one or more command-and-control(C&C) servers, giving the malware writer remote control over all infected devices. targeting U.S.Malware in the wild has supported a wide range of commands, including the ability to: users in early o send SMS messages June. o copy SMS messages stored on the device to a server o copy the contact list stored on the device to a server o install an application o remove an application o dial a phone number o open a web page o change the list of C&C servers to connect toMalware writers will typically obfuscate their code and use encryption to hide criticaldata such as the list of C&C server names. Bots also typically obfuscate or encrypt theirnetwork traffic to avoid being easily detectable. Typically, installing additional appsonto the device requires the user to click “yes” to the installation pop-up, though incases where the malware exploits vulnerabilities (e.g. DroidDream, jSMSHider), a bot caninstall additional apps without any user knowledge or intervention.PRIVILEGE-ESCALATION EXPLOITS are pieces of software that take advantageof vulnerabilities to gain full access to a device. Under normal circumstances, mobileapplications run in a security sandbox so they cannot cause too much harm; however,if malware is successful in escalating its privileges, it is able to perform actionsnot normally allowed to apps. 
DroidDream contained two exploits, “Exploid” and “RageAgainstTheCage,” that it used to gain root access and install a secondary app that allowed the malware to install additional apps without the user knowing. Another piece of malware, jSMSHider, was signed with a compromised key that also allowed it to install applications without user intervention on any mobile device firmware builds that were also signed with that key.

TARGETED SPYWARE (SURVEILLANCE) APPLICATIONS. Because mobile devices often carry a wealth of personal information, there’s a strong incentive for people to use tools to track or monitor mobile users. Unlike malware and untargeted spyware, targeted spyware apps are typically installed by somebody who has physical access to a victim’s mobile device. Commercial surveillance apps promoted for use in monitoring spouses, children, and other targets can cost anywhere from a few to hundreds of dollars. The functionality in surveillance apps often includes the ability to gather phone call history, listen to actual phone calls, view browser history, track location, gather SMS message history, and more. Notably, many surveillance applications support Android as well as jailbroken iOS devices. These apps often have very legitimate use cases and are not always used maliciously.

App Threat Profiles

DroidDream is malware that became available via the Android Market in Q1 2011 and has affected an estimated 250,000 mobile users to date.

DIAGRAM 12: DroidDream Variant Prevalence (panels: DroidDream, DroidDreamLight; y-axis: Incidents per 1MM users; x-axis: Date, March 2011 to July 2011)

Discovered in early March 2011, DroidDream is an example of malware that acts as a bot and uses two exploit payloads in its attempts to gain root access to infected devices. Once the malware exploits a device, it attempts to contact a remote server and accept commands. Since the initial discovery of DroidDream we’ve seen a variant, DroidDreamLight, emerge in late May 2011 that also acts as a bot but does not contain exploit code.16 The makers of the DroidDream malware family have continued to publish new infected applications and we’ve seen over 80 unique instances to date (see Diagram 12).

16 http://blog.mylookout.com/2011/05/security-alert-droiddreamlight-new-malware-from-the-developers-of-droiddream

DIAGRAM 13: DroidDream Infected Apps (y-axis: Number of infected apps; x-axis: Date, March 2011 to July 2011)

GGTRACKER is a notable step in the trend of malware writers building more sophisticated, end-to-end attacks. First, it is one of the first pieces of Android malware we’ve seen to date that engages in malvertising to trick users into visiting a malicious web site. Second, the malicious website convinces people to install malware by convincingly imitating the Android Market and beginning a drive-by-download. Third, it is one of the first known instances of Android malware specifically targeting U.S. users by silently charging money to users’ phone bills when it is installed, charging $10 per service.

DIAGRAM 14: GGTracker Prevalence (y-axis: Incidents per 1MM users; x-axis: Date, June 18, 2011 to July 21, 2011)
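The premium-rate SMS and bot behaviours described under Malware Capabilities, and GGTracker’s silent billing above, leave traces in an app’s manifest that a reviewer can look for before the app ever runs. The Python script below is an added example, not Lookout’s tooling and not anything taken from GGTracker: it parses a constructed AndroidManifest.xml and flags the combination of SEND_SMS, a receiver for android.provider.Telephony.SMS_RECEIVED registered at high priority (which can consume the carrier’s billing confirmation before the messaging app shows it), and INTERNET access for fetching short codes from a server. The permission and action names are real Android identifiers; the sample manifests, package names and the priority threshold are assumptions.

```python
"""Static triage of an Android manifest for premium-rate SMS indicators.

Added example, not Lookout's tooling. The manifests below are constructed;
the permission and action names are real Android identifiers.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
INTERNET = "android.permission.INTERNET"
SEND_SMS = "android.permission.SEND_SMS"
RECEIVE_SMS = "android.permission.RECEIVE_SMS"

# Assumed threshold: receivers registered this high can abort the broadcast
# before the stock messaging app gets the carrier's billing confirmation.
HIGH_PRIORITY = 100

# Constructed manifest in the shape the report describes for GGTracker-style
# apps: sends SMS, intercepts incoming SMS at top priority, talks to a server.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.wallpapers">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="Wallpapers">
    <activity android:name=".MainActivity"/>
    <receiver android:name=".SmsGate">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed manifest for an ordinary networked app with no SMS capability.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""


def parse_indicators(manifest_xml):
    """Pull out the permissions and SMS receivers a triage rule needs."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    sms_receivers = []  # (receiver class, filter priority)
    for recv in root.iter("receiver"):
        for flt in recv.findall("intent-filter"):
            actions = {a.get(ANDROID_NS + "name") for a in flt.findall("action")}
            if SMS_RECEIVED in actions:
                prio = int(flt.get(ANDROID_NS + "priority", "0"))
                sms_receivers.append((recv.get(ANDROID_NS + "name"), prio))
    return {
        "package": root.get("package"),
        "can_send_sms": SEND_SMS in perms,
        "can_receive_sms": RECEIVE_SMS in perms,
        "has_internet": INTERNET in perms,
        "sms_receivers": sms_receivers,
        "max_sms_priority": max((p for _, p in sms_receivers), default=0),
    }


def assess(manifest_xml):
    """Return ("review" | "ok", findings) for one manifest."""
    ind = parse_indicators(manifest_xml)
    findings = []
    if ind["can_send_sms"]:
        findings.append("SEND_SMS: app can originate messages to short codes")
    if ind["sms_receivers"] and ind["max_sms_priority"] >= HIGH_PRIORITY:
        findings.append("SMS_RECEIVED receiver at priority %d: can hide incoming "
                        "billing confirmations" % ind["max_sms_priority"])
    if ind["can_send_sms"] and ind["has_internet"]:
        findings.append("SEND_SMS + INTERNET: short codes can be fetched from a "
                        "server, the dynamic pattern seen in GGTracker")
    # Two or more indicators together is the report's premium-SMS profile.
    return ("review" if len(findings) >= 2 else "ok"), findings


if __name__ == "__main__":
    for name, xml in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        verdict, findings = assess(xml)
        print(name, verdict, *findings, sep="\n  ")
```

The result is a triage signal rather than a verdict: legitimate messaging and two-factor apps also register high-priority SMS receivers, so a hit should route the app to manual review of what the receiver actually does with the message.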
Previously, we had only seen this type of malware on Android target China and Russia. Finally, it’s worth noting that GGTracker continues to employ a variety of distribution techniques to seed the market. The first apps infected with GGTracker used malvertising to direct users to the fake Android Market, but another wave of infected apps, appearing in early July (see Diagram 12), were found in the Android Market.

DIAGRAM 15: GGTracker Infected Apps (y-axis: Number of infected apps; x-axis: Date, June 15, 2011 to July 15, 2011)

Privacy issues

Mobile devices now hold a rich set of personal information including location, browsing history, call history, text messages, contact lists, email, Facebook messages, the device’s phone number, and unique identifiers that can be used for tracking. Apps can access personal data on the device, although the data available to apps differs between iOS and Android. Legitimate apps can use personal information to provide powerful features and benefits; however, the opportunity to misuse that information exists as well. Because they have the potential to access so much data on devices, many apps gather data without users being aware of its collection.

In some cases, when a developer uses third-party advertising or analytics libraries, they are unaware of all the personal information accessed. Advertising and analytics libraries routinely gather sensitive data and developers don’t always pay close attention to the data collected by the ad or analytics libraries they incorporate into their applications. Several ad networks do a good job informing developers what choices they can make as it relates to data collection to serve ads. On the other hand, a number of ad networks use IMEIs and other sensitive identifiers as a way to uniquely track devices even though, most of the time, this tracking goal can be accomplished without transmitting sensitive data to a server.

17 https://www.mylookout.com/appgenome/
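On the point that tracking can usually be done without sending sensitive identifiers: the Python below is an added example, not code from the report or from any ad network’s SDK. It contrasts the raw IMEI and an unkeyed hash of it (which an ad server can link across every app that reports it and, given the device model’s 8-digit TAC, reverse by trying at most a million serials) with a per-app keyed pseudonym and a random install identifier, neither of which sends the IMEI anywhere. The IMEI, TAC and app keys are constructed values.

```python
"""Device tracking without transmitting the IMEI.

Added example, not from the report or any ad SDK. IMEI, TAC and keys below
are constructed.
"""
import hashlib
import hmac
import uuid


def luhn_check_digit(body14):
    """Check digit (15th IMEI digit) for the 14-digit TAC+serial body."""
    total = 0
    for i, ch in enumerate(reversed(body14)):
        d = int(ch)
        if i % 2 == 0:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def plain_hash_id(imei):
    """What some SDKs send as an 'anonymous' id. Deterministic, so every
    app using it reports the same value and a server can link them."""
    return hashlib.sha256(imei.encode()).hexdigest()


def reverse_plain_hash(target_hex, tac):
    """Given the device model's 8-digit TAC, an unkeyed hash is reversible:
    only the 6-digit serial is unknown, so at most 10**6 hashes."""
    for serial in range(10 ** 6):
        body = tac + "%06d" % serial
        candidate = body + luhn_check_digit(body)
        if plain_hash_id(candidate) == target_hex:
            return candidate
    return None


def keyed_pseudonym(imei, app_key):
    """Stable id for one app under its own secret; a server holding ids
    from two apps cannot link them, and the IMEI itself is never sent."""
    return hmac.new(app_key, imei.encode(), hashlib.sha256).hexdigest()


def new_install_id():
    """Preferred option: a random per-install id needs no device identifier."""
    return str(uuid.uuid4())


# Constructed sample: TAC 35000000 and serial 004217 (not a real handset).
SAMPLE_TAC = "35000000"
SAMPLE_BODY = SAMPLE_TAC + "004217"
SAMPLE_IMEI = SAMPLE_BODY + luhn_check_digit(SAMPLE_BODY)


if __name__ == "__main__":
    h = plain_hash_id(SAMPLE_IMEI)
    print("raw IMEI leaves device:", SAMPLE_IMEI)
    print("plain hash recovered from TAC:", reverse_plain_hash(h, SAMPLE_TAC))
    print("app A pseudonym:", keyed_pseudonym(SAMPLE_IMEI, b"app-A-secret")[:16])
    print("app B pseudonym:", keyed_pseudonym(SAMPLE_IMEI, b"app-B-secret")[:16])
    print("install id:", new_install_id())
```

The keyed pseudonym only holds up while the app’s key stays out of the server’s hands; the random install identifier has no such dependency, which is why it is the better default for analytics that only need to count distinct installs.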
In the Lookout App Genome Project17 report published in February 2011, we estimated that on iPhone 33.9% of free applications had the capability to access location and 11.2% had the capability to access contacts. On Android, we found that 28.2% of free apps in the Android Market had the capability to access location and 7.5% had the capability to access contacts.

App Vulnerabilities

Smartphone operating systems enforce strict security sandboxes to limit what applications can do, though even in the sandbox, applications can contain exploitable vulnerabilities. Because mobile platforms are new, often introducing new APIs and security models, even skilled developers aren’t always aware of best security practices. While a number of security issues have come to light affecting both Android and iOS applications (e.g. leaking sensitive information to system logs, storing credentials in an insecure manner, improperly validating externally supplied data), one of the most prevalent issues is simple and is not unique to mobile at all: transmitting sensitive data without proper encryption.

INSECURE DATA TRANSMISSION

Many apps don’t encrypt the data they transmit and receive over the network, making it easy for the data to be intercepted. For example, if an application is transmitting data over an unencrypted Wi-Fi network using HTTP (rather than HTTPS), the data can be easily sniffed using freely-available software.
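To make the plaintext-HTTP problem concrete from the monitoring side, the Python below is an added example (not Lookout’s code) that scans a constructed set of captured requests and reports which credential-bearing fields an on-path sniffer could read, naming the fields without ever echoing their values. Hosts, tokens and the password are constructed; the field-name pattern and the header list are assumptions a real monitor would tune.

```python
"""Finding credentials sent over cleartext HTTP in captured mobile traffic.

Added example, not Lookout's code. The capture below is constructed; hosts,
tokens and the password are made up.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Assumed field names worth flagging; a real monitor would tune this list.
CRED_PARAM = re.compile(r"(pass(word|wd)?|pwd|auth(_?token)?|token|secret|"
                        r"session(_?id)?|sid)", re.I)
CRED_HEADERS = {"authorization", "cookie", "x-auth-token"}

# Constructed capture: (transport, raw request). "http" is cleartext on
# port 80, visible to anyone on the same open Wi-Fi; "https" is inside TLS,
# where a passive sniffer sees neither field names nor values.
SAMPLE_CAPTURE = [
    ("http", "GET /sync/contacts?auth=CONSTRUCTED_TOKEN_123 HTTP/1.1\r\n"
             "Host: sync.example.test\r\nUser-Agent: Android/2.2\r\n\r\n"),
    ("http", "POST /login HTTP/1.1\r\nHost: mail.example.test\r\n"
             "Content-Type: application/x-www-form-urlencoded\r\n"
             "Content-Length: 38\r\n\r\n"
             "user=alice&password=hunter2constructed"),
    ("http", "GET /weather?city=SF HTTP/1.1\r\nHost: api.example.test\r\n\r\n"),
    ("https", "GET /sync/contacts?auth=CONSTRUCTED_TOKEN_123 HTTP/1.1\r\n"
              "Host: sync.example.test\r\n\r\n"),
    ("http", "GET /inbox HTTP/1.1\r\nHost: mail.example.test\r\n"
             "Cookie: SID=CONSTRUCTEDSESSION\r\n\r\n"),
]


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, target, headers, body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def exposed_credentials(transport, raw):
    """Names (never values) of credential-like fields readable on the wire."""
    if transport != "http":
        return []
    _method, target, headers, body = parse_request(raw)
    exposed = [("header", h) for h in headers if h in CRED_HEADERS]
    exposed += [("query", k) for k, _ in parse_qsl(urlsplit(target).query)
                if CRED_PARAM.fullmatch(k)]
    if headers.get("content-type", "").startswith(
            "application/x-www-form-urlencoded"):
        exposed += [("body", k) for k, _ in parse_qsl(body)
                    if CRED_PARAM.fullmatch(k)]
    return exposed


def scan(capture):
    """One (index, host, location, field) row per exposed credential."""
    rows = []
    for i, (transport, raw) in enumerate(capture):
        host = parse_request(raw)[2].get("host", "?")
        for where, name in exposed_credentials(transport, raw):
            rows.append((i, host, where, name))
    return rows


if __name__ == "__main__":
    for row in scan(SAMPLE_CAPTURE):
        print("request %d to %s sends %s %r in cleartext" % row)
```

Request 3 carries the same token as request 0 but over TLS and so produces no finding; the point of the check is that the fix is the transport, not the field names.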
In one particularly notable example, a number of Google services on certain versions of Android, including Contacts Sync, Calendar Sync, and Picasa Photo Sync, transmitted their account credentials in plain text, making it possible for an attacker to gain access to other people’s accounts.18

Web Based Threats

Web-based threats have emerged as a significant threat for mobile users. Currently people have a 30% likelihood of clicking on an unsafe link per year on their mobile device based on detection rates from Lookout users. This number is likely so high because users on mobile devices often encounter threats targeting PCs—people read email, Facebook messages, text messages, and tweets on their phones just as they do on their PCs. Some web-based threats such as phishing attacks do not discriminate based on platform—they affect Android, iOS, and PCs in the same way. Other web-based threats such as websites containing browser exploits are OS targeted, which means that users viewing a PC threat from a mobile device will not be affected, though we expect more mobile targeted attacks in the future. According to one study, mobile device users are three times more likely to succumb to a web-based phishing attack than desktop users.19

DIAGRAM 16: Unsafe Links Category Breakdown (Phishing 60%, Malicious 21%, Compromised 19%)

PHISHING attacks are designed to trick users into divulging account or personal information to web pages that appear to be reputable sites such as financial institutions, but are actually fake. Approximately 1 in 20 users will click on a phishing link every year on Android devices based on current rates. While users are trained to look at browser address bars on the desktop to determine if the site they are visiting is really the site it claims to be, mobile browsers generally clip the URL or don’t display it at all, making it unlikely that users will engage their positive PC habits when browsing on a mobile device.

DIAGRAM 17

DRIVE-BY-DOWNLOADS may use spam or malvertising to bring users to a site that, in turn, delivers malware by automatically starting a download. Such attacks are a significant concern on devices where applications can be downloaded outside of official markets because malware distributed through web sites can evade the greater scrutiny that markets provide. See the discussion of drive-by-downloads above for more information.

DIRECT EXPLOITATION is a significant threat to mobile browsers, as there are a number of large code bases on mobile devices that malicious web pages can target, including the browser itself, image viewers, Flash, PDF readers, and more. WebKit, the popular rendering engine, is a systematic risk because the default browsers on Android, Blackberry, and iOS all use it, creating a homogenous ecosystem where a single vulnerability can potentially affect the majority of mobile devices. Browser exploits are also very difficult to fix because mobile browsers and their associated libraries are often revisioned with firmware, which can be extremely slow to update, as we’ve described above.

In the past year, iOS has seen multiple web-based exploits in the wild that allow an attacker to run code as root if a user simply visits a web page. These exploits first take advantage of a browser vulnerability to run code as the browser process, then take advantage of a local privilege escalation vulnerability to run code as root. Thankfully, we haven’t seen evidence of these exploits being used maliciously: they were primarily used to allow users to jailbreak their devices.

18 http://www.uni-ulm.de/en/in/mi/staff/koenings/catching-authtokens.html
19 http://www.trusteer.com/blog/mobile-users-three-times-more-vulnerable-phishing-attacks
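Since a clipped mobile address bar is what the PHISHING discussion above says users cannot rely on, a check on the link itself has to do the comparison for them. As an added example (not part of the report), the Python below compares what a narrow address bar would show for a URL against the domain the browser actually connects to, and also catches the userinfo-before-@ and missing-TLS cases. The trusted brand domains and sample URLs are constructed, and the registrable-domain rule is a two-label approximation that a real implementation would replace with the public suffix list.

```python
"""Checking a link the way a clipped mobile address bar cannot.

Added example, not part of the report. Trusted domains and URLs are
constructed; the registrable-domain rule is a two-label approximation.
"""
from urllib.parse import urlsplit

# Constructed brand domains the check is protecting (assumption).
TRUSTED_DOMAINS = {"bank.example", "mail.example"}


def registrable_domain(host):
    """Last two labels of the host. Real code would consult the public
    suffix list so that e.g. co.uk sites are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def visible_prefix(url, width):
    """What a narrow address bar shows when it clips the URL on the right."""
    return url[:width]


def check_link(url, width=30):
    """Return (verdict, actual domain, reasons) for a link."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    actual = registrable_domain(host)
    if actual in TRUSTED_DOMAINS:
        return "trusted", actual, []
    reasons = []
    shown = visible_prefix(url, width)
    for brand in sorted(TRUSTED_DOMAINS):
        # Brand name in the clipped portion, but the real domain is elsewhere.
        if brand in shown:
            reasons.append("visible part shows %s but host is %s" % (brand, host))
    if parts.username is not None:
        reasons.append("userinfo before '@' pushes the real host out of view")
    if parts.scheme != "https":
        reasons.append("no TLS, so nothing authenticates the host at all")
    return ("suspicious" if reasons else "unknown"), actual, reasons


if __name__ == "__main__":
    for url in ("https://www.bank.example/login",
                "http://www.bank.example.account-verify.test/login?x=1",
                "https://bank.example@evil.test/",
                "https://news.example/article"):
        verdict, domain, reasons = check_link(url)
        print(verdict, domain, reasons)
```

The verdict "unknown" is deliberate: a domain that is neither trusted nor suspicious should be left to the user, since the check only knows the brands it was given.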
Physical/Network Threats

While web and application based threats have been on the rise for mobile devices, physical threats remain some of the most prevalent and the barrier to entry for network threats continues to decrease.

LOST AND STOLEN MOBILE DEVICES are so common that Lookout locates a missing device every 5 seconds.

WI-FI SNIFFING is a technique where nearby attackers can get access to data transmitted to or received from a mobile device. Barriers to entry for Wi-Fi sniffing continue to drop as easy-to-use tools emerge. While these tools facilitate targeted rather than broad-based attacks, the increased use of free Wi-Fi in airports, cafes, and other public places has increased the likelihood that Wi-Fi traffic, including account information, can be intercepted.

Firesheep20 is a desktop browser plugin that monitors unencrypted Wi-Fi networks for nearby computers and mobile devices accessing popular web sites (e.g. Twitter, Facebook, GMail) in an insecure way and allows an attacker to trivially hijack user accounts accessing those sites. Similarly, Faceniff21 is an Android-based tool that also allows someone to hijack user accounts accessing popular sites on nearby PCs and mobile devices in an insecure way by redirecting local network traffic through the phone (using a technique called ARP spoofing). While none of the techniques implemented by Firesheep or Faceniff are new, the ability for even a novice user to engage in point-and-click network hacking makes it more important than ever that popular sites stop using insecure network protocols.

20 http://codebutler.com/firesheep
21 http://faceniff.ponury.net/

WHAT’S NEXT?

Mobile threats are evolving quickly—sophistication that took decades to reach on the PC is taking just a few years on mobile. To predict where they are moving, it’s important to analyze what dynamics are affecting their growth and understand what will run the same course as PC threats and what will be different.

Application-based threats are likely to continue to follow their existing platform distribution trends unless platforms significantly change their security or distribution models. Privacy issues and application vulnerabilities are affecting both iOS and Android platforms; however, malware and spyware predominately target Android.

Malware

The mobile malware “industry” is currently in its startup phase, with attackers experimenting with different distribution and revenue models. As the industry matures, we believe that there will be successful distribution and monetization patterns that emerge. The growth in malware prevalence will likely follow the malware industry’s
successful discovery and exploitation of these patterns. Emerging patterns include:
 o Malware that acts as a botnet, exposing an array of remotely controlled device capabilities.
 o Abuse of premium-rate text messages
 o Targeted attacks aimed at gathering sensitive data for commercial or political purposes
 o Financial fraud as more mobile finance and payment apps emerge

In order to combat scrutiny in app stores—both in the curated and open models—we expect malware will engage in techniques to gain distribution while evading detection for as long as possible. Specifically, we expect to see a growth in upgrade attacks, where a seemingly legitimate app is upgraded with malware, and multi-stage attacks, where a seemingly legitimate app’s behavior changes at runtime based on code or configuration downloaded dynamically from a server.

Vulnerabilities

Because vulnerabilities on mobile devices typically take a long period of time to patch, we predict a growth in malware using browser exploits to infect both Android and iOS devices as well as an increased use of local privilege escalation exploits by Android malware to break out of the default security sandbox. Since the Android security model does not typically allow legitimate applications to act as root, if malware is able to gain root on a device, it can be very difficult to remove. Regaining control of the device in such cases can require a full firmware re-flash or leveraging an equivalent vulnerability to gain equivalent privileges.

Identified application vulnerabilities will likely rise, and as more high-value applications such as payment and banking tools come into wide use, we expect exploitation of these vulnerabilities to become more prevalent.

Phishing

Application-based phishing attacks (e.g. fake login/sign up screens) are very difficult for users to detect, as mobile devices tend not to have a secure location indicator for native applications that can be used to differentiate between a legitimate application dialog and an illegitimate one. As more people access sensitive accounts and services from their mobile devices, we expect to see an increase in phishing attacks launched from malware on devices.

We expect web-based phishing attacks to remain prevalent in the future as more users move towards their mobile devices as a primary means of reading email and browsing the web. Just as many web sites have both mobile and desktop views, we expect an increasing number of phishing attacks to create both desktop and mobile views to maximize their effectiveness in convincing mobile users to enter information.

TIPS TO STAY SAFE

As the frequency of mobile threats increases, people can take measures to stay safe while using their smartphones:
 o Only download apps from trusted sources, such as reputable app stores and download sites. Remember to look at the developer name, reviews, and star ratings.
 o After clicking on a web link, pay close attention to the address to make sure it matches the website it claims to be if you are asked to enter account or login information.
 o Set a password on your mobile device so that if it is lost or stolen, your data is difficult to access.
 o Download a mobile security tool that scans every app you download for malware and spyware and can help you locate a lost or stolen device. For extra protection, make sure your security app can also protect from unsafe websites.
 o Be alert for unusual behaviors on your phone, which could be a sign that it is infected. These behaviors may include unusual text messages, strange charges to the phone bill, and suddenly decreased battery life.
 o Make sure to download firmware updates as soon as they are available for your device.

ABOUT LOOKOUT

Lookout is a mobile security company dedicated to making the mobile experience safe for everyone. Lookout delivers award-winning protection from the growing threats facing mobile users today including malware and spyware, phishing scams, data loss, and device loss. Lookout is cross-platform, cloud-connected and designed from the ground up to provide advanced protection for smartphones while remaining lightweight and efficient on the phone. With users across 400 mobile networks in 170 countries, Lookout is a world leader in smartphone security. Headquartered in San Francisco, Lookout is funded by Accel Partners, Index Ventures, Khosla Ventures and Trilogy Equity Partners. For more information and to download the application, please visit www.mylookout.com.