MOBILE THREATS, MADE TO MEASURE
THE SPECIALIZATION OF MOBILE THREATS
AROUND THE WORLD
What global trends and patterns defined mobile security threats in 2013? To answer this
question, Lookout analyzed the threats encountered by more than 50 million Lookout users
around the world. We categorized mobile threats into three distinct app-based threat categories:
adware, chargeware, and malware.
2013 stood out as the year when mobile threat campaigns became increasingly targeted by
region as the criminals adapted their practices to maximize profit and minimize detectability. In
regions where regulation is stringent, attackers favored alternate ways to operate, often dropping
traditional monetization strategies like premium rate SMS fraud in favor of “grey area” tactics like
deceptive, if legal, in-app billing practices.
We also examined how user behavior impacts their exposure to mobile threats. If a mobile user
has rooted their phone, for example, how might that affect their chance of encountering a trojan
in the future? In short, this report contains a comprehensive overview of the current, global state
of app-based threats. We hope the security insights presented in this report may serve to help
educate individuals and businesses on how to better protect their mobile devices from threats in
a highly networked, globalized age.
The diversification of app-based threats by region is readily apparent. Regulation varies by country
and a criminal enterprise that might be highly profitable and difficult to prosecute in one part of the
world is often explicitly forbidden and easy to prosecute in another. This regulatory variation
produces a state of natural selection in which criminals evolve to exhibit attack strategies that are
best suited for their environment.
When it comes to malware, people who use trusted, mainstream app stores (as the bulk of users in
the US and Western Europe do) are less likely to encounter malware. By contrast, users in Eastern
Europe, Russia and Asia face a risk of encountering malware that is as much as 20 times higher due
to the widespread use of high-risk third-party stores. This increased risk is also driven in part by more
robust malware development activities in these regions as evidenced by Lookout’s 2013 Dragon
Lady investigation, which uncovered organized groups of Android malware developers in Russia who
operated like startups, with real organizational structures and affiliate programs.
Chargeware too is a highly country specific threat because it relies on mobile charging practices,
which can vary on a per country (or even per carrier) basis. In 2013 chargeware emerged as the
most lucrative method of monetizing in Western Europe for this reason, where country encounter
rates (13% - France, 20% - UK, 23% - Spain) are two to four times higher than those seen in North
America and up to twenty times higher than those seen in Asia. Most of these chargeware threats
are pornographic in nature, as was the case with SMSCapers in the UK and PlusTV in France (the
two most prolific instances of chargeware in each country).
Adware went largely unchecked for the first half of 2013 and encounter rates were high, ranging from
20-30% globally. In Q3 2013 companies such as Lookout and Google implemented detection policies
that flagged the presence of adware to developers and adware encounter rates began to fall. These
policy changes forced apps to remove adware and forced adware developers to modify their
advertising SDKs to bring their practices in line.
Risky mobile behavior begets risky behavior - a rather self-evident, but nonetheless sobering
observation when you consider that risky activities like downloading malware once increases your
likelihood of encountering another piece of malware by seven times.
Moving into 2014 we expect criminals and shady actors to continue to take advantage of the “Grey
area” and use people (and their devices) as a means to an end to pull off their schemes. New
monetization methods may appear, but as long as premium rate SMS fraud continues to be a
successful business model in certain regions around the world, we don’t expect it to go away.
As BYOD becomes more common in the workplace, rather than attacking traditional, heavily
monitored network services, we expect criminals to evolve once again and turn to mobile devices as
an easier way to get into the enterprise and access valuable data. With the recent news of both ad
SDKs and mobile apps leaking device data, businesses are more aware than ever of the need to
implement solutions that minimize mobile data leakage and loss.
The strongest defence against app-based threats comes from a three part strategy of (1) only
downloading apps from trusted marketplaces, (2) exercising common sense and avoiding risky
behavior (like rooting a mobile device), and (3) downloading a mobile security application like
Lookout that can flag and protect against these threats in real time.
Adware is an SDK whose primary purpose is to serve obtrusive or unexpected ads on compromised
Chargeware is an app where the user is charged for a service without clear notification and the
opportunity to provide informed consent.
Encounter rates in this report measure how many devices encounter a given mobile threat during a
specific time period, as a percentage of all devices that have connected to Lookout during that
With this calculation we are measuring how many devices encounter a threat and it should be noted
that encounter rates are not additive since devices may be counted multiple times. Additionally,
encounter rates do not necessarily mean that that percentage of users were actually infected or
would be infected without Lookout.
For the purposes of this report malware includes viruses, trojans, worms, and spyware and excludes
Mobile threats in this report describe the composite threat of malware, chargeware, and adware.