Skip the navigation

Spike in mobile malware doubles Android users' chances of infection

'Startup phase of mobile malware' shows experimentation by attackers, says expert

August 3, 2011 06:47 AM ET

Computerworld - An explosion in mobile malware during the last six months has more than doubled the chance that a user's Android smartphone will become infected, a security researcher said today.

According to Lookout Security, which develops anti-malware software for Android but not for Apple's iPhone, the likelihood of an Android owner encountering malware has jumped by two-and-a-half times since January.

By June, between 1% and 5% of Android users -- the number varies by country -- had been infected by mobile malware, said Kevin Mahaffey, co-founder and CTO of San Francisco-based Lookout.

Mahaffey blamed a dramatic spike in malware targeting Android for improving hackers' odds. "In January, we saw only 80 unique pieces of Android malware, but by the end of June we tracked over 400," said Mahaffey.

Lookout used its Mobile Threat Network, which analyzes apps acquired from both official and independent markets, and the malware-detection results from its security software, to come up with its statistics.

The Android malware problem shot into public view in early March, when Google yanked more than 50 apps infected with the "DroidDream" malware from the Android Marketplace, then continued with several more clusters found on Google's official download site and on third-party markets -- particularly those in China.

The rogue app model -- where attackers pirate a legitimate program, add malicious code and then re-release the app into the wild -- will continue to be the biggest mobile malware threat to Android users. "Repackaging [legitimate] apps will remain popular, simply because it's very effective," Mahaffey said.

But malware makers are getting more innovative, added Mahaffey, who declined to use the word "clever" to describe attackers' evolving tactics.

A new distribution channel, dubbed the "upgrade attack" by Mahaffey, has been used by at least one malware family to increase the pool of potential victims. An upgrade attack sidesteps the problem that hackers face when they release an infected app: The relatively small window of opportunity before their work is discovered and the app pulled from the Android Market or other download site.

"We've started to see [attackers] publish a clean app, then wait for a while before offering an update that's infected," said Mahaffey. "Because most people automatically update their apps, there's less time that the malware is on the market before it's installed by a lot of people."

Hackers are experimenting with different distribution models and various ways to monetize their work, Mahaffey observed.

"How do they get onto the device, and then how do they make money ... both are important," he said. "Mobile malware is now in the experimental stage, where attackers try innovative techniques to distribute their malware, and are engaging in experimental monetization."

Our Commenting Policies
Internet of Things: Get the latest!
Internet of Things

Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!