Malware Targeting Android Devices Increases Sharply

Thursday, May 17, 2012



Security provider F-Secure warns of a dramatic increase in malware targeting Android devices.

The analysis was presented in the company's most recent Mobile Threat Report release.

"In Q1 2011, 10 new families and variants were discovered. A year later, this number has nearly quadrupled with 37 new families and variants discovered in Q1 2012 alone," the report states.

F-Secure attributes the rapid growth not only to the popularity of Android devices and the operating systems open source architecture, but also to the increasing number of variants designed to evade antivirus protections by utilizing a greater number of signatures.

"A comparison between the number of malicious Android application package files (APKs) received in Q1 2011 and in Q1 2012 reveals a more staggering find — an increase from 139 to 3063 counts. This growth in number can be attributed to malware authors crafting their infected or trojanized applications to defeat anti-virus signature detection, distributing their malware in different application names, and trojanizing widely popular applications," the report notes.

The company reports having success in detecting previously unidentified signatures using a cloud-based heuristics detection methodology, including the detection of a new family of malware.

"A significant finding this quarter is the discovery of FakeToken.A, a Trojan that pretends to be a token generator for a mobile banking application. It was originally detected as a variant of FakeInst, but turns out to be a new but related family," F-Secure said.

The analysis also indicates malware designers are implementing ever more sophisticated evasion and obfuscation techniques, including advanced cryptography and steganography - the hiding of data within an image.

"In Q1 2012, malware authors are focusing on improving their malware’s techniques in evading detection, as well as exploring new infection methods. Existing malware families such as DroidKungFu, GinMaster, and the Fakeinst umbrella family (which consists of Boxer, JiFake, SMSTado, FakeNotify, and OpFake) are adopting encryption and randomization techniques in order to evade detections. At the same time, some malware are also figuring out how to hide their data in an image file, as shown by FakeRegSMS," the report states.

Other advanced malware recently discovered include:

  • Trojan-Downloader:Android/RootSmart.A
  • Trojan:Android/DroidKungFu.H
  • Trojan:Android/Stiniter.A

"The three malware (RootSmart.A, DroidKungFu.H, and Stiniter.A) mentioned above suggest that Android malware are focusing on utilizing the native component, and only downloading a root exploit when needed. Even then, the root exploit would be quickly deleted to prevent the malware from being profiled or detected as malicious by anti-virus products since the native component has yet to exist in their packages," the report explains.

While the designs involved in the most recently discovered malicious code have evolved, the report notes that the application payloads continue to operate in much the same manner as previous malware incarnations.

"Over the year, Android threats have continued to improve their techniques in evading detection and their methods of infection, yet, nothing much has changed in their operation in collecting profit. The majority of malware discovered in Android markets are SMS-sending malware that reap profit from sending messages to premium numbers."


Possibly Related Articles:
Viruses & Malware
Trojans malware Mobile Devices Attacks Headlines Android Steganography Malicious Code F-Secure Mobile Threat Report
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.