Windows Malware Techniques Spread to Android

Because its use is so widespread, Windows is an extremely popular target for malware writers. They hone and tune attack techniques and work hard to innovate new sorts of attacks. Android's growing popularity is making it a similar target. The latest Mobile Threat Report from Finnish security giant F-Secure notes a number of changes in the Android threat landscape that stem from the introduction of techniques already well known on Windows.


For quite some time, trojanized apps were practically the only kind of malware on Android. It's ridiculously simple to decompile an app, tweak the permissions in its manifest, slip in a malicious module, and repackage and re-sign it as a new version that does everything the old one did plus something new and nasty, like sending texts to premium-rate numbers. Yes, the official Android app stores do their best to detect and reject these Trojans, but there are plenty of unofficial app download sites. In some countries those are the only places to get apps. While trojanized apps still dominate, F-Secure's researchers are now seeing more and different types of in-the-wild Android malware.
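The repackaging trick described above leaves a visible trace: the trojanized copy must declare the extra permissions and components it needs in its AndroidManifest.xml. The script below is an added example, not code from F-Secure's report or the article; it diffs a decoded manifest of a suspect APK against the manifest of the legitimate release and flags the permissions that typically turn a harmless app into a money-maker (premium SMS, premium calls) or a spy tool. Both manifests are constructed for the example, as is the package name com.example.flashlight; the permission names are the real Android ones.

```python
"""
Detect a repackaged ("trojanized") Android app by diffing its decoded
AndroidManifest.xml against the manifest of the legitimate release.

Constructed example, not code from F-Secure's report. The two manifests
below are made up (package com.example.flashlight is fictional); the
permission names are the real Android ones.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Permissions that turn a game or utility into a direct money-maker for
# the malware author (premium SMS / premium calls) or into a spy tool.
ABUSE_PRONE = {
    "android.permission.SEND_SMS": "premium-rate SMS",
    "android.permission.CALL_PHONE": "premium-rate calls",
    "android.permission.RECEIVE_SMS": "intercept SMS (e.g. banking codes)",
    "android.permission.READ_CONTACTS": "harvest contacts for SMS spam",
    "android.permission.RECEIVE_BOOT_COMPLETED": "persist across reboot",
}

# Constructed manifest of the legitimate app (what the store version declares).
ORIGINAL_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Flashlight">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""

# Constructed manifest of a repackaged copy from an unofficial market:
# same package and activity, plus a new service, a boot receiver and
# the permissions the added module needs.
SUSPECT_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Flashlight">
    <activity android:name=".MainActivity"/>
    <service android:name=".UpdateService"/>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def manifest_summary(xml_text):
    """Return (package, permission set, component set) from a decoded manifest."""
    root = ET.fromstring(xml_text)
    perms = {el.get(NAME_ATTR) for el in root.iter("uses-permission")}
    components = set()
    for tag in ("activity", "service", "receiver", "provider"):
        for el in root.iter(tag):
            components.add((tag, el.get(NAME_ATTR)))
    return root.get("package"), perms, components


def diff_manifests(original_xml, suspect_xml):
    """Compare a suspect manifest with the known-good one.

    Returns the added permissions, the added components and a list of
    human-readable findings; an empty findings list means the suspect
    declares nothing beyond the original.
    """
    o_pkg, o_perms, o_comps = manifest_summary(original_xml)
    s_pkg, s_perms, s_comps = manifest_summary(suspect_xml)
    findings = []
    if o_pkg != s_pkg:
        findings.append(f"package name changed: {o_pkg} -> {s_pkg}")
    added_perms = sorted(s_perms - o_perms)
    for perm in added_perms:
        why = ABUSE_PRONE.get(perm)
        findings.append(f"new permission {perm}" + (f" ({why})" if why else ""))
    added_comps = sorted(s_comps - o_comps)
    for kind, name in added_comps:
        findings.append(f"new {kind} {name}")
    return {
        "added_permissions": added_perms,
        "added_components": added_comps,
        "findings": findings,
    }


if __name__ == "__main__":
    for line in diff_manifests(ORIGINAL_MANIFEST, SUSPECT_MANIFEST)["findings"]:
        print("!", line)
```

A manifest diff is a quick triage step, not proof: a repackaged APK can also be caught because it cannot carry the original developer's signature, so comparing the signing certificate of the suspect APK with that of the store release is the stronger check when you have both files.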

Profit Motive

The report states that over 75 percent of current Android threats exist to make money for their creators. I asked Sean Sullivan, Security Advisor at F-Secure Labs, what motivates the rest. "Spying, tracking, info-stealers and the like," responded Sullivan. "Also, collecting contact information for SMS spam purposes (big in China)." In that case, he explained, the contact information would be sold, but the malware writer "does not directly profit."

A relatively new Android Trojan called Stels relies on spam emails for distribution. It ties in with the Cutwail botnet, a huge source of spam worldwide. The spam poses as an email from the IRS and carries a malicious link; Android users who follow it are redirected to a page claiming that Flash Player needs updating. Installing the alleged update actually grants the Trojan permission to make phone calls, and while you're asleep it makes money for its creator by dialing premium-rate numbers.

The report refers to this Trojan phoning "long-lined (a.k.a. short-stopped) calls." Neither of those phrases rang a bell for me. Sullivan explained that particularly in developing countries some billing services use VOIP for the shorter domestic portion of a call and traditional telephony for the "long" call. "This otherwise legitimate type of billing service can be abused by malware," said Sullivan. "It’s rather difficult to tell whom a long-lined number belongs to when reviewing a bill."

Zitmo for Sale

Banking Trojans such as Zeus steal your online banking credentials or piggyback on your online banking sessions to make their own transactions. When banks added two-factor authentication that sends one-time transaction codes to the customer's mobile phone, the bad guys invented Zeus-in-the-mobile. Called Zitmo for short, this mobile component intercepts those codes on the infected phone and hands them to the attacker, subverting the second factor. According to the report, Zitmo use is no longer limited to "high-end Zeus operators," as a new component called Perkele is now available in the "crimeware marketplace."

The report notes that "Now anybody running a Zeus botnet can find affordable options for Zitmo." Researchers have found this Trojan targeting banks in Italy, Thailand, and Australia, with each instance customized to resemble the branding of the target bank.

What's Next?

The report points out several other malware tactics that are now showing up in the Android arena. Targeted attacks have been used against Tibetan activists. A threat that F-Secure calls SmSilence steals personal information specifically from phones with a South Korean area code. Fake job offer scams get victims to apply, charge them a processing fee, and then deliver nothing.

Thinking about the ongoing "feature creep" of malware techniques from Windows to Android, I asked Sullivan what he expects to see next. "I’m already somewhat surprised," he said, "that we haven’t already seen any data/photo-scraping apps targeting teenagers (girls) which is then used in an attempt to blackmail/extort more materials from the victim." Talk about feature creeps!

Naturally the full report goes into much more detail. You can view it on the F-Secure Labs website.