The Android threat landscape is growing in both size and complexity with cybercriminals adopting new distribution methods and building Android-focused malware services, according to a report from Finnish security vendor F-Secure.
The number of mobile threats has increased by nearly 50 percent during the first three months of 2013, from 100 to 149 families and variants, F-Secure said in its Mobile Threat Report for Q1 2013 that was released on Tuesday. Over 91 percent of those threats target the Android platform and the rest target Symbian.
“While the raw amount of Android malware continues to rise significantly, it is the increased commoditization of those malware that is the more worrying trend,” the F-Secure researchers said in the report. “The Android malware ecosystem is beginning to resemble that which surrounds Windows, where highly specialized suppliers provide commoditized malware services.”
One example of this is an Android Trojan program dubbed Stels that was distributed through fake Internal Revenue Service emails sent by the Cutwail spam botnet during the first quarter of 2013.
Those spam emails contained links that directed recipients to a website asking them to download and update their Flash Player software. This “fake update” social engineering technique has been used in the past to distribute Windows or Mac malware.
“By installing the so-called ‘Flash Player,’ the victim unknowingly grants the trojan the permission to make phone calls,” the F-Secure researchers said. “Stels will capitalize on this permission to reap profit by placing long-lined (a.k.a. short-stopped) calls while the device owner is asleep.”
Traditionally, Android malware writers have tricked mobile users into installing malicious applications on their devices by passing them off as legitimate apps on Google Play or third-party app stores. According to the F-Secure researchers, the new email-based distribution method now extends the risk of malware infection to Android users who are not actively searching for new apps, but are regularly checking email from their phones and tablets.
However, not only financially motivated cybercriminals have started using email to distribute Android malware—hacker groups behind targeted attacks do it too.
Back in April, security researchers from antivirus vendor Kaspersky Lab uncovered an email attack targeting Uyghur activists that distributed an Android Trojan program as an attachment. The attackers expected that some of their targets would check their email from their Android phones and designed the malware to steal contact details, call logs, text messages and other information from the infected devices.
An Android Trojan program called Perkele that’s designed to be used in conjunction with Windows online banking malware like Zeus to bypass SMS-based two-factor authentication schemes, is another example of an Android malware being offered as a service on the underground market.
Android Trojan apps like Perkele have been used as part of online banking fraud attacks in the past, but they have been generally available only to more sophisticated cybercriminal gangs. However, the creator of Perkele started selling his creation to smaller and less resourceful fraudsters for affordable prices.
“This signals the shift to malware as a service—Zeus-in-the-mobile (Zitmo) for the masses,” the F-Secure researchers said in the report. “Now anybody running a Zeus botnet can find affordable options for Zitmo.”
“In a way, Android is experiencing the same fate as Windows where its huge market share works in both good and bad ways,” the F-Secure researchers said. “Malware authors see plenty of opportunities yet to be explored on the relatively new and growing platform and they are drawing inspiration from Windows malware’s approaches, which is why we are now seeing trends such as commoditization of malware services, targeted attacks and 419 scams popping up in the mobile threat scene.”