2014 MOBILE THREAT REPORT

Transcription

1 0 MOBILE THREAT REPORT Introduction In 0 the notable trend in mobile security was the geographic diversification of mobile threats, such as the prevalence of chargeware in Western Europe, where the popularity of premium-rate SMS billing made this path to monetization more viable than in geographies where this billing mechanism is largely prohibited, such as the United States. In 0 this pattern of regional adaptation continued, but the new and noteworthy mobile security trend this year has been the emergence of new mobile threat tactics (such as ransomware) and an increase in threat sophistication. This is a reaction, no doubt, to mobile operators stepping up their threat countermeasures around the world and a general crackdown on premium-rate SMS abuse. For example, in 0 Lookout observed a handful of mobile threats, such as DeathRing and a new variant of Mouabad, that suggested the compromise of mobile supply chains and the pre-loading of malware on factory-shipped devices. In addition, a new variant of the threat NotCompatible, a sophisticated mobile threat with layers of complex self-defense mechanisms that evade detection and countermeasures, gained considerable traction in the U.S. and Western Europe. Methodology To prepare this report Lookout analyzed security detections from its dataset of more than 60 million global users. The encounter rate measurement used in this report reflects the percentage of unique Android devices that encountered a given threat or threat type during the year. Please note, encounter rates are weighted calculations that account for varying user lifecycles and moreover these rates cannot be added since a unique device could be counted multiple times in such calculations. Lastly, at the highest level Lookout classifies app-based threats using three categories (defined at the beginning of this report): malware, chargeware, and adware. 0 MOBILE THREAT REPORT

2 KEY HIGHLIGHTS Mobile threat highlights from 0 include: Malware grew substantially in the U.S. - 0 saw an astounding 7 increase in Android mobile malware encounter rates in the United States compared to 0 (a vs. 7 encounter rate), an increase driven largely by prolific mobile threats that hold victims mobile devices hostage in exchange for payment, using a variety of coercion schemes. 6 Device-for-ransom malware schemes surged globally - Ransomware, a type of malware that locks users out of their mobile devices in a pay-to-unlock-your-device ploy, grew by leaps and bounds as a threat category in 0, with ransomware such as ScareMeNot and ScarePakage finishing in the top five most-prevalent mobile threats in countries such as the U.S., U.K., and Germany. Mobile threat sophistication and experimentation is on the rise - As mobile operators and platforms have continued to crack down on mobile attackers and their monetization methods, the attackers strategies have shifted. In 0 Lookout observed, for example, one of the first instances of attackers attempting to use compromised mobile devices for cryptocurrency mining -- a novel, if ultimately unprofitable scheme. 7 Adware prevalence fell dramatically in 0 and risks losing its crown as the most prevalent mobile threat - Adware encounters fell dramatically in 0, evidence that Google s crackdown 8 on adware in the latter half of 0 and its continued policing of the Play Store has substantially reduced the prevalence of abusive mobile advertising practices in Android applications. In some countries, such as the U.K., adware encounter rates are now surpassed by other threats like chargeware! Chargeware prevalence fell in the U.K. and France, but exploded in Germany - In 0 chargeware continued to be a regional phenomenon, with encounter rates in Western Europe (9 in France, in the U.K.) averaging much higher than those in countries like the U.S. (). Notably, chargeware encounter rates did fall in the U.K. and France in 0, a sign, perhaps, that the efforts of regulatory bodies such as PhonepayPlus have become more effective at curbing premium-rate service abuse. Premium-rate service abuse has historically been a popular monetization method for both chargeware and malware threats globally. Germany, however, experienced a 0 surge in chargeware encounter rates in 0 ( vs. 7 encounter rate) due to the prolific success of the SMSCapers threat. Mobile Threat Definitions Apps that steal user data, commit financial fraud, and/or negatively impact device performance. Malware includes threats such as viruses, trojans, worms, spyware, and ransomware. Apps that charge users for content or services without clear notification or the opportunity to provide informed consent. Apps that serve obtrusive ads that interfere with standard mobile operating experiences and/or collect excessive personal data that exceeds standard advertising practices. 0 MOBILE THREAT REPORT

3 NOTABLE NEW DETECTED BY LOOKOUT IN 0 FRANCE UNITED STATES ScarePakage RANSOMWARE CoinKrypt TROJAN SOUTH KOREA ShrewdCKSpy SPYWARE VIETNAM, INDONESIA, INDIA, NIGERIA, TAIWAN, AND CHINA DeathRing TROJAN ScarePackage RANSOMWARE ScarePakage masquerades as an Adobe Flash update or a variety of anti-virus apps, and is distributed as a drive-by-download. When downloaded, it pretends to scan victims phones and then locks the device after falsely reporting that its scan found illicit content. ScarePakage then displays a fake message from the FBI and attempts to coerce victims into paying them to avoid criminal charges and regain control of their device. 9 DeathRing TROJAN DeathRing poses as a ringtone app and then surreptitiously downloads fake SMS content to infected devices, in a possible attempt to capture victim login credentials by impersonating trusted entities like banks via SMS. Notably, DeathRing appears to come pre-installed on certain devices, suggesting its authors were able to infiltrate the device supply chain and inject their malware into factory-shipped devices. 0 CoinKrypt TROJAN CoinKrypt infects phones and harnesses their processing power to mine cryptocurrency. This activity can drain a device s battery and its monthly data allotment. While this is one of the first examples of malware using smartphone computing power for digital currency mining, Lookout estimates that these activities yield minimal profits given the immense processing power required to mine cryptocurrencies. ShrewdCKSpy SPYWARE ShrewdCKSpy pretends to be an app marketplace, but the market icon disappears on first launch and the malware starts to run in the background, intercepting and recording victims SMS and phone calls and uploading them to a remote server. ShrewdCKSpy also has the ability to auto-accept and record calls, which means attackers could possibly turn a victim s phone into a de facto bugging device by auto-accepting their own call.

4 United States 7 0 In the U.S. ransomware such as ScarePakage, ScareMeNot, ColdBrother, and Koler dominated the mobile threat list in 0 and largely drove the 7 increase in malware encounter rates. Millions of U.S. mobile users were targeted by ransomware attacks, resulting in an untold number of victims paying hundreds of dollars each to unlock their devices and avoid fraudulent criminal charges. In the non-ransomware category, the trojan NotCompatible emerged as the top mobile threat in the U.S. in 0, enabling its operators to harness a considerable mobile botnet to do their bidding. In one instance, Lookout observed attackers using NotCompatible-infected mobile devices to purchase tickets en masse to circumvent anti-fraud measures on ticketing websites. 0 TOP THREATS NotCompatible NotCompatible is a trojan that surreptitiously acts as a network proxy, allowing attackers to send and receive traffic through a victim s mobile device onto connected networks for fraudulent purposes. Koler Koler is a trojan disguised as a media app that then locks a victim s device after falsely reporting the discovery of illegal activity. Koler attempts to coerce victims into paying them to avoid criminal charges and regain control of their device. ScareMeNot ScareMeNot is a trojan that pretends to scan victims phones for security issues and then locks their device after falsely reporting that its scan found illicit content. It attempts to coerce victims into paying them to avoid criminal charges and regain control of their device. ColdBrother ColdBrother is a trojan that pretends to scan victims phones for security issues, but then locks their device after falsely reporting that its scan found illicit content. It can also take a front-facing camera photo and attempts to coerce victims into paying them to avoid criminal charges and regain control of their device. ScarePackage ScarePakage is a trojan that pretends to scan victims phones for security issues and then locks their device after falsely reporting that its scan found illicit content. ScarePakage attempts to coerce victims into paying them to avoid criminal charges and regain control of their device.

5 United Kingdom 0 9 While malware and chargeware rates fell in the U.K. they remained significant: of all Lookout users in the U.K. encountered malware this year and more than in 0 encountered chargeware threats. Just as in 0, chargeware, and more specifically the threat SMSCapers, emerged as the top threat in the U.K. this year. SMS premium-rate billing is a common billing practice in the U.K. and attackers have leveraged this capability as an effective monetization technique in the past, although a year-over-year decline in chargeware and malware encounter rates in the U.K. suggests this may be a decreasingly effective monetization path given countermeasures by regulatory bodies like PhonepayPlus. In 0 the U.K. was also hit with ransomware attacks much like the U.S., with ransomware threat ScareMeNot emerging as the second most prevalent threat to U.K. users. 0 TOP THREATS SMSCapers SMSCapers is a pornographic app for viewing pictures or videos that charges users without providing clear notification and offering users the opportunity to provide informed consent for the charges. ScareMeNot ScareMeNot pretends to scan victims phones and then locks their device after falsely reporting that its scan found illicit content. ScareMeNot attempts to coerce victims into paying them to avoid criminal charges and regain control of their device. ActSpat ActSpat is a trojan that commits premium-rate SMS fraud and may push obtrusive ads to the notification bar, create pop-up ads, place shortcuts on the device s home screen and download large files without asking. Tornika Tornika is a trojan disguised as a media player that sends personal information from compromised devices to third parties and may attempt to charge victims money. It can also enable third parties to display ads without a way to opt out. NotCompatible NotCompatible is a trojan that surreptitiously acts as a network proxy, allowing attackers to send and receive traffic through a victim s mobile device onto connected networks for fraudulent purposes.

6 France In 0 France experienced an overall decline in mobile threat encounter rates, though of French Lookout users still encountered malware this year and almost in 0 encountered a chargeware threat. Chargeware, and its reliance on premium-rate abuse for monetization, still remains among the more prevalent mobile threat types, with threats such as SMSCapers and SMSYou emerging in the top five mobile threats in France this year. Like in the U.K., a decline in malware and chargeware encounter rates in France may be a sign of increased regulatory pressure. In August of 0, for example, PhonepayPlus fined a French app company for abuse of premium-rate phone services. 0 TOP THREATS Tornika Tornika is a trojan disguised as a media player that sends personal information from compromised devices to third parties and may attempt to charge victims money. It can also enable third parties to display ads without a way to opt out. ActSpat ActSpat is a trojan that commits premium-rate SMS fraud and may push obtrusive ads to the notification bar, create pop-up ads, place shortcuts on the device s home screen and download large files without asking. SMSCapers SMSCapers is a pornographic app that charges users without providing clear notification and the opportunity to provide informed consent for the charges. SmsYou SMSYou is a pornographic app that charges users without providing clear notification and the opportunity to provide informed consent for the charges. Spytic Spytic is a form of surveillanceware that enables remote monitoring of the activity and information on compromised devices by third parties. 6

7 Germany In 0 malware encounter rates held steady in Germany at, but the country saw an absolute explosion in chargeware this year (0 increase), due largely to the successful proliferation of SMSCapers, which emerged at the top of the list of mobile threats encountered by German users this year. Germany also saw ransomware encounters grow - as they did in the U.S. and elsewhere in Western Europe - with ScareMeNot emerging at the number two spot for top mobile threats in Germany. 0 TOP THREATS SMSCapers SMSCapers is a pornographic app that charges users without providing clear notification and the opportunity to provide informed consent for the charges. ScareMeNot ScareMeNot is a trojan that pretends to scan victims phones for security issues and then locks their device after falsely reporting that its scan found illicit content. It attempts to coerce victims into paying them to avoid criminal charges and regain control of their device. ActSpat ActSpat is a trojan that commits premium-rate SMS fraud and may push obtrusive ads to the notification bar, create pop-up ads, place shortcuts on the device s home screen and download large files without asking. ScarePackage ScarePakage is a trojan that pretends to scan victims phones for security issues and then locks their device after falsely reporting that its scan found illicit content. ScarePakage attempts to coerce victims into paying them to avoid criminal charges and regain control of their device. NotCompatible NotCompatible is a trojan that surreptitiously acts as a network proxy, allowing attackers to send and receive traffic through a victim s mobile device onto connected networks for fraudulent purposes. 7

8 Japan 0 9 < < In 0 Japan continued to enjoy one of the most favorable threat encounter rates in the world, with approximately of Japanese Lookout users encountering malware this year and less than encountering chargeware threats. While in 0 adware lost its title in some countries as the most prevalent mobile threat, but adware continues to be the top threat in Japan with a encounter rate. 0 TOP THREATS ActSpat ActSpat is a trojan that commits premium rate SMS fraud and may push obtrusive ads to the notification bar, create pop-up ads, place shortcuts on the device s home screen and download large files without asking. Ackposts Ackposts is a trojan that steals device contacts and sends them to a third party server, showing an error message claiming device incompatibility to disguise its activity. OneClickFraud OneClickFraud is a trojan that visits web pages while a victim s device screen is turned off in an attempt to defraud third parties with fake pageviews. CreepyBanner CreepyBanner is a trojan disguised as an Adobe Flash player that attempts to install another application which serves obtrusive ads. ConeSMS ConeSMS is a trojan that advertises itself as pornographic app, but actually commits premium rate SMS fraud in the background. 8

9 CONCLUSION In 0 the new and noteworthy mobile security trend was a surge in new mobile threat tactics like ransomware and an increase in threat sophistication and experimentation. This is likely a reaction to mobile operators increasing their threat countermeasures and a general crackdown on premium-rate SMS abuse, which has historically been the primary monetization path for malware and chargeware threats. Premium-rate SMS was low-hanging fruit that attackers could easily exploit and they did so with great success in 0. Fortunately, premium-rate SMS abuse is also low-hanging fruit for countermeasures, since sending text messages to a premium rate number is a rather obvious behavior that can be flagged and blocked by security vendors, mobile operators, and platforms. The apparent success of these threat countermeasures in 0 is a double-edged sword: while it seems to have lowered threat encounter rates in certain geographies, it also seems to have driven attackers toward developing more insidious threats like ransomware. The individual impact of premium-rate SMS abuse is a handful of nominal charges to a victim s monthly bill. The individual impact of a ransomware threat like ScarePakage, however, is the complete loss of device functionality and potential mental anguish from false criminal accusations, as well as substantial financial loss if a victim elects to pay the ransom. The success of ransomware in the United States (where it largely drove a 7 year-over-year increase in malware) and Western Europe indicates that when thwarted, mobile attackers will innovate and pivot to maintain an edge. The discovery of threats injected in mobile supply chains (e.g. DeathRing) and the rise of technically sophisticated threats (e.g. NotCompatible.C) reveals that attackers are upping their threat construction and deployment game. In the face of more sophisticated adversaries, consumers can stay one step ahead by remaining vigilant, installing apps from trusted app marketplaces, and installing advanced mobile security solutions like Lookout on their devices. ENDNOTES 0 Lookout Mobile Threat Report: Mobile Threats, Made to Measure. Lookout DeathRing: Pre-loaded malware hits smartphones for the second time in 0. Lookout. December 0. MouaBad: When your phone comes pre-loaded with malware. Lookout. April 0. The new NotCompatible: Sophisticated and evasive threat harbors the potential to compromise enterprise networks. Lookout. November 0. NotCompatible.C: A Sophisticated Mobile Threat that Puts Protected Networks at Risk. Lookout. November Android Phones Hit by Ransomware. New York Times. August Sorry, mobile mining likely isn t going to be profitable unless you re criminal. Lookout. July The war against mobile adware isn t over yet, warns Lookout. The Guardian. February U.S. targeted by coercive mobile ransomware impersonating the FBI. Lookout. July DeathRing: Pre-loaded malware hits smartphones for the second time in 0. Lookout. December 0. CoinKrypt: How criminals use your phone to mine digital currency. Lookout. March 0. ShrewdCKSpy: Mobile Spyware With A Hidden Agenda, Lookout. March ,000 fines issued to UK companies over mobile malware and WAP opt-in. PhonepayPlus. Premium-rate voice changer service fined 60,000 for children s apps ads. August MOBILE THREAT REPORT 9