The security technology company McAfee, a wholly owned subsidiary of Intel Corporation, revealed in its recent Threats Report that Q1 2011 was the most active first quarter in malware history and confirmed that mobile malware is the new frontier of cybercrime.
“The Q1 Threats Report indicates that it’s been a busy start to 2011 for cybercriminals,” said Vincent Weafer, Senior Vice President of McAfee Labs. “Even though this past quarter once again showed that spam has slowed, it doesn’t mean that cybercriminals aren’t actively pursuing alternate avenues. We’re seeing a lot of emerging threats, such as Android malware and new botnets attempting to take over where Rustock left off, that will have a significant impact on the activity we see quarter after quarter.”
Busiest Quarter in Malware History
With more than six million unique malware samples in Q1, this period far exceeds any first quarter in malware history. February 2011 saw the most new malware samples of the quarter, at approximately 2.75 million. Fake anti-virus software had a very active quarter as well, reaching its highest levels in more than a year, totaling 350,000 unique fake-alert samples in March 2011.
Symbian and Android Most Popular Mobile Malware Environments
Malware no longer affects just PCs, but smartphones as well. As Android devices have grown in popularity, the platform solidified its spot as the second most popular environment for mobile malware behind Symbian OS during the first three months of the year.
A McAfee Labs mobile application security whitepaper, released in conjunction with the report, discusses how most Android devices allow the “side-loading” of apps instead of requiring a centralized app store, as Apple does. There is indeed no centralized place where Google can check all apps for suspicious behavior other than on the phone itself.
In the case of the widely publicized Geinimi, found on Android devices in China, the malware bound itself to popular apps to steal personal information from devices. This type of attack would be difficult for Google to detect when the apps are distributed on the internet outside of the Android Market, as Google’s ability to secure the device is limited to on-device scanning.
Apple, on the other hand, analyzes apps when they are submitted to the store, with one notable exception that’s discussed below. Security-conscious users in the United States have also discovered malware-infected apps.
The researcher Lompolo recently found a series of Android applications carrying backdoor Trojans in the Android Market. The applications were discovered because Lompolo noticed that some of the Android apps in question appeared to have been republished by the wrong publisher - in other words, that they had been pirated and then repackaged.
This is not the usual case of piracy, in which someone attempts to use software without paying for it. Here, the malware author repackaged software from another publisher, presumably without permission or distribution rights.
While reverse engineering one of the pirated apps, Lompolo noticed that the app used the “rageagainstthecage” Android sandbox escape exploit, stored information in a local SQLite database, communicated with a suspect web server by IP address, and posted the device’s IMEI and IMSI codes (which could identify the device) to the remote server.
Google was quick to remove offending applications from the Android Market and has also since released a tool to help affected users recover from the effects of this attack. It’s likely that the incident will cause Google to revisit its position of allowing applications to be posted to the Android Market in such an unrestricted fashion.
In Q1 2011, McAfee Labs found that the most prominent types of Android mobile malware were Android/DrdDream, Android/Drad, Android/StemySCR.A and Android/Bgyoulu, which affected everything from games to apps to SMS data.
The cybercriminals behind the Zeus crimeware toolkit have also directed attacks toward the mobile platform by creating new versions of Zitmo mobile malware for both Symbian and Windows Mobile systems to steal user bank-account information.