The Mobile Malware Hype – Exaggerated or Justified

While the usage of mobile devices has been growing swiftly in recent years, users have been constantly overwhelmed with warnings about the increasing mobile threats as well.

That’s no wonder – the wide mobile usage has unveiled great niches for cyber criminals to reach their victims through mobile devices and steal sensitive information and money. That trend, however, could be nothing more than media sensationalism. Or, could it not? To what extent should we be alert when using mobile apps?

The Mobile Malware Infections – Overhyped

According to Damballa, a company dealing with advanced threat detection and containment, “Research conducted on 50% of US mobile traffic finds you are 1.3 times more likely to get struck by lightning than have mobile malware communicating on your device.”

On April 22nd, the company presented its findings at the RSA Conference in Atlanta, GA, and San Francisco, CA. According to Damballa’s findings:

  • The company monitored 50% of the US Mobile Data Traffic in Q4 2014, and just 9,688 out of 151M mobile devices actually contacted mobile black list domains (.0064%)
  • “Only 1.3% (35,522) of ‘mobile’ hosts were not in the set of hosts contained by historical non-cellular pDNS data.” In other words, most wired hosts overlap with mobile ones, meaning mobile and desktop applications use the same infrastructure. Therefore, the PC threats and infections are quite similar to the mobile ones.

Charles Lever, senior scientific researcher at Damballa, explained, “This research shows that mobile malware in the United States is very much like Ebola – harmful, but greatly over exaggerated, and contained to a limited percentage of the population that are engaging in behavior that puts them at risk for infection.” He added, “Ask yourself, ‘How many of you have been infected by mobile malware? How many of you know someone infected by mobile malware?’”

And, he might be right. After all, mobile operators have invested a huge chunk of resources to research and prevent malicious components from infecting mobile devices. Lever also said, “In North America, for example, iOS developers must submit an application for approval before their app is available on iTunes. And Google has developed ‘Bouncer,’ a system that scans submitted apps for evidence of malware. So for a majority of the population, by simply staying within the authorized app stores for their respective devices, they will drastically reduce the risk of being infected with mobile malware.”

Still, however, is all that buzz about mobile malware infections really for nothing?

The Mobile Malware Infections – Justified

According to McAfee Labs Threats Report, released February 2015, mobile app usage is clearly on the rise and, as a result, “millions of mobile app users are still exposed to SSL vulnerabilities.”

In fact, a 2014 Nielsen study of 5,000 smartphone users showed that a typical person used 27 apps on average in 2013 compared to 23 in 2011. In addition, the time spent using mobile apps also increased by 65% – in 2011 the average user spent 18 hours per month while in 2013 the time increased to 30 hours. Naturally, users have become more dependent on their mobile devices and apps.

Since the increased use of mobile apps is an excellent opportunity for mobile app developers (as well as marketers and consumers), many of them do a sloppy job creating apps in order to produce more of them, faster. As a result, they overlook the security and privacy side of the apps, thus exposing more users to threats through their mobile devices.

It comes as no surprise that 82% of mobile apps detect when the device is turned on, its location and when Wi-Fi data is used. More importantly, users have deliberately agreed to share that information when they first installed the apps.

According to SecureList.com, for Q3 2014 Kaspersky Lab mobile security products reported:

“461,757 installation packages; 74,489 new malicious mobile programs; 7,010 mobile banking Trojans.”

The malicious programs detected were 14.4% more than in Q2 while the number of banking Trojans increased 3.4 times.

In the McAfee Labs Threats Report, Vincent Weafer, Senior Vice President at McAfee Labs, states:

  • “We have already seen techniques that exploit vulnerabilities and escape application sandboxes. It’s only a matter of time before those techniques are offered to cybercriminals on the black market. We believe that will happen in 2015.”
  • “There are many untrusted app stores and direct app download websites whose apps frequently contain malware. Traffic to these malevolent app stores and sites is often driven by “malvertising,” which has grown quickly on mobile platforms. In 2015, we will continue to see rapid growth in malvertising that targets mobile users, perpetuating the growth in mobile malware.”

The report explains in detail that the security problem with the mobile apps is not in the apps themselves, “but rather the cryptographic process used by mobile apps to establish secure connections with Internet websites.”

In addition, McAfee Labs recently examined the most frequently downloaded mobile apps to see whether they still have one of the most basic SSL vulnerabilities: improper validation of the digital certificate chain.

“Specifically, we dynamically tested the top 25 downloaded mobile apps that had been identified as vulnerable by CERT in September to ensure that usernames and passwords are no longer visible as a result of improper verification of SSL certificates. To our surprise, even though CERT notified the developers months ago, 18 of the 25 most downloaded vulnerable apps that send credentials via insecure connections are still vulnerable to MITM attacks.”

It was also quite disturbing to read that some of the most popular apps, such as mobile photo editors, weather apps, file-management apps and the like, are indeed exposed to vulnerabilities and thus leave such mobile devices open to attack by cyber criminals.

The Aftermath

Apparently, every action has its opposite reaction. It’s clear that as the use of mobile devices increases, so does the number of threats, but so do the anti-malware tools, which are constantly being improved to better serve their users. According to Weafer,

“In September, Intel Security joined three other security vendors to form the Cyber Threat Alliance. The purpose of the alliance is to drive more effective industry-level collaboration on the analysis and eradication of cybersecurity threats, and to deliver stronger protection to individuals and organizations across all industries. We are happy to report that more than 100 security vendors have expressed an interest in joining the alliance. As these vendors join, we think the network effect of the alliance will significantly benefit all customers.”

In short, the mobile malware hype is justified but it’s not a reason to get paranoid when downloading and using mobile apps. After all, danger always exists in cyberspace, whether you are on your mobile device or your computer. Simply be alert to when and where you share your login information, download apps only from trusted sources, and be careful about which websites and emails you open from your mobile device.