A number of schemes designed to defraud users of Google Android smartphones exist, but until attackers find a way to carry them out on a massive scale, the threat
The desktop is still far greater an attractive target for these attackers than the mobile space at this point.
Vikram Thakur, principle security response manager, Symantec Corp.
The Symantec Corp. report, “Motivations of Recent Android Malware,” outlines several ways attackers have made money by targeting users of Android smartphones. Premium rate number billing schemes, spyware and pay-per-click monetization schemes have been carried out against a small subset of users, but until attackers can maximize profits, the potential threat to most users remains low, said Vikram Thakur, Symantec's principle security response manager.
“There’s no better motivation than money,” Thakur said in an interview with SearchSecurity.com. “The desktop is still far greater an attractive target for these attackers than the mobile space at this point.”
The Mountain View, Calif.-based security vendor said an increase in mobile malware is dependent on three factors: an open platform, a ubiquitous platform and attacker motivation. So far, Google Android is gaining traction, surpassing Apple iOS in users, according to market share estimates. Remaining unclear is how Microsoft’s late entry into the mobile market takes away from the Android or iPhone user base. Also standing in the way of cybercriminals is the fragmented mobile phone market. Thousands of mobile network operators and different handset models often result in different versions of the Android operating system on phones.
Smartphone platforms are built differently than desktop operating systems. Sandboxing technology used in Android and iOS helps isolate attacks to specific applications, making it more difficult for attackers to tap into the critical processes needed to gain complete control of the smartphone.
Symantec outlined a premium rate number billing scheme in which an application taps into the smartphones SMS application to send text messages to premium rate numbers. Mobile network operators charge up to $50 per text message. The attacker receives 30-70% of the premium rate charge depending on the carrier, amount charged per message, and number of messages received, Symantec said.
Thakur said its very likely in the next several years that attacks designed for the desktop, from search engine poisoning to rogue antivirus schemes, can be applied to mobile platforms. Most smartphones rely on cloud-based services and the browser to tap into data, increasing the potential for Web-based attacks.
“There is a lot more real estate that the desktop malware authors have at their disposal, so the desktop will remain the most lucrative for years to come,” Thakur said. “Even though we’ve seen a surge in the number of financial transactions being performed on the phone, mobile users are still falling way short of similar transactions performed on the desktop.”
However, mobile platforms are rapidly becoming more attractive targets. Attackers are also busy designing malicious applications that can track and monitor all communications sent and received by a victim’s smartphone. Current spyware applications typically require physical access to the phone. Several malicious applications can be purchased on the black market for as much as $400. The threat potential exists for more sophisticated malware that can be installed remotely and is designed to steal sensitive data, Thakur said.
The mobile technology landscape is rapidly evolving. Near-field communication (NFC), a communications protocol that would enable a person to use the smartphone to pay for goods and services, could increase the threat potential, according to Symantec. While adoption of the technology could be up to two years away, once highly sensitive data, such as credit card data, is stored on the device, attackers could pounce, Thakur said.
“Consumers might be quick to adapt to new features on their phone, but vendors need to adapt to technology as well, and that’s going to take a long time,” Thakur said. “A smartphone may soon have the ability to make a payment at a gas station, but the gas station must support the technology; it takes far longer to achieve that on a large scale.”