Android malware, which has seen a precipitous increase over the last year, is being hosted mainly on third-party Android markets, according to Finland-based antivirus company F-Secure Corp., which issued an analysis of 19 new mobile malware families.
The F-Secure Mobile Threat Report reviews the mobile threat landscape for the second quarter of 2012, finding that SMS Trojans offer the best return for financially motivated cybercriminals. The report documented a steady increase in what it calls "profit-motivated attacks," far outnumbering attacks that disrupt or attempt to brick a device.
The new malware strains are trending upward and are designed to continue the SMS-based attacks and other attack techniques used by previous versions of the malware, F-Secure said. The company's researchers found that FakeInst and OpFake, two closely related malware families, are tied to the bulk of the mobile malware being detected.
"In general, the new variants retain the same malicious behavior as found in the previous ones, only improving on the method used in defeating antivirus technology in order to avoid detection," F-Secure said.
Security experts have been warning of the steady increase in attacks targeting mobile devices. While the desktop remains the platform of choice for cybercriminals, new banking and payment technologies, including Near Field Communication (NFC), could make mobile devices a bigger target, experts say. Android has seen the most cybercriminal activity, but Apple iOS, Windows Phone and other mobile platforms could be targeted if cybercriminals can justify a business case for their attacks.
F-Secure received 5,033 malicious Android application package files, a 64% increase over the previous quarter. Android malware families ranked the highest, followed by malware families targeting Symbian devices and devices supporting Java 2 Platform, Micro Edition.
F-Secure said 81% of mobile malware can be classified as Trojans, followed by monitoring tools (10.1%) and malicious applications (5.1%). Trojans are designed to install hidden objects on mobile devices. They can alter and steal data or account credentials. Monitoring tools sometimes pose as antitheft or remote control programs. They often must also be manually installed on the targeted device.
The second quarter of 2012 saw the first instance of a drive-by attack targeting Android devices, F-Secure said. Malicious code embedded on a website would automatically download an application onto a user's device. The attack is limited, because the cybercriminal must then convince the device owner to install the malicious app using social engineering tactics.
F-Secure researchers also documented the use of Twitter as a bot mechanism in an SMS message scam targeting Android devices. The social network was used to communicate with the remote server address, to which the malware would forward the victim's phone number, Android ID and device International Mobile Equipment Identity (IMEI) number.
F-Secure said it is also keeping an eye on region-based attacks targeting mobile banking transactions. In Spain, the security firm said it detected cybercriminals using a malicious SMS message prompting mobile banking users to download a phony security application.