News Stay informed about the latest enterprise technology news and product updates.

FortiGuard Labs sees fast rise of mobile malware in 2013

FortiGuard Labs reports a 30% increase in mobile malware so far in 2013, and cautions ransomware is also making an appearance on mobile devices.

During the past six months, FortiGuard Labs has seen a 30% uptick in mobile malware and is now tracking more than 300 unique Android malware families and at least 250,000 unique malicious Android samples.

New to mobile phones this year: ransomware. Ransomware is a favorite scam of fraudsters because it's proven to be a huge financial success for them.

In a new report, FortiGuard pointed out that while bring your own device is a fast-growing trend, the obvious downside is that when mobile malware infects an employee's device, it can wind up infecting an enterprise's network.

Even a few years ago, "mobile malware wasn't much of a concern for users or businesses," said Axelle Apvrille, senior mobile antivirus researcher for Fortinet's FortiGuard Labs. "Most malware at the time targeting smartphones and tablets was nothing more than annoyware like the Cabir virus or scam software used to commit SMS fraud or replace icons."

Back in 2009, the majority of mobile malware came from programmers in Russia and China targeting Nokia's Symbian OS because it commanded a large percentage of the user base. Now, the mobile threat landscape is expanding at a rapid rate, and FortiGuard Labs emphasized that Google's Android devices are becoming an attractive target for attackers.

Mobile ransomware

New to mobile phones this year: ransomware. Ransomware is a favorite scam of fraudsters because it's proven to be a huge financial success for them.

Richard Henderson, security strategist for FortiGuard Labs, isn't surprised to see them turn their attention to Android devices. "The Fakedefender malware for Android has the same method of operation as PC fake antivirus software -- it pretends to be altruistic but is really waiting to launch its true form. This malware then locks the victim's phone and demands payment before unlocking the device. Once the phone is locked, the victim can either pay the ransom or completely erase their device," he said.

Malware delivery

Which weaknesses do attackers love to exploit to serve up malware? They show a special affinity for targeting old holes after new patches are released for Ruby on Rails, Java, Adobe Acrobat and Apache, according to FortiGuard Labs.

Ruby on Rails

Earlier this year, for example, it was made public that a critical vulnerability in the Ruby on Rails framework could enable attackers to execute code on the underlying Web server. A Metasploit module was also made available to scan for the vulnerability, making it extremely easy to find a Web server to exploit.

In this case, the "exploit involved a flaw in the XML processor deserialization routine, which is used to create Ruby objects on the fly," Henderson noted. "Ruby on Rails was patched to correct this flaw, but four months later, it was discovered an attacker was searching for and exploiting unpatched Web servers to infect them with malware."


With Java, a zero-day exploit earlier this year enabled attackers to bypass the sandbox and run arbitrary Java code -- providing full access to the vulnerable computer. A Metasploit module was also created for this vulnerability to make it easy to find victims, FortiGuard Labs' report pointed out.

"This exploit involved a flaw in the Java management extensions component that allowed the malicious applet to elevate its privileges and run any Java code it wished," Henderson said.

Acrobat/Acrobat Reader

A fake PDF travel visa form from Turkey was used earlier this year to exploit Adobe's Reader software, according to FortiGuard Labs, which works with all recent versions of Adobe Reader (9.5.X, 10.1.X, and 11.0.X) and on most versions of Microsoft Windows and most Mac OS X systems.

Fraudsters used this exploit to install malware on their targets' computers, and the exploit continues to be used as a malware delivery method -- long after Adobe released a patch for the Reader flaws.


The Apache Web server was attacked in late April with CDorked, malware that compromises Web servers and redirects visitor traffic to other servers that deliver malware using the BlackHole exploit kit.

"CDorked had a built-in quota," Henderson explained. "In other words, CDorked didn't attempt to redirect every visitor to a BlackHole site. It also hid from users attempting to access administrative pages on the compromised Web server in an attempt to keep users who may have been more likely to notice a redirect to a crimeware delivery site from discovering the compromise."

CDorked isn't alone in its stealth, he added, because other malicious types of malware have built-in intelligence to watch for malware analysts and other white-hat hackers.

Dig Deeper on Malware, virus, Trojan and spyware protection and removal

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.