In the fast-moving smartphone industry, it took mobile phone manufacturers a little more than 10 years to transform brick-like mobile creations into the current state-of-the-art pieces. On the other side of the fence, the bad guys are ramping up production of mobile malware to squeeze as much as possible from the rapidly growing segment.
The following breakdown is based on a three-month analysis of Android e-threats identified in the Bitdefender antimalware labs and covers the most important five security risks for Android OS users.
The distribution chart of the top Android theats in November 2011:
Although attacks on smartphones have intensified and diversified, the dialers – one of the first threats to target the mobile world – rank highest in the Android infections top, with a total of 36.59%. Also known as premium-rate SMS senders, these dialers are a combination of computer malware and traditional phone con. As a rule, the malicious code takes the guise of legitimate applications or a pirated version of a popular legitimate one to trick the users into downloading and installing them on their smartphones. They mainly end up sending SMSs to premium rate numbers, mostly in Russia.
Another widespread approach is the â€œprivate information stealerâ€. With this spy tool, crooks retrieve details from usersâ€™ smartphones about both the phones and their users, including GPS coordinates, contact lists, e-mail addresses, uploaded data etc. The malicious code becomes more complex and the perpetratorsâ€™ interest shifts from pranks and â€œsnooping on the girlfriend appsâ€ to proper spying tools with wider repercussions. This could end in, say, theft of companyâ€™s a sensitive data through an employee.
And now letâ€™s look at the first five Android malware hits individually:
Android.Trojan.FakeInst â€“ 36.59 %
Pretending to be an installer of applications such as browsers, antiviruses or instant messengers for mobiles, Android.Trojan.FakeInst shakes good money out of the user. Once the user downloads and installs the app, the Trojan starts sending several SMSs to premium-rate numbers. Some samples need confirmation from the user whereas others donâ€™t. Noteworthy is that this Trojan changes its icon regularly to prevent users from spotting down, while carrying the same configuration file with a link toward the app to be installed. And to further trick users into believing they deal with different applications, Android.Trojan.FakeInst inserts an image several times to modify the file size.
Android.Adware.Mobsqueeze â€“ 5.66%
Posing as a power-saving patch, with catchy names such as Battery Doctor or Battery Upgrade, Android.Adware.Mobsqueezeis a piece of adware with spy capabilities. It employs the same tactics as the ill-fated Rogue AV on PCs, namely, it advertises a method of boosting battery life to trick people into downloading it. It turns out to be a spying tool that calls the advertising server and siphons out information about the device and its owner.
Android.Spyware.SMSReplicator â€“ 1.75%
This application secretly forwards to a predetermined phone number all SMS messages on the victimâ€™s phone. It has no icon, which makes it difficult to detect and the applicationâ€™s window only pops up as soon as the attacker sends the compromised phone an SMS with a special password as text. The same SMS trick with a password as message body is used for its activation and configuration, which outlines the backdoor component in this app.
Android.Trojan.FakePlayer â€“ 1.65%
Android.Trojan.FakePlayer passes itself off as a video player application. However, once installed, it silently sends premium-rate SMS messages worth $5 to Russian phone numbers without requiring confirmation or interaction from the smartphone owner. During installation, the rogue app lays the ground by asking for permission to change or delete the memory card, send SMS or access data about the device or phone owner which will come in handy once it starts the malicious work.
Android.Trojan.Walkinwat â€“ 1.00%
Android.Trojan.Walkinwat claims to be a pirated version of a known application, whereas it acts as a spy sending IMEI, additional phone data, contact names and the associated phone numbers to a remote server. Â According to Android.Trojan.Walkinwat specifications, the Trojan could also initiate calls without using the phoneâ€™s interface, to turn the phone on and off, or to open network sockets to access the Internet. Meanwhile, it sends SMSs to all contacts in the phone.
This article is based on the technical information provided courtesy of Vlad Constantin ILIE, BitDefender Malware Researcher.
All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.