
Lookout Mobile Threat Report

August 2011

Table of Contents

Highlights ... 3
Research Methodology ... 3
Why Mobile Security is Important ... 3
Mobile OS Security Model Comparison ... 4
Platform Vulnerabilities and Patch Management ... 5
Mobile Threats ... 7
Mobile Malware Trends ... 9
What's Next? ... 23
Tips To Stay Safe ... 25
About Lookout ... 25

HIGHLIGHTS
o Both web-based and app-based threats are increasing in prevalence and sophistication. Android users are two and a half times as likely to encounter malware today as they were six months ago, and three out of ten Android owners are likely to encounter a web-based threat on their device each year. An estimated half million to one million people were affected by Android malware in the first half of 2011; the number of Android apps infected with malware grew from 80 in January to over 400 cumulative in June 2011. Attackers are deploying a variety of increasingly sophisticated techniques to take control of the phone, personal data, and money. Additionally, malware writers are using new distribution techniques, such as malvertising and update attacks.

RESEARCH METHODOLOGY
The findings in this report are based on data collected and analyzed by Lookout through our Mobile Threat Network, which includes the world's largest database of applications and aggregates detection results from mobile devices throughout the world. The Lookout Mobile Threat Network gathers application data from a variety of sources, including official application markets, such as the Android Market and Apple App Store, as well as alternative markets in which apps are distributed.


WHY IS MOBILE SECURITY IMPORTANT


Mobile devices are the fastest growing consumer technology, with worldwide unit sales expected to increase from 300 million in 2010 to 650 million in 2012.[1] Mobile applications are likewise booming. In June 2011, for the first time ever, people on average spent more time using mobile applications (81 minutes) than browsing the mobile web (74 minutes).[2] While once limited to simple voice communication, the mobile device now enables us to also send text messages, access email, browse the Web, and even perform financial transactions. Even more significant, apps are turning the mobile device into a general-purpose computing platform. In just three short years since introducing the iPhone SDK in 2008, Apple boasts over 425,000 apps available for iOS devices. Seeing similarly explosive growth, the Android Market now contains over 200,000 apps after only a short period of time.[3]

1 Roberta Cozza, "Forecast: Mobile Communications Devices by Open Operating System, Worldwide, 2008-2015," Gartner, April 5, 2011
2 Flurry (June 2011), "Mobile Apps Put the Web in Their Rear-view Mirror": http://blog.flurry.com/bid/63907/Mobile-Apps-Put-the-Web-in-Their-Rear-view-Mirror
3 Erica Ogg, "HP: Number of mobile apps doesn't matter," CNET News, June 29, 2011

As mobile devices grow in popularity, so do the incentives for attackers. Mobile malware, for example, is clearly on the rise, as attackers experiment with new business models by targeting mobile phones. Recently over 250,000 Android users were compromised in an unprecedented mobile attack when they downloaded malicious software disguised as legitimate applications from the Android Market.[4] The emergence of mobile payments is another key driver of mobile threats. The value of mobile payment transactions is projected to reach almost $630 billion by 2014, up from $170 billion in 2010.[5] Vendors, retailers, merchants, content providers, mobile operators, and banks are all actively establishing new payment services. Mobile payments create an attractive target for attackers, as they allow direct monetization of attacks. In addition to financial information, mobile devices store tremendous amounts of personal and commercial data that may attract both targeted and mass-scale attacks.

Every day hundreds of apps are added to the Android Market and Apple App Store.

MOBILE OS SECURITY MODEL COMPARISON


Although history has repeatedly demonstrated that it is virtually impossible to create a perfectly secure system, mobile operating system developers have learned from security mistakes of the PC world. Android and iOS have each taken an innovative approach to securing both the operating system and application distribution process.

iOS
On the device itself, Apple's iOS security model runs each third-party application in an isolated environment so that the application may only access its own data and permitted system resources. All third-party applications are granted access to the same data and capabilities on the device, with the exception of a few, such as location data and push notifications, which require a user to opt in for each application. In terms of app distribution, Apple's App Store for iOS uses a curated app review model in which all apps submitted by developers go through a manual review process with restrictions based on policies regarding issues such as data collection, API usage, content appropriateness, and user interface guideline compliance. This model is designed with the assumption that apps will only be downloaded from Apple's App Store, as some security restrictions are enforced during the review process but not necessarily enforced on the device itself. The assumption generally holds, as iOS devices prevent users from loading applications from sources other than Apple's App Store unless the device has been jailbroken. Jailbreaking is a process whereby the user alters the phone's operating system to gain full access (root access) to the operating system and allow applications not officially vetted by Apple, many of which take advantage of operating system capabilities otherwise restricted by Apple's review policies.

4 Lookout Mobile Security Blog (March 2011), "Update: Security Alert: DroidDream Malware Found in Official Android Market": http://blog.mylookout.com/2011/03/security-alert-malware-found-in-official-android-market-droiddream/
5 Howard Wilcox, "Mobile Payments Markets: Strategies & Forecasts 2010-2014," Juniper Research, May 2010

Android
Android has an operating system security model that supports its open application distribution model. In the Android OS security model, an application's capabilities are gated by permissions that the application declares in its manifest; they are granted when the app is installed and cannot be changed later. When installing an application, users are presented with the list of permissions requested by the application and can determine whether the permissions are appropriate for the functionality of the app. Permissions allow applications to access specific data and capabilities on a device, including location, contacts, SMS messaging, identity information, and the ability to access the Internet. If an application's permissions seem overreaching, a user may choose not to install the app or may identify it as suspicious. While the Android permissions model enables developers to provide a broad range of functionality in their apps, it does rely on end users' ability to evaluate the permissions requested by an app at the time of installation.

In terms of app distribution, the Android operating system uses an open application distribution model that allows users to download applications from a variety of sources, including Google's Android Market, Amazon's Appstore for Android, carrier markets such as Verizon's V CAST network, and other alternative app markets. Android also has a setting, often referred to as sideloading, that enables or disables the capability to install applications from sources outside the Android Market. Android thus supports multiple application distribution methods. For example, Amazon's Appstore for Android and Verizon's V CAST apps use a curated model with a manual review process similar to Apple's, while Google's Android Market is based on a community-enforced model in which some security checks are performed when applications are submitted to the market, but the community as a whole is expected to participate in identifying malicious or otherwise undesirable applications. This allows Android developers to update their applications much more quickly than with the curated model.


PLATFORM VULNERABILITIES AND PATCH MANAGEMENT


In any complex software system, there are bound to be flaws and security vulnerabilities. Mobile device operating systems are no exception. Security vulnerabilities in mobile operating systems and applications are regularly identified and must be fixed to prevent attackers from using them to compromise systems. In fact, a number of vulnerabilities have been exploited on both Android and iOS devices. For example, the DroidDream malware that emerged in the Android Market in the first quarter of 2011 used two exploits, Exploid[6] and RageAgainstTheCage[7], to break out of the Android security sandbox, gain root control of the operating system, and install applications without user intervention.[8] Similarly, JailbreakMe 3.0 for iOS devices is a non-malicious web page that exploits two vulnerabilities to jailbreak a device.[9]

As with PCs, software patches are used to fix vulnerabilities on mobile devices. In the PC world, common processes like patch management are relatively simple: software vendors deliver online updates to licensed users on a regular schedule or as needed. On mobile devices, depending on the nature of the vulnerability, a patch may be as simple as updating a single application or as complex as a firmware update that involves both the device manufacturer and the carrier. Critical vulnerabilities on mobile devices, such as kernel or web browser issues, often require a firmware update if they occur in software that is highly integrated into the operating system.

Given the differences in the mobile ecosystems, patch management processes vary by OS. In the case of Android, Google regularly produces updates to fix security vulnerabilities in the Android OS within days of discovery and pushes the fixes into the Android Open Source Project (AOSP). Next, it is up to device manufacturers to produce a device-specific firmware update incorporating the fix, which can take a significant amount of time if there are proprietary modifications to the device's software. Device manufacturers typically pull the patch from the AOSP repository, merge in their modifications, and produce a new firmware update. This process is complicated by the fact that a single device model may require a large number of separate update builds to support carrier-specific customizations. Once a manufacturer produces a firmware update, it is up to each carrier to test it and deploy it to users. For users, the process to install an update is rather simple: they typically receive the update over-the-air (OTA) and confirm its installation.

On iOS, security updates typically require Apple to produce a new firmware build, an operator to test the firmware build, and a user to sync with iTunes to install the patch. Because there are fewer parties in the iOS ecosystem (Apple, operators, and users), firmware updates are typically made available more quickly to a broad base of users than with Android. To apply an iOS firmware update, users must sync with iTunes. Unfortunately, many users simply plug their iOS devices into an outlet to charge them and rarely sync. According to one report, as many as 50 percent of iPhone users do not regularly sync with iTunes and thus are unlikely to receive critical security updates.[10] This failure to sync means that many users do not apply updates, even though they may be available.

Both Google and Apple are taking steps to improve the state of patching on their respective platforms. The Android team has announced that it intends to enforce an 18-month minimum support cycle for all Android devices to ensure that devices receive software updates throughout their expected lifetime.[11] Apple has announced that its upcoming iOS 5 will support firmware updates downloaded over the air and will not require syncing with a computer to apply them.[12]

6 C-Skills (July 23, 2010): http://c-skills.blogspot.com/search?q=exploid
7 C-Skills (July 15, 2010): http://c-skills.blogspot.com/


8 Lookout Mobile Security Blog (March 2011), "Android Malware DroidDream: How it Works": http://blog.mylookout.com/2011/03/android-malware-droiddream-how-it-works
9 http://esec-lab.sogeti.com/post/Analysis-of-the-jailbreakme-v3-font-exploit
10 http://onefps.net/post/6496478249/50percent-of-iphone-owners-dont-backup
11 http://www.engadget.com/2011/05/10/google-clarifies-18-month-android-upgrade-program-details-far-f
12 http://www.apple.com/pr/library/2011/06/06New-Version-of-iOS-Includes-Notification-Center-iMessage-Newsstand-Twitter-Integration-Among-200-New-Features.html

Conflict of Interest in Vulnerability Disclosure


Many mobile devices do not offer users full control over their device hardware or operating system. To gain complete control, people root or jailbreak their device. The process of rooting or jailbreaking takes advantage of operating system vulnerabilities to bypass security protections on a device. Software vendors want to fix vulnerabilities as quickly as possible, before they can be exploited and used maliciously, so well-intentioned researchers typically disclose vulnerabilities they find to the software vendor. On mobile devices, however, there is a conflict of interest. Because vulnerabilities are often the only way to root or jailbreak devices, many researchers do not want vulnerabilities to get fixed, so that they can maintain full control over their devices. The desire to gain full control over devices thus creates a disincentive for researchers to disclose vulnerabilities. This conflict between vulnerability disclosure and people's ability to fully control their own devices poses a serious security issue: once a vulnerability being used to root or jailbreak devices becomes public knowledge, it may also be used by malicious attackers, as DroidDream demonstrated. Until all mobile devices allow users to gain full control without resorting to exploits, this conflict of interest between control and safety is likely to continue.


MOBILE THREATS
As with PCs, there are a variety of security threats that can affect mobile devices. We split mobile threats into several categories: application-based threats, web-based threats, network-based threats and physical threats. For the sake of brevity, this list is intended to be a general overview of the most important mobile threats, not an exhaustive treatment of all possible threats.

Application-based Threats
Downloadable applications present many security issues on mobile devices, including both software specifically designed to be malicious as well as software that can be exploited for malicious purposes. Application-based threats generally fit into one or more of the following categories:

MALWARE is software that is designed to engage in malicious behavior on a device. For example, malware can commonly perform actions without a user's knowledge, such as making charges to the user's phone bill, sending unsolicited messages to the user's contact list, or giving an attacker remote control over the device. Malware can also be used to steal personal information from a mobile device, which could result in identity theft or financial fraud.

SPYWARE is designed to collect or use data without a user's knowledge or approval. Data commonly targeted by spyware includes phone call history, text messages, location, browser history, contact list, email, and camera pictures. Spyware generally fits into two categories: it can be targeted, designed for surveillance of a particular person or organization, or untargeted, designed to gather data about a large group of people. Depending on how it is used, targeted spyware may or may not be considered malicious, such as in the case of a parent using a text messaging or location monitoring application on a child's phone.

PRIVACY THREATS may be caused by applications that are not necessarily malicious (though they may be), but gather or use more sensitive information (e.g., location, contact lists, personally identifiable information) than is necessary to perform their function or than a user is comfortable with.

VULNERABLE APPLICATIONS contain software vulnerabilities that can be exploited for malicious purposes. Such vulnerabilities can often allow an attacker to access sensitive information, perform undesirable actions, stop a service from functioning correctly, automatically download additional apps, or otherwise engage in undesirable behavior. Vulnerable applications are typically fixed by an update from the developer.

Web-based Threats
Because mobile devices are often constantly connected to the Internet and used to access web-based services, web-based threats that have historically been a problem for PCs also pose issues for mobile devices:

PHISHING SCAMS use web pages or other user interfaces designed to trick a user into providing information such as account login information to a malicious party posing as a legitimate service. Attackers often use email, text messages, Facebook, and Twitter to send links to phishing sites.

DRIVE-BY-DOWNLOADS automatically begin downloading an application when a user visits a web page. In some cases, the user must take action to open the downloaded application, while in other cases the application can start automatically.

BROWSER EXPLOITS are designed to take advantage of vulnerabilities in a web browser or in software that can be launched via a web browser, such as a Flash player, PDF reader, or image viewer. Simply by visiting a web page, an unsuspecting user can trigger a browser exploit that can install malware or perform other actions on a device.

Network Threats
Mobile devices typically support cellular networks as well as local wireless networks. There are a number of threats that can affect these networks:

NETWORK EXPLOITS take advantage of software flaws in the mobile operating system or other software that operates on local (e.g., Bluetooth, Wi-Fi) or cellular (e.g., SMS, MMS) networks. Network exploits often do not require any user intervention, making them especially dangerous when used to automatically propagate malware.

WI-FI SNIFFING can compromise data being sent to or from a device by taking advantage of the fact that many applications and web pages do not use proper security measures, sending their data in the clear (not encrypted) so that it may be easily intercepted by anyone listening across an unsecured local wireless network.

Physical Threats
Since mobile devices are portable and designed for use throughout our daily lives, their physical security is an important consideration.

LOST OR STOLEN DEVICES are one of the most prevalent mobile threats. The mobile device is valuable not only because the hardware itself can be re-sold on the black market, but more importantly because of the sensitive personal and organizational information it may contain.


TRENDS
Mobile security issues are present on all major mobile platforms, though threats affect each platform differently. In this report, we specifically focus on iOS and Android. Application-based threats affect both iOS and Android. Currently, malware and spyware have primarily targeted Android devices, though there are commercial spyware applications available for jailbroken iOS devices. According to our data, in June of 2011 Android users were two and a half times more likely to encounter malware than just six months ago. While malware has increased at a faster rate than spyware, Android users are still slightly more likely to encounter spyware than malware. Privacy issues affect both platforms. Web-based threats that carry over from the PC, such as phishing, generally do not discriminate by platform. iOS has been more notably affected by browser exploitation (although only in a non-malicious way, to jailbreak devices[13]), while Android has begun to see drive-by-downloads in the wild.[14] Based on the incidence of web-based threats in June 2011, approximately three out of ten people are likely to click on an unsafe link each year.

13 http://www.jailbreakme.com
14 http://blog.mylookout.com/2011/06/security-alert-android-trojan-ggtracker-charges-victims-premium-rate-sms-messages

DIAGRAM 1: 3 in 10 people are likely to encounter an unsafe link this year

APPLICATION-BASED THREATS
In this section we explore some of the prevalent and emerging trends related to application-based threats, including distribution and functionality trends in malware and spyware, privacy issues, and application vulnerabilities.

Malware and Spyware


Malware and spyware are primarily targeting Android currently, though there are notable pieces of commercial spyware targeting iOS devices as well. In 2010, spyware (targeted and untargeted) was far more prevalent than malware across the Android user base, but the trend has shifted, as malware has made significant gains against spyware. Of the threats Lookout detected in the wild during June 2011, 48% were malware vs. 52% spyware.

DIAGRAM 2: Application-based Threats Breakdown, Jan 2011 vs. June 2011
Jan 2011: 34% malware, 66% spyware
June 2011: 48% malware, 52% spyware

Not only has malware grown more rapidly than spyware, there has also been a steady growth in the number of applications infected with malware, increasing from 80 to 400 unique applications in the first six months of 2011. Worldwide, the likelihood of encountering malware varies from less than 1% to more than 4% depending on country.


DIAGRAM 3: Estimated Annual Mobile Malware Infection Rate 2011 (likelihood per year by country: <1%, 1-2%, 2-3%, 3-4%, 4%+)

DIAGRAM 4: Malware Infected Apps (number of infected apps, 50 to 400, by month from Jan 2011 to July 2011)

In the next section, we examine malware and spyware trends in three important aspects: how attackers entice users to download; distribution methods; and capabilities.

Social Engineering: How Attackers Entice People to Download Malware and Spyware
People, obviously, do not purposefully download malware or spyware to their devices, so attackers must use techniques to mislead users into downloading it unknowingly. Once an attacker convinces someone to download a malicious app, then the technical hacking can begin.


REPACKAGING is a very common tactic in which a malware writer takes a legitimate application, modifies it to include malicious code, then republishes it to an app market or download site. The repackaging technique is highly effective because it is often difficult for users to tell the difference between a legitimate app and its repackaged doppelganger. In fact, repackaging was the most prevalent type of social engineering attack used by Android malware writers in the first two quarters of 2011. The types of applications most frequently repackaged with malware include games, utilities, and porn apps. For example, DroidDreamLight was originally found in 20 utility, 9 porn and 5 game apps in the Android Market.[15] Diagram 5 lists several examples of apps repackaged with malware:


Gaming Apps: BubbleBuster, repackaged with DroidDreamLight; Chess, repackaged with DroidDream; Spiderman, repackaged with DroidDream
Utility Apps: Battery Saver app, repackaged with GGTracker; Scientific Calculator app, repackaged with DroidDreamLight
Porn Apps: Porn app, repackaged with GGTracker

DIAGRAM 5: Examples of apps repackaged with malware

Repackaged apps containing malware create a crisis of trust. To the naked eye, a legitimate app and a repackaged version often look the same, with the exception of their permissions. Apps repackaged with malware typically, though not always, require a greater set of permissions than the original app. In some cases, malware writers will pirate paid applications and make them available for free, injecting malware into the pirated version. The illustration in Diagram 6 details an example of the process used by malware writers to take legitimate apps from the Android Market, repackage them with malware, and introduce the repackaged versions into third-party app stores.

15 http://blog.mylookout.com/2011/05/security-alert-droiddreamlight-new-malware-from-the-developers-of-droiddream/


DIAGRAM 6: How an App is Repackaged
1. Legitimate developer creates a game called Monkey Jump.
2. Developer uploads the game to the Android Market.
3. Malicious developer takes the legitimate game and repackages it with malware.
4. Malicious developer uploads the game to a 3rd party app store.
5. End user downloads the game with malware.
6. Malicious developer can control the phone remotely and access the user's private information: send location, send contact info, send and read SMS messages, place phone calls, silently download files, launch web browser, and more.


MISLEADING DISCLOSURE. Just as PCs have had to contend with spyware and adware that walks the line between being malicious and simply being undesirable, so do mobile devices. Misleading apps may not necessarily violate an application market's acceptable use agreement, or even their own terms of service, which makes them difficult to block or remove despite their being clearly undesirable. One way misleading apps walk the line is to disclose their functionality in a way that a user would technically agree to but is unlikely to actually notice, by burying the information in fine print in the app or in the app's terms of use. One example, discovered in June 2011, is Plankton, which had invasive tracking built into the app but disclosed the functionality in its EULA (End-User License Agreement). Because of this disclosure, Plankton may not be classified as malicious, but it is something people probably do not want installed.


DIAGRAM 7: Fine print from a GGTracker dialog: "user agrees by pressing Okay to sign up for premium sms ringtone subscription service for 9.99 per month. User may cancel subscription at anytime by replying to ringtone shortcode STOP. if user quits within 24 hours user will not be billed $9.99. User understands that tic-tac-toe app will message users friends when a game initiated by end user."

DIAGRAM 8: Update attack example (Legacy, a.k.a. DroidKungFu)

In another example (see Diagram 7), a version of GGTracker disclosed in fine print on a user interface dialog that charges would be made to the user's phone bill every month in the form of a premium SMS ringtone service in order to get access to the app, even though such services are likely entirely unrelated to the app's functionality.


UPDATE ATTACKS. Recently malware writers have begun using application updates as an attack method in the Android Market. A malware writer first releases a legitimate application containing no malware. Once it has a large enough user base, the malware writer updates the application with a malicious version. Because many users have their devices set to automatically update applications, or will manually update whenever a new version is available, the update attack technique minimizes the amount of time malware is in the market before it is installed on a large number of devices. We first observed this technique being used in the wild by the creators of Legacy (a.k.a. DroidKungFu); an example can be seen in Diagram 8.
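Both the repackaging case (a legitimate app beside its repackaged doppelganger, as in Diagram 6) and the update attack case (a version of an app beside the update that replaces it) come down to the same check a reviewer can run: which permissions did the new package gain? The following Python script is an added example, not code from this report or from Lookout. It assumes both manifests have already been decoded from the APK's binary XML to plain text (for example with apktool); the two manifests, the package name com.example.monkeyjump and the list of high-risk permissions are constructed for the example.

```python
"""Diff the permissions declared by two Android manifests.

Added example: compares an app's original manifest with a repackaged copy or
with an update of the same package and flags newly requested high-risk
permissions. Assumes the manifests are already decoded to plain XML.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions a game or simple utility rarely needs. Gaining one of these
# across a repackaging or an update is the signal this script looks for.
# The list is an example threshold, not an exhaustive policy.
HIGH_RISK = {
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.CALL_PHONE",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.INSTALL_PACKAGES",
}


def parse_manifest(xml_text):
    """Return package name, versionCode and the set of declared permissions."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    return {
        "package": root.get("package"),
        "version_code": int(root.get(ANDROID_NS + "versionCode", "0")),
        "permissions": {p for p in perms if p},
    }


def compare_manifests(old_xml, new_xml):
    """Diff two manifests and single out high-risk permissions the new one adds."""
    old, new = parse_manifest(old_xml), parse_manifest(new_xml)
    added = new["permissions"] - old["permissions"]
    return {
        "same_package": old["package"] == new["package"],
        "version_change": (old["version_code"], new["version_code"]),
        "added": sorted(added),
        "removed": sorted(old["permissions"] - new["permissions"]),
        "high_risk_added": sorted(added & HIGH_RISK),
    }


# Constructed sample: a game that only needs network access...
ORIGINAL_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.monkeyjump" android:versionCode="1">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Monkey Jump"/>
</manifest>"""

# ...and a repackaged (or updated) copy whose extra permissions match the
# capabilities listed in Diagram 6: location, contacts, SMS, calls.
REPACKAGED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.monkeyjump" android:versionCode="2">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Monkey Jump"/>
</manifest>"""


if __name__ == "__main__":
    report = compare_manifests(ORIGINAL_MANIFEST, REPACKAGED_MANIFEST)
    print("same package:", report["same_package"], "version:", report["version_change"])
    for perm in report["added"]:
        marker = "HIGH RISK" if perm in HIGH_RISK else "added"
        print(f"  {marker:9} {perm}")
```

The same diff serves both passages: for a suspected repackaging, feed it the Market copy and the third-party-store copy; for a suspected update attack, feed it the previously installed version and the update. A benign functional change (ACCESS_NETWORK_STATE here) shows up in the added list without being flagged, which is why the high-risk set is kept separate rather than treating any new permission as hostile.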

Distribution: How Attackers Make Malware Available


In order to get in front of users, malware writers use a variety of techniques. In this section we cover some of the most notable distribution trends we've seen thus far in 2011.

SHOTGUN DISTRIBUTION
Malware writers target both the official Android Market and alternative, geographically targeted markets. In many cases, attackers will publish a large number of apps across multiple developer accounts and multiple markets in order to maximize the number of users they infect. For example, the makers of DroidDream published over 80 unique applications with DroidDream and DroidDreamLight malware variations under a variety of developer names, while Legacy has been published in over 60 apps primarily distributed outside the Android Market.

DIAGRAM 9: DroidDream Infected Apps (number of infected apps, 0 to 100, by month from March 2011 to July 2011)

MALVERTISING, or malicious advertising, is another tactic used by attackers to lure people into downloading malware. Because legitimate developers commonly use in-app advertisements to gain more users, people are used to downloading apps via advertisements. In the case of malvertising, a malware writer buys mobile ads directing users to download malware from the Android Market or from a fake site designed to imitate the Android Market.

DIAGRAM 10: How Malvertising Works
Malicious ad: clicking on the ad directs the user to a malicious web page.
Malicious website imitating the Android Market: upon visiting the site, a download of a bad application automatically begins.

GGTracker used malvertising to successfully encourage many people to download malware. In Diagram 10, the makers of GGTracker created an extremely vague ad, Game Request, that looks like a notification and directs a user to a malicious website that imitates the Android Market and automatically starts a drive-by-download.

DRIVE-BY-DOWNLOADS are a class of technique where a web page automatically starts downloading an application when a user visits it. Drive-by-downloads can be combined with clever social engineering tactics (e.g. GGTracker) to appear as if they are legitimate. On Android, because the browser does not automatically install downloaded applications, a malicious website also needs to encourage users to open the download to actually infect the device with malware. As shown in Diagram 11, the GGTracker drive-by-download site also encouraged users to click on the app download notification, claiming that the app is a trusted download. Drive-by-downloads are significant because the malicious apps are hosted outside of app markets, where they might otherwise be more easily detected.


DIAGRAM 11

Malware Capabilities
In addition to trends in how malware and spyware get onto mobile devices, there are also emerging trends in what such applications do once they are installed.

PREMIUM-RATE TEXT MESSAGES (SMS MESSAGES) are an important way for people to charge purchases to their phone bills. Because of its ease of use as a phone payment mechanism, SMS billing is used by many legitimate services; however, malware can also use premium-rate SMS messages to steal money. Previous instances of malware targeted users in Russia and China, but malware using premium-rate SMS messages began targeting U.S. users in early June with the emergence of GGTracker. Premium-rate SMS malware will also typically intercept any SMS messages from the SMS service to prevent a user from becoming aware of the charge. This type of malware has even been able to dynamically support multiple premium-rate SMS services. For example, GGTracker utilized over 15 different apps and 21 different SMS shortcodes.
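The two behaviours described above, outbound messages to premium short codes and suppression of the service's reply, are both visible if one can log SMS traffic at the telephony layer and compare it with what the user's inbox shows. The script below is an added example (not code from this report or from Lookout) of that comparison. It assumes a logging vantage point that records each outbound SMS together with the sending app, which stock Android of this era does not expose to third-party software; the log lines, the inbox contents, the short codes and the package names are all constructed.

```python
"""Spot premium-rate SMS abuse in a constructed message log.

Added example: flags apps that send to premium short codes and finds inbound
short-code messages (subscription confirmations, charge notices) that were
seen by the telephony layer but never reached the user's inbox. Assumes a
logging hook that attributes each outbound SMS to an app; all data is made up.
"""
import re
from collections import Counter
from datetime import datetime

# Premium short codes are typically 4 to 6 digits; normal numbers are longer.
SHORT_CODE = re.compile(r"^\d{4,6}$")

# Constructed log format: <ISO timestamp> <IN|OUT> <sending app or -> <number> "<body>"
LOG_LINE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<direction>IN|OUT)\s+(?P<app>\S+)\s+(?P<number>\S+)\s+"(?P<body>.*)"$'
)


def parse_log(text):
    events = []
    for line in text.strip().splitlines():
        match = LOG_LINE.match(line.strip())
        if match:  # skip lines that do not fit the format
            event = match.groupdict()
            event["ts"] = datetime.fromisoformat(event["ts"])
            events.append(event)
    return events


def flag_premium_senders(events, threshold=2):
    """Apps that sent at least `threshold` messages to short codes, with their codes."""
    sends = {}
    for ev in events:
        if ev["direction"] == "OUT" and SHORT_CODE.match(ev["number"]):
            sends.setdefault(ev["app"], Counter())[ev["number"]] += 1
    return {
        app: dict(codes) for app, codes in sends.items()
        if sum(codes.values()) >= threshold
    }


def find_suppressed(events, inbox):
    """Inbound short-code messages the radio saw but the user never did."""
    visible = {(msg["number"], msg["body"]) for msg in inbox}
    return [
        ev for ev in events
        if ev["direction"] == "IN"
        and SHORT_CODE.match(ev["number"])
        and (ev["number"], ev["body"]) not in visible
    ]


# Constructed sample: a "battery saver" signs the user up to two services and
# swallows the confirmation; an ordinary text from a friend passes through.
SAMPLE_LOG = """
2011-06-20T14:03:11 OUT com.example.batterysaver 41000 "TC"
2011-06-20T14:03:12 OUT com.example.batterysaver 41000 "YES"
2011-06-20T14:03:40 OUT com.example.batterysaver 92222 "SUB"
2011-06-20T14:04:02 IN  - 41000 "Welcome! You are subscribed for $9.99/month. Reply STOP to cancel."
2011-06-20T14:10:55 IN  - +15555550123 "lunch?"
2011-06-20T15:30:00 OUT com.example.messenger +15555550123 "sure, noon"
"""

# What the user sees in the messaging app: the friend's text only.
SAMPLE_INBOX = [
    {"number": "+15555550123", "body": "lunch?"},
]


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("premium senders:", flag_premium_senders(events))
    for ev in find_suppressed(events, SAMPLE_INBOX):
        print("suppressed:", ev["number"], ev["body"])
```

The second check is the more telling one: a single text to a short code can be a legitimate purchase, but a confirmation that arrived at the radio and never appeared in the inbox means something on the device consumed it before the messaging app could. On Android of this period that is done by registering a receiver for the incoming-SMS broadcast at a higher priority than the messaging app and aborting the broadcast, which is why the RECEIVE_SMS permission on an app with no messaging purpose deserves attention.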

BOTS are an emerging trend in mobile malware that, like their PC counterparts, communicate with and receive instructions from one or more command-and-control (C&C) servers, giving the malware writer remote control over all infected devices. Malware in the wild has supported a wide range of commands, including the ability to:
o send SMS messages
o copy SMS messages stored on the device to a server
o copy the contact list stored on the device to a server
o install an application
o remove an application
o dial a phone number
o open a web page
o change the list of C&C servers to connect to


Malware writers will typically obfuscate their code and use encryption to hide critical data such as the list of C&C server names. Bots also typically obfuscate or encrypt their network traffic to avoid being easily detectable. Typically, installing additional apps onto the device requires the user to click yes to the installation pop-up, though in cases where the malware exploits vulnerabilities (e.g. DroidDream, jSMSHider), a bot can install additional apps without any user knowledge or intervention.

PRIVILEGE-ESCALATION EXPLOITS are pieces of software that take advantage of vulnerabilities to gain full access to a device. Under normal circumstances, mobile applications run in a security sandbox so they cannot cause too much harm; however, if malware is successful in escalating its privileges, it is able to perform actions not normally allowed to apps. DroidDream contained two exploits, Exploid and RageAgainstTheCage, that it used to gain root access and install a secondary app that allowed the malware to install additional apps without the user knowing. Another piece of malware, jSMSHider, was signed with a compromised key that also allowed it to install applications without user intervention on any mobile device firmware builds that were also signed with that key.

TARGETED SPYWARE (SURVEILLANCE) APPLICATIONS. Because mobile devices often carry a wealth of personal information, there's a strong incentive for people to use tools to track or monitor mobile users. Unlike malware and untargeted spyware, targeted spyware apps are typically installed by somebody who has physical access to a victim's mobile device. Commercial surveillance apps promoted for use in monitoring spouses, children, and other targets can cost anywhere from a few to hundreds of dollars. The functionality in surveillance apps often includes the ability to gather phone call history, listen to actual phone calls, view browser history, track location, gather SMS message history, and more. Notably, many surveillance applications support Android as well as jailbroken iOS devices. These apps often have very legitimate use cases and are not always used maliciously.

App Threat Profiles

DROIDDREAM is malware that became available via the Android Market in Q1 2011 and has affected an estimated 250,000 mobile users to date.

DIAGRAM 12: DroidDream Variant Prevalence (incidents per 1MM users by date, March 2011 through July 2011; panels: DroidDream, DroidDreamLight)

Discovered in early March 2011, DroidDream is an example of malware that acts as a bot and uses two exploit payloads in its attempts to gain root access to infected devices. Once the malware exploits a device, it attempts to contact a remote server and accept commands. Since the initial discovery of DroidDream we've seen a variant, DroidDreamLight, emerge in late May 2011 that also acts as a bot but does not contain exploit code.16 The makers of the DroidDream malware family have continued to publish new infected applications and we've seen over 80 unique instances to date (See Diagram 12).

16 http://blog.mylookout.com/2011/05/security-alert-droiddreamlight-new-malwarefrom-the-developers-of-droiddream

DIAGRAM 13: DroidDream Infected Apps (number of infected apps by date, March 2011 through July 2011)

GGTRACKER is a notable step in the trend of malware writers building more sophisticated, end-to-end attacks. First, it is one of the first pieces of Android malware we've seen to date that engages in malvertising to trick users into visiting a malicious web site. Second, the malicious website convinces people to install malware by convincingly imitating the Android Market and beginning a drive-by-download. Third, it is one of the first known instances of Android malware specifically targeting U.S. users by silently charging money to users' phone bills when it is installed, charging $10 per service.

DIAGRAM 14: GGTracker Prevalence (incidents per 1MM users by date, June 18, 2011 through July 21, 2011)

Previously, we had only seen this type of malware on Android target China and Russia. Finally, it's worth noting that GGTracker continues to employ a variety of distribution techniques to seed the market. The first apps infected with GGTracker used malvertising to direct users to the fake Android Market, but another wave of infected apps, appearing in early July (see Diagram 12), were found in the Android Market.

DIAGRAM 15: GGTracker Infected Apps (number of infected apps by date, June 15, 2011 through July 15, 2011)

Privacy issues
Mobile devices now hold a rich set of personal information including location, browsing history, call history, text messages, contact lists, email, Facebook messages, the device's phone number, and unique identifiers that can be used for tracking. Apps can access personal data on the device, although the data available to apps differs between iOS and Android. Legitimate apps can use personal information to provide powerful features and benefits; however, the opportunity to misuse that information exists as well. Because they have the potential to access so much data on devices, many apps gather data without users being aware of its collection. In some cases, when a developer uses third-party advertising or analytics libraries, they are unaware of all the personal information accessed. Advertising and analytics libraries routinely gather sensitive data, and developers don't always pay close attention to the data collected by the ad or analytics libraries they incorporate into their applications. Several ad networks do a good job informing developers what choices they can make as it relates to data collection to serve ads. On the other hand, a number of ad networks use IMEIs and other sensitive identifiers as a way to uniquely track devices even though, most of the time, this tracking goal can be accomplished without transmitting sensitive data to a server.

17 https://www.mylookout.com/appgenome/


In the Lookout App Genome Project17 report published in February 2011, we estimated that on iPhone 33.9% of free applications had the capability to access location and 11.2% had the capability to access contacts. On Android, we found that 28.2% of free apps in the Android Market had the capability to access location and 7.5% had the capability to access contacts.

App Vulnerabilities
Smartphone operating systems enforce strict security sandboxes to limit what applications can do, though even in the sandbox, applications can contain exploitable vulnerabilities. Because mobile platforms are new, often introducing new APIs and security models, even skilled developers aren't always aware of best security practices. While a number of security issues have come to light affecting both Android and iOS applications (e.g. leaking sensitive information to system logs, storing credentials in an insecure manner, improperly validating externally supplied data), one of the most prevalent issues is simple and is not unique to mobile at all: transmitting sensitive data without proper encryption.

INSECURE DATA TRANSMISSION. Many apps don't encrypt the data they transmit and receive over the network, making it easy for the data to be intercepted. For example, if an application is transmitting data over an unencrypted Wi-Fi network using HTTP (rather than HTTPS), the data can be easily sniffed using freely-available software. In one particularly notable example, a number of Google services on certain versions of Android, including Contacts Sync, Calendar Sync, and Picasa Photo Sync, transmitted their account credentials in plain text, making it possible for an attacker to gain access to other people's accounts.18
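The audit a tester would run over captured app traffic to find the plaintext-credential problem described above, written as an added example (not Lookout's code); the request records, hostnames and token values are constructed placeholders in an assumed one-line-per-request log format.

```python
"""Flag captured HTTP requests that carry credentials without TLS.

Constructed sample of proxy-style request records (not a real capture),
one line per request: "<timestamp> <method> <url> <header>: <value>".
Hostnames and token values are placeholders.
"""
import re
from urllib.parse import parse_qs, urlsplit

SAMPLE_LOG = """\
2011-06-20T10:01:02Z GET http://sync.example.com/contacts/full Authorization: GoogleLogin auth=PLACEHOLDER_TOKEN_1
2011-06-20T10:01:03Z GET https://sync.example.com/calendar/full Authorization: GoogleLogin auth=PLACEHOLDER_TOKEN_2
2011-06-20T10:01:05Z POST http://photos.example.com/upload?auth=PLACEHOLDER_TOKEN_3 Content-Type: image/jpeg
2011-06-20T10:01:09Z GET http://news.example.com/headlines Accept: text/html
2011-06-20T10:01:11Z GET http://social.example.com/home Cookie: SID=PLACEHOLDER_SESSION
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)(?: (\S+): (.*))?$")
SENSITIVE_HEADERS = {"authorization", "cookie"}   # bearer secrets for the account
SENSITIVE_PARAMS = {"auth", "token", "password", "passwd", "sid"}


def parse_record(line):
    """Split one log line into its fields; returns None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, method, url, hname, hval = m.groups()
    return {"ts": ts, "method": method, "url": urlsplit(url),
            "header": (hname or "").lower(), "value": hval or ""}


def cleartext_credential_reasons(rec):
    """Reasons this request exposes a credential on the wire, [] if none.

    Only plain http:// is flagged: under HTTPS the headers and the query
    string travel inside TLS, so a Wi-Fi sniffer sees neither.
    """
    url = rec["url"]
    if url.scheme != "http":
        return []
    reasons = []
    if rec["header"] in SENSITIVE_HEADERS:
        reasons.append("%s header sent over HTTP" % rec["header"].title())
    leaked = SENSITIVE_PARAMS & {k.lower() for k in parse_qs(url.query)}
    for name in sorted(leaked):
        reasons.append("credential-like query parameter '%s' sent over HTTP" % name)
    return reasons


def audit(log_text):
    """Return (timestamp, host, reason) for every cleartext credential found."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        for reason in cleartext_credential_reasons(rec):
            findings.append((rec["ts"], rec["url"].hostname, reason))
    return findings


if __name__ == "__main__":
    for ts, host, reason in audit(SAMPLE_LOG):
        print(ts, host, reason)
```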


Web Based Threats

Web-based threats have emerged as a significant threat for mobile users. Currently people have a 30% likelihood of clicking on an unsafe link per year on their mobile device based on detection rates from Lookout users. This number is likely so high because users on mobile devices often encounter threats targeting PCs: people read email, Facebook messages, text messages, and tweets on their phones just as they do on their PCs. Some web-based threats such as phishing attacks do not discriminate based on platform: they affect Android, iOS, and PCs in the same way. Other web-based threats such as websites containing browser exploits are OS targeted, which means that users viewing a PC threat from a mobile device will not be affected, though we expect more mobile targeted attacks in the future. According to one study, mobile device users are three times more likely to succumb to a web-based phishing attack than desktop users.19

DIAGRAM 16: Unsafe Links Category Breakdown (Phishing 60%, Malicious 21%, Compromised 19%)

18 http://www.uni-ulm.de/en/in/mi/staff/koenings/catching-authtokens.html
19 http://www.trusteer.com/blog/mobileusers-three-times-more-vulnerable-phishing-attacks

PHISHING attacks are designed to trick users into divulging account or personal information to web pages that appear to be reputable sites such as financial institutions, but are actually fake. Approximately 1 in 20 users will click on a phishing link every year on Android devices based on current rates. While users are trained to look at browser address bars on the desktop to determine if the site they are visiting is really the site it claims to be, mobile browsers generally clip the URL or don't display it at all, making it unlikely that users will engage their positive PC habits when browsing on a mobile device.

DIAGRAM 17

DRIVE-BY-DOWNLOADS may use spam or malvertising to bring users to a site that, in turn, delivers malware by automatically starting a download. Such attacks are a significant concern on devices where applications can be downloaded outside of official markets because malware distributed through web sites can evade the greater scrutiny that markets provide. See the discussion of drive-by-downloads above for more information.

DIRECT EXPLOITATION is a significant threat to mobile browsers, as there are a number of large code bases on mobile devices that malicious web pages can target, including the browser itself, image viewers, Flash, PDF readers, and more. WebKit, the popular rendering engine, is a systemic risk because the default browsers on Android, BlackBerry, and iOS all use it, creating a homogeneous ecosystem where a single vulnerability can potentially affect the majority of mobile devices. Browser exploits are also very difficult to fix because mobile browsers and their associated libraries are often revisioned with firmware, which can be extremely slow to update, as we've described above. In the past year, iOS has seen multiple web-based exploits in the wild that allow an attacker to run code as root if a user simply visits a web page. These exploits first take advantage of a browser vulnerability to run code as the browser process, then take advantage of a local privilege escalation vulnerability to run code as root. Thankfully, we haven't seen evidence of these exploits being used maliciously: they were primarily used to allow users to jailbreak their devices.


Physical/Network Threats
While web and application based threats have been on the rise for mobile devices, physical threats remain some of the most prevalent, and the barrier to entry for network threats continues to decrease.

LOST AND STOLEN MOBILE DEVICES are so common that Lookout locates a missing device every 5 seconds.

WI-FI SNIFFING is a technique where nearby attackers can get access to data transmitted to or received from a mobile device. Barriers to entry for Wi-Fi sniffing continue to drop as easy-to-use tools emerge. While these tools facilitate targeted rather than broad-based attacks, the increased use of free Wi-Fi in airports, cafes, and other public places has increased the likelihood that Wi-Fi traffic, including account information, can be intercepted. Firesheep20 is a desktop browser plugin that monitors unencrypted Wi-Fi networks for nearby computers and mobile devices accessing popular web sites (e.g. Twitter, Facebook, GMail) in an insecure way and allows an attacker to trivially hijack user accounts accessing those sites. Similarly, Faceniff21 is an Android-based tool that also allows someone to hijack user accounts accessing popular sites on nearby PCs and mobile devices in an insecure way by redirecting local network traffic through the phone (using a technique called ARP spoofing). While none of the techniques implemented by Firesheep or Faceniff are new, the ability for even a novice user to engage in point-and-click network hacking makes it more important than ever that popular sites stop using insecure network protocols.
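The ARP spoofing that tools like Faceniff depend on leaves a visible trace on the network: the gateway's IP suddenly answers from a different MAC, and one MAC claims both the gateway and a host. This added example (not Lookout's code, and not taken from either tool) watches for those two signs over a constructed sample of ARP replies; the addresses and the gateway IP are assumed placeholders.

```python
"""Spot ARP-cache poisoning of the kind point-and-click Wi-Fi hijacking tools rely on.

The replies below are a constructed sample of ARP traffic seen on a shared
Wi-Fi segment (seconds since start, sender IP, sender MAC), not a real capture.
Addresses are placeholders; the gateway IP is assumed.
"""
from collections import defaultdict

GATEWAY_IP = "192.168.1.1"

SAMPLE_ARP_REPLIES = [
    (0.0, "192.168.1.1", "00:11:22:33:44:01"),    # the real access point announces itself
    (1.2, "192.168.1.20", "00:11:22:33:44:20"),   # a laptop on the same network
    (2.5, "192.168.1.37", "00:11:22:33:44:37"),   # a phone, behaving normally so far
    (9.8, "192.168.1.1", "00:11:22:33:44:37"),    # gateway IP now answered by the phone's MAC
    (10.1, "192.168.1.1", "00:11:22:33:44:37"),   # the same claim repeated
]


class ArpWatch:
    """Track IP-to-MAC bindings and raise alerts on the two classic poisoning signs."""

    def __init__(self, gateway_ip):
        self.gateway_ip = gateway_ip
        self.ip_to_mac = {}                  # most recent MAC seen for each IP
        self.mac_to_ips = defaultdict(set)   # every IP each MAC has claimed
        self.alerts = []

    def observe(self, t, ip, mac):
        mac = mac.lower()
        previous = self.ip_to_mac.get(ip)
        # Sign 1: an IP, especially the gateway's, suddenly maps to a different MAC.
        if previous is not None and previous != mac:
            kind = "gateway-mac-changed" if ip == self.gateway_ip else "ip-mac-changed"
            self.alerts.append({"t": t, "kind": kind, "ip": ip, "old": previous, "new": mac})
        self.ip_to_mac[ip] = mac
        # Sign 2: one MAC answering for both the gateway and an ordinary host,
        # which is what traffic being redirected through a phone looks like.
        # Only the first time a MAC claims an IP counts, so repeats stay quiet.
        first_claim = ip not in self.mac_to_ips[mac]
        self.mac_to_ips[mac].add(ip)
        claimed = self.mac_to_ips[mac]
        if first_claim and self.gateway_ip in claimed and len(claimed) > 1:
            self.alerts.append({"t": t, "kind": "mac-claims-gateway-and-host",
                                "mac": mac, "ips": sorted(claimed)})


def run(replies, gateway_ip=GATEWAY_IP):
    """Feed a list of (t, ip, mac) replies through ArpWatch and return its alerts."""
    watch = ArpWatch(gateway_ip)
    for t, ip, mac in replies:
        watch.observe(t, ip, mac)
    return watch.alerts


if __name__ == "__main__":
    for alert in run(SAMPLE_ARP_REPLIES):
        print(alert)
```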

WHAT'S NEXT?
Mobile threats are evolving quickly: sophistication that took decades to reach on the PC is taking just a few years on mobile. To predict where they are moving, it's important to analyze what dynamics are affecting their growth and understand what will run the same course as PC threats and what will be different. Application-based threats are likely to continue to follow their existing platform distribution trends unless platforms significantly change their security or distribution models. Privacy issues and application vulnerabilities are affecting both iOS and Android platforms; however, malware and spyware predominately target Android.

Malware
The mobile malware industry is currently in its startup phase, with attackers experimenting with different distribution and revenue models. As the industry matures, we believe that successful distribution and monetization patterns will emerge. The growth in malware prevalence will likely follow the malware industry's successful discovery and exploitation of these patterns. Emerging patterns include:
o Malware that acts as a botnet, exposing an array of remotely controlled device capabilities
o Abuse of premium-rate text messages
o Targeted attacks aimed at gathering sensitive data for commercial or political purposes
o Financial fraud as more mobile finance and payment apps emerge

20 http://codebutler.com/firesheep
21 http://faceniff.ponury.net/

In order to combat scrutiny in app stores, both in the curated and open models, we expect malware will engage in techniques to gain distribution while evading detection for as long as possible. Specifically, we expect to see a growth in upgrade attacks, where a seemingly-legitimate app is upgraded with malware, and multi-stage attacks, where a seemingly-legitimate app's behavior changes at runtime based on code or configuration downloaded from a server dynamically.
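Two of the patterns this report describes, premium-rate SMS malware intercepting incoming SMS (Malware Capabilities, above) and an upgrade that quietly adds capabilities, both show up in an app's manifest. The following added example (not Lookout's tooling) triages decoded AndroidManifest.xml text for those signs and diffs the permissions between two versions of one app; the two manifests are constructed, and the example assumes the binary manifest has already been decoded with a tool such as aapt or apktool.

```python
"""Static triage of decoded AndroidManifest.xml files for two patterns the
report describes: the SMS interception used by premium-rate SMS malware,
and permission creep between versions of one app (upgrade attacks).
The two manifests are constructed examples, not real apps; assumes the
binary manifest was already decoded to text (e.g. with aapt or apktool).
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS                       # ElementTree's namespaced attribute prefix
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
DANGEROUS = {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
             "android.permission.READ_CONTACTS", "android.permission.CALL_PHONE",
             "android.permission.INSTALL_PACKAGES"}

MANIFEST_V1 = """<manifest xmlns:android="%s" package="com.example.wallpapers"
    android:versionCode="1">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><activity android:name=".Main"/></application>
</manifest>""" % ANDROID_NS

MANIFEST_V2 = """<manifest xmlns:android="%s" package="com.example.wallpapers"
    android:versionCode="2">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <activity android:name=".Main"/>
    <receiver android:name=".SmsWatcher">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>""" % ANDROID_NS


def permissions(manifest_xml):
    """Set of permission names the manifest requests."""
    root = ET.fromstring(manifest_xml)
    return {e.get(A + "name") for e in root.iter("uses-permission")}


def sms_intercept_indicators(manifest_xml):
    """Signs that an app can both send SMS and see incoming SMS ahead of the
    user's messaging app, which is how premium-rate malware hides the charge."""
    root = ET.fromstring(manifest_xml)
    hits = []
    if {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS"} <= permissions(manifest_xml):
        hits.append("SEND_SMS and RECEIVE_SMS both requested")
    for filt in root.iter("intent-filter"):
        actions = {a.get(A + "name") for a in filt.iter("action")}
        priority = int(filt.get(A + "priority", "0"))
        if SMS_RECEIVED in actions and priority > 0:
            hits.append("SMS_RECEIVED receiver with priority %d" % priority)
    return hits


def upgrade_permission_diff(old_xml, new_xml):
    """Permissions a new version adds, and which of them are dangerous."""
    added = permissions(new_xml) - permissions(old_xml)
    return {"added": sorted(added), "dangerous": sorted(added & DANGEROUS)}
```

Run on the two constructed manifests, version 2 trips both checks while version 1 is clean, which is the kind of change a market or a security app can flag at upgrade time.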

Vulnerabilities
Because vulnerabilities on mobile devices typically take a long period of time to patch, we predict a growth in malware using browser exploits to infect both Android and iOS devices, as well as an increased use of local privilege escalation exploits by Android malware to break out of the default security sandbox. Since the Android security model does not typically allow legitimate applications to act as root, if malware is able to gain root on a device, it can be very difficult to remove. Regaining control of the device in such cases can require a full firmware re-flash or leveraging an equivalent vulnerability to gain equivalent privileges. Identified application vulnerabilities will likely rise, and as more high value applications such as payment and banking tools come into wide use, we expect exploitation of these vulnerabilities to become more prevalent.

Phishing
Application-based phishing attacks (e.g. fake login/sign-up screens) are very difficult for users to detect, as mobile devices tend not to have a secure location indicator for native applications that can be used to differentiate between a legitimate application dialog and an illegitimate one. As more people access sensitive accounts and services from their mobile devices, we expect to see an increase in phishing attacks launched from malware on devices. We expect web-based phishing attacks to remain prevalent in the future as more users move towards their mobile devices as a primary means of reading email and browsing the web. Just as many web sites have both mobile and desktop views, we expect an increasing number of phishing attacks to create both desktop and mobile views to maximize their effectiveness in convincing mobile users to enter information.

TIPS TO STAY SAFE

As the frequency of mobile threats increases, people can take measures to stay safe while using their smartphones:
o Only download apps from trusted sources, such as reputable app stores and download sites. Remember to look at the developer name, reviews, and star ratings.
o After clicking on a web link, pay close attention to the address to make sure it matches the website it claims to be if you are asked to enter account or login information.
o Set a password on your mobile device so that if it is lost or stolen, your data is difficult to access.
o Download a mobile security tool that scans every app you download for malware and spyware and can help you locate a lost or stolen device. For extra protection, make sure your security app can also protect from unsafe websites.
o Be alert for unusual behaviors on your phone, which could be a sign that it is infected. These behaviors may include unusual text messages, strange charges to the phone bill, and suddenly decreased battery life.
o Make sure to download firmware updates as soon as they are available for your device.

ABOUT LOOKOUT
Lookout is a mobile security company dedicated to making the mobile experience safe for everyone. Lookout delivers award-winning protection from the growing threats facing mobile users today including malware and spyware, phishing scams, data loss, and device loss. Lookout is cross-platform, cloud-connected and designed from the ground up to provide advanced protection for smartphones while remaining lightweight and efficient on the phone. With users across 400 mobile networks in 170 countries, Lookout is a world leader in smartphone security. Headquartered in San Francisco, Lookout is funded by Accel Partners, Index Ventures, Khosla Ventures and Trilogy Equity Partners. For more information and to download the application, please visit www.mylookout.com.
