2014 MOBILE THREAT REPORT
Introduction
In 2013 the notable trend in mobile security was the geographic diversification of mobile threats,[1] such as the prevalence of chargeware in Western Europe, where the popularity of premium-rate SMS billing made this path to monetization more viable than in geographies where this billing mechanism is largely prohibited, such as the United States.
In 2014 this pattern of regional adaptation continued, but the new and noteworthy mobile security trend this year has been the emergence of new mobile threat tactics (such as ransomware) and an increase in threat sophistication. This is a reaction, no doubt, to mobile operators stepping up their threat countermeasures around the world and a general crackdown on premium-rate SMS abuse. For example, in 2014 Lookout observed a handful of mobile threats, such as DeathRing [2] and a new variant of Mouabad,[3] that suggested the compromise of mobile supply chains and the pre-loading of malware on factory-shipped devices. In addition, a new variant of the threat NotCompatible,[4] a sophisticated mobile threat with layers of complex self-defense mechanisms that evade detection and countermeasures,[5] gained considerable traction in the U.S. and Western Europe.
Methodology
To prepare this report Lookout analyzed security detections from its dataset of more than 60 million global users.
The encounter rate measurement used in this report reflects the percentage of unique Android devices that encountered a given threat or threat type during the year. Note that encounter rates are weighted calculations that account for varying user lifecycles; moreover, these rates cannot be added together, since a unique device could be counted multiple times in such calculations. Lastly, at the highest level Lookout classifies app-based threats using three categories (defined at the beginning of this report): malware, chargeware, and adware.
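The encounter rate described under Methodology can be illustrated with a short added example (not Lookout's code or data): it counts unique devices per threat category and shows why per-category rates cannot be summed. The device IDs, detections, and the active-days weighting are constructed assumptions; the report does not say how its weighting is computed.

```python
from collections import defaultdict

# Constructed sample population (not Lookout data): device id -> days the
# device was active during the year. Used as an ASSUMED lifecycle weight.
ACTIVE_DAYS = {"d1": 365, "d2": 365, "d3": 180, "d4": 90, "d5": 365, "d6": 30}

# Constructed detections: (device id, threat category). A device may appear
# several times, in the same category or in different ones.
DETECTIONS = [
    ("d1", "malware"), ("d1", "malware"), ("d1", "adware"),
    ("d2", "adware"),
    ("d3", "chargeware"), ("d3", "adware"),
    ("d4", "malware"),
]


def devices_by_category(detections):
    """Map each category to the set of unique devices that encountered it."""
    seen = defaultdict(set)
    for device, category in detections:
        seen[category].add(device)
    return dict(seen)


def encounter_rate(devices, active_days, weighted=True):
    """Fraction of the population represented by `devices`.

    weighted=False counts every device once. weighted=True weights each
    device by its active days (hypothetical scheme, chosen for illustration).
    """
    def weight(device):
        return active_days[device] if weighted else 1

    total = sum(weight(d) for d in active_days)
    hit = sum(weight(d) for d in devices if d in active_days)
    return hit / total


def report(detections, active_days, weighted=True):
    """Per-category rates plus the rate for 'any threat' (set union)."""
    per_category = devices_by_category(detections)
    rates = {
        category: encounter_rate(devs, active_days, weighted)
        for category, devs in per_category.items()
    }
    # Union of device sets: a device hit by two categories is counted once.
    any_threat = set().union(*per_category.values())
    rates["any"] = encounter_rate(any_threat, active_days, weighted)
    return rates


if __name__ == "__main__":
    for label, weighted in (("unweighted", False), ("weighted", True)):
        rates = report(DETECTIONS, ACTIVE_DAYS, weighted)
        summed = sum(v for k, v in rates.items() if k != "any")
        print(label, {k: f"{v:.1%}" for k, v in rates.items()},
              f"sum of categories = {summed:.1%}")
```

In the constructed data, devices d1 and d3 each fall into more than one category, so the category rates sum to more than the share of devices that encountered any threat.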
KEY HIGHLIGHTS
Mobile threat highlights from 2014 include:
1. Malware grew substantially in the U.S. - 2014 saw an astounding 75% increase in Android mobile malware encounter rates in the United States compared to 2013 (a 4% vs. 7% encounter rate), an increase driven largely by prolific mobile threats that hold victims’ mobile devices hostage in exchange for payment, using a variety of coercion schemes.[6]
2. Device-for-ransom malware schemes surged globally - “Ransomware”, a type of malware that locks users out of their mobile devices in a pay-to-unlock-your-device ploy, grew by leaps and bounds as a threat category in 2014, with ransomware such as ScareMeNot and ScarePakage finishing in the top five most-prevalent mobile threats in countries such as the U.S., U.K., and Germany.
3. Mobile threat sophistication and experimentation is on the rise - As mobile operators and platforms have continued to crack down on mobile attackers and their monetization methods, the attackers’ strategies have shifted. In 2014 Lookout observed, for example, one of the first instances of attackers attempting to use compromised mobile devices for cryptocurrency mining -- a novel, if ultimately unprofitable scheme.[7]
4. Adware prevalence fell dramatically in 2014 and risks losing its crown as the most prevalent mobile threat - Adware encounters fell dramatically in 2014, evidence that Google’s crackdown [8] on adware in the latter half of 2013 and its continued policing of the Play Store has substantially reduced the prevalence of abusive mobile advertising practices in Android applications. In some countries, such as the U.K., adware encounter rates are now surpassed by other threats like chargeware!
5. Chargeware prevalence fell in the U.K. and France, but exploded in Germany - In 2014 chargeware continued to be a regional phenomenon, with encounter rates in Western Europe (9% in France, 11% in the U.K.) averaging much higher than those in countries like the U.S. (4%). Notably, chargeware encounter rates did fall in the U.K. and France in 2014, a sign, perhaps, that the efforts of regulatory bodies such as PhonepayPlus have become more effective at curbing premium-rate service abuse. Premium-rate service abuse has historically been a popular monetization method for both chargeware and malware threats globally. Germany, however, experienced a 250% surge in chargeware encounter rates in 2014 (2% vs. 7% encounter rate) due to the prolific success of the SMSCapers threat.
Mobile Threat Definitions
MALWARE
Apps that steal user data, commit financial fraud, and/or negatively impact device performance. Malware includes threats such as viruses, trojans, worms, spyware, and ransomware.
CHARGEWARE
Apps that charge users for content or services without clear notification or the opportunity to provide informed consent.
ADWARE
Apps that serve obtrusive ads that interfere with standard mobile operating experiences and/or collect excessive personal data that exceeds standard advertising practices.
NOTABLE NEW MALWARE DETECTED BY LOOKOUT IN 2014
ScarePakage | RANSOMWARE
ScarePakage masquerades as an Adobe Flash update or a variety of anti-virus apps, and is distributed as a drive-by download. When downloaded, it pretends to scan victims’ phones and then locks the device after falsely reporting that its scan found illicit content. ScarePakage then displays a fake message from the FBI and attempts to coerce victims into paying to avoid criminal charges and regain control of their device.[9]
DeathRing | TROJAN
DeathRing poses as a ringtone app and then surreptitiously downloads fake SMS content to infected devices, in a possible attempt to capture victim login credentials by impersonating trusted entities like banks via SMS. Notably, DeathRing appears to come pre-installed on certain devices, suggesting its authors were able to infiltrate the device supply chain and inject their malware into factory-shipped devices.[10]
CoinKrypt | TROJAN
CoinKrypt infects phones and harnesses their processing power to mine cryptocurrency. This activity can drain a device’s battery and its monthly data allotment. While this is one of the first examples of malware using smartphone computing power for digital currency mining, Lookout estimates that these activities yield minimal profits given the immense processing power required to mine cryptocurrencies.[11]
ShrewdCKSpy | SPYWARE
ShrewdCKSpy pretends to be an app marketplace, but the market icon disappears on first launch and the malware starts to run in the background, intercepting and recording victims’ SMS and phone calls and uploading them to a remote server. ShrewdCKSpy also has the ability to auto-accept and record calls, which means attackers could possibly turn a victim’s phone into a de facto bugging device by auto-accepting their own call.[12]
[Map of the threats above by country. Country labels: United States; Vietnam, Indonesia, India, Nigeria, Taiwan, and China; South Korea; France.]
COUNTRY TRENDS
United States
In the U.S. ransomware such as ScarePakage, ScareMeNot, ColdBrother, and Koler dominated the mobile threat list in 2014 and largely drove the 75% increase in malware encounter rates. Millions of U.S. mobile users were targeted by ransomware attacks, resulting in an untold number of victims paying hundreds of dollars each to unlock their devices and “avoid” fraudulent criminal charges. In the non-ransomware category, the trojan NotCompatible emerged as the top mobile threat in the U.S. in 2014, enabling its operators to harness a considerable mobile botnet to do their bidding. In one instance, Lookout observed attackers using NotCompatible-infected mobile devices to purchase tickets en masse to circumvent anti-fraud measures on ticketing websites.
2014 TOP THREATS
NotCompatible | MALWARE
NotCompatible is a trojan that surreptitiously acts as a network proxy, allowing attackers to send and receive traffic through a victim’s mobile device onto connected networks for fraudulent purposes.
Koler | MALWARE
Koler is a trojan disguised as a media app that then locks a victim’s device after falsely reporting the discovery of illegal activity. Koler attempts to coerce victims into paying to avoid criminal charges and regain control of their device.
ScareMeNot | MALWARE
ScareMeNot is a trojan that pretends to scan victims’ phones for security issues and then locks their device after falsely reporting that its scan found illicit content. It attempts to coerce victims into paying to avoid criminal charges and regain control of their device.
ColdBrother | MALWARE
ColdBrother is a trojan that pretends to scan victims’ phones for security issues, but then locks their device after falsely reporting that its scan found illicit content. It can also take a photo with the front-facing camera, and it attempts to coerce victims into paying to avoid criminal charges and regain control of their device.
ScarePakage | MALWARE
ScarePakage is a trojan that pretends to scan victims’ phones for security issues and then locks their device after falsely reporting that its scan found illicit content. ScarePakage attempts to coerce victims into paying to avoid criminal charges and regain control of their device.
[Chart: malware, adware, and chargeware encounter rates. Values shown: 4%, 7%, 5%, 25%, 4%, 10%.]
COUNTRY TRENDS
United Kingdom
While malware and chargeware rates fell in the U.K. they remained significant: 2% of all Lookout users in the U.K. encountered malware this year and more than 1 in 10 encountered chargeware threats. Just as in 2013, chargeware, and more specifically the threat SMSCapers, emerged as the top threat in the U.K. this year. SMS premium-rate billing is a common billing practice in the U.K. and attackers have leveraged this capability as an effective monetization technique in the past, although a year-over-year decline in chargeware and malware encounter rates in the U.K. suggests this may be a decreasingly effective monetization path given countermeasures by regulatory bodies like PhonepayPlus.[13] In 2014 the U.K. was also hit with ransomware attacks much like the U.S., with ransomware threat ScareMeNot emerging as the second most prevalent threat to U.K. users.
2014 TOP THREATS
SMSCapers | CHARGEWARE
SMSCapers is a pornographic app for viewing pictures or videos that charges users without providing clear notification or offering users the opportunity to provide informed consent for the charges.
ScareMeNot | MALWARE
ScareMeNot pretends to scan victims’ phones and then locks their device after falsely reporting that its scan found illicit content. ScareMeNot attempts to coerce victims into paying to avoid criminal charges and regain control of their device.
ActSpat | MALWARE
ActSpat is a trojan that commits premium-rate SMS fraud and may push obtrusive ads to the notification bar, create pop-up ads, place shortcuts on the device’s home screen and download large files without asking.
Tornika | CHARGEWARE
Tornika is a trojan disguised as a media player that sends personal information from compromised devices to third parties and may attempt to charge victims money. It can also enable third parties to display ads without a way to opt out.
NotCompatible | MALWARE
NotCompatible is a trojan that surreptitiously acts as a network proxy, allowing attackers to send and receive traffic through a victim’s mobile device onto connected networks for fraudulent purposes.
[Chart: malware, adware, and chargeware encounter rates. Values shown: 20%, 23%, 11%, 9%, 5%, 2%.]
COUNTRY TRENDS
France
In 2014 France experienced an overall decline in mobile threat encounter rates, though 2% of French Lookout users still encountered malware this year and almost 1 in 10 encountered a chargeware threat. Chargeware, and its reliance on premium-rate abuse for monetization, still remains among the more prevalent mobile threat types, with threats such as SMSCapers and SMS4You emerging in the top five mobile threats in France this year. As in the U.K., a decline in malware and chargeware encounter rates in France may be a sign of increased regulatory pressure. In August of 2014, for example, PhonepayPlus fined a French app company for abuse of premium-rate phone services.[14]
2014 TOP THREATS
Tornika | CHARGEWARE
Tornika is a trojan disguised as a media player that sends personal information from compromised devices to third parties and may attempt to charge victims money. It can also enable third parties to display ads without a way to opt out.
ActSpat | MALWARE
ActSpat is a trojan that commits premium-rate SMS fraud and may push obtrusive ads to the notification bar, create pop-up ads, place shortcuts on the device’s home screen and download large files without asking.
SMSCapers | CHARGEWARE
SMSCapers is a pornographic app that charges users without providing clear notification or the opportunity to provide informed consent for the charges.
SMS4You | CHARGEWARE
SMS4You is a pornographic app that charges users without providing clear notification or the opportunity to provide informed consent for the charges.
Spytic | MALWARE
Spytic is a form of surveillanceware that enables remote monitoring of the activity and information on compromised devices by third parties.
[Chart: malware, adware, and chargeware encounter rates. Values shown: 13%, 31%, 9%, 9%, 3%, 2%.]
COUNTRY TRENDS
Germany
In 2014 malware encounter rates held steady in Germany at 3%, but the country saw an absolute explosion in chargeware this year (250% increase), due largely to the successful proliferation of SMSCapers, which emerged at the top of the list of mobile threats encountered by German users this year. Germany also saw ransomware encounters grow - as they did in the U.S. and elsewhere in Western Europe - with ScareMeNot emerging at the number two spot for top mobile threats in Germany.
2014 TOP THREATS
SMSCapers | CHARGEWARE
SMSCapers is a pornographic app that charges users without providing clear notification or the opportunity to provide informed consent for the charges.
ScareMeNot | MALWARE
ScareMeNot is a trojan that pretends to scan victims’ phones for security issues and then locks their device after falsely reporting that its scan found illicit content. It attempts to coerce victims into paying to avoid criminal charges and regain control of their device.
ActSpat | MALWARE
ActSpat is a trojan that commits premium-rate SMS fraud and may push obtrusive ads to the notification bar, create pop-up ads, place shortcuts on the device’s home screen and download large files without asking.
ScarePakage | MALWARE
ScarePakage is a trojan that pretends to scan victims’ phones for security issues and then locks their device after falsely reporting that its scan found illicit content. ScarePakage attempts to coerce victims into paying to avoid criminal charges and regain control of their device.
NotCompatible | MALWARE
NotCompatible is a trojan that surreptitiously acts as a network proxy, allowing attackers to send and receive traffic through a victim’s mobile device onto connected networks for fraudulent purposes.
[Chart: malware, adware, and chargeware encounter rates. Values shown: 2%, 27%, 7%, 8%, 3%, 3%.]
COUNTRY TRENDS
Japan
In 2014 Japan continued to enjoy one of the most favorable threat encounter rates in the world, with approximately 1% of Japanese Lookout users encountering malware this year and less than 1% encountering chargeware threats. While adware lost its title as the most prevalent mobile threat in some countries in 2014, it continues to be the top threat in Japan, with a 3% encounter rate.
2014 TOP THREATS
ActSpat | MALWARE
ActSpat is a trojan that commits premium-rate SMS fraud and may push obtrusive ads to the notification bar, create pop-up ads, place shortcuts on the device’s home screen and download large files without asking.
Ackposts | MALWARE
Ackposts is a trojan that steals device contacts and sends them to a third-party server, showing an error message claiming device incompatibility to disguise its activity.
OneClickFraud | MALWARE
OneClickFraud is a trojan that visits web pages while a victim’s device screen is turned off in an attempt to defraud third parties with fake pageviews.
CreepyBanner | MALWARE
CreepyBanner is a trojan disguised as an Adobe Flash player that attempts to install another application which serves obtrusive ads.
ConeSMS | MALWARE
ConeSMS is a trojan that advertises itself as a pornographic app, but actually commits premium-rate SMS fraud in the background.
[Chart: malware, adware, and chargeware encounter rates. Values shown: <1%, <1%, 3%, 9%, 1%, 1%.]
CONCLUSION
In 2014 the new and noteworthy mobile security trend was a surge in new mobile threat tactics like ransomware and an increase in threat sophistication and experimentation. This is likely a reaction to mobile operators increasing their threat countermeasures and a general crackdown on premium-rate SMS abuse, which has historically been the primary monetization path for malware and chargeware threats. Premium-rate SMS was low-hanging fruit that attackers could easily exploit and they did so with great success in 2013. Fortunately, premium-rate SMS abuse is also low-hanging fruit for countermeasures, since sending text messages to a premium-rate number is a rather obvious behavior that can be flagged and blocked by security vendors, mobile operators, and platforms.
The apparent success of these threat countermeasures in 2014 is a double-edged sword: while it seems to have lowered threat encounter rates in certain geographies, it also seems to have driven attackers toward developing more insidious threats like ransomware. The individual impact of premium-rate SMS abuse is a handful of nominal charges to a victim’s monthly bill. The individual impact of a ransomware threat like ScarePakage, however, is the complete loss of device functionality and potential mental anguish from false criminal accusations, as well as substantial financial loss if a victim elects to pay the ransom.
The success of ransomware in the United States (where it largely drove a 75% year-over-year increase in malware) and Western Europe indicates that when thwarted, mobile attackers will innovate and pivot to maintain an edge. The discovery of threats injected in mobile supply chains (e.g. DeathRing) and the rise of technically sophisticated threats (e.g. NotCompatible.C) reveals that attackers are upping their threat construction and deployment game. In the face of more sophisticated adversaries, consumers can stay one step ahead by remaining vigilant, installing apps from trusted app marketplaces, and installing advanced mobile security solutions like Lookout on their devices.
[1] “2013 Lookout Mobile Threat Report: Mobile Threats, Made to Measure”. Lookout. 2013. https://www.lookout.com/resources/reports/mobile-threat-report-2013
[2] “DeathRing: Pre-loaded malware hits smartphones for the second time in 2014”. Lookout. December 2014. https://blog.lookout.com/blog/2014/12/04/deathring/
[3] “MouaBad: When your phone comes pre-loaded with malware”. Lookout. April 2014. https://blog.lookout.com/blog/2014/04/11/mouabad/
[4] “The new NotCompatible: Sophisticated and evasive threat harbors the potential to compromise enterprise networks”. Lookout. November 2014. https://blog.lookout.com/blog/2014/11/19/notcompatible/
[5] “NotCompatible.C: A Sophisticated Mobile Threat that Puts Protected Networks at Risk”. Lookout. November 2014. https://www.lookout.com/resources/reports/notcompatible
[6] “Android Phones Hit by ‘Ransomware’”. New York Times. August 2014. http://bits.blogs.nytimes.com/2014/08/22/android-phones-hit-by-ransomware/
[7] “Sorry, mobile mining likely isn’t going to be profitable — unless you’re criminal”. Lookout. July 2014. https://blog.lookout.com/blog/2014/07/10/mobile-miners/
[8] “The war against mobile ‘adware’ isn’t over yet, warns Lookout”. The Guardian. February 2014. http://www.theguardian.com/technology/2014/feb/21/mobile-adware-chargeware-lookout-2013
[9] “U.S. targeted by coercive mobile ransomware impersonating the FBI”. Lookout. July 2014. https://blog.lookout.com/blog/2014/07/16/scarepakage/
[10] “DeathRing: Pre-loaded malware hits smartphones for the second time in 2014”. Lookout. December 2014. https://blog.lookout.com/blog/2014/12/04/deathring/
[11] “CoinKrypt: How criminals use your phone to mine digital currency”. Lookout. March 2014. https://blog.lookout.com/blog/2014/03/26/coinkrypt/
[12] “ShrewdCKSpy: Mobile Spyware With A Hidden Agenda”. Lookout. March 2014. https://blog.lookout.com/blog/2014/03/21/schrewdckspy/
[13] “£330,000 fines issued to UK companies over mobile malware and WAP opt-in”. PhonepayPlus. http://www.phonepayplus.org.uk/News-And-Events/News/2014/12/Fines-issued-to-UK-companies-over-mobile-malware.aspx
[14] “Premium-rate ‘voice changer’ service fined £60,000 for children’s apps ads”. August 2014. http://www.theguardian.com/technology/2014/aug/12/premium-rate-voice-changer-fined-childrens-apps-ads-acetelecom