When it comes to mobile devices, it's well known that malware writers like to target Android. But a threat report published today by security firm F-Secure puts in perspective why Android malware attacks often flop and why Android itself is no pushover.
In a look back at 2013, the bi-annual report notes that there is "hugely disproportionate attention being directed at the Android platform," with 97% of the new malware threats related to all mobile operating systems targeted at it by the end of last year. However, F-Secure says Google is fighting back with security enhancements to Android. "Each new version released by the tech giant has included a number of security-related changes that help mitigate the effects of malware."
F-Secure points out that in Android 4.3 (Jellybean), "a prompt was introduced to verify activity when the Messaging app sends a large amount of text messages in a short time," as a way to combat SMS messaging fraud. There have been other improvements, but the overall situation with Android today is that security is extremely "variable" because of the "fragmented nature of the Android ecosystem between different device vendors."
This variation in vendor implementation "makes it basically impossible to ensure a uniform security level across all users," according to F-Secure. This means Android device users have to make their own decisions about device security, deciding what kind of security software to use or what apps to run.
According to F-Secure, the good news on Android is that unlike desktop-targeted malware, there is very little Android malware that targets actual vulnerabilities in the operating system. The most notable Android flaw found early last year was the so-called "Masterkey vulnerability" and a handful of programs later found on third-party app sites included an exploit for this vulnerability.
But there have been very few apps exploiting the Android operating system because so far the Android platform had relatively few vulnerabilities. According to F-Secure, only seven vulnerabilities were publicly announced related to Android in 2013 while the Apple iOS platform saw 90 in the same time period.
F-Secure suggests that most malware authors at this point seem more inclined to simply find ways to trick the user into giving them access to the device rather than having to find and design complicated exploitation methods based on vulnerabilities. The Metasploit penetration-testing tool, for example, lists few exploits for the Android platform a hacker might use. But still, if someone wants to go to a lot of trouble, F-Secure points out they can buy attack code created by other people from sites such as Inj3ct0r.
The top three Android malware "families" are considered to be SMSSend; GinMaster; and Fakeinst. The most common types are Trojans that rely on malicious additions injected into the packages of clean, legitimate programs, especially popular gaming and casino apps, which are then distributed in various apps stores. According to F-Secure, these malicious apps often have "a new name reminiscent of the clean app." These malicious apps, typically tied into botnets, essentially represent a new twist on social engineering since they "take advantage of the user's overriding desire to install and use a popular app to gain the permissions needed to execute their malicious behavior." Most of the mobile threats seen in 2013 were financially motivated.
Sign up for Computerworld eNewsletters.