Toll Fraud Tops Mobile Malware Threats

Some parts of the world at higher risk of mobile attacks than others, Lookout report shows

Spyware is no longer the main plague on mobile devices: that was 2011. Now the majority of mobile malware commits toll fraud, and it has drained millions of dollars from victims in Russia, the Middle East, and parts of Europe, according to new data from mobile security firm Lookout.

A prolific family of malware called "FakeInst" tops the charts in toll fraud attacks, which bill victims using premium SMS services. These types of attacks -- and malware -- have increased from 29% of all mobile malware in the third quarter of 2011 to 62% in the second quarter of 2012.

Derek Halliday, senior product manager for Lookout, says these types of malicious apps are well-designed. "They work in a way that can potentially hide" red flags from the victim, he says, including intercepting premium SMS billing messages.

"Victims don't find out until they get the bill," Halliday says. FakeInst, which poses as an installer for legit apps like Opera and WhatsApp Messenger, represented 82% of malware detections by Lookout in June of this year.

Aside from the obvious risk of downloading apps from untrusted sources, geography is a major indicator of how likely a mobile phone is to be infected and targeted by scammers. Russia, Ukraine, and China are the most malware-laden locations for mobile users. Toll fraud is lucrative and easy to carry out in Eastern Europe because SMS premium services there are weakly regulated, according to Lookout.

Mobile devices in Japan are some of the cleanest: only 0.04 percent are likely to be infected with malware, while 41.6 percent of devices in Russia are infected. Lookout estimates that 6 million mobile users have encountered malware in the past 12 months, and that four out of 10 mobile users visit an unsafe URL each year.

Meanwhile, overly aggressive mobile ad networks are collecting personal information from devices without users' knowledge. "Lookout estimates that five percent of Android applications include these aggressive ad networks and these apps have been downloaded more than 80 million times," according to the report.

Attackers are also writing mobile malware that downloads apps from unsanctioned app stores without the user's knowledge.

"Trust is one of the most important factors influencing whether people will continue to use mobile devices to their full potential," said Kevin Mahaffey, CTO and co-founder of Lookout. "As smartphones and tablets have come to house our personal data, access financial information, and power practically all of our communications, there are more incentives for attackers to strike."

So download apps only from trusted sources and stores; review your phone bill; make sure the URL you visit matches the website; and run mobile antivirus software, Lookout recommends.

A copy of the full Lookout report is available here for download.

Kelly Jackson Higgins is Senior Editor. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ...
