Mobile

2/26/2018
06:00 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Threats from Mobile Ransomware & Banking Malware Are Growing

The number of unique mobile malware samples increased sharply in 2017 compared to a year ago, according to Trend Micro.

After years of focusing their attention largely on desktop systems, cybercriminals have, as expected, begun ramping up attacks on mobile devices.

Ransomware, banking malware, and other threats aimed at smartphones increased sharply in volume last year and will pose a growing threat to organizations and individuals in 2018 and beyond, Trend Micro said in a report released Monday.

In keeping with past trends, a vast majority of the threats affected Android devices and those downloading mobile applications from unofficial third-party stores.

But for the first time, people getting apps from Google's official Play mobile app store were affected significantly as well. According to Trend Micro, it found 30,000 more malicious applications published on Google Play last year than it did in 2016. The threats were harder to detect because they often hid in encrypted traffic and behind legitimate application functionality.

Apple's walled garden, though much harder to scale, wasn't completely impervious, either. Many applications infected with adware and other unwanted functionality found their way to the company's App Store. "Android is the predominant platform today for most malicious apps, including ransomware," says Jon Clay, director of global threat communications for Trend Micro. "But iOS appears to be a platform that threat actors are starting to target due to the number of potential victims," he adds. "Apple's walled garden makes it a more difficult platform to compromise."

Trend Micro's report comes amid growing enterprise concerns over the threat to data security posed by mobile devices. Eighty-five percent of the respondents in a recent survey by Verizon's wireless group said their organizations faced at least a moderate threat from mobile devices, with 74% saying those risks had increased over the past year. Four out of 10 see it as a "significant risk." Over a quarter of respondents said their organizations had suffered at least one security incident involving a mobile device.

In 2017, Trend Micro's Mobile App Reputation Service (MARS) analyzed more than 468,830 unique mobile ransomware samples. That number represented a 415% increase in new ransomware from 2016, according to the security vendor. Mobile ransomware detections were highest in China, which accounted for nearly one-third of all detections, followed by Indonesia, India, and Japan.

The most pervasive mobile ransomware in 2017 was SLocker, an Android file-locking malware tool that alone accounted for more than 424,000 of the unique samples that Trend Micro analyzed during the year.

The reason for SLocker's pervasiveness stemmed from the fact that its authors released the malware's source code publicly. This ensured that a lot more threat actors had access to the code and resulted in multiple versions of SLocker in the wild, each with different capabilities and ransom demands. One variant mimicked the user interface of the WannaCry crypto malware and was assembled using a do-it-yourself Android development kit, Trend Micro said.

On the (relatively) good news front, less than 1% of the mobile ransomware samples that Trend Micro spotted last year actually ended up hitting end-user devices. "When we look at the number of queries to our mobile app reputation service to see if an app is good or bad, they come back as detections around 0.27% of the time, Clay says. "In raw numbers. we had 28 billion queries and 75 million detections," he says.

A vast majority of the mobile ransomware that Trend Micro spotted last year was also not as sophisticated in capabilities as desktop versions of the malware. For instance, PC-based ransomware often uses obfuscation techniques that make it harder to detect than mobile versions, Clay says.

Ransomware was not the only mobile threat. In 2017, the number of unique mobile banking malware samples that Trend Micro spotted increased 94%, to 108,439.

With banking increasingly becoming an integral part of mobile device usage, attackers have begun building more-sophisticated capabilities into their mobile banking malware. "They blended in with legitimate processes — or masqueraded as one — to stay under the radar, steal more than just credit card data, and bypass security mechanisms," Trend Micro noted.

For example, the security vendor pointed to BankBot, malware with phishing templates for 160 banks, equipped with anti-sandbox and anti-signature capabilities and capable of communicating with command-and-control servers using Google's Firebase Cloud Messaging services. One BankBot version found its way to Google Play and was downloaded between 5,000 and 10,000 times last year alone, according to Trend Micro.

Related content:

 

Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the conference and to register.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
2/27/2018 | 7:00:08 PM
Two-factor
to stay under the radar, steal more than just credit card data, and bypass security mechanisms It is better to use two factor authentication and never click a link in the email to access to your bank.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
2/27/2018 | 6:58:24 PM
Banking
With banking increasingly becoming an integral part of mobile device usage, attackers have begun building more-sophisticated capabilities into their mobile banking malware. This is critical to pay attention I think. When I hits bank apps it will hurt a lot of people.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
2/27/2018 | 6:56:23 PM
SLocker
The most pervasive mobile ransomware in 2017 was SLocker Surprisingly I have not heard this, maybe because I am not an Android user.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
2/27/2018 | 6:53:58 PM
Android
In keeping with past trends, a vast majority of the threats affected Android devices and those downloading mobile applications from unofficial third-party stores. This is one of the disadvantages of closed system. iOS has it right in a way that onky approved things could be run
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
2/27/2018 | 6:51:04 PM
Ransomware
Ransomware, banking malware, and other threats aimed at smartphones increased sharply in volume last year and will pose a growing threat to organizations and individuals in 2018 and beyond I thinks this is because most of us respond a ransomware attack.
Election Websites, Back-End Systems Most at Risk of Cyberattack in Midterms
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/14/2018
Intel Reveals New Spectre-Like Vulnerability
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/15/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-13435
PUBLISHED: 2018-08-16
** DISPUTED ** An issue was discovered in the LINE jp.naver.line application 8.8.0 for iOS. The Passcode feature allows authentication bypass via runtime manipulation that forces a certain method to disable passcode authentication. NOTE: the vendor indicates that this is not an attack of interest w...
CVE-2018-13446
PUBLISHED: 2018-08-16
** DISPUTED ** An issue was discovered in the LINE jp.naver.line application 8.8.1 for Android. The Passcode feature allows authentication bypass via runtime manipulation that forces a certain method's return value to true. In other words, an attacker could authenticate with an arbitrary passcode. ...
CVE-2018-14567
PUBLISHED: 2018-08-16
libxml2 2.9.8, if --with-lzma is used, allows remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint, a different vulnerability than CVE-2015-8035 and CVE-2018-9251.
CVE-2018-15122
PUBLISHED: 2018-08-16
An issue found in Progress Telerik JustAssembly through 2018.1.323.2 and JustDecompile through 2018.2.605.0 makes it possible to execute code by decompiling a compiled .NET object (such as DLL or EXE) with an embedded resource file by clicking on the resource.
CVE-2018-11509
PUBLISHED: 2018-08-16
ASUSTOR ADM 3.1.0.RFQ3 uses the same default root:admin username and password as it does for the NAS itself for applications that are installed from the online repository. This may allow an attacker to login and upload a webshell.