Dark Reading is part of the Informa Tech Division of Informa PLC


2/26/2018
06:00 PM

Threats from Mobile Ransomware & Banking Malware Are Growing

The number of unique mobile malware samples increased sharply in 2017 compared to a year ago, according to Trend Micro.

After years of focusing their attention largely on desktop systems, cybercriminals have, as expected, begun ramping up attacks on mobile devices.

Ransomware, banking malware, and other threats aimed at smartphones increased sharply in volume last year and will pose a growing threat to organizations and individuals in 2018 and beyond, Trend Micro said in a report released Monday.

In keeping with past trends, a vast majority of the threats affected Android devices and those downloading mobile applications from unofficial third-party stores.

But for the first time, people getting apps from Google's official Play mobile app store were affected significantly as well. Trend Micro said it found 30,000 more malicious applications published on Google Play last year than it did in 2016. The threats were harder to detect because they often hid in encrypted traffic and behind legitimate application functionality.

Apple's walled garden, though much harder to scale, wasn't completely impervious, either. Many applications infected with adware and other unwanted functionality found their way to the company's App Store. "Android is the predominant platform today for most malicious apps, including ransomware," says Jon Clay, director of global threat communications for Trend Micro. "But iOS appears to be a platform that threat actors are starting to target due to the number of potential victims," he adds. "Apple's walled garden makes it a more difficult platform to compromise."

Trend Micro's report comes amid growing enterprise concerns over the threat to data security posed by mobile devices. Eighty-five percent of the respondents in a recent survey by Verizon's wireless group said their organizations faced at least a moderate threat from mobile devices, with 74% saying those risks had increased over the past year. Four out of 10 see it as a "significant risk." Over a quarter of respondents said their organizations had suffered at least one security incident involving a mobile device.

In 2017, Trend Micro's Mobile App Reputation Service (MARS) analyzed more than 468,830 unique mobile ransomware samples. That number represented a 415% increase in new ransomware from 2016, according to the security vendor. Mobile ransomware detections were highest in China, which accounted for nearly one-third of all detections, followed by Indonesia, India, and Japan.

The most pervasive mobile ransomware in 2017 was SLocker, an Android file-locking malware tool that alone accounted for more than 424,000 of the unique samples that Trend Micro analyzed during the year.

SLocker's pervasiveness stemmed from the fact that its authors released the malware's source code publicly. This gave many more threat actors access to the code and resulted in multiple versions of SLocker in the wild, each with different capabilities and ransom demands. One variant mimicked the user interface of the WannaCry crypto malware and was assembled using a do-it-yourself Android development kit, Trend Micro said.

On the (relatively) good news front, less than 1% of the mobile ransomware samples that Trend Micro spotted last year actually ended up hitting end-user devices. "When we look at the number of queries to our mobile app reputation service to see if an app is good or bad, they come back as detections around 0.27% of the time," Clay says. "In raw numbers, we had 28 billion queries and 75 million detections," he says.

A vast majority of the mobile ransomware that Trend Micro spotted last year was also not as sophisticated in capabilities as desktop versions of the malware. For instance, PC-based ransomware often uses obfuscation techniques that make it harder to detect than mobile versions, Clay says.

Ransomware was not the only mobile threat. In 2017, the number of unique mobile banking malware samples that Trend Micro spotted increased 94%, to 108,439.

With banking increasingly becoming an integral part of mobile device usage, attackers have begun building more-sophisticated capabilities into their mobile banking malware. "They blended in with legitimate processes — or masqueraded as one — to stay under the radar, steal more than just credit card data, and bypass security mechanisms," Trend Micro noted.

For example, the security vendor pointed to BankBot, malware with phishing templates for 160 banks, equipped with anti-sandbox and anti-signature capabilities and capable of communicating with command-and-control servers using Google's Firebase Cloud Messaging services. One BankBot version found its way to Google Play and was downloaded between 5,000 and 10,000 times last year alone, according to Trend Micro.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments
Dr.T,
User Rank: Ninja
2/27/2018 | 7:00:08 PM
Two-factor
"to stay under the radar, steal more than just credit card data, and bypass security mechanisms" It is better to use two-factor authentication and never click a link in an email to access your bank.
Dr.T,
User Rank: Ninja
2/27/2018 | 6:58:24 PM
Banking
"With banking increasingly becoming an integral part of mobile device usage, attackers have begun building more-sophisticated capabilities into their mobile banking malware." This is critical to pay attention to, I think. When it hits bank apps it will hurt a lot of people.
Dr.T,
User Rank: Ninja
2/27/2018 | 6:56:23 PM
SLocker
"The most pervasive mobile ransomware in 2017 was SLocker" Surprisingly, I have not heard of this, maybe because I am not an Android user.
Dr.T,
User Rank: Ninja
2/27/2018 | 6:53:58 PM
Android
"In keeping with past trends, a vast majority of the threats affected Android devices and those downloading mobile applications from unofficial third-party stores." This is one of the disadvantages of a closed system. iOS has it right in a way that only approved things could be run.
Dr.T,
User Rank: Ninja
2/27/2018 | 6:51:04 PM
Ransomware
"Ransomware, banking malware, and other threats aimed at smartphones increased sharply in volume last year and will pose a growing threat to organizations and individuals in 2018 and beyond" I think this is because most of us respond to a ransomware attack.