6 Discoveries That Prove Mobile Malware's Mettle

Mobile malware hasn't yet grown to the problematic levels that once plagued Windows PCs back in the days before Trustworthy Computing. That doesn't mean mobile vulnerabilities aren't exploitable, though: Today's security researchers are not only creating and discovering proof-of-concept examples with real-world applicability, but they're finding in-the-wild samples, too.

Here's some of the most compelling evidence over the past year that shows mobile malware has bridged the gap from theoretical to practical.

1. Zitmo
One of the most successful banking Trojans of all time, Zeus, made the jump from PCs to mobile devices through the Zeus-in-the-mobile (Zitmo) spyware application. Prevalent on Android, Zitmo masquerades as a banking activation application and eavesdrops on SMS messages in search of the mobile transaction authentication numbers (mTANs) banks send via text to their users as a second form of authentication. Initially discovered in 2010, researchers last summer saw Zitmo gaining steam in the wild.

[ Are mobile banking apps safe enough to use? See Making Mobile Banking Safe. ]

2. Mobile Botnets
Since 2009, Perimeter E-Security Research Analyst Grace Zeng has been exploring the possibilities of botnets consisting entirely of mobile devices. Naysayers told her it wasn't feasible, but last month she showed how realistic the possibility is with a presentation at WiSec 2012. Zeng presented her proof-of-concept design, which showed how devices could be infected through code hidden in games or system applications, and how command-and-control (C&C) communications could be passed through SMS made to look like spam. The hackers may well be ahead of her -- researchers with NQ Mobile said last month that they discovered an Android bootkit that leverages root privileges and poses one of the first threats of mobile botnets in the wild.

3. CrowdStrike RAT Attack
Industry heavy-hitters George Kurtz and Dmitri Alperovitch made waves for their stealth start-up CrowdStrike when they wowed the crowd at the RSA Conference in February by demonstrating how the company's research team reverse-engineered a Chinese remote access tool (RAT) to spy on a user's calls, physical location, apps, and data. The "end-to-end" mobile attack is delivered through a phony SMS message with a URL ostensibly leading to information about the user's need to renew service. The attack goes to show how thoroughly attackers can spy on users through commandeered mobile devices.

4. Instastock
Many researchers have noted that the growing mobile malware problem is actually an Android malware problem. That's true to a large degree at the moment, but exploits like the one Accuvant's Charlie Miller came up with in November prove that attackers can and will find ways into Apple's walled garden. Miller's Instastock application was an exercise in vulnerability exploitation. He took advantage of a "flaw in the way Apple handles code signing" to load a stock ticker app into the App Store that phones home to the attacker's server. Apple's since fixed the exploit, but Instastock stands as proof positive that iOS is far from impregnable.

5. JiFake
Mobile marketers are loving the convenience of easy-to-scan QR codes to deliver mobile users to their websites and apps through their phones' barcode scanners. Attackers love these codes, too. Researchers are finding that the bad guys are increasingly using the obfuscation of QR codes to trick users into downloading malware -- and there are plenty of real-world samples to back up those claims. Examples like Jifake are distributed through QR code. The end game, as with many QR code Trojans, is to get the phone to send SMS messages to a premium number without the user knowing about it.

6. Android.Notcompatible
This week Symantec is warning of a new website injection campaign hat tricks users who visit infected websites to allow installation of a malware payload pretending to be security software. Like a drive-by-download attack, Android.Notcompatible pops up as a URL redirect injected into the HTML body of an infected page. But users still need to intervene to allow installations and accept permissions on the malware, which poses as a security package. Symantec says the malware routes traffic from an infected device to an external source, opening the potential to steal sensitive content, perform clickjacking, and lay the foundation for extortion rackets.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.