SlideShare ist ein Scribd-Unternehmen logo

F-Secure Labs Mobile Threat Report Q4 2012

F-Secure Corporation
F-Secure Corporation

The F-Secure Labs Mobile Threat Report discusses the mobile threat landscape as seen from the fourth quarter of 2012, includes statistics of all mobile malware the F-Secure Response Labs have seen during that period.

Technologie
1 von 34
Downloaden Sie, um offline zu lesen
MOBILE THREAT REPORT Q4 2012
Mobile Threat Report Q4 2012 F-Secure Labs At the F-Secure Response Labs in Helsinki, Finland, and Kuala Lumpur, Malaysia, security experts work around the clock to ensure our customers are protected from the latest online threats. At any given moment, F-Secure Response Labs staff is on top of the worldwide security situation, ensuring that sudden virus and malware outbreaks are dealt with promptly and effectively. Protection around the clock Response Labs work is assisted by a host of automatic systems that track worldwide threat occurences in real time, collecting and analyzing hundreds of thousands of data samples per day. Criminals who make use of virus and malware to profit from these attacks are constantly at work on new threats. This situation demands around the clock vigilance on our part to ensure that our customers are protected. 2
Mobile Threat Report Q4 2012 abstract THIS REPORT DISCUSSES THE MOBILE THREAT LANDSCAPE AS SEEN IN THE fourth QUARTER OF 2012, AND INCLUDES STATISTICS AND DETAILS OF THE MOBILE THREATS THAT F-SECURE RESPONSE LABS HAVE SEEN AND ANALYZED DURING THAT PERIOD. The data presented in this report was last updated on 31 December 2012. Contents abstract3 2012 Mobile Landscape Calendar 5 Executive Summary 6 Latest threats In the last three months 7 Figure 1: New Mobile Threat Families And Variants Received Per Quarter, Q1–Q4 2012 8 Figure 2: Threat Families And Variants By Platform,2010–2012 9 Potentially unwanted software 10 Hack-Tool:Android/Aniti.A11 Hack-Tool:Android/DroidSheep.A11 Hack-Tool:Android/EksyPox.A11 Monitoring-Tool:Android/GpsSpyTracker.A, and variant B 11 Monitoring-Tool:Android/SheriDroid.A12 Monitoring-Tool:Android/SmsSpy.A12 Monitoring-Tool:Android/SmsUploader.A12 Monitoring-Tool:Android/SpyMob.A13 Monitoring-Tool:Android/SpyPhone.A13 Monitoring-Tool:Android/TheftAware.A14 Monitoring-Tool:Android/TrackPlus.A14 Riskware:Android/AutoRegSMS.A14 Riskware:Android/SmsReg.A, and variant.B 15 Riskware:Android/SmsSpy.A16 Figure 3: Mobile Threats By Type, Q4 2012 17 Figure 4: Mobile Threats By Type, 2012 17 3
Mobile Threat Report Q4 2012 Malware 18 Backdoor:Android/FakeLook.A19 Trojan:Android/Citmo.A19 Trojan:Android/EcoBatry.A19 Trojan:Android/FakeFlash.A20 Trojan:Android/FakeGuard.A20 Trojan:Android/GeoFake.A, and variant B 20 Trojan:Android/Gmuse.A21 Trojan:Android/InfoStealer.A22 Trojan:Android/MaleBook.A22 Trojan:Android/Placsms.A23 Trojan:Android/QdPlugin.A24 Trojan:Android/SMSAgent.A24 Trojan:Android/SpamSoldier.A24 Trojan:Android/Stesec.A25 Trojan:Android/Stokx.A25 Trojan:Android/Temai.A25 Trojan:Android/Tesbo.A26 Trojan:SymbOS/Ankaq.A27 Trojan:SymbOS/Khluu.A27 Figure 5: Mobile Threats Motivated By Profit Per Year, 2006-2012 28 Figure 6: Mobile Threats Motivated By Profit Per Quarter, Q1–Q4 2012 28 Figure 7: Profit-Motivated Threats By Platform, 2012 29 New variants of already known families 30 Figure 8: Number Of Android Threats Received Per Quarter, Q1–Q4 2012 31 Figure 9: Top Android Detections, Q4 2012 31 Table 1: Top Malware and Potentially Unwanted Software On Android, Q4 2012 32 4
Mobile Threat Report Q4 2012 2012 Mobile Landscape Calendar JAN feb mar apr may jun jul aug sep oct nov dec 62 21 20 21 Google Bouncer Eurograbber attack introduced to iOS 6 and iPhone Android 4.1 on European banks Play Store 5 launched 17 (Jellybean) reported released 13 Drive-by malware 14 13 10 10 Samsung Berlin police found on Android TouchWiz exploit warned of Android Fidall found reported banking trojan on iOS 8 Samsung Exynos exploit FinSpy found on reported 4 multiple platforms 0 1 4 1 3 3 6 5 SMS-trojans 6 found on J2ME 7 Zitmo found on 8 Blackberry Nokia halts almost all Symbian 13 development Symbian Belle refresh rolls out Threat Statistics notable events New families/variants on Android Android New families/variants on Symbian Blackberry iOS J2ME Windows Mobile Symbian 5
Mobile Threat Report Q4 2012 Executive Summary Android malware has been strengthening its position in the mobile threat scene. Every quarter, malware authors bring forth new threat families and variants to lure more victims and to update on the existing ones. In the fourth quarter alone, 96 new families and variants of Android threats were discovered, which almost doubles the number recorded in the previous quarter. A large portion of this number was contributed by PremiumSMS—a family of malware that generates profit through shady SMS-sending practices—which unleashed 21 new variants. “Bank Info Security Quite a number of Android malware employ an operation similar to PremiumSMS. It reported that is a popular method for making direct monetary profit. The malware quietly sends out SMS messages to premium rate numbers or signs up the victims to an SMS-based Eurograbber managed subscription service. Any tell-tale messages or notifications from these numbers and/ to steal USD47 million or services will be intercepted and deleted; therefore, the users will be completely unaware of these activities until the charges appear on their bills. from over 30,000 retail and corporate In addition to SMS-sending malware, some malware authors or distributors may choose to make profit through banking trojans. Citmo.A (a mobile version of the Carberp accounts in Europe.” trojan) recently made its debut in Q4. Just like Zitmo (Zeus for mobile) and Spitmo (SpyEye for mobile), Citmo.A operates in the same manner—it steals the mobile Transaction Authentication Number (mTAN) that banks send via SMS to customers to validate an online banking transaction. Using this number, it can transfer money from the victims’ account and the banks will proceed with the transaction because it appears to be coming from the rightful account owner. Such is the case with Eurograbber, a variant of the Zeus trojan; Bank Info Security reported that Eurograbber managed to steal USD47 million from over 30,000 retail and corporate accounts in Europe1. It first infected the victims’ personal computers before tricking them into installing a version of it onto their mobile devices. By positioning itself on both the victims’ computers and devices, Eurograbber can impersonate the victims and carry out transactions without raising suspicions from either the victim or the banking institution. The trojan had been found to infect not only devices running on Android, but also Symbian and BlackBerry operating systems. The rise of Android malware can be largely attributed to the operating system’s increasing foothold in the mobile market. Android’s market share has risen to 68.8% in 2012, compared to 49.2% in 20112. On the threat side, its share rose to 79% in 2012 from 66.7% in 2011. Symbian on the other hand, is suffering from the opposite fate. In 2012, it only held 3.3% market share which is a huge drop from 16.5% in the year before3. Its share in the threat scene also reflected this drop, going from 29.7% in 2011 to 19% in 2012. Nokia’s decision to halt all Symbian development in February 2012 may have contributed to the huge drop in numbers. As its market share declines, so does malware authors’ interest in the platform as evidenced by the statistics seen in Q4 where only four new families and variants of Symbian malware were recorded. As for the other platforms, i.e., Blackberry, iOS, Windows Mobile, they may see some threats popping up once in a while. But most likely, the threats are intended for multiple platforms similar to the case of FinSpy4. 1 Bank Info Security; Tracy Kitten; Eurograbber: A Smart Trojan Attack; published 17 December 2012; http://www.bankinfosecurity.com/eurograbber-smart-trojan-attack-a-5359/op-1 2,3 Engadget; Jon Fingas; IDC: Android surged to 69 percent smartphone share in 2012, dipped in Q4; published 14 February 2013; http://www.engadget.com/2013/02/14/idc-android-surged-to-69-percent-smartphone-share-in-2012/ 4 F-Secure Weblog; Mikko Hyppönen; Egypt; FinFisher Intrusion Tools and Ethics; published 8 March 2011; https://www.f-secure.com/weblog/archives/00002114.html 6
Latest threats In the last three months
Mobile Threat Report Q4 2012 Figure 1: New Mobile Threat Families And Variants Received Per Quarter, Q1–Q4 2012 100 100 96 all threats 90 Android Blackberry 80 iOS 74 J2ME 70 66 Windows Mobile 60 61 Symbian 50 49 47 46 40 30 21 20 18 14 10 4 2 2 1,1 25+25+a 33+34+33a 50+50+a 25+25+a 0,0,0,0 0,0,0 0 0,0,0,0 Q1 2012 Q2 2012 Q3 2012 Q4 2012 NOTE: The threat statistics used in Figure 1 are made up of families and variants instead of unique files. For instance, if two samples are detected as Trojan:Android/GinMaster.A, they will only be counted as one in the statistics. 8
Mobile Threat Report Q4 2012 Figure 2: Threat Families And Variants By Platform,2010–2012 11+3+2363x Android, 11.25% J2ME, 2.5% 2010 TOTAL = 80 Windows Mobile, families and 23.75% variants Symbian, 62.5% 66+3+130x Symbian, 29.7% 2011 TOTAL = 195 families and variants Windows Mobile, 1% Android, 66.7% J2ME, 2.6% 77+1+217x Symbian, 19% Windows Mobile, 0.3% J2ME, 0.7% iOS, 0.7% 2012 Blackberry, 0.3% TOTAL = 301 families and variants Android, 79% NOTE: The threat statistics used in Figure 2 are made up of families and variants instead of unique files. For instance, if two samples are detected as Trojan:Android/GinMaster.A, they will only be counted as one in the statistics. 9
Potentially unwanted software We consider the following program as potentially unwanted software, which refers to programs that may be considered undesirable or intrusive by a user if used in a questionable manner.
Mobile Threat Report Q4 2012 Hack-Tool:Android/Aniti.A Also known as the Android Network Toolkit, Aniti.A is a penetration testing tool that allows user to perform certain tests via its automation interface. Using the tool, the user may evaluate or demonstrate a weak security point in the network by: • Performing network scanning • Generating network report • Checking the password strength • Checking for vulnerable machines in the network • Attacking a vulnerable machine • Monitoring unsecured connections • Sniffing ‘man-in-the-middle’ attacker • Performing a denial of service (DoS) attack Like most penetration testing programs, this tool is intended for use in a legitimate context. It may however also be misused by malicious parties. Hack-Tool:Android/DroidSheep.A DroidSheep.A is a tool that is capable of hijacking a logged-on session conducted over a shared wireless network. It is intended to demonstrate poor security properties in a network connection, but may be misused for malicious intent by irresponsible parties. Hack-Tool:Android/EksyPox.A EksyPox.A is a program that offers a workaround for a vulnerability found on the Exynos 4: A system-on-chip (SoC) that Exynos 4 chip. This vulnerability, if successfully exploited, could allow any application is used by some Samsung devices, e.g., Galaxy S III, Galaxy Note II, Galaxy Camera, to gain root access on devices running on the Exynos 4 chip. EksyPox.A provides a etc. way to patch the security hole, but not without exploiting the vulnerability first. NOTE: For additional reading, please refer to the article at (http://www.xda-developers. com/android/dangerous-exynos-4-security-hole-demoed-and-plugged-by-chainfire/). Monitoring-Tool:Android/GpsSpyTracker.A, and variant B GpsSpyTracker.A is a location tracking tool that performs its tracking function using a specific key and an email address assigned to a particular device. Once activated, it tracks the device’s location every 15 minutes. It displays the current location on a map and keeps the location history in a local file. 11
Mobile Threat Report Q4 2012 Monitoring-Tool:Android/SheriDroid.A SheriDroid.A is advertised as an application that allows the user to perform these activities using its monitoring and alarm setting features: • Record pre-alarm warning message • Remotely trigger a location tracker using a password • If lost or stolen, enable the device to stealthily send SMS messages related to alarm or location tracking • Set system unlock pattern However, without the user’s consent or knowledge, the application keeps track of the user’s web surfing behaviors and other activities carried out on the device. SheriDroid.A’s icon (left), and EULA (right) Monitoring-Tool:Android/SmsSpy.A Please refer to Riskware:Android/SmsSpy.A on page 16. Monitoring-Tool:Android/SmsUploader.A SMSUploader.A uploads every SMS messages’ content found on the device to a remote server. Once installed, SmsUploader.A places an icon titled ‘SMSUpload’ on the application menu. When launched, it requests that the user restart the device and informs the user that the application will be running in the background. 12
Mobile Threat Report Q4 2012 Monitoring-Tool:Android/SpyMob.A SpyMob.A is a commercial monitoring tool that collects information pertaining to SMS messages, contact list, call log and GPS location of a targeted device. These details are later uploaded to Spy2Mobile servers and can be viewed by logging in to the user’s account at Spy2Mobile.com. SpyMob.A’s icon (left), and requested permissions (right) To use this application, the user must first installs SpyMob.A onto the targeted device and register an account at SpyMobile.com. Installation and registration Monitoring-Tool:Android/SpyPhone.A SpyPhone.A is promoted as an application that lets user sneakily capture a photo or record a video/audio. However, it also keeps track of activities on the device and collects information such as a log of events, GPS locations, visited URLs, and the user ID. 13
Mobile Threat Report Q4 2012 SpyPhone.A’s icon (left), and user interface (right) Monitoring-Tool:Android/TheftAware.A TheftAware.A is a commercial monitoring tool that helps the user to locate a stolen or a missing device. It allows the user to obtain the device’s GPS location, lock it, and delete data by issuing commands through SMS messages. Monitoring-Tool:Android/TrackPlus.A TrackPlus.A is a tracking tool that can be used to locate a device. It sends out the device’s International Mobile Equipment Identity (IMEI) number to a remote server, and has a web portal to keep track of the device’s location. Once installed, TrackPlus.A does not place an icon on the application menu but appears as a transparent widget on the device. Riskware:Android/AutoRegSMS.A Upon launching, AutoRegSMS.A displays the message “Hello, Android” but in the background, it secretly activates a game application using the user’s information. It also sends out SMS messages to the user’s contact list to get an activation serial number. AutoRegSMS.A is represented by an icon titled ‘Main Activity’ which can be located on the main application menu. 14
Mobile Threat Report Q4 2012 AutoRegSMS.A’s icon (left), and the message it displays (right) Riskware:Android/SmsReg.A, and variant.B SmsReg.A is marketed under the name ‘Battery Improve,’ and claims to help maximizes a device’s battery usage. SmsReg.A as ‘Battery Improve’ Unbeknownst to the user, the application also collects the following information: • API key • Application ID • Carrier • Device manufacturer • Device model • GPS location • IMEI number • Network operator • Package name • SDK version 15
Mobile Threat Report Q4 2012 Riskware:Android/SmsSpy.A SmsSpy.A is a stealthy application that places no visible icon on the application menu; its presence is only visible from the ‘Manage applications’ option under Settings. All of its activities are carried out inconspicuously in the background. These activities include tracking the device’s GPS location, accessing and reading SMS messages received on the device, and sending out SMS messages. SmsSpy.A as seen from ‘Manage applications’ (left), and requested permissions (right) 16
Mobile Threat Report Q4 2012 Figure 3: Mobile Threats By Type, Q4 2012 Backdoor 1% 3+1+41027253v Adware 3% Hack-Tool 4% Monitoring-Tool 10% Trojan 53% Riskware 27% Spyware 2% Figure 4: Mobile Threats By Type, 2012 4+2+168125573v Trojan-Spy Application 1.0% 1.7% Adware 2.7% Backdoor Hack-Tool Trojan-Downloader 0.3% 5.6% 0.7% Monitoring-Tool 7.0% Riskware 11.2% Trojan 66.1% Spyware 3.7% NOTE: The threat statistics used in Figure 3 and Figure 4 are made up of families and variants instead of unique files. For instance, if two samples are detected as Trojan:Android/GinMaster.A, they will only be counted as one in the statistics. 17
Malware Programs categorized as malware are generally considered to pose a significant security risk to the user’s system and/or information. Malicious actions carried out by these programs include (but are not limited to) installing hidden objects as well as hiding the objects from the user, creating new malicious objects, damaging or altering any data without authorization, and stealing any data or access credentials.
Mobile Threat Report Q4 2012 Backdoor:Android/FakeLook.A FakeLook.A avoids placing an icon on the application menu to hide its presence from the device owner. However, it can be seen listed as ‘Updates’ under the ‘Manage applications’ option in Settings. FakeLook.A connects to a command and control (CC) server to receive further instructions. It collects information such as the device ID and SMS messages, gets files list from the SD card, and compress files before uploading them to an FTP server using the username ‘ftpuser’ and the password ‘upload.’ Trojan:Android/Citmo.A Citmo.A is the mobile version of Carberp, a banking trojan that infects personal mTAN: Mobile Transaction Authentication computers to steal banking credentials. Citmo.A’s functions are similar to Zitmo Number. This number is used to (Zeus for mobile) and Spitmo (SpyEye for mobile)—it monitors incoming SMS authenticate an online banking transaction. messages and steals the mobile Transaction Authentication Number (mTAN) that banks send to their customers to validate an online banking transaction. NOTE: For additional reading on banking trojan, please refer to the article ‘Berlin Police: Beware Android Banking Trojans’ at (http://www.f-secure.com/weblog/ archives/00002457.html). Trojan:Android/EcoBatry.A Upon installation, EcoBatry.A requests for permissions that will allow it to access Internet, contact data, and information on the device. The malware then establishes an outgoing connection to a remote server, where it will be instructed to collect user’s contact information and upload the details to the server. EcoBatry.A’s icon (left), and requested permissions (right) 19
Mobile Threat Report Q4 2012 Trojan:Android/FakeFlash.A FakeFlash.A takes the appearance of a legitimate Flash Player application. When launched, it displays a message to the user notifying that the Flash Player application has been successfully installed, and then redirects the user to another website. FakeFlash.A’s icon (left), and the application it supposedly has installed (right) Trojan:Android/FakeGuard.A FakeGuard.A is a malware that is capable of handling incoming SMS/WAP Push. WAP Push: A specially encoded message It steals user information, and establishes a connection to a remote server. The that includes a link to a WAP address. response received from the server will be decoded using MS949 character set, while the outgoing data is encoded in EUC_KR character set. Trojan:Android/GeoFake.A, and variant B GeoFake.A is distributed as a Chinese calendar application, but requests for unnecessary permissions during the installation process. The permissions it requested are as follows: • Manage account list • Access and use the account’s authentication credentials • Read and edit SMS or MMS messages • Read system log files • Access location information 20
Mobile Threat Report Q4 2012 GeoFake.A’s icon (left), and requested permissions (right) Once successfully installed on a device, the malware sends SMS messages to premium rate numbers. It uses the Google Maps API to select which premium service should be used according to the geolocation of the device. GeoFake.A is distributed as a Chinese calendar application Trojan:Android/Gmuse.A Gmuse.A is marketed as an application that allows the user to store files and documents in a secret, password-protected location. However, without the user’s consent, it will sync the user’s file list through an SMTP server to an unknown user using the email “hbwhhouse@gmail.com” with the password “whwxhjbu.” 21
Mobile Threat Report Q4 2012 Gmuse.A’s icon (left), and user interface (right) Gmuse.A also connects to a remote server to download an updated version of the application, which is named as “lightbox.apk.” Trojan:Android/InfoStealer.A InfoStealer.A, as clearly indicated by its name, is a malware that steals contact information and uploads the details to a remote MySQL server. Stolen information include: • Device ID • Email address • Latitude and longitude • Phone number • Postal code • Region • Street • Username Trojan:Android/MaleBook.A MaleBook.A collects device information, and later forwards the details to several remote servers. The collected information include: • Application ID • Application version • Country code • Device name • Device type • Device width and height • International Mobile Equipment Identity (IMEI) number • International Mobile Subscriber Identity (IMSI) number • Language • Operation system version • SDK version 22
Mobile Threat Report Q4 2012 Additionally, the malware also attempts to download advertisements from the servers onto the infected device. MaleBook.A’s icon (left), and user interface (right) Trojan:Android/Placsms.A Placsms.A appears as ‘sp_pay’ on the application menu, and requests for permissions that will allow it to access Internet, SMS messages, SD card contents, and the device’s system during the installation process. Placsms.A’s icon (left), and requested permissions (right) The application collects information such as the device’s International Mobile Equipment Identity (IMEI) number and phone number; it later uploads the details to a remote server. NOTE: Placsms.A exhibits behavior that are similar to trojans in the PremiumSMS family (http://www.f-secure.com/v-descs/trojan_android_premiumsms.shtml). 23
Mobile Threat Report Q4 2012 Trojan:Android/QdPlugin.A QdPlugin.A is repackaged into another legitimate application before being distributed to potential victims. Once installed and activated on a device, the malware will send out device information such as IMEI number and IMSI number to remote servers. It also receives commands from the servers, which may instruct it to carry out actions such as installing and removing packages. The command and control (CC) servers’ URLs are stored and encoded with a simple byte shift algorithm within the embedded malicious APK. Trojan:Android/SMSAgent.A SMSAgent.A appears as a game application, but silently performs malicious routines in the background. It attempts to download other potentially malicious files from a remote server and sends out SMS or MMS messages that place expensive charges on the user’s bill. SMSAgent.A’s icon (left), and requested permissions (right) Additionally, SMSAgent.A displays advertisements and collects the following information which are later uploaded to the remote server: • Device ID • IMEI number • Network type • Operator Trojan:Android/SpamSoldier.A SpamSoldier.A is distributed via unsolicited SMS messages that contain a link for a free application download. Once successfully installed on a device, the malware contacts a command and control (CC) server and obtains a list of phone numbers. To these numbers, it sends out more spam messages containing a link that entices users with attractive freebies. 24
Mobile Threat Report Q4 2012 Trojan:Android/Stesec.A Once installed on the device, Stesec.A does not place any icon on the application menu to hide its presence from the user. It can only be viewed from the ‘Manage applications’ option in Settings, listed as ‘newService.’ Stesec.A sends out SMS messages containing the device information such as IMEI number, software version, and other details to a remote server. Stesec.A listed as ‘newService’ (left), and the permissions it requested (right) Trojan:Android/Stokx.A Stokx.A connects to a remote server and receives an XML file. The file contains details such as client ID, phone number that it will send SMS messages to, and URL for downloading additional APKs. The malware will forward the device’s International Mobile Equipment Identity (IMEI) number to the remote server, and sends out an SMS message with the content “SX357242043237517” to the number 13810845191. Trojan:Android/Temai.A Temai.A collects the following device information, and later forwards the details to a few remote addresses: • Application ID • Application version • Country code • IMEI number • IMSI number • Operating system version 25
Mobile Threat Report Q4 2012 Different icons used by Temai.A In addition to collecting and forwarding device information, the malware also downloads and installs potentially malicious APKs and script files onto the infected device. Users may also be exposed to other risk resulting from the various permissions granted to the malware during the installation process. Permissions requested by Temai.A during installation Trojan:Android/Tesbo.A Tesbo.A establishes connection to a couple of remote servers, to which it forwards details such as the device’s International Mobile Subscriber Identity (IMSI) number and application package name. Furthermore, the malware will also send out SMS messages with the content “[IMSI]@[random from 1-10]” to the number 10658422. 26
Mobile Threat Report Q4 2012 Trojan:SymbOS/Ankaq.A Ankaq.A is a program that sends out SMS messages to premium-rate numbers, and silently installs new software onto the infected device. To avoid detection, it terminates all processes belonging to anti-virus products. Trojan:SymbOS/Khluu.A Khluu.A is a program that sends out SMS messages to premium-rate numbers, and silently installs new software onto the infected device. To avoid detection, it terminates all processes belonging to anti-virus products. 27
Mobile Threat Report Q4 2012 Figure 5: Mobile Threats Motivated By Profit Per Year, 2006-2012 200 profit-motivated NOT profit-motivated 189 173 150 128 100 99 96 50 42 41 39 23 26 12 2 3 5 0 2006 2007 2008 2009 2010 2011 2012 Figure 6: Mobile Threats Motivated By Profit Per Quarter, Q1–Q4 2012 not profit-motivated profit-motivated Q1 2012 27 34 Q2 2012 26 40 Q3 2012 42 32 Q4 2012 33 67 NOTE: The threat statistics used in Figure 5 and Figure 6 are made up of families and variants instead of unique files. For instance, if two samples are detected as Trojan:Android/GinMaster.A, they will only be counted as one in the statistics. 28
Mobile Threat Report Q4 2012 Figure 7: Profit-Motivated Threats By Platform, 2012 141 blackberry 1 0 P = profit motivated P NP NP = not profit motivated 97 29 28 symbian 2 ios 0 P NP P NP Windows mobile Android J2me 2 0 0 1 P NP P NP P NP NOTE: The threat statistics used in Figure 7 are made up of families and variants instead of unique files. For instance, if two samples are detected as Trojan:Android/GinMaster.A, they will only be counted as one in the statistics. 29
New variants of already known families THE FOLLOWING IS A LIST OF NEW VARIANTS OF EXISTING MALWARE FAMILIES. THEIR FUNCTIONALITY IS NOT SIGNIFICANTLY DIFFERENT COMPARED TO THE EARLIER VARIANTS DESCRIBED IN PREVIOUS REPORTS. »» Adware:Android/AdWo.C »» Adware:Android/AirPush.B »» Adware:Android/Gappusin.B »» Hack-Tool:Android/SmsBomber.B »» Monitoring-Tool:Android/AccuTrack.B »» Riskware:Android/Boxer.E »» Riskware:Android/Maxit.B »» Riskware:Android/PremiumSMS.F-Z (21 variants) »» Spyware:Android/EWalls.B »» Spyware:Android/SmsSpy.I »» Trojan:Android/DroidDream.H »» Trojan:Android/FakeInst.S-Y (7 variants) »» Trojan:Android/GinMaster.E-J (6 variants) »» Trojan:Android/GoldDream.B, and variant D »» Trojan:Android/HippoSms.B »» Trojan:Android/IconoSys.B »» Trojan:Android/JiFake.J »» Trojan:Android/MarketPay.B »» Trojan:Android/OpFake.I, L-O, (5 variants) »» Trojan:Android/SmsSend.E-G »» Trojan:Android/SmsSpy.G, H »» Trojan:Android/Vdloader.B »» Trojan:SymbOS/Foliur.B »» Trojan:SymbOS/CCAsrvSMS.D
Mobile Threat Report Q4 2012 Figure 8: Number Of Android Threats Received Per Quarter, Q1–Q4 2012 75,000 60,326 51,447 50,000 25,000 3,063 5,033 0 Q1 2012 Q2 2012 Q3 2012 Q4 2012 Figure 9: Top Android Detections, Q4 2012 15+13+109872125z Adware:Android/AirPush, 13.5% Others, 24.4% Adware:Android/AdWo, 11.8% Adware:Android/Gappusin, 1.2% Total samples = Trojan:Android/Ginmaster.J, 1.3% 60,326 Trojan:Android/Kmin.A, 2.1% Adware:Android/Ropin, 7.7% Heuristic–Malware, 10.4% Application:Android/Counterclank, 8.1% Trojan:Android/Boxer.C, 9.9% Heuristic–Potentially Unwanted Software, 9.6% NOTE: The threat statistics used in Figure 8 and Figure 9 are made up of the number of unique Android application package files (APKs). 31
Mobile Threat Report Q4 2012 Table 1: Top Malware and Potentially Unwanted Software On Android, Q4 2012 Top-30 Malware Top-30 Potentially unwanted software detection COUNT detection COUNT Heuristic – Malware 6265 Adware:Android/AirPush 8137 Trojan:Android/Boxer.C 5989 Adware:Android/AdWo 7127 Trojan:Android/Kmin.A 1270 Heuristic – Potentially Unwanted Software 5783 Trojan:Android/Ginmaster.J** 775 Application:Android/Counterclank 4860 Trojan:Android/FakeInst.A 723 Adware:Android/Ropin 4647 Trojan:Android/Ginmaster.G** 615 Adware:Android/Gappusin 733 Trojan:Android/FakeBattScar.A 608 Application:Android/FakeApp 549 Trojan:Android/SmsSend.A 543 Hack-Tool:Android/DroidRooter.A 230 Trojan:Android/FakeInst.K 502 Hack-Tool:Android/DroidRooter.B 161 Trojan:Android/SMStado.A 472 Riskware:Android/Boxer 115 Trojan:Android/Temai.A** 443 Riskware:Android/MobileTX 106 Trojan:Android/Ginmaster.I** 434 Spyware:Android/EWalls 91 Trojan:Android/Ginmaster.F** 423 Riskware:Android/PremiumSMS.F 69 Trojan:Android/Ginmaster.E** 368 Hack-Tool:Android/DroidRooter.I 51 Trojan:Android/Ginmaster.C 347 Riskware:Android/SMSAgent 46 Trojan:Android/Ginmaster.B 336 Application:Android/Steveware 39 Trojan:Android/Geinimi.D 295 Riskware:Android/FakeAngry 34 Trojan:Android/FakeBattScar.B 269 Monitoring-Tool:Android/MobileSpy.C 33 Trojan:Android/RuFailedSMS.A 257 Hack-Tool:Android/TattooHack.A 32 Trojan:Android/DroidKungFu.C 238 Application:Android/NandroBox 32 Trojan:Android/FakeInst.T** 230 Monitoring-Tool:Android/SpyTrack.B 28 Trojan:Android/OpFake.F 199 Riskware:Android/AutoRegSms 25 Trojan:Android/FakeInst.U** 188 Riskware:Android/PremiumSMS.J 23 Trojan:Android/Nyearleak.A 186 Riskware:Android/PremiumSMS.AA 22 Trojan:Android/SMSLoader.A 163 Riskware:Android/SmsReg 19 Trojan:Android/FjCon.A 158 Riskware:Android/PremiumSMS.L 18 Trojan:Android/Kmin.B 146 Monitoring-Tool:Android/MobileTracker.A 16 Trojan:Android/JiFake.E 144 Monitoring-Tool:Android/SpyBubble.B 16 Trojan:Android/Kmin.C 139 Riskware:Android/PremiumSMS.M 15 Trojan:Android/IconoSys.A 118 Hack-Tool:Android/DroidSheep.A** 15 **New family or new variant discovered in Q4 2012 NOTE: The threat statistics used in Table 1 are made up of the number of unique Android application package files (APKs). 32
Mobile Threat Report Q4 2012 f-SEcure mobile security F-Secure Mobile Security effectively protects your mobile device, smartphone or tablet, from all common mobile threats. It guards against loss and theft, protects your children online with powerful parental control functions, keeps your device free of malware and lets you browse the web safely. Find out more: http://www.f-secure.com/web/home_global/mobile-security Purchase F-Secure Mobile Security: https://shop.f-secure.com/cgi-bin/shop/?ID=FSMAV 33
Protecting the Irreplaceable This document was previously released under controlled distribution, intended only for selected recipients. Document made public since: 7 March 2013 F-Secure proprietary materials. © F-Secure Corporation 2013. All rights reserved. F-Secure and F-Secure symbols are registered trademarks of F-Secure Corporation and F-Secure names and symbols/ logos are either trademark or registered trademark of F-Secure Corporation. Protecting the irreplaceable | f-secure.com

Empfohlen

Mobile threat report q3 2012
Mobile threat report q3 2012Mobile threat report q3 2012
Mobile threat report q3 2012F-Secure Corporation
 
F-Secure Mobile Threat Report, Q2 2012
F-Secure Mobile Threat Report, Q2 2012F-Secure Mobile Threat Report, Q2 2012
F-Secure Mobile Threat Report, Q2 2012F-Secure Corporation
 
F-Secure Mobile Threat Report Quarter 1 2012
F-Secure Mobile Threat Report Quarter 1 2012F-Secure Mobile Threat Report Quarter 1 2012
F-Secure Mobile Threat Report Quarter 1 2012F-Secure Corporation
 
Mobile threatreport q1_2012
Mobile threatreport q1_2012Mobile threatreport q1_2012
Mobile threatreport q1_2012Shivmohan Yadav
 
When Malware Goes Mobile
When Malware Goes MobileWhen Malware Goes Mobile
When Malware Goes MobileSophos
 
Mobile Marketing: 99 Ways to Get Your App Noticed - Parisa Foster
Mobile Marketing: 99 Ways to Get Your App Noticed - Parisa FosterMobile Marketing: 99 Ways to Get Your App Noticed - Parisa Foster
Mobile Marketing: 99 Ways to Get Your App Noticed - Parisa FosterParisa Foster
 
Next11 Xyologic - In The App Economy Germany Is Not A Technology Adoption Isl...
Next11 Xyologic - In The App Economy Germany Is Not A Technology Adoption Isl...Next11 Xyologic - In The App Economy Germany Is Not A Technology Adoption Isl...
Next11 Xyologic - In The App Economy Germany Is Not A Technology Adoption Isl...Hmmaha
 
Panda labs annual report 2012
Panda labs annual report 2012Panda labs annual report 2012
Panda labs annual report 2012Itex Solutions
 

Empfohlen

Mobile threat report q3 2012
Mobile threat report q3 2012Mobile threat report q3 2012
Mobile threat report q3 2012F-Secure Corporation
 
F-Secure Mobile Threat Report, Q2 2012
F-Secure Mobile Threat Report, Q2 2012F-Secure Mobile Threat Report, Q2 2012
F-Secure Mobile Threat Report, Q2 2012F-Secure Corporation
 
F-Secure Mobile Threat Report Quarter 1 2012
F-Secure Mobile Threat Report Quarter 1 2012F-Secure Mobile Threat Report Quarter 1 2012
F-Secure Mobile Threat Report Quarter 1 2012F-Secure Corporation
 
Mobile threatreport q1_2012
Mobile threatreport q1_2012Mobile threatreport q1_2012
Mobile threatreport q1_2012Shivmohan Yadav
 
When Malware Goes Mobile
When Malware Goes MobileWhen Malware Goes Mobile
When Malware Goes MobileSophos
 
Mobile Marketing: 99 Ways to Get Your App Noticed - Parisa Foster
Mobile Marketing: 99 Ways to Get Your App Noticed - Parisa FosterMobile Marketing: 99 Ways to Get Your App Noticed - Parisa Foster
Mobile Marketing: 99 Ways to Get Your App Noticed - Parisa FosterParisa Foster
 
Next11 Xyologic - In The App Economy Germany Is Not A Technology Adoption Isl...
Next11 Xyologic - In The App Economy Germany Is Not A Technology Adoption Isl...Next11 Xyologic - In The App Economy Germany Is Not A Technology Adoption Isl...
Next11 Xyologic - In The App Economy Germany Is Not A Technology Adoption Isl...Hmmaha
 
Panda labs annual report 2012
Panda labs annual report 2012Panda labs annual report 2012
Panda labs annual report 2012Itex Solutions
 
Panda labs annual-report-2012
Panda labs annual-report-2012Panda labs annual-report-2012
Panda labs annual-report-2012Комсс Файквэе
 
Security Issues in the Mobile Environment
Security Issues in the Mobile EnvironmentSecurity Issues in the Mobile Environment
Security Issues in the Mobile EnvironmentLigia Adam
 
Malware detection techniques for mobile devices
Malware detection techniques for mobile devicesMalware detection techniques for mobile devices
Malware detection techniques for mobile devicesijmnct
 
MALWARE DETECTION TECHNIQUES FOR MOBILE DEVICES
MALWARE DETECTION TECHNIQUES FOR MOBILE DEVICESMALWARE DETECTION TECHNIQUES FOR MOBILE DEVICES
MALWARE DETECTION TECHNIQUES FOR MOBILE DEVICESijmnct
 
Malicious android-applications-risks-exploitation 33578
Malicious android-applications-risks-exploitation 33578Malicious android-applications-risks-exploitation 33578
Malicious android-applications-risks-exploitation 33578skowshik
 
Mobile threat report_q3_2013
Mobile threat report_q3_2013Mobile threat report_q3_2013
Mobile threat report_q3_2013Комсс Файквэе
 
Enter Sandbox: Android Sandbox Comparison
Enter Sandbox: Android Sandbox ComparisonEnter Sandbox: Android Sandbox Comparison
Enter Sandbox: Android Sandbox ComparisonJose Moruno Cadima
 
Threat Report H2 2012
Threat Report H2 2012Threat Report H2 2012
Threat Report H2 2012F-Secure Corporation
 
Top mobile security threats
Top mobile security threatsTop mobile security threats
Top mobile security threatsRingtoIndia
 
Rp quarterly-threat-q1-2012
Rp quarterly-threat-q1-2012Rp quarterly-threat-q1-2012
Rp quarterly-threat-q1-2012Комсс Файквэе
 
White Paper - Android Security
White Paper - Android SecurityWhite Paper - Android Security
White Paper - Android Securityryanfarmer
 
A Comprehensive Study on Security issues in Android Mobile Phone — Scope and ...
A Comprehensive Study on Security issues in Android Mobile Phone — Scope and ...A Comprehensive Study on Security issues in Android Mobile Phone — Scope and ...
A Comprehensive Study on Security issues in Android Mobile Phone — Scope and ...AM Publications
 
Android By Manish Seth
Android By Manish SethAndroid By Manish Seth
Android By Manish SethNitin Gupta
 
AndRadar: Fast Discovery of Android Applications in Alternative Markets
AndRadar: Fast Discovery of Android Applications in Alternative MarketsAndRadar: Fast Discovery of Android Applications in Alternative Markets
AndRadar: Fast Discovery of Android Applications in Alternative MarketsFACE
 
Global threat-landscape report by fortinet.
Global threat-landscape report by fortinet.Global threat-landscape report by fortinet.
Global threat-landscape report by fortinet.Reham Maher El-Safarini
 
Rpt repeating-history
Rpt repeating-historyRpt repeating-history
Rpt repeating-historyAnatoliy Tkachev
 
Mobile Malwares Analysis - Garvit Arya
Mobile Malwares Analysis - Garvit AryaMobile Malwares Analysis - Garvit Arya
Mobile Malwares Analysis - Garvit AryaGarvit Arya
 
Rp quarterly-threat-q1-2012
Rp quarterly-threat-q1-2012Rp quarterly-threat-q1-2012
Rp quarterly-threat-q1-2012Комсс Файквэе
 
Android vs iOS security
Android vs iOS securityAndroid vs iOS security
Android vs iOS securitySumanth Veera
 
Malware Improvements in Android OS
Malware Improvements in Android OSMalware Improvements in Android OS
Malware Improvements in Android OSPranav Saini
 
Post-mortem of a data breach
Post-mortem of a data breachPost-mortem of a data breach
Post-mortem of a data breachF-Secure Corporation
 
How do you predict the threat landscape?
How do you predict the threat landscape?How do you predict the threat landscape?
How do you predict the threat landscape?F-Secure Corporation
 

Weitere ähnliche Inhalte

Ähnlich wie F-Secure Labs Mobile Threat Report Q4 2012

Security Issues in the Mobile Environment
Security Issues in the Mobile EnvironmentSecurity Issues in the Mobile Environment
Security Issues in the Mobile EnvironmentLigia Adam
 
Malware detection techniques for mobile devices
Malware detection techniques for mobile devicesMalware detection techniques for mobile devices
Malware detection techniques for mobile devicesijmnct
 
MALWARE DETECTION TECHNIQUES FOR MOBILE DEVICES
MALWARE DETECTION TECHNIQUES FOR MOBILE DEVICESMALWARE DETECTION TECHNIQUES FOR MOBILE DEVICES
MALWARE DETECTION TECHNIQUES FOR MOBILE DEVICESijmnct
 
Malicious android-applications-risks-exploitation 33578
Malicious android-applications-risks-exploitation 33578Malicious android-applications-risks-exploitation 33578
Malicious android-applications-risks-exploitation 33578skowshik
 
Enter Sandbox: Android Sandbox Comparison
Enter Sandbox: Android Sandbox ComparisonEnter Sandbox: Android Sandbox Comparison
Enter Sandbox: Android Sandbox ComparisonJose Moruno Cadima
 
Top mobile security threats
Top mobile security threatsTop mobile security threats
Top mobile security threatsRingtoIndia
 
White Paper - Android Security
White Paper - Android SecurityWhite Paper - Android Security
White Paper - Android Securityryanfarmer
 
A Comprehensive Study on Security issues in Android Mobile Phone — Scope and ...
A Comprehensive Study on Security issues in Android Mobile Phone — Scope and ...A Comprehensive Study on Security issues in Android Mobile Phone — Scope and ...
A Comprehensive Study on Security issues in Android Mobile Phone — Scope and ...AM Publications
 
Android By Manish Seth
Android By Manish SethAndroid By Manish Seth
Android By Manish SethNitin Gupta
 
AndRadar: Fast Discovery of Android Applications in Alternative Markets
AndRadar: Fast Discovery of Android Applications in Alternative MarketsAndRadar: Fast Discovery of Android Applications in Alternative Markets
AndRadar: Fast Discovery of Android Applications in Alternative MarketsFACE
 
Global threat-landscape report by fortinet.
Global threat-landscape report by fortinet.Global threat-landscape report by fortinet.
Global threat-landscape report by fortinet.Reham Maher El-Safarini
 
Mobile Malwares Analysis - Garvit Arya
Mobile Malwares Analysis - Garvit AryaMobile Malwares Analysis - Garvit Arya
Mobile Malwares Analysis - Garvit AryaGarvit Arya
 
Android vs iOS security
Android vs iOS securityAndroid vs iOS security
Android vs iOS securitySumanth Veera
 
Malware Improvements in Android OS
Malware Improvements in Android OSMalware Improvements in Android OS
Malware Improvements in Android OSPranav Saini
 

Ähnlich wie F-Secure Labs Mobile Threat Report Q4 2012 (20)

Panda labs annual-report-2012
Panda labs annual-report-2012Panda labs annual-report-2012
Panda labs annual-report-2012
 
Security Issues in the Mobile Environment
Security Issues in the Mobile EnvironmentSecurity Issues in the Mobile Environment
Security Issues in the Mobile Environment
 
Malware detection techniques for mobile devices
Malware detection techniques for mobile devicesMalware detection techniques for mobile devices
Malware detection techniques for mobile devices
 
MALWARE DETECTION TECHNIQUES FOR MOBILE DEVICES
MALWARE DETECTION TECHNIQUES FOR MOBILE DEVICESMALWARE DETECTION TECHNIQUES FOR MOBILE DEVICES
MALWARE DETECTION TECHNIQUES FOR MOBILE DEVICES
 
Malicious android-applications-risks-exploitation 33578
Malicious android-applications-risks-exploitation 33578Malicious android-applications-risks-exploitation 33578
Malicious android-applications-risks-exploitation 33578
 
Mobile threat report_q3_2013
Mobile threat report_q3_2013Mobile threat report_q3_2013
Mobile threat report_q3_2013
 
Enter Sandbox: Android Sandbox Comparison
Enter Sandbox: Android Sandbox ComparisonEnter Sandbox: Android Sandbox Comparison
Enter Sandbox: Android Sandbox Comparison
 
Threat Report H2 2012
Threat Report H2 2012Threat Report H2 2012
Threat Report H2 2012
 
Top mobile security threats
Top mobile security threatsTop mobile security threats
Top mobile security threats
 
Rp quarterly-threat-q1-2012
Rp quarterly-threat-q1-2012Rp quarterly-threat-q1-2012
Rp quarterly-threat-q1-2012
 
White Paper - Android Security
White Paper - Android SecurityWhite Paper - Android Security
White Paper - Android Security
 
A Comprehensive Study on Security issues in Android Mobile Phone — Scope and ...
A Comprehensive Study on Security issues in Android Mobile Phone — Scope and ...A Comprehensive Study on Security issues in Android Mobile Phone — Scope and ...
A Comprehensive Study on Security issues in Android Mobile Phone — Scope and ...
 
Android By Manish Seth
Android By Manish SethAndroid By Manish Seth
Android By Manish Seth
 
AndRadar: Fast Discovery of Android Applications in Alternative Markets
AndRadar: Fast Discovery of Android Applications in Alternative MarketsAndRadar: Fast Discovery of Android Applications in Alternative Markets
AndRadar: Fast Discovery of Android Applications in Alternative Markets
 
Global threat-landscape report by fortinet.
Global threat-landscape report by fortinet.Global threat-landscape report by fortinet.
Global threat-landscape report by fortinet.
 
Rpt repeating-history
Rpt repeating-historyRpt repeating-history
Rpt repeating-history
 
Mobile Malwares Analysis - Garvit Arya
Mobile Malwares Analysis - Garvit AryaMobile Malwares Analysis - Garvit Arya
Mobile Malwares Analysis - Garvit Arya
 
Rp quarterly-threat-q1-2012
Rp quarterly-threat-q1-2012Rp quarterly-threat-q1-2012
Rp quarterly-threat-q1-2012
 
Android vs iOS security
Android vs iOS securityAndroid vs iOS security
Android vs iOS security
 
Malware Improvements in Android OS
Malware Improvements in Android OSMalware Improvements in Android OS
Malware Improvements in Android OS
 

Mehr von F-Secure Corporation

How do you predict the threat landscape?
How do you predict the threat landscape?How do you predict the threat landscape?
How do you predict the threat landscape?F-Secure Corporation
 
Got hacked? It’s too late to run now!
Got hacked? It’s too late to run now!Got hacked? It’s too late to run now!
Got hacked? It’s too late to run now!F-Secure Corporation
 
The Real Costs of SIEM vs. Managed Security Service
The Real Costs of SIEM vs. Managed Security ServiceThe Real Costs of SIEM vs. Managed Security Service
The Real Costs of SIEM vs. Managed Security ServiceF-Secure Corporation
 
Security A to Z: Glossary of the most important terms
Security A to Z: Glossary of the most important termsSecurity A to Z: Glossary of the most important terms
Security A to Z: Glossary of the most important termsF-Secure Corporation
 
Les attaques menées depuis la France dans le cyber espace
Les attaques menées depuis la France dans le cyber espace Les attaques menées depuis la France dans le cyber espace
Les attaques menées depuis la France dans le cyber espace F-Secure Corporation
 
Les attaques menées depuis la France dans le cyber espace
Les attaques menées depuis la France dans le cyber espaceLes attaques menées depuis la France dans le cyber espace
Les attaques menées depuis la France dans le cyber espaceF-Secure Corporation
 
Cyber security webinar 6 - How to build systems that resist attacks?
Cyber security webinar 6 - How to build systems that resist attacks?Cyber security webinar 6 - How to build systems that resist attacks?
Cyber security webinar 6 - How to build systems that resist attacks?F-Secure Corporation
 
Defending Servers - Cyber security webinar part 3
Defending Servers - Cyber security webinar part 3Defending Servers - Cyber security webinar part 3
Defending Servers - Cyber security webinar part 3F-Secure Corporation
 
Defending Workstations - Cyber security webinar part 2
Defending Workstations - Cyber security webinar part 2Defending Workstations - Cyber security webinar part 2
Defending Workstations - Cyber security webinar part 2F-Secure Corporation
 
Cyber security webinar part 1 - Threat Landscape
Cyber security webinar part 1 - Threat LandscapeCyber security webinar part 1 - Threat Landscape
Cyber security webinar part 1 - Threat LandscapeF-Secure Corporation
 
F secure Radar vulnerability scanning and management
F secure Radar vulnerability scanning and managementF secure Radar vulnerability scanning and management
F secure Radar vulnerability scanning and managementF-Secure Corporation
 
F-Secure Policy Manager - onsite security management with superior control
F-Secure Policy Manager - onsite security management with superior controlF-Secure Policy Manager - onsite security management with superior control
F-Secure Policy Manager - onsite security management with superior controlF-Secure Corporation
 
Best business protection for windows
Best business protection for windowsBest business protection for windows
Best business protection for windowsF-Secure Corporation
 
Six things to take into account when choosing cloud solutions
Six things to take into account when choosing cloud solutionsSix things to take into account when choosing cloud solutions
Six things to take into account when choosing cloud solutionsF-Secure Corporation
 
Small and midsize business security is big business
Small and midsize business security is big businessSmall and midsize business security is big business
Small and midsize business security is big businessF-Secure Corporation
 
大きなビジネスを生み出す中小中堅企業
大きなビジネスを生み出す中小中堅企業大きなビジネスを生み出す中小中堅企業
大きなビジネスを生み出す中小中堅企業F-Secure Corporation
 
Why should you care about government surveillance?
Why should you care about government surveillance?Why should you care about government surveillance?
Why should you care about government surveillance?F-Secure Corporation
 
Arbeta var du vill- eBook om modern mobilitet
Arbeta var du vill- eBook om modern mobilitetArbeta var du vill- eBook om modern mobilitet
Arbeta var du vill- eBook om modern mobilitetF-Secure Corporation
 

Mehr von F-Secure Corporation (20)

Post-mortem of a data breach
Post-mortem of a data breachPost-mortem of a data breach
Post-mortem of a data breach
 
How do you predict the threat landscape?
How do you predict the threat landscape?How do you predict the threat landscape?
How do you predict the threat landscape?
 
Got hacked? It’s too late to run now!
Got hacked? It’s too late to run now!Got hacked? It’s too late to run now!
Got hacked? It’s too late to run now!
 
The Real Costs of SIEM vs. Managed Security Service
The Real Costs of SIEM vs. Managed Security ServiceThe Real Costs of SIEM vs. Managed Security Service
The Real Costs of SIEM vs. Managed Security Service
 
Security A to Z: Glossary of the most important terms
Security A to Z: Glossary of the most important termsSecurity A to Z: Glossary of the most important terms
Security A to Z: Glossary of the most important terms
 
Les attaques menées depuis la France dans le cyber espace
Les attaques menées depuis la France dans le cyber espace Les attaques menées depuis la France dans le cyber espace
Les attaques menées depuis la France dans le cyber espace
 
Les attaques menées depuis la France dans le cyber espace
Les attaques menées depuis la France dans le cyber espaceLes attaques menées depuis la France dans le cyber espace
Les attaques menées depuis la France dans le cyber espace
 
Cyber security webinar 6 - How to build systems that resist attacks?
Cyber security webinar 6 - How to build systems that resist attacks?Cyber security webinar 6 - How to build systems that resist attacks?
Cyber security webinar 6 - How to build systems that resist attacks?
 
Defending Servers - Cyber security webinar part 3
Defending Servers - Cyber security webinar part 3Defending Servers - Cyber security webinar part 3
Defending Servers - Cyber security webinar part 3
 
Defending Workstations - Cyber security webinar part 2
Defending Workstations - Cyber security webinar part 2Defending Workstations - Cyber security webinar part 2
Defending Workstations - Cyber security webinar part 2
 
Cyber security webinar part 1 - Threat Landscape
Cyber security webinar part 1 - Threat LandscapeCyber security webinar part 1 - Threat Landscape
Cyber security webinar part 1 - Threat Landscape
 
F secure Radar vulnerability scanning and management
F secure Radar vulnerability scanning and managementF secure Radar vulnerability scanning and management
F secure Radar vulnerability scanning and management
 
F-Secure Policy Manager - onsite security management with superior control
F-Secure Policy Manager - onsite security management with superior controlF-Secure Policy Manager - onsite security management with superior control
F-Secure Policy Manager - onsite security management with superior control
 
The State of the Net in India
The State of the Net in IndiaThe State of the Net in India
The State of the Net in India
 
Best business protection for windows
Best business protection for windowsBest business protection for windows
Best business protection for windows
 
Six things to take into account when choosing cloud solutions
Six things to take into account when choosing cloud solutionsSix things to take into account when choosing cloud solutions
Six things to take into account when choosing cloud solutions
 
Small and midsize business security is big business
Small and midsize business security is big businessSmall and midsize business security is big business
Small and midsize business security is big business
 
大きなビジネスを生み出す中小中堅企業
大きなビジネスを生み出す中小中堅企業大きなビジネスを生み出す中小中堅企業
大きなビジネスを生み出す中小中堅企業
 
Why should you care about government surveillance?
Why should you care about government surveillance?Why should you care about government surveillance?
Why should you care about government surveillance?
 
Arbeta var du vill- eBook om modern mobilitet
Arbeta var du vill- eBook om modern mobilitetArbeta var du vill- eBook om modern mobilitet
Arbeta var du vill- eBook om modern mobilitet
 

Kürzlich hochgeladen

Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Ryan Mahoney - Will Artificial Intelligence Replace Real Estate Agents
Ryan Mahoney - Will Artificial Intelligence Replace Real Estate AgentsRyan Mahoney - Will Artificial Intelligence Replace Real Estate Agents
Ryan Mahoney - Will Artificial Intelligence Replace Real Estate AgentsRyan Mahoney
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...AliaaTarek5
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demoHarshalMandlekar2
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
Visualising and forecasting stocks using Dash
Visualising and forecasting stocks using DashVisualising and forecasting stocks using Dash
Visualising and forecasting stocks using Dashnarutouzumaki53779
 

Kürzlich hochgeladen (20)

Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Ryan Mahoney - Will Artificial Intelligence Replace Real Estate Agents
Ryan Mahoney - Will Artificial Intelligence Replace Real Estate AgentsRyan Mahoney - Will Artificial Intelligence Replace Real Estate Agents
Ryan Mahoney - Will Artificial Intelligence Replace Real Estate Agents
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Visualising and forecasting stocks using Dash
Visualising and forecasting stocks using DashVisualising and forecasting stocks using Dash
Visualising and forecasting stocks using Dash
 

F-Secure Labs Mobile Threat Report Q4 2012

  • 2. Mobile Threat Report Q4 2012 F-Secure Labs At the F-Secure Response Labs in Helsinki, Finland, and Kuala Lumpur, Malaysia, security experts work around the clock to ensure our customers are protected from the latest online threats. At any given moment, F-Secure Response Labs staff is on top of the worldwide security situation, ensuring that sudden virus and malware outbreaks are dealt with promptly and effectively. Protection around the clock Response Labs work is assisted by a host of automatic systems that track worldwide threat occurences in real time, collecting and analyzing hundreds of thousands of data samples per day. Criminals who make use of virus and malware to profit from these attacks are constantly at work on new threats. This situation demands around the clock vigilance on our part to ensure that our customers are protected. 2
  • 3. Mobile Threat Report Q4 2012 abstract THIS REPORT DISCUSSES THE MOBILE THREAT LANDSCAPE AS SEEN IN THE fourth QUARTER OF 2012, AND INCLUDES STATISTICS AND DETAILS OF THE MOBILE THREATS THAT F-SECURE RESPONSE LABS HAVE SEEN AND ANALYZED DURING THAT PERIOD. The data presented in this report was last updated on 31 December 2012. Contents abstract3 2012 Mobile Landscape Calendar 5 Executive Summary 6 Latest threats In the last three months 7 Figure 1: New Mobile Threat Families And Variants Received Per Quarter, Q1–Q4 2012 8 Figure 2: Threat Families And Variants By Platform,2010–2012 9 Potentially unwanted software 10 Hack-Tool:Android/Aniti.A11 Hack-Tool:Android/DroidSheep.A11 Hack-Tool:Android/EksyPox.A11 Monitoring-Tool:Android/GpsSpyTracker.A, and variant B 11 Monitoring-Tool:Android/SheriDroid.A12 Monitoring-Tool:Android/SmsSpy.A12 Monitoring-Tool:Android/SmsUploader.A12 Monitoring-Tool:Android/SpyMob.A13 Monitoring-Tool:Android/SpyPhone.A13 Monitoring-Tool:Android/TheftAware.A14 Monitoring-Tool:Android/TrackPlus.A14 Riskware:Android/AutoRegSMS.A14 Riskware:Android/SmsReg.A, and variant.B 15 Riskware:Android/SmsSpy.A16 Figure 3: Mobile Threats By Type, Q4 2012 17 Figure 4: Mobile Threats By Type, 2012 17 3
  • 4. Mobile Threat Report Q4 2012 Malware 18 Backdoor:Android/FakeLook.A19 Trojan:Android/Citmo.A19 Trojan:Android/EcoBatry.A19 Trojan:Android/FakeFlash.A20 Trojan:Android/FakeGuard.A20 Trojan:Android/GeoFake.A, and variant B 20 Trojan:Android/Gmuse.A21 Trojan:Android/InfoStealer.A22 Trojan:Android/MaleBook.A22 Trojan:Android/Placsms.A23 Trojan:Android/QdPlugin.A24 Trojan:Android/SMSAgent.A24 Trojan:Android/SpamSoldier.A24 Trojan:Android/Stesec.A25 Trojan:Android/Stokx.A25 Trojan:Android/Temai.A25 Trojan:Android/Tesbo.A26 Trojan:SymbOS/Ankaq.A27 Trojan:SymbOS/Khluu.A27 Figure 5: Mobile Threats Motivated By Profit Per Year, 2006-2012 28 Figure 6: Mobile Threats Motivated By Profit Per Quarter, Q1–Q4 2012 28 Figure 7: Profit-Motivated Threats By Platform, 2012 29 New variants of already known families 30 Figure 8: Number Of Android Threats Received Per Quarter, Q1–Q4 2012 31 Figure 9: Top Android Detections, Q4 2012 31 Table 1: Top Malware and Potentially Unwanted Software On Android, Q4 2012 32 4
  • 5. Mobile Threat Report Q4 2012 2012 Mobile Landscape Calendar JAN feb mar apr may jun jul aug sep oct nov dec 62 21 20 21 Google Bouncer Eurograbber attack introduced to iOS 6 and iPhone Android 4.1 on European banks Play Store 5 launched 17 (Jellybean) reported released 13 Drive-by malware 14 13 10 10 Samsung Berlin police found on Android TouchWiz exploit warned of Android Fidall found reported banking trojan on iOS 8 Samsung Exynos exploit FinSpy found on reported 4 multiple platforms 0 1 4 1 3 3 6 5 SMS-trojans 6 found on J2ME 7 Zitmo found on 8 Blackberry Nokia halts almost all Symbian 13 development Symbian Belle refresh rolls out Threat Statistics notable events New families/variants on Android Android New families/variants on Symbian Blackberry iOS J2ME Windows Mobile Symbian 5
  • 6. Mobile Threat Report Q4 2012 Executive Summary Android malware has been strengthening its position in the mobile threat scene. Every quarter, malware authors bring forth new threat families and variants to lure more victims and to update on the existing ones. In the fourth quarter alone, 96 new families and variants of Android threats were discovered, which almost doubles the number recorded in the previous quarter. A large portion of this number was contributed by PremiumSMS—a family of malware that generates profit through shady SMS-sending practices—which unleashed 21 new variants. “Bank Info Security Quite a number of Android malware employ an operation similar to PremiumSMS. It reported that is a popular method for making direct monetary profit. The malware quietly sends out SMS messages to premium rate numbers or signs up the victims to an SMS-based Eurograbber managed subscription service. Any tell-tale messages or notifications from these numbers and/ to steal USD47 million or services will be intercepted and deleted; therefore, the users will be completely unaware of these activities until the charges appear on their bills. from over 30,000 retail and corporate In addition to SMS-sending malware, some malware authors or distributors may choose to make profit through banking trojans. Citmo.A (a mobile version of the Carberp accounts in Europe.” trojan) recently made its debut in Q4. Just like Zitmo (Zeus for mobile) and Spitmo (SpyEye for mobile), Citmo.A operates in the same manner—it steals the mobile Transaction Authentication Number (mTAN) that banks send via SMS to customers to validate an online banking transaction. Using this number, it can transfer money from the victims’ account and the banks will proceed with the transaction because it appears to be coming from the rightful account owner. Such is the case with Eurograbber, a variant of the Zeus trojan; Bank Info Security reported that Eurograbber managed to steal USD47 million from over 30,000 retail and corporate accounts in Europe1. It first infected the victims’ personal computers before tricking them into installing a version of it onto their mobile devices. By positioning itself on both the victims’ computers and devices, Eurograbber can impersonate the victims and carry out transactions without raising suspicions from either the victim or the banking institution. The trojan had been found to infect not only devices running on Android, but also Symbian and BlackBerry operating systems. The rise of Android malware can be largely attributed to the operating system’s increasing foothold in the mobile market. Android’s market share has risen to 68.8% in 2012, compared to 49.2% in 20112. On the threat side, its share rose to 79% in 2012 from 66.7% in 2011. Symbian on the other hand, is suffering from the opposite fate. In 2012, it only held 3.3% market share which is a huge drop from 16.5% in the year before3. Its share in the threat scene also reflected this drop, going from 29.7% in 2011 to 19% in 2012. Nokia’s decision to halt all Symbian development in February 2012 may have contributed to the huge drop in numbers. As its market share declines, so does malware authors’ interest in the platform as evidenced by the statistics seen in Q4 where only four new families and variants of Symbian malware were recorded. As for the other platforms, i.e., Blackberry, iOS, Windows Mobile, they may see some threats popping up once in a while. But most likely, the threats are intended for multiple platforms similar to the case of FinSpy4. 1 Bank Info Security; Tracy Kitten; Eurograbber: A Smart Trojan Attack; published 17 December 2012; http://www.bankinfosecurity.com/eurograbber-smart-trojan-attack-a-5359/op-1 2,3 Engadget; Jon Fingas; IDC: Android surged to 69 percent smartphone share in 2012, dipped in Q4; published 14 February 2013; http://www.engadget.com/2013/02/14/idc-android-surged-to-69-percent-smartphone-share-in-2012/ 4 F-Secure Weblog; Mikko Hyppönen; Egypt; FinFisher Intrusion Tools and Ethics; published 8 March 2011; https://www.f-secure.com/weblog/archives/00002114.html 6
  • 8. Mobile Threat Report Q4 2012 Figure 1: New Mobile Threat Families And Variants Received Per Quarter, Q1–Q4 2012 100 100 96 all threats 90 Android Blackberry 80 iOS 74 J2ME 70 66 Windows Mobile 60 61 Symbian 50 49 47 46 40 30 21 20 18 14 10 4 2 2 1,1 25+25+a 33+34+33a 50+50+a 25+25+a 0,0,0,0 0,0,0 0 0,0,0,0 Q1 2012 Q2 2012 Q3 2012 Q4 2012 NOTE: The threat statistics used in Figure 1 are made up of families and variants instead of unique files. For instance, if two samples are detected as Trojan:Android/GinMaster.A, they will only be counted as one in the statistics. 8
  • 9. Mobile Threat Report Q4 2012 Figure 2: Threat Families And Variants By Platform,2010–2012 11+3+2363x Android, 11.25% J2ME, 2.5% 2010 TOTAL = 80 Windows Mobile, families and 23.75% variants Symbian, 62.5% 66+3+130x Symbian, 29.7% 2011 TOTAL = 195 families and variants Windows Mobile, 1% Android, 66.7% J2ME, 2.6% 77+1+217x Symbian, 19% Windows Mobile, 0.3% J2ME, 0.7% iOS, 0.7% 2012 Blackberry, 0.3% TOTAL = 301 families and variants Android, 79% NOTE: The threat statistics used in Figure 2 are made up of families and variants instead of unique files. For instance, if two samples are detected as Trojan:Android/GinMaster.A, they will only be counted as one in the statistics. 9
  • 10. Potentially unwanted software We consider the following program as potentially unwanted software, which refers to programs that may be considered undesirable or intrusive by a user if used in a questionable manner.
  • 11. Mobile Threat Report Q4 2012 Hack-Tool:Android/Aniti.A Also known as the Android Network Toolkit, Aniti.A is a penetration testing tool that allows user to perform certain tests via its automation interface. Using the tool, the user may evaluate or demonstrate a weak security point in the network by: • Performing network scanning • Generating network report • Checking the password strength • Checking for vulnerable machines in the network • Attacking a vulnerable machine • Monitoring unsecured connections • Sniffing ‘man-in-the-middle’ attacker • Performing a denial of service (DoS) attack Like most penetration testing programs, this tool is intended for use in a legitimate context. It may however also be misused by malicious parties. Hack-Tool:Android/DroidSheep.A DroidSheep.A is a tool that is capable of hijacking a logged-on session conducted over a shared wireless network. It is intended to demonstrate poor security properties in a network connection, but may be misused for malicious intent by irresponsible parties. Hack-Tool:Android/EksyPox.A EksyPox.A is a program that offers a workaround for a vulnerability found on the Exynos 4: A system-on-chip (SoC) that Exynos 4 chip. This vulnerability, if successfully exploited, could allow any application is used by some Samsung devices, e.g., Galaxy S III, Galaxy Note II, Galaxy Camera, to gain root access on devices running on the Exynos 4 chip. EksyPox.A provides a etc. way to patch the security hole, but not without exploiting the vulnerability first. NOTE: For additional reading, please refer to the article at (http://www.xda-developers. com/android/dangerous-exynos-4-security-hole-demoed-and-plugged-by-chainfire/). Monitoring-Tool:Android/GpsSpyTracker.A, and variant B GpsSpyTracker.A is a location tracking tool that performs its tracking function using a specific key and an email address assigned to a particular device. Once activated, it tracks the device’s location every 15 minutes. It displays the current location on a map and keeps the location history in a local file. 11
  • 12. Mobile Threat Report Q4 2012 Monitoring-Tool:Android/SheriDroid.A SheriDroid.A is advertised as an application that allows the user to perform these activities using its monitoring and alarm setting features: • Record pre-alarm warning message • Remotely trigger a location tracker using a password • If lost or stolen, enable the device to stealthily send SMS messages related to alarm or location tracking • Set system unlock pattern However, without the user’s consent or knowledge, the application keeps track of the user’s web surfing behaviors and other activities carried out on the device. SheriDroid.A’s icon (left), and EULA (right) Monitoring-Tool:Android/SmsSpy.A Please refer to Riskware:Android/SmsSpy.A on page 16. Monitoring-Tool:Android/SmsUploader.A SMSUploader.A uploads every SMS messages’ content found on the device to a remote server. Once installed, SmsUploader.A places an icon titled ‘SMSUpload’ on the application menu. When launched, it requests that the user restart the device and informs the user that the application will be running in the background. 12
  • 13. Mobile Threat Report Q4 2012 Monitoring-Tool:Android/SpyMob.A SpyMob.A is a commercial monitoring tool that collects information pertaining to SMS messages, contact list, call log and GPS location of a targeted device. These details are later uploaded to Spy2Mobile servers and can be viewed by logging in to the user’s account at Spy2Mobile.com. SpyMob.A’s icon (left), and requested permissions (right) To use this application, the user must first installs SpyMob.A onto the targeted device and register an account at SpyMobile.com. Installation and registration Monitoring-Tool:Android/SpyPhone.A SpyPhone.A is promoted as an application that lets user sneakily capture a photo or record a video/audio. However, it also keeps track of activities on the device and collects information such as a log of events, GPS locations, visited URLs, and the user ID. 13
  • 14. Mobile Threat Report Q4 2012 SpyPhone.A’s icon (left), and user interface (right) Monitoring-Tool:Android/TheftAware.A TheftAware.A is a commercial monitoring tool that helps the user to locate a stolen or a missing device. It allows the user to obtain the device’s GPS location, lock it, and delete data by issuing commands through SMS messages. Monitoring-Tool:Android/TrackPlus.A TrackPlus.A is a tracking tool that can be used to locate a device. It sends out the device’s International Mobile Equipment Identity (IMEI) number to a remote server, and has a web portal to keep track of the device’s location. Once installed, TrackPlus.A does not place an icon on the application menu but appears as a transparent widget on the device. Riskware:Android/AutoRegSMS.A Upon launching, AutoRegSMS.A displays the message “Hello, Android” but in the background, it secretly activates a game application using the user’s information. It also sends out SMS messages to the user’s contact list to get an activation serial number. AutoRegSMS.A is represented by an icon titled ‘Main Activity’ which can be located on the main application menu. 14
  • 15. Mobile Threat Report Q4 2012 AutoRegSMS.A’s icon (left), and the message it displays (right) Riskware:Android/SmsReg.A, and variant.B SmsReg.A is marketed under the name ‘Battery Improve,’ and claims to help maximizes a device’s battery usage. SmsReg.A as ‘Battery Improve’ Unbeknownst to the user, the application also collects the following information: • API key • Application ID • Carrier • Device manufacturer • Device model • GPS location • IMEI number • Network operator • Package name • SDK version 15
  • 16. Mobile Threat Report Q4 2012 Riskware:Android/SmsSpy.A SmsSpy.A is a stealthy application that places no visible icon on the application menu; its presence is only visible from the ‘Manage applications’ option under Settings. All of its activities are carried out inconspicuously in the background. These activities include tracking the device’s GPS location, accessing and reading SMS messages received on the device, and sending out SMS messages. SmsSpy.A as seen from ‘Manage applications’ (left), and requested permissions (right) 16
  • 17. Mobile Threat Report Q4 2012 Figure 3: Mobile Threats By Type, Q4 2012 Backdoor 1% 3+1+41027253v Adware 3% Hack-Tool 4% Monitoring-Tool 10% Trojan 53% Riskware 27% Spyware 2% Figure 4: Mobile Threats By Type, 2012 4+2+168125573v Trojan-Spy Application 1.0% 1.7% Adware 2.7% Backdoor Hack-Tool Trojan-Downloader 0.3% 5.6% 0.7% Monitoring-Tool 7.0% Riskware 11.2% Trojan 66.1% Spyware 3.7% NOTE: The threat statistics used in Figure 3 and Figure 4 are made up of families and variants instead of unique files. For instance, if two samples are detected as Trojan:Android/GinMaster.A, they will only be counted as one in the statistics. 17
  • 18. Malware Programs categorized as malware are generally considered to pose a significant security risk to the user’s system and/or information. Malicious actions carried out by these programs include (but are not limited to) installing hidden objects as well as hiding the objects from the user, creating new malicious objects, damaging or altering any data without authorization, and stealing any data or access credentials.
  • 19. Mobile Threat Report Q4 2012 Backdoor:Android/FakeLook.A FakeLook.A avoids placing an icon on the application menu to hide its presence from the device owner. However, it can be seen listed as ‘Updates’ under the ‘Manage applications’ option in Settings. FakeLook.A connects to a command and control (CC) server to receive further instructions. It collects information such as the device ID and SMS messages, gets files list from the SD card, and compress files before uploading them to an FTP server using the username ‘ftpuser’ and the password ‘upload.’ Trojan:Android/Citmo.A Citmo.A is the mobile version of Carberp, a banking trojan that infects personal mTAN: Mobile Transaction Authentication computers to steal banking credentials. Citmo.A’s functions are similar to Zitmo Number. This number is used to (Zeus for mobile) and Spitmo (SpyEye for mobile)—it monitors incoming SMS authenticate an online banking transaction. messages and steals the mobile Transaction Authentication Number (mTAN) that banks send to their customers to validate an online banking transaction. NOTE: For additional reading on banking trojan, please refer to the article ‘Berlin Police: Beware Android Banking Trojans’ at (http://www.f-secure.com/weblog/ archives/00002457.html). Trojan:Android/EcoBatry.A Upon installation, EcoBatry.A requests for permissions that will allow it to access Internet, contact data, and information on the device. The malware then establishes an outgoing connection to a remote server, where it will be instructed to collect user’s contact information and upload the details to the server. EcoBatry.A’s icon (left), and requested permissions (right) 19
  • 20. Mobile Threat Report Q4 2012 Trojan:Android/FakeFlash.A FakeFlash.A takes the appearance of a legitimate Flash Player application. When launched, it displays a message to the user notifying that the Flash Player application has been successfully installed, and then redirects the user to another website. FakeFlash.A’s icon (left), and the application it supposedly has installed (right) Trojan:Android/FakeGuard.A FakeGuard.A is a malware that is capable of handling incoming SMS/WAP Push. WAP Push: A specially encoded message It steals user information, and establishes a connection to a remote server. The that includes a link to a WAP address. response received from the server will be decoded using MS949 character set, while the outgoing data is encoded in EUC_KR character set. Trojan:Android/GeoFake.A, and variant B GeoFake.A is distributed as a Chinese calendar application, but requests for unnecessary permissions during the installation process. The permissions it requested are as follows: • Manage account list • Access and use the account’s authentication credentials • Read and edit SMS or MMS messages • Read system log files • Access location information 20
  • 21. Mobile Threat Report Q4 2012 GeoFake.A’s icon (left), and requested permissions (right) Once successfully installed on a device, the malware sends SMS messages to premium rate numbers. It uses the Google Maps API to select which premium service should be used according to the geolocation of the device. GeoFake.A is distributed as a Chinese calendar application Trojan:Android/Gmuse.A Gmuse.A is marketed as an application that allows the user to store files and documents in a secret, password-protected location. However, without the user’s consent, it will sync the user’s file list through an SMTP server to an unknown user using the email “hbwhhouse@gmail.com” with the password “whwxhjbu.” 21
  • 22. Mobile Threat Report Q4 2012 Gmuse.A’s icon (left), and user interface (right) Gmuse.A also connects to a remote server to download an updated version of the application, which is named as “lightbox.apk.” Trojan:Android/InfoStealer.A InfoStealer.A, as clearly indicated by its name, is a malware that steals contact information and uploads the details to a remote MySQL server. Stolen information include: • Device ID • Email address • Latitude and longitude • Phone number • Postal code • Region • Street • Username Trojan:Android/MaleBook.A MaleBook.A collects device information, and later forwards the details to several remote servers. The collected information include: • Application ID • Application version • Country code • Device name • Device type • Device width and height • International Mobile Equipment Identity (IMEI) number • International Mobile Subscriber Identity (IMSI) number • Language • Operation system version • SDK version 22
  • 23. Mobile Threat Report Q4 2012 Additionally, the malware also attempts to download advertisements from the servers onto the infected device. MaleBook.A’s icon (left), and user interface (right) Trojan:Android/Placsms.A Placsms.A appears as ‘sp_pay’ on the application menu, and requests for permissions that will allow it to access Internet, SMS messages, SD card contents, and the device’s system during the installation process. Placsms.A’s icon (left), and requested permissions (right) The application collects information such as the device’s International Mobile Equipment Identity (IMEI) number and phone number; it later uploads the details to a remote server. NOTE: Placsms.A exhibits behavior that are similar to trojans in the PremiumSMS family (http://www.f-secure.com/v-descs/trojan_android_premiumsms.shtml). 23
  • 24. Mobile Threat Report Q4 2012 Trojan:Android/QdPlugin.A QdPlugin.A is repackaged into another legitimate application before being distributed to potential victims. Once installed and activated on a device, the malware will send out device information such as IMEI number and IMSI number to remote servers. It also receives commands from the servers, which may instruct it to carry out actions such as installing and removing packages. The command and control (CC) servers’ URLs are stored and encoded with a simple byte shift algorithm within the embedded malicious APK. Trojan:Android/SMSAgent.A SMSAgent.A appears as a game application, but silently performs malicious routines in the background. It attempts to download other potentially malicious files from a remote server and sends out SMS or MMS messages that place expensive charges on the user’s bill. SMSAgent.A’s icon (left), and requested permissions (right) Additionally, SMSAgent.A displays advertisements and collects the following information which are later uploaded to the remote server: • Device ID • IMEI number • Network type • Operator Trojan:Android/SpamSoldier.A SpamSoldier.A is distributed via unsolicited SMS messages that contain a link for a free application download. Once successfully installed on a device, the malware contacts a command and control (CC) server and obtains a list of phone numbers. To these numbers, it sends out more spam messages containing a link that entices users with attractive freebies. 24
  • 25. Mobile Threat Report Q4 2012 Trojan:Android/Stesec.A Once installed on the device, Stesec.A does not place any icon on the application menu to hide its presence from the user. It can only be viewed from the ‘Manage applications’ option in Settings, listed as ‘newService.’ Stesec.A sends out SMS messages containing the device information such as IMEI number, software version, and other details to a remote server. Stesec.A listed as ‘newService’ (left), and the permissions it requested (right) Trojan:Android/Stokx.A Stokx.A connects to a remote server and receives an XML file. The file contains details such as client ID, phone number that it will send SMS messages to, and URL for downloading additional APKs. The malware will forward the device’s International Mobile Equipment Identity (IMEI) number to the remote server, and sends out an SMS message with the content “SX357242043237517” to the number 13810845191. Trojan:Android/Temai.A Temai.A collects the following device information, and later forwards the details to a few remote addresses: • Application ID • Application version • Country code • IMEI number • IMSI number • Operating system version 25
  • 26. Mobile Threat Report Q4 2012 Different icons used by Temai.A In addition to collecting and forwarding device information, the malware also downloads and installs potentially malicious APKs and script files onto the infected device. Users may also be exposed to other risk resulting from the various permissions granted to the malware during the installation process. Permissions requested by Temai.A during installation Trojan:Android/Tesbo.A Tesbo.A establishes connection to a couple of remote servers, to which it forwards details such as the device’s International Mobile Subscriber Identity (IMSI) number and application package name. Furthermore, the malware will also send out SMS messages with the content “[IMSI]@[random from 1-10]” to the number 10658422. 26
  • 27. Mobile Threat Report Q4 2012 Trojan:SymbOS/Ankaq.A Ankaq.A is a program that sends out SMS messages to premium-rate numbers, and silently installs new software onto the infected device. To avoid detection, it terminates all processes belonging to anti-virus products. Trojan:SymbOS/Khluu.A Khluu.A is a program that sends out SMS messages to premium-rate numbers, and silently installs new software onto the infected device. To avoid detection, it terminates all processes belonging to anti-virus products. 27
  • 28. Mobile Threat Report Q4 2012 Figure 5: Mobile Threats Motivated By Profit Per Year, 2006-2012 200 profit-motivated NOT profit-motivated 189 173 150 128 100 99 96 50 42 41 39 23 26 12 2 3 5 0 2006 2007 2008 2009 2010 2011 2012 Figure 6: Mobile Threats Motivated By Profit Per Quarter, Q1–Q4 2012 not profit-motivated profit-motivated Q1 2012 27 34 Q2 2012 26 40 Q3 2012 42 32 Q4 2012 33 67 NOTE: The threat statistics used in Figure 5 and Figure 6 are made up of families and variants instead of unique files. For instance, if two samples are detected as Trojan:Android/GinMaster.A, they will only be counted as one in the statistics. 28
  • 29. Mobile Threat Report Q4 2012 Figure 7: Profit-Motivated Threats By Platform, 2012 141 blackberry 1 0 P = profit motivated P NP NP = not profit motivated 97 29 28 symbian 2 ios 0 P NP P NP Windows mobile Android J2me 2 0 0 1 P NP P NP P NP NOTE: The threat statistics used in Figure 7 are made up of families and variants instead of unique files. For instance, if two samples are detected as Trojan:Android/GinMaster.A, they will only be counted as one in the statistics. 29
  • 30. New variants of already known families THE FOLLOWING IS A LIST OF NEW VARIANTS OF EXISTING MALWARE FAMILIES. THEIR FUNCTIONALITY IS NOT SIGNIFICANTLY DIFFERENT COMPARED TO THE EARLIER VARIANTS DESCRIBED IN PREVIOUS REPORTS. »» Adware:Android/AdWo.C »» Adware:Android/AirPush.B »» Adware:Android/Gappusin.B »» Hack-Tool:Android/SmsBomber.B »» Monitoring-Tool:Android/AccuTrack.B »» Riskware:Android/Boxer.E »» Riskware:Android/Maxit.B »» Riskware:Android/PremiumSMS.F-Z (21 variants) »» Spyware:Android/EWalls.B »» Spyware:Android/SmsSpy.I »» Trojan:Android/DroidDream.H »» Trojan:Android/FakeInst.S-Y (7 variants) »» Trojan:Android/GinMaster.E-J (6 variants) »» Trojan:Android/GoldDream.B, and variant D »» Trojan:Android/HippoSms.B »» Trojan:Android/IconoSys.B »» Trojan:Android/JiFake.J »» Trojan:Android/MarketPay.B »» Trojan:Android/OpFake.I, L-O, (5 variants) »» Trojan:Android/SmsSend.E-G »» Trojan:Android/SmsSpy.G, H »» Trojan:Android/Vdloader.B »» Trojan:SymbOS/Foliur.B »» Trojan:SymbOS/CCAsrvSMS.D
  • 31. Mobile Threat Report Q4 2012 Figure 8: Number Of Android Threats Received Per Quarter, Q1–Q4 2012 75,000 60,326 51,447 50,000 25,000 3,063 5,033 0 Q1 2012 Q2 2012 Q3 2012 Q4 2012 Figure 9: Top Android Detections, Q4 2012 15+13+109872125z Adware:Android/AirPush, 13.5% Others, 24.4% Adware:Android/AdWo, 11.8% Adware:Android/Gappusin, 1.2% Total samples = Trojan:Android/Ginmaster.J, 1.3% 60,326 Trojan:Android/Kmin.A, 2.1% Adware:Android/Ropin, 7.7% Heuristic–Malware, 10.4% Application:Android/Counterclank, 8.1% Trojan:Android/Boxer.C, 9.9% Heuristic–Potentially Unwanted Software, 9.6% NOTE: The threat statistics used in Figure 8 and Figure 9 are made up of the number of unique Android application package files (APKs). 31
  • 32. Mobile Threat Report Q4 2012 Table 1: Top Malware and Potentially Unwanted Software On Android, Q4 2012 Top-30 Malware Top-30 Potentially unwanted software detection COUNT detection COUNT Heuristic – Malware 6265 Adware:Android/AirPush 8137 Trojan:Android/Boxer.C 5989 Adware:Android/AdWo 7127 Trojan:Android/Kmin.A 1270 Heuristic – Potentially Unwanted Software 5783 Trojan:Android/Ginmaster.J** 775 Application:Android/Counterclank 4860 Trojan:Android/FakeInst.A 723 Adware:Android/Ropin 4647 Trojan:Android/Ginmaster.G** 615 Adware:Android/Gappusin 733 Trojan:Android/FakeBattScar.A 608 Application:Android/FakeApp 549 Trojan:Android/SmsSend.A 543 Hack-Tool:Android/DroidRooter.A 230 Trojan:Android/FakeInst.K 502 Hack-Tool:Android/DroidRooter.B 161 Trojan:Android/SMStado.A 472 Riskware:Android/Boxer 115 Trojan:Android/Temai.A** 443 Riskware:Android/MobileTX 106 Trojan:Android/Ginmaster.I** 434 Spyware:Android/EWalls 91 Trojan:Android/Ginmaster.F** 423 Riskware:Android/PremiumSMS.F 69 Trojan:Android/Ginmaster.E** 368 Hack-Tool:Android/DroidRooter.I 51 Trojan:Android/Ginmaster.C 347 Riskware:Android/SMSAgent 46 Trojan:Android/Ginmaster.B 336 Application:Android/Steveware 39 Trojan:Android/Geinimi.D 295 Riskware:Android/FakeAngry 34 Trojan:Android/FakeBattScar.B 269 Monitoring-Tool:Android/MobileSpy.C 33 Trojan:Android/RuFailedSMS.A 257 Hack-Tool:Android/TattooHack.A 32 Trojan:Android/DroidKungFu.C 238 Application:Android/NandroBox 32 Trojan:Android/FakeInst.T** 230 Monitoring-Tool:Android/SpyTrack.B 28 Trojan:Android/OpFake.F 199 Riskware:Android/AutoRegSms 25 Trojan:Android/FakeInst.U** 188 Riskware:Android/PremiumSMS.J 23 Trojan:Android/Nyearleak.A 186 Riskware:Android/PremiumSMS.AA 22 Trojan:Android/SMSLoader.A 163 Riskware:Android/SmsReg 19 Trojan:Android/FjCon.A 158 Riskware:Android/PremiumSMS.L 18 Trojan:Android/Kmin.B 146 Monitoring-Tool:Android/MobileTracker.A 16 Trojan:Android/JiFake.E 144 Monitoring-Tool:Android/SpyBubble.B 16 Trojan:Android/Kmin.C 139 Riskware:Android/PremiumSMS.M 15 Trojan:Android/IconoSys.A 118 Hack-Tool:Android/DroidSheep.A** 15 **New family or new variant discovered in Q4 2012 NOTE: The threat statistics used in Table 1 are made up of the number of unique Android application package files (APKs). 32
  • 33. Mobile Threat Report Q4 2012 f-SEcure mobile security F-Secure Mobile Security effectively protects your mobile device, smartphone or tablet, from all common mobile threats. It guards against loss and theft, protects your children online with powerful parental control functions, keeps your device free of malware and lets you browse the web safely. Find out more: http://www.f-secure.com/web/home_global/mobile-security Purchase F-Secure Mobile Security: https://shop.f-secure.com/cgi-bin/shop/?ID=FSMAV 33
  • 34. Protecting the Irreplaceable This document was previously released under controlled distribution, intended only for selected recipients. Document made public since: 7 March 2013 F-Secure proprietary materials. © F-Secure Corporation 2013. All rights reserved. F-Secure and F-Secure symbols are registered trademarks of F-Secure Corporation and F-Secure names and symbols/ logos are either trademark or registered trademark of F-Secure Corporation. Protecting the irreplaceable | f-secure.com