The Mobile Malware Problem - ECP

Eddy Willems
Security Evangelist – G Data Security Labs
Director Security Industry Relationships - EICAR
[email protected]



Introduction

• Security Evangelist at G Data:

– Privately owned - Established 1985 in Germany (Bochum) – First Atari AV software

– Security solutions for end users and companies

• Personally involved in the industry since 1989

• Worked as Senior Consultant/Anti-Virus Expert for several CERT organisations and commercial enterprises like Kaspersky Lab, Westcon (Noxs), etc.

• Co-founder of EICAR

• Press officer at AMTSO


Some History:

The old days !


Some years ago

Virus

Spam

Worm

Trojan


Current threats...


The Number Game

About 70.000 new threats per day => +70.000.000 Threats/Malware

Under the Radar = Money is involved


Today’s Networks Lack Boundaries

• Internal/External network

• Individual users connect from multiple locations

• Managed/Unmanaged devices

• Individual devices operate both inside the network, and on public networks

• New devices on the network, e.g. netbooks, mobile devices, etc.

• Question: Who has an Android phone? iPhone? Symbian? BlackBerry? Other?

[Diagram labels: Internet, Network, Contractors, Telecommuters, Mobile Users, Wireless Users]


Mobile threats...

Going back to the roots

• The first incidents:

• Liberty Horse Trojan Sept 2000

• Telefonica SMS Mailer Dec 2000

• 911 DoS SMS Mailer in Japan April 2001

• Flooder sending unwanted SMS Aug 2001

• Phage destroys files on Palm Sept 2001

• Vapor Trojan Horse hides applications Oct 2001

• GPRS hack into 2.5G US network devices Nov 2002

• Nokia 6210 V-card Exploit Feb 25, 2003

• Siemens “%String” Exploit March 2, 2003

• AT&T SMS Trojan May 5, 2003

• First Symbian based Trojan Sept 2003


Cabir Phone worm (2003)

• Only works on Series 60 mobile devices,

– E.g. Nokia 3650, 6600, N-Gage.

– Siemens, Samsung, Sendo and Panasonic

• Uses Bluetooth to spread every 15-20 seconds

• You must accept the transmission

• You must accept the installation …

• Long term: battery drain


Some known malware (2006)

• Total: 27 families (f), 170 modifications (m)

• Symbian: Flexispy, Comwarrior,…

• Windows Mobile: Brador and Duts

• Java 2 Micro Edition: RedBrowser

• => Not much mobile malware…


Spyware the other wave

eg. Flexispy


Huike 3D anti-terrorist

Story


[Figure: Global Market Share of Mobile OS, percentage for smartphones, 2007 to 2012 (e = expected). Series: Symbian, iPhone, Blackberry, Win Mobile, Android. Source: Gartner]


Fakeplayer

• Beginning of 2010

• SMS Trojan

• “Pornplayer”

• SMS are sent 3x (mostly)

• 8+ variants

– Different names/icon

– Different premium numbers

http://skamv.wordpress.com/2010/11/02/kiss/


“Geinimi” Attack in China

• Android trojan

• Infected hundreds of thousands of Chinese Android smartphones

• Sent mobile data to servers

• Remote controlled as a botnet for calls and text messages


DroidDream

• Steals information

• Drops more malware

• Downloads code from the internet

• Misuses 2 vulnerabilities in the Android OS (patched already)

• Downloads updates

• Apps released under the names “Kingmall2010”, “we20090202” and “Myournet” with DroidDream attached > Removed from the official Android Market. More than 50 apps affected…


DroidDream: Google’s removal tool

Which is the real tool?


ZITMO

Zeus In The Mobile

– Steals mTANs

– Target = Spanish (online) banks

– Replication via PC by Zeus botnet


The Update Problem


Mobile Malware Situation ...

End of the year ... > 800% increase = Android Malware


The Real Problem with Android

• The higher the market share, the more interesting it becomes for the cybercriminal > money

• The easier the distribution of the malware, the more interesting it becomes for the cybercriminal > via several channels, not only via official online Apps Markets/Shops

• Uncontrolled=better/attractive …. Android=Windows?

• The Permission problem

• Use of exploits is easy because updates of Android are not always easy to install…

• More possibilities in the future: more entrance/backdoor possibilities to spread other malware into businesses and corporates


THE FUTURE

• Exponential rise of Malicious Apps => Mobile Malware

• Mobile malware targeting Social Media / Mobile Payments (NFC) / Banking

• Targeted attacks via Mobile Malware

• Under the radar of the public ...


Another Secure Solution …:-)

Thank you! Questions?

Twitter: @EddyWillems