2/26/2018
06:00 PM
Threats from Mobile Ransomware & Banking Malware Are Growing

The number of unique mobile malware samples increased sharply in 2017 compared to a year ago, according to Trend Micro.

After years of focusing their attention largely on desktop systems, cybercriminals have, as expected, begun ramping up attacks on mobile devices.

Ransomware, banking malware, and other threats aimed at smartphones increased sharply in volume last year and will pose a growing threat to organizations and individuals in 2018 and beyond, Trend Micro said in a report released Monday.

In keeping with past trends, a vast majority of the threats affected Android devices and those downloading mobile applications from unofficial third-party stores.

But for the first time, people getting apps from Google's official Play mobile app store were affected significantly as well. Trend Micro said it found 30,000 more malicious applications published on Google Play last year than it did in 2016. The threats were harder to detect because they often hid in encrypted traffic and behind legitimate application functionality.

Apple's walled garden, though much harder to scale, wasn't completely impervious, either. Many applications infected with adware and other unwanted functionality found their way to the company's App Store. "Android is the predominant platform today for most malicious apps, including ransomware," says Jon Clay, director of global threat communications for Trend Micro. "But iOS appears to be a platform that threat actors are starting to target due to the number of potential victims," he adds. "Apple's walled garden makes it a more difficult platform to compromise."

Trend Micro's report comes amid growing enterprise concerns over the threat to data security posed by mobile devices. Eighty-five percent of the respondents in a recent survey by Verizon's wireless group said their organizations faced at least a moderate threat from mobile devices, with 74% saying those risks had increased over the past year. Four out of 10 see it as a "significant risk." Over a quarter of respondents said their organizations had suffered at least one security incident involving a mobile device.

In 2017, Trend Micro's Mobile App Reputation Service (MARS) analyzed more than 468,830 unique mobile ransomware samples. That number represented a 415% increase in new ransomware from 2016, according to the security vendor. Mobile ransomware detections were highest in China, which accounted for nearly one-third of all detections, followed by Indonesia, India, and Japan.

The most pervasive mobile ransomware in 2017 was SLocker, an Android file-locking malware tool that alone accounted for more than 424,000 of the unique samples that Trend Micro analyzed during the year.

SLocker's pervasiveness stemmed from the fact that its authors released the malware's source code publicly. This gave many more threat actors access to the code and resulted in multiple versions of SLocker in the wild, each with different capabilities and ransom demands. One variant mimicked the user interface of the WannaCry crypto malware and was assembled using a do-it-yourself Android development kit, Trend Micro said.

On the (relatively) good news front, less than 1% of the mobile ransomware samples that Trend Micro spotted last year actually ended up hitting end-user devices. "When we look at the number of queries to our mobile app reputation service to see if an app is good or bad, they come back as detections around 0.27% of the time," Clay says. "In raw numbers, we had 28 billion queries and 75 million detections," he says.

A vast majority of the mobile ransomware that Trend Micro spotted last year was also not as sophisticated in capabilities as desktop versions of the malware. For instance, PC-based ransomware often uses obfuscation techniques that make it harder to detect than mobile versions, Clay says.

Ransomware was not the only mobile threat. In 2017, the number of unique mobile banking malware samples that Trend Micro spotted increased 94%, to 108,439.

With banking increasingly becoming an integral part of mobile device usage, attackers have begun building more-sophisticated capabilities into their mobile banking malware. "They blended in with legitimate processes — or masqueraded as one — to stay under the radar, steal more than just credit card data, and bypass security mechanisms," Trend Micro noted.

For example, the security vendor pointed to BankBot, malware with phishing templates for 160 banks, equipped with anti-sandbox and anti-signature capabilities and capable of communicating with command-and-control servers using Google's Firebase Cloud Messaging services. One BankBot version found its way to Google Play and was downloaded between 5,000 and 10,000 times last year alone, according to Trend Micro.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments
Dr.T,
User Rank: Ninja
2/27/2018 | 7:00:08 PM
Two-factor
"to stay under the radar, steal more than just credit card data, and bypass security mechanisms" It is better to use two-factor authentication and never click a link in an email to access your bank.
Dr.T,
User Rank: Ninja
2/27/2018 | 6:58:24 PM
Banking
"With banking increasingly becoming an integral part of mobile device usage, attackers have begun building more-sophisticated capabilities into their mobile banking malware." This is critical to pay attention to, I think. When it hits bank apps it will hurt a lot of people.
Dr.T,
User Rank: Ninja
2/27/2018 | 6:56:23 PM
SLocker
"The most pervasive mobile ransomware in 2017 was SLocker" Surprisingly, I have not heard of this, maybe because I am not an Android user.
Dr.T,
User Rank: Ninja
2/27/2018 | 6:53:58 PM
Android
"In keeping with past trends, a vast majority of the threats affected Android devices and those downloading mobile applications from unofficial third-party stores." This is one of the disadvantages of a closed system. iOS has it right in a way that only approved things could be run.
Dr.T,
User Rank: Ninja
2/27/2018 | 6:51:04 PM
Ransomware
"Ransomware, banking malware, and other threats aimed at smartphones increased sharply in volume last year and will pose a growing threat to organizations and individuals in 2018 and beyond" I think this is because most of us respond to a ransomware attack.