Android Malware Surges With New Banking, SMS Attacks


Android malware continues its steady climb, spurred on by a mobile version of a notorious banking Trojan and a volley of new premium SMS malware, according to antimalware vendor F-Secure.

There were 96 new families and variants of Android threats in the fourth quarter of 2012, doubling the number recorded in the previous quarter, according to the latest Mobile Threat Report issued by the Helsinki, Finland-based security company. Nearly 80 percent of all malware targeted Android devices in 2012, up from 66.7 percent of threats in 2011, the firm found.

The rise in Android malware could be related to the increased market share of Google Android, according to F-Secure, which cited market-share statistics from research firm IDC showing Google's OS climbing from 49.2 percent of the smartphone market in 2011 to 68.8 percent in 2012.


"The majority of this malware is distributed as Trojanized apps, in which a legitimate program has been engineered to include a malicious component," F-Secure said in its report. "This malware generally attempts to profit from the user by silently subscribing them to premium SMS-based services, or by placing calls to premium-rate numbers."

F-Secure said aggressive mobile adware accounted for the bulk of issues on Android devices, followed by information-stealing malware and SMS Trojans. Much of the malware is distributed through third-party mobile application stores, or victims are coaxed into downloading it by clicking on a malicious link sent via text message. Those with the highest risk of Android malware infection are device owners in Asia, Russia and Eastern Europe.

F-Secure said PremiumSMS, an SMS Trojan family with 21 new variants, was identified in the fourth quarter of 2012. "The users will be completely unaware of these activities until the charges appear on their bills," the firm said.

A banking Trojan believed to have stolen millions from victims' accounts also has surfaced on Android devices. The Carberp Trojan steals online banking credentials or usernames and passwords for other websites.

The mobile version, called Citmo.A, monitors incoming SMS and steals the mobile Transaction Authentication Number (mTAN) that banks send to customers to validate an online banking transaction. The cybercriminals behind the malware then use the stolen mTAN to drain victims' accounts, F-Secure said.

The technique is similar to the Zeus Man in the Mobile (Mitmo), an extension of the Windows-based Zeus Trojan, which records the mTAN sent to Android users. The mobile version of Zeus surfaced in 2010. To get the malware on the user's device, the malware writers inject a phony security notice into the banking session asking the customer for their phone model and number. An SMS containing a link is then sent to the victim, and that link adds the malware component to the device, F-Secure said.

F-Secure also documented two new information-stealing Trojans. Android/InfoStealer.A masquerades as a legitimate application, but steals device details, the victim's email address, phone number and location, and sends them to a remote MySQL server. Android/MaleBook.A has similar functionality, collecting more device-specific information and sending it to a remote server. Both Trojans surfaced in Asia and are connected to aggressive advertising services.

PUBLISHED MARCH 11, 2013