Android, Mac malware on rise, and beware mom-and-pop websites
- By William Jackson
- May 23, 2012
Online malicious activity was up across the board in the first quarter of this year, according to the latest threat report from McAfee, with increases seen in the number of exploits targeting mobile devices and Macs.
But despite the growth of mobile and Mac malware, the PC remains the dominant target for criminals, said Adam Wosotowsky, one of the report’s authors.
“The number of malware samples we see in PCs is exponentially higher than we see in smart phones,” said Wosotowsky, messaging data architect at McAfee.
Targeted attacks, mobile vulnerabilities on the rise, report states
McAfee Labs gathers data on malware, attack vectors and vulnerabilities from its Global Threat Intelligence service. During the first three months of 2012 it added 8 million new samples of malware to its database, raising the total to 83 million. The sharpest spike in new malware came in those targeting mobile devices, which jumped from less than 2,000 samples last year to more than 8,000 samples in the first quarter of this year. The bulk of this, more than three quarters, was for the Android operating system.
Apple also is an increasingly popular target for malware writers. “Malware for Apple’s Mac continues to show consistent growth,” the report says. However, “as always, malware on the Mac appears relatively tame when compared with PC malware, but malware can be written for any operating system and platform.”
The number of malicious URLs continued to grow for the second straight quarter, and the United States is the premier host of malicious Web content.
“The Web is a dangerous place for the uninformed and unprotected,” the report said.
The prevalence of the United States as a source of malicious content is neither unprecedented nor unexpected, Wosotowsky said. “The United States is an early adopter of the Internet, and we also have the largest population of Web pages that have not updated in years,” he said.
Those pages are increasingly valuable real estate for criminals looking for sites from which to deliver malware, spam and other malicious content, Wosotowsky said. Malicious sites established by bad guys are relatively easy for security companies to identify and block. But an existing site with a history of legitimate use that has been compromised is more difficult to spot and can remain active for a longer time. Many of these legitimate sites are from small, mom-and-pop organizations that are not actively maintained or have been abandoned.
“The value of a compromised Web address has increased over time significantly,” Wosotowsky said. “We are now seeing botnet activity involved in scanning for them. It’s a way to monetize.”
Common uses of compromised sites include drive-by downloading of exploits for Flash and Java, for sending spam and phishing.
The large increase in mobile malware in the last quarter was targeted almost solely at Android. The hundreds of Android threats being identified in the middle of 2011 increased to thousands this year, now accounting for almost 7,000 of more than 8,000 total mobile malware samples in McAfee’s database.
It comes as no surprise that most of the malware is coming from third-party app developers rather than the official marketplaces for the devices, and that Android is the most popular target.
“The iPhone is a finished product,” Wosotowsky said. “The Android is a platform that other people can use to make a product. For that reason it’s more flexible” and more attractive to bad actors.
Despite its growth, he described mobile malware as still in its infancy compared with PC malware. The most common money-makers remain applications sending text messages to premium numbers. But the report also cited more interesting — and potentially damaging — examples, including what is called the first destructive Android Trojan, Android/Moghava.A.
“Instead of damaging apps or other executables this malware goes after photos,” the report warns. “Moghava.A searches for photos stored on the SD card, and adds the image of the Ayatollah Khomeini to each picture. The malware is also a bit buggy, so it will continue to add to the pictures until there is no more space on the card.”
Despite changes in the threat landscape from quarter to quarter, some things remain the same, the report concluded. “Threats continue to evolve, and attackers continue to push the envelope.”
William Jackson is freelance writer and the author of the CyberEye blog.