Mobile malware is not new, but a new tool in the cyber crime underground could ultimately pave the way for hackers to leverage malware in large mobile botnets.
Mobile malware is not new. According to Juniper Networks’ Third Annual Mobile Threats Report, there were more than 276,000 malicious apps for mobile devices discovered from March 2012 through March 2013. The Android platform, with an estimated two thirds of the mobile market share in 2012, is the target of 92 percent of that malware.
Now, researchers at Symantec have discovered a new wrinkle that combines a Remote Access Tool for Android devices with a kit that lets unskilled users easily repackage legitimate apps with AndroRAT to create Trojans. The new binder kit is being advertised in the hacker underground market as “first ever Android RAT app binder + builder.”
“To date, Symantec has counted 23 cases of popular legitimate apps being Trojanized in the wild with AndroRAT,” Symantec’s Andrea Lelli wrote in a recent blog post. Only several hundred infections of AndroRAT have been found worldwide, most of them in the United States and Turkey, but the number is growing.
AndroRAT enables control of the infected device, allowing the criminal to remotely monitor and make phone calls, send SMS messages, access GPS coordinates, use the camera and microphone and access stored files.
The appearance of AndroRAT packaged in an off-the-shelf kit for infecting applications is a significant step in the commercialization of mobile malware, said Vikram Thakur, Symantec’s principal security response manager.
“All this tool is doing is lowering the bar for people entering the malware space,” Thakur said. “But it’s only one piece of the puzzle.” The user “still has to figure out how to monetize it.”
Making money from malware for mobile devices has for years been a stumbling block for cyber criminals. The devices are increasingly popular and powerful, but do not offer as many opportunities for ripping users off as do desktop and laptop computers that are more often used in commerce. As much fun as it might be to take control of someone’s smartphone, there is not a lot of money in it.
But the ability to leverage malware in large mobile botnets can make it worthwhile. Common schemes are to deliver ads to the infected device, send premium text messages for which the smartphone owner is billed or to have the device browse a for-pay video site. These do not produce a big return on any one device, but Symantec discovered a large mobile botnet in 2012 that was pulling in more than $1 million a year for its owner, Thakur said.
“The bad guys are not trying to suck out as much money as they can on day one,” he said. They are staying under the radar, taking a few dollars a month from each victim for a small -- but long term -- return on investment.
The next phase in such schemes is to take products such as the AndroRAT binder one step further and bundle it with tools for hosting and delivering premium content to compromised devices: An all-in-one tool that can turn any wannabe into a successful mobile bot herder.
So far, it does not appear that this has been done, Thakur said. “If it is happening in the underworld, it is in a very siloed manner.” But he expects that we will see activity of this kind in the future.
The good news is that most mobile malware today is delivered in applications that have to be installed on a smartphone or other device, which means that the user is the first and best line of defense. You should have an antivirus tool installed on your phone, but be careful about what else you install on it.
“If somebody is offering you a free version of an app that you would have to pay for somewhere else, think twice,” Thakur said. “Nothing is free.”