Android banking Trojans are on the rise

The mobile malware sector continues to grow at a significant pace both technologically and structurally, and a majority of the mobile malware created in 2013 was focused on extracting financial profits, Kaspersky Lab has found.

In their analysis of the mobile threat landscape in 2013, Kaspersky researchers have found that:

• Nearly 100,000 new malicious programs for mobile devices were detected in 2013, which is more than double the 2012 figure of 40,059 samples. As of January 1, 2014, Kaspersky Lab has collected 143,211 mobile malware samples.
• 98.1 percent of all mobile malware detected in 2013 targeted Android devices.
• Approximately 4 million malicious applications were used by cybercriminals to distribute mobile malware for Android-based devices. A total of 10 million malicious Android apps were detected in 2012-2013.
• The top five countries with the highest number of unique attacked users: Russia (40%), India (8%), Vietnam (4%), Ukraine (4%) and the United Kingdom (3%).

The report also found that majority of mobile malware in 2013 was used to gain access to consumer’s money. The number of mobile malware modifications designed for phishing, stealing bank card information and money from bank accounts, increased by a factor of almost 20. There were also 2,500 attempted infections by banking Trojans were blocked.

In addition, Kaspersky Lab saw a shift in the use of banking Trojans, which are considered one of the most dangerous types of mobile malware for consumers. Many banking Trojans detected in 2013 were geared more towards stealing money from bank accounts rather than from a victim’s mobile account.

At the beginning of the year there were 64 known banking Trojans; however, by the end of the year, Kaspersky Lab’s collection contained 1,321 unique samples. Vulnerabilities in the Android OS architecture and its growing popularity were also important factors behind the increase in Android banking Trojans.

“Today, the majority of banking Trojan attacks target users in Russia and the CIS. However, that is unlikely to last for long: given cybercriminals’ keen interest in consumer bank accounts, the activity of mobile banking Trojans is expected to grow in other countries in 2014,” explained virus analyst Victor Chebyshev. “We already know of Perkel, an Android Trojan that attacks clients of several European banks, as well as the Korean malicious program Wroba.”

Cybercriminals are increasingly using sophisticated routed to the users’ money:

• They are increasingly using obfuscation, the deliberate act of creating complex code to make it difficult to analyze. The more complex the obfuscation, the longer it will take an antivirus solution to neutralize the malicious code and the more money the fraudsters can steal.
• Methods used to infect a mobile device include compromising legitimate sites and distributing malware via alternative app stores and bots (the bots usually self-proliferate by sending out text messages with a malicious link to addresses in the victim’s address book).
• Android vulnerabilities are used by criminals to enhance the rights of malicious applications, which considerably extend their capabilities and make it more difficult to remove malicious programs. To bypass the code integrity check when installing an application, the Master Key vulnerability is used. The fact that it is only possible to get rid of Android vulnerabilities by receiving an update from the device manufacturer merely complicates the situation further. If a smartphone or tablet was released more than a year ago, it is probably no longer supported by the manufacturer and patching of vulnerabilities is no longer provided. In that case, the only help comes from an antivirus solution.