Enterprise Insights

Why Android Malware Must be on IT’s Watch List

Network security provider Fortinet is out with its monthly threat research, and as part of the report is the company’s list of Top 5 Android Malware Families. In addition, the company has commented on new root-level attacks on Android phones.

Fortinet cites Gartner figures that give the Android operating system a global market share of 52.5 percent, with Symbian second at 18 percent and iOS third (no percentage is given). That popularity makes Android attractive to attackers: the company found “approximately five times the amount of malicious families on the Android OS versus what we’ve found on iOS.”

Axelle Apvrille, a Fortinet senior mobile anti-virus researcher, explains that “this disparity can be attributed to the way Apple handles iOS application development and distribution. Unlike Android, which makes it fairly easy to place applications for people to download, iOS requires developers to undergo some strict screening from Apple before the application can make it to the Apple Store. That’s not to say that Apple is totally immune from being infiltrated by malware -- the Eeki banking worm proves that -- but it is a testament to why we’re seeing so little activity on the iOS platform.”

Android’s larger market share (not to mention its open development environment) may be why the company has seen a “90 percent increase in Android malware families in 2011 compared to 2010, while malicious iOS families only increased by 25 percent” during that period, according to Apvrille.

FortiGuard Labs’ antivirus engine detected the largest number of samples from these five malware families:

  • Geinimi, described as Android’s first botnet, sends a user’s geographic location and lets infected phones be controlled remotely; Geinimi can also make the phone call a particular phone number

  • A Trojan in the form of a live wallpaper, called Hongtouto, “steals private information such as the victim's subscriber number (IMSI) and automatically visits [Web sites] that the malware directs it to”

  • DroidKungFu, a botnet that can remotely install other malware and start other apps

  • A phony instant-messenger app, JiFake, “sends SMS messages to premium phone numbers”

  • The BaseBridge Trojan also sends SMS messages to premium telephone numbers; the Trojan itself was found on (and subsequently removed from) the official Android Market

The malware comes dressed to look like legitimate apps, according to Karine de Ponteves, a malware analyst at Fortinet. “DroidKungFu was an example of malware that was found repackaged in a legitimate VPN utility, whereas Geinimi was found within the legitimate application ‘Sex Positions.’”
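Every behaviour in the list above, from premium-rate SMS to IMSI theft to boot-time persistence, requires a permission the app has to declare in its AndroidManifest.xml, and a repackaged “wallpaper” or “VPN utility” that carries those permissions stands out against what its advertised function needs. The script below is an added example, not code from Fortinet, FortiGuard Labs or ESJ. It assumes the manifest has already been decoded from binary AXML to plain XML (as apktool produces; the binary format is not parsed here), maps the requested permissions onto the behaviours in the list, treats a live wallpaper that asks for telephony permissions as a mismatch in the Hongtouto pattern, and also flags a high-priority SMS_RECEIVED receiver, a heuristic that goes beyond the page’s list. Both manifests, their package names and component names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Added example (not Fortinet's or ESJ's code). Assumes a manifest already
# decoded from binary AXML to plain XML (e.g. with apktool). The sample
# manifests below are constructed, not taken from any real app or malware.

ANDROID_NS = "http://schemas.android.com/apk/res/android"
WALLPAPER_ACTION = "android.service.wallpaper.WallpaperService"
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Behaviours from the Fortinet list -> permissions an app must request to
# perform them (every permission in the tuple must be present).
BEHAVIOUR_PERMISSIONS = {
    "premium-rate SMS sending (JiFake, BaseBridge)": ("android.permission.SEND_SMS",),
    "IMSI / subscriber number theft (Hongtouto)": ("android.permission.READ_PHONE_STATE",),
    "location reporting to a remote server (Geinimi)":
        ("android.permission.ACCESS_FINE_LOCATION", "android.permission.INTERNET"),
    "boot-persistent remote control (Geinimi, DroidKungFu)":
        ("android.permission.RECEIVE_BOOT_COMPLETED", "android.permission.INTERNET"),
}
# Permissions a live wallpaper has no plausible use for.
TELEPHONY_PERMISSIONS = {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
                         "android.permission.READ_PHONE_STATE"}


def _attr(elem, name):
    """Read an android:-namespaced attribute (None if absent)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def _filters(root, tag):
    """Yield (component name, <intent-filter>) pairs for every <tag> element."""
    for comp in root.iter(tag):
        for filt in comp.findall("intent-filter"):
            yield _attr(comp, "name"), filt


def _actions(filt):
    return {_attr(a, "name") for a in filt.findall("action")}


def triage(manifest_xml):
    """Return package, requested permissions, findings and a verdict."""
    root = ET.fromstring(manifest_xml)
    perms = {_attr(e, "name") for e in root.iter("uses-permission")}

    # 1. Which listed behaviours does the permission set make possible?
    capabilities = [b for b, needed in BEHAVIOUR_PERMISSIONS.items()
                    if all(p in perms for p in needed)]

    # 2. App type vs. permissions: a wallpaper service asking for telephony.
    is_wallpaper = any(WALLPAPER_ACTION in _actions(f)
                       for _, f in _filters(root, "service"))
    mismatches = sorted(perms & TELEPHONY_PERMISSIONS) if is_wallpaper else []

    # 3. A high-priority SMS_RECEIVED receiver sees incoming SMS (operator
    #    billing confirmations included) before the messaging app and can
    #    abort the broadcast. Heuristic beyond the page's list.
    sms_hooks = [name for name, f in _filters(root, "receiver")
                 if SMS_RECEIVED_ACTION in _actions(f)
                 and int(_attr(f, "priority") or 0) >= 1000]

    findings = (["capable of " + b for b in capabilities]
                + ["live wallpaper requests " + p for p in mismatches]
                + ["high-priority SMS_RECEIVED receiver " + str(n) for n in sms_hooks])
    suspicious = bool(mismatches or sms_hooks) or len(capabilities) >= 2
    return {"package": root.get("package"), "permissions": sorted(perms),
            "findings": findings,
            "verdict": "suspicious" if suspicious else "no finding"}


# Constructed sample: a "live wallpaper" with the permission profile of the
# Hongtouto / BaseBridge behaviours described above.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.prettywallpaper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Pretty Wallpaper">
    <service android:name=".Engine"><intent-filter>
      <action android:name="android.service.wallpaper.WallpaperService"/>
    </intent-filter></service>
    <receiver android:name=".SmsHook"><intent-filter android:priority="2147483647">
      <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
    </intent-filter></receiver>
  </application>
</manifest>"""

# Constructed sample: a wallpaper that requests nothing beyond what it needs.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.plainwallpaper"><application>
  <service android:name=".Engine"><intent-filter>
    <action android:name="android.service.wallpaper.WallpaperService"/>
  </intent-filter></service></application></manifest>"""

if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        result = triage(manifest)
        print(result["package"], "->", result["verdict"], result["findings"])
```

The permission-to-behaviour table is deliberately coarse: a legitimate messaging client will also request SEND_SMS and READ_PHONE_STATE, so the verdict is a triage signal for deciding which samples to unpack and run, not a detection on its own. The mismatch check (what the app claims to be versus what it asks for) is the part that catches repackaged apps, since the added malicious code keeps the original’s user-visible function while widening its permission set.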

Unfortunately, gaining root access on Android devices is not hard. “The mobile security trend is a familiar one: as operating systems mature and gain popularity, malware and vulnerabilities follow since there is focus and motivation from cyber criminals,” Fortinet’s senior security strategist, Derek Manky, explained. “With root access, hackers can gain access to system files and change system settings that are typically authored to be read only. For example, a malware creator with root access to a vulnerable device could silently download and install additional malicious software, such as ransomware, spambots, and keyloggers.”

-- James E. Powell
Editorial Director, ESJ

Posted by Jim Powell on 12/05/2011 at 11:53 AM