
Mobile Malware: Doing the Math

Knowing what the threat situation is today will help planning for tomorrow.

When you stop to consider how much data you’re carrying on the corporate smartphone in your pocket (e-mail, business apps, login credentials, access to internal systems), it’s easy to understand why you and your phone are an attractive target for cybercriminals.

Information is valuable in and of itself, so somebody, somewhere, may try to take it from you. The key to defending yourself is knowing who, what, when, where and how. (We already know the why.)

Dan Guido, CEO of Trail of Bits, a security firm in New York City, and Mike Arpaia, formerly a security consultant and researcher at iSEC Partners, have made answering these questions the focus of their research in the Mobile Exploit Intelligence Project.

As Guido describes it, “We created a detailed understanding of mobile malware, where it is today and where it is going. We can now predict where to best build out mobile defenses, now and in the future.”

Malware by the Numbers

In their research for the MEIP, which was carried out from December 2011 through March 2012 and is updated regularly, Guido and Arpaia catalogued about 100 attack campaigns, including some of the better-known malware families such as Android.Pjapps, Android DroidDream and Android.Zeahache.

These 100 attacks were carried out by 81 unique pieces of mobile malware. Of those 81, only 16 were designed to escalate privileges: that is, to break out of the sandbox that normally confines an app to its own data and gain control over the rest of the device. “The escalate-privileges vector is the easiest avenue for bad guys to steal your data,” says Guido, “and it helps that they can get all of the code to do that essentially for free.”

To escalate privileges on a mobile phone, the malware needs a privilege escalation exploit, the same kind of code more commonly known as a jailbreak (or, on Android, a root exploit). Every privilege-escalating attack that Guido and Arpaia observed in the wild used one of just three unique exploits, all of which had previously been published by a single author; none of the attackers developed an exploit of their own. Distribution was just as uniform: in each case the attackers delivered the malware to victims disguised as an ordinary app on a mobile app storefront.

“This is the approach that works right now for malicious app distribution. Our data shows that this will be the dominant mobile threat vector for the next couple of years,” explains Guido.

Given that there are hundreds of millions of mobile devices in the world, these numbers might appear surprisingly small. But Guido says that’s not the right way to look at it. “Our research has determined that out of the 300 million Android devices out there, the presence of malware has been discovered on about a million of them. That’s a significant number.”

Crime Doesn’t Pay

These infection numbers, Guido suggests, highlight how little criminal enterprises have so far explored mobile malware. The reason is old-fashioned criminology 101: the lack of a sufficient financial incentive.

However much the popular media sensationalizes it, cybercriminal behavior is easy to grasp and can be summed up in a short rule: if Cost of Attack < Potential Revenue, then Attack. Simple economics. When the cost of mounting an attack is less than the revenue it is expected to bring in, someone will pursue it; when it isn’t, they will spend their effort elsewhere. So far, cybercriminals appear to be reaching the collective conclusion that mobile devices are not yet worth the effort, which is why the observed attacks reuse freely available exploits and cheap distribution channels rather than investing in new ones.

Avoid Past Mistakes

But while the current threat environment shows relatively few successful attacks, there are many potential avenues for compromising a mobile device that have yet to be explored, such as introducing malware through mobile ads. It’s also important to keep in mind that the ubiquity of mobile platforms is a relatively new phenomenon. From Guido’s perspective, this offers an opportunity to build up defenses before the threat matures rather than after the fact.

“What we want to avoid is having the mobile platform become the malware-filled ecosystem that desktops have become,” says Guido. “The malware threat is completely different on mobile devices than on desktops. So it’s taking some time for criminals to figure out how to exploit that environment the way they’ve exploited the desktop environment.”

The MEIP provides a snapshot of the mobile malware landscape today and offers many clues as to the direction it will likely take in the near future. As Guido points out, this knowledge is key to staying ahead of the threat.

“We have an opportunity to really nail this problem and fix it before it gets too developed,” he states. “If the vendors don’t keep up, don’t stay ahead of the threat, this is going to be a bigger problem going forward. They’re at risk of falling behind.”
