F-Secure's "Mobile Threat Report Q2" on the state of security on mobile devices, especially those based on the Android operating system.
Every quarter, Android malware continues to grow in number, and Q2 2012 is no exception. We received a total of 5033 malicious Android application package files (APKs), most of which come from third-party Android markets. This amount is a 64% increase compared to the number in the previous quarter. Out of this amount, we identified 19 new families and 21 new variants of existing families. A high concentration of these new variants comes from FakeInst and OpFake, two families that are found to be related. Malware in these two families share so many similarities that in some instances they can be classified as one family. In general, the new variants retain the same malicious behavior found in the previous ones, only improving on the methods used to defeat anti-virus technology in order to avoid detection.
After a while on the scene, Android malware has begun to explore new methods of infection, as evidenced by NotCompatible.A and Cawitt.A. In May 2012, the first Android malware to use the drive-by download method was spotted in the wild, detected as Trojan-Proxy:Android/NotCompatible.A. A simple visit to a malicious website could render a device infected, if the device is configured to allow installations from unknown sources. When visiting a specially crafted website, the device will automatically download an application from the site. This application is then shown in the notification menu, waiting for the user to install it. To convince the user to install it, the malware relies on social engineering tactics, naming the application “com.Security.Update” and the file “Update.Apk”. Once infected, the device is turned into a proxy or becomes part of a bot network.
In addition to drive-by download, another infection method discovered this quarter is the use of Twitter as a bot mechanism. Cawitt.A, for instance, accesses a Twitter account (possibly set up by the malware author) to obtain a server address, with which it then communicates and from which it receives further commands. Upon receiving instructions, this malware sends out SMS messages to certain numbers, and forwards the device’s International Mobile Equipment Identity (IMEI) number, phone number, and Android ID to the aforementioned server.
Aside from the continuing growth of Android malware and the discovery of new infection methods, the second quarter also reveals a trend in regionally based attacks. In Spain, for instance, we tend to get a lot of reports on banking-related attacks. This quarter, SmsSpy.F, which is related to Zitmo, is a frequently reported case. The malware appears to be specifically targeting users who perform an online banking transaction and need the Mobile Transaction Authorization Number (mTAN). It arrives as an SMS message, notifying the user to download a security application from the provided link.
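The three families above each depend on capabilities that are declared up front in an APK's AndroidManifest.xml: an SMS receiver that outranks the stock messaging app (the mTAN interception SmsSpy.F/Zitmo relies on), SEND_SMS plus READ_PHONE_STATE and INTERNET (the SMS sending and IMEI/phone-number/Android ID exfiltration of Cawitt.A), and a package name posing as a system update (the “com.Security.Update” lure used by NotCompatible.A). The following triage script is an added example, not code from F-Secure or from this page; the two manifests are constructed for illustration, and the priority threshold and lure words are this example's own assumptions rather than published detection logic.

```python
"""Static triage of an Android manifest for the capabilities described above.

Added example. The manifests below are constructed, not real samples, and
the thresholds/lure words are assumptions made for illustration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
# Assumption: ordinary apps rarely need to outrank the system SMS app, while
# mTAN stealers register at a high priority so they see the message first.
HIGH_PRIORITY = 100
# Assumption: lure words modelled on the "com.Security.Update" naming above.
LURE_WORDS = ("update", "security")


def _android_attr(elem, name):
    """Read an attribute from the android: namespace (None if absent)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def _priority(intent_filter):
    """Parse android:priority; absent or non-numeric counts as 0."""
    raw = _android_attr(intent_filter, "priority")
    try:
        return int(raw) if raw is not None else 0
    except ValueError:
        return 0


def triage_manifest(manifest_xml):
    """Return (package name, sorted list of findings) for a manifest string."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    perms = {_android_attr(e, "name") for e in root.iter("uses-permission")}
    findings = set()

    # 1. mTAN-style interception: RECEIVE_SMS plus an intent filter that
    #    claims SMS_RECEIVED at high priority (SmsSpy.F / Zitmo pattern).
    if "android.permission.RECEIVE_SMS" in perms:
        for flt in root.iter("intent-filter"):
            actions = {_android_attr(a, "name") for a in flt.iter("action")}
            if SMS_RECEIVED in actions and _priority(flt) >= HIGH_PRIORITY:
                findings.add("sms_interception_high_priority")

    # 2. Outbound SMS under remote control (Cawitt.A sends SMS on command).
    if "android.permission.SEND_SMS" in perms:
        findings.add("sms_sending")

    # 3. Device identity (IMEI, phone number) with a network path out,
    #    the combination Cawitt.A uses to report to its server.
    if ("android.permission.READ_PHONE_STATE" in perms
            and "android.permission.INTERNET" in perms):
        findings.add("device_identity_exfil_capable")

    # 4. Package name posing as a security/system update.
    if any(word in package.lower() for word in LURE_WORDS):
        findings.add("update_lure_name")

    return package, sorted(findings)


# Constructed manifest mimicking the behaviours in the report (not a real sample).
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.Security.Update">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <application android:label="Security Update">
        <receiver android:name=".SmsReceiver">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# Constructed benign manifest for comparison.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Flashlight">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""

if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        package, findings = triage_manifest(manifest)
        print(package, findings or "no findings")
```

A manifest that trips several findings at once is not proof of malice (a legitimate banking app may also hold READ_PHONE_STATE and INTERNET), but the combination of a high-priority SMS_RECEIVED receiver, SEND_SMS and an update-themed package name in one unsigned sideloaded APK is exactly the profile worth pulling aside for manual analysis.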