Where in the World is the Worst Android Malware?

There’s a good chance that if you’ve installed antivirus or security suite software, you’re sharing anonymized data with a security company. And that’s not a bad thing! The company can mine shared data from its entire user base to identify new threats and new trends, and (if it’s a big enough company) the results can provide a useful view of malware activity worldwide. We asked the research team at Symantec to do a little digging for us, and learned quite a bit about Android malware around the world.

As with virtually all modern malware, the purpose of Android malware is to make money for its creators. Some capture cash directly by secretly sending premium SMS messages that appear on your phone bill. Some enlist your device into a botnet that the bot herder can then rent out to spew spam, or participate in DDoS attacks. Some malicious apps scrape secrets that their creators can sell. We asked the Symantec team to slice and dice the data they’ve accumulated on spyware, botnets, and premium SMS malware.

Much Mobile Spyware

Symantec’s figures show 7.074 spyware infections for every 10,000 covered devices worldwide, almost all of which represent infestation by a Trojan they call Android.MobileSpy. This isn’t the type of Trojan that poses as a valid program; rather, it must be installed manually. Remember that time your spouse asked to borrow your phone for a while? Yeah, like that.

Shaun Aimoto, Principal Software Quality Assurance Engineer at Symantec, pointed out that defining spyware is a little difficult. Any product with antitheft features like location tracking or image capture could be misused, for example. “We don’t flag antitheft features,” said Aimoto. “Otherwise we’d be getting a lot of false positives.” As for mobile monitoring in general, it’s still a grey area. “If you use it on a cheating spouse, maybe it’s bad,” observed Aimoto, “but if you use it to protect your kids, maybe not.”

Are you likely to encounter mobile spyware? Well, that depends on where you live. In Asia, the spyware infection rate as measured by Norton was 16.18 per 10,000 devices, but in North America it came in at just 2.95 infections per 10,000 devices.

Not all apps that transmit your personal information are spyware, but when valid apps fail to use encryption, your data is at risk. Out of all the apps that transmit personal information, Symantec’s researchers found that almost three quarters correctly used encryption. Of those that omitted encryption, the majority were identified as malware or iffy “greyware” apps that use suspect ad libraries, make annoying changes to your settings, and so on. These could include so-called adware apps that are just too pushy in their attempts to get you to buy things. As for the rest, Aimoto and team didn’t call them “safe” but rather “not yet convicted.”

Botnets Less Prevalent

Symantec found mobile spyware on more than seven devices per 10,000 tracked, but the prevalence of Android.Answerbot, the most prevalent botnet, was just 0.444 per 10,000. Even then, there’s a degree of overlap, as Android.Answerbot exists to steal personal information. The total prevalence for all detected botnets was 0.637 per 10,000 devices.

A botnet running on your smartphone can run down your battery, affect available bandwidth, or impact your data plan. However, the whole point of a botnet is to remain hidden, so it can do its job. You’re not likely to discover a botnet infestation without the help of an Android security product.

As with mobile spyware, botnets are more prevalent in Asia than North America, with 1.49 per 10,000 in Asia and 0.75 per 10,000 in North America. We were surprised to find Europe relatively botnet-free, with just 0.09 instances per 10,000 devices. There could be a few reasons for this disparity. First, though it is an industry-leading company, Symantec only has so many customers, and its software isn’t installed on every smartphone. While the information is likely indicative of larger trends, it’s by no means all-encompassing.

Second, many smartphone users in Asia don’t rely solely on first-party app marketplaces. “A major reason for the higher infection rate in Asia is the prevalence of more apps in the eco-system originating from third party markets,” said Aimoto. “The overall set of apps in Asia is subject to much less curation in Google Play than in other regions.”

Premium Texts Rake In Cash

“Text 1234 to 5678 to donate $10 to Save the Pupfish!” You’ve probably seen this kind of plea from time to time, but services collecting money using premium SMS messages are much more prevalent in Asia than elsewhere in the world. This is partly due to the prevalence of pay-as-you-go phone plans—with that sort of plan, the money transfer occurs the moment you send the text. And naturally, Asia is where we find the most abuse of the premium SMS system.

Worldwide, Symantec’s researchers report more than 39 premium SMS malware infections for every 10,000 covered devices, and over 27 infections specifically identified as Android.PremiumText per 10,000.

Android.PremiumText is a catch-all name for a variety of Trojans that exist as repackaged versions of various legitimate applications. The package name, publisher name, and other details will generally match the original application. These modified files generally don’t make it past screening by legitimate Android app stores, but they’re widespread on unofficial marketplaces.

Where’s Norton?

The average computer user will probably tell you that Symantec is an American company. Symantec’s own stats don’t really support identifying it as American, though. Almost 39 percent of their Android user base is in Asia, and almost 33 percent in Europe. Tracked devices in North America make up not quite 19 percent of the total.

Aimoto and the Symantec team supplied some country-by-country information, but not all of it was precisely useful. You might be shocked to hear that they found 1,408.45 infections per 10,000 devices in the Falkland Islands, and 523.56 in Monaco. The catch here is that the actual user population is tiny. The report states that each of the five countries with the highest infection rate has no more than 150 devices registered. A little experimentation in Excel suggests that the Falklands figure represents 20 infected devices out of 142 total, or 10 out of 71 total, for example.
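The “experimentation in Excel” above can be done systematically, and it also shows why a rate from a 150-device population is so shaky. The script below is an added illustration, not Symantec’s method: it searches every integer (infected, total) pair with at most 150 devices that reproduces a quoted per-10,000 rate exactly, then attaches a 95% Wilson score interval to each candidate so the reader can see how wide the plausible range really is. The 1,408.45 and 523.56 figures and the 150-device cap come from the article; the choice of a Wilson interval and the 10,000 scale are the example’s own.

```python
"""Sanity-check an infection rate quoted "per 10,000 devices" against a tiny
installed base. Added illustration only: the 1,408.45 / 523.56 rates and the
150-device ceiling come from the article; the method is assumed, not Symantec's."""
from math import sqrt

SCALE = 10_000  # the report quotes rates per 10,000 devices


def candidate_counts(rate_per_10k, max_devices, decimals=2):
    """Return every (infected, total) pair with total <= max_devices whose rate,
    rounded the way the report rounds, reproduces rate_per_10k exactly."""
    matches = []
    for total in range(1, max_devices + 1):
        for infected in range(0, total + 1):
            if round(infected * SCALE / total, decimals) == rate_per_10k:
                matches.append((infected, total))
    return matches


def wilson_interval(infected, total, z=1.96):
    """95% Wilson score interval for the true infection proportion, expressed
    per 10,000 devices. Wilson is used rather than the normal approximation
    because it behaves sensibly for small populations like these."""
    p = infected / total
    z2 = z * z
    denom = 1 + z2 / total
    centre = (p + z2 / (2 * total)) / denom
    half = z * sqrt(p * (1 - p) / total + z2 / (4 * total * total)) / denom
    return ((centre - half) * SCALE, (centre + half) * SCALE)


if __name__ == "__main__":
    for country, rate in (("Falkland Islands", 1408.45), ("Monaco", 523.56)):
        pairs = candidate_counts(rate, 150)
        print(f"{country}: {rate} per 10,000 ->", pairs or "no exact integer match")
        for infected, total in pairs:
            lo, hi = wilson_interval(infected, total)
            print(f"  {infected}/{total}: 95% interval {lo:.0f} to {hi:.0f} per 10,000")
```

For the Falklands figure the only exact integer reconstructions with 150 or fewer devices are 10/71 and 20/142, and the interval around 20/142 spans roughly 930 to 2,080 per 10,000, so the two decimal places in the report convey far more precision than the data can support. Monaco’s 523.56 has no exact integer match at all under 150 devices, which suggests that figure was averaged or computed from a slightly larger base than the text implies.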

Germany, the Netherlands, Austria, Canada, and New Zealand were the five least-infected countries, with infection rates ranging from 2.12 per 10,000 on down. Symantec reports at least 20,000 tracked devices in each of those countries, meaning those numbers are more meaningful. The U.S. snuck in at 8.11 infections per 10,000 devices.

Looking just at the countries with the most Symantec installations (more than 10,000 devices querying weekly), we weren’t surprised to find China in the top three for worst infection rate, at 148.03 infections per 10,000. We were surprised to see Japan at number one, with 183.05 infections per 10,000 devices, and Vietnam in the third slot with 104.16. After that is a precipitous drop to the notorious Belarus with 46.33 infections per 10,000, followed closely by Russia with 43.12.

As you can see, the tiny bits of non-personal information sent by your antivirus can add up to a gold mine of useful information. We’ll be working with Symantec and other vendors from time to time, looking to gain insight on the latest threats and trends.

iOS 9 will delete apps to make room for system updates

Early adopters of iOS 9 beta 2 have discovered a new feature that will temporarily delete apps from overloaded devices when there isn’t enough space to install system updates. Many users with the smaller 8 GB and 16 GB iPhones reportedly had difficulty fitting the last upgrade onto their mobile devices. And while iOS 9 is only a fraction of the size of iOS 8 (they’re 1.3 GB and 4.3 GB, respectively), Apple is clearly trying to nip similar complaints in the bud this time around. The new feature will of course reinstall the deleted app once the update has completed, plus, presumably, any user data that was deleted along with the app itself.

Samsung Devices Found To Be Vulnerable To SwiftKey Updates

Security is increasingly becoming one of the most important factors for consumers when purchasing a new handset. This is not that surprising when you consider the amount of attention that has been paid over the last year to attacks on devices, data breaches, leakage and malware. As the news keeps coming in, consumers become increasingly cautious about their data and manufacturers become increasingly interested in offering ways to protect it. A prime example is the security emphasis which Google seems to have placed on their latest Android update, Android 5.0 (Lollipop), and their next update, Android M.

Samsung is no different. The company has long been working on their Knox security suite, which is designed to offer users an additional level of security and safety. However, it is now emerging that many Samsung devices might have been suffering from a vulnerability which could in turn lead to a device being compromised. The issue was brought to attention at this year’s Black Hat conference by Ryan Welton from NowSecure, a mobile security specialist company. The vulnerability concerns the SwiftKey application which comes preinstalled on most Samsung devices. In short, the problem is as follows: SwiftKey routinely checks for language pack updates, but those requests are made in plaintext rather than over an encrypted channel. As a result, Welton was able to show how malicious updates could be delivered to the device by this route. Furthermore, the malicious code could remain on the device, where it could then be used to further attack the device or recover the user’s data.

Now the actual issue with SwiftKey is not a new one, as it is reported that back in November of last year Samsung had been made aware of the problem. Moreover, by the time the Galaxy S6 and S6 Edge had been unveiled, Samsung had also released a patch to fix the issue (for devices on Android 4.2 or higher). However, at the recent Black Hat event, Welton was able to show the vulnerability was still present on the Galaxy S6, and confirmed it had been observed on devices running on both Verizon’s and Sprint’s networks. In addition, a spokesperson for NowSecure stated that the vulnerability is likely still applicable to many Samsung devices, including both their flagship Galaxy S and Note ranges. On the positive side, it would seem that the vulnerability is most dangerous when the attacker is on the same network, so users can go some way toward protecting their device by ensuring they only use trusted networks.
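The weakness described above is an update channel with neither transport protection nor an integrity check on what comes back. The following is an added example of the checks a client should apply before installing a downloaded language pack; it is not SwiftKey’s or Samsung’s code, and the manifest, the `updates.example.test` host, the pack bytes and their digests are all constructed here. The idea is that the app only ever trusts a digest it already holds (here a pinned manifest, in practice one shipped with the app or signed by a key the app carries), so a response altered in transit is rejected even if it arrives from the right address, and any attempt to fetch over plain `http://` is refused before a byte is used.

```python
"""Validate a language-pack update before installing it. Added example only,
not SwiftKey's or Samsung's code: the host name, manifest, pack contents and
digests below are constructed so the script runs offline."""
import hashlib
from urllib.parse import urlparse

ALLOWED_HOSTS = {"updates.example.test"}          # assumed update host
GOOD_URL = "https://updates.example.test/packs/en_US.pack"

# Constructed stand-in for a language pack. In a real app the digest would be
# baked into a manifest shipped with the app (or signed by a key the app holds);
# it is computed here only so the example is self-contained.
GENUINE_PACK = b"SWIFTPACK\x00en_US\x00" + bytes(range(64))
TAMPERED_PACK = GENUINE_PACK + b"\n# bytes injected on the wire"

PINNED_MANIFEST = {
    "en_US.pack": {
        "url": GOOD_URL,
        "sha256": hashlib.sha256(GENUINE_PACK).hexdigest(),
    },
}


class UpdateRejected(Exception):
    """Raised with a short reason whenever a download must not be installed."""


def check_update_source(url):
    """Refuse plaintext transport and unexpected hosts before touching the body."""
    parsed = urlparse(url)
    if parsed.scheme != "https":
        raise UpdateRejected(f"plaintext transport: {url}")
    if parsed.hostname not in ALLOWED_HOSTS:
        raise UpdateRejected(f"unexpected host: {parsed.hostname}")
    return parsed


def verify_pack(name, url, body):
    """Return True only when the pack is known, came over TLS from the expected
    URL, and its SHA-256 matches the pinned manifest. Raises UpdateRejected
    otherwise, so a caller cannot accidentally install on a failed check."""
    entry = PINNED_MANIFEST.get(name)
    if entry is None:
        raise UpdateRejected(f"unknown pack: {name}")
    check_update_source(url)
    if url != entry["url"]:
        raise UpdateRejected(f"url does not match manifest entry: {url}")
    digest = hashlib.sha256(body).hexdigest()
    if digest != entry["sha256"]:
        raise UpdateRejected(f"digest mismatch for {name}: got {digest[:16]}...")
    return True


def reject_reason(name, url, body):
    """Convenience wrapper: None when the pack is acceptable, else the reason."""
    try:
        verify_pack(name, url, body)
        return None
    except UpdateRejected as exc:
        return str(exc)


if __name__ == "__main__":
    cases = [
        ("genuine over TLS", GOOD_URL, GENUINE_PACK),
        ("genuine over plain http", GOOD_URL.replace("https://", "http://"), GENUINE_PACK),
        ("tampered over TLS", GOOD_URL, TAMPERED_PACK),
        ("genuine from wrong host", "https://mirror.example.test/packs/en_US.pack", GENUINE_PACK),
    ]
    for label, url, body in cases:
        reason = reject_reason("en_US.pack", url, body)
        print(f"{label:26s} -> {'installed' if reason is None else 'REJECTED: ' + reason}")
```

Pinning a digest per pack works because each language pack is a fixed file; when the set of packs changes over time, the same structure applies one level up, with the manifest itself signed by a key the app carries and only the verified manifest’s digests trusted. Either way the transport check and the integrity check are independent, which is what makes a same-network attacker’s position useless even if TLS were somehow stripped.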