There’s a good chance that if you’ve installed antivirus or security suite software, you’re sharing anonymized data with a security company. And that’s not a bad thing! The company can mine shared data from its entire user base to identify new threats and new trends, and (if it’s a big enough company) the results can provide a useful view of malware activity worldwide. We asked the research team at Symantec to do a little digging for us, and learned quite a bit about Android malware around the world.
As with virtually all modern malware, the purpose of Android malware is to make money for its creators. Some capture cash directly by secretly sending premium SMS messages that appear on your phone bill. Some enlist your device into a botnet that the bot herder can then rent out to spew spam, or participate in DDoS attacks. Some malicious apps scrape secrets that their creators can sell. We asked the Symantec team to slice and dice the data they’ve accumulated on spyware, botnets, and premium SMS malware.
Much Mobile Spyware
Symantec’s figures show 7.074 spyware infections for every 10,000 covered devices worldwide, almost all of which represent infestation by a Trojan they call Android.MobileSpy. This isn’t the type of Trojan that poses as a valid program; rather, it must be installed manually. Remember that time your spouse asked to borrow your phone for a while? Yeah, like that.
Shaun Aimoto, Principal Software Quality Assurance Engineer at Symantec, pointed out that defining spyware is a little difficult. Any product with antitheft features like location tracking or image capture could be misused, for example. “We don’t flag antitheft features,” said Aimoto. “Otherwise we’d be getting a lot of false positives.” As for mobile monitoring in general, it’s still a grey area. “If you use it on a cheating spouse, maybe it’s bad,” observed Aimoto, “but if you use it to protect your kids, maybe not.”
Are you likely to encounter mobile spyware? Well, that depends on where you live. In Asia, the spyware infection rate as measured by Norton was 16.18 per 10,000 devices, but in North America it came in at just 2.95 infections per 10,000 devices.
Not all apps that transmit your personal information are spyware, but when valid apps fail to use encryption, your data is at risk. Out of all the apps that transmit personal information, Symantec’s researchers found that almost three quarters correctly used encryption. Of those that omitted encryption, the majority were identified as malware or iffy “greyware” apps that use suspect ad libraries, make annoying changes to your settings, and so on. These could include so-called adware apps, that are just too pushy in their attempts to get you to buy things. As for the rest, Aimoto and team didn’t call them “safe” but rather “not yet convicted.”
Botnets Less Prevalent
Symantec found mobile spyware on more than seven devices per 10,000 tracked, but the prevalence of Android.Answerbot, the most prevalent botnet, was just 0.444 per 10,000. Even then, there’s a degree of overlap, as Android.Answerbot exists to steal personal information. The total prevalence for all detected botnets was 0.637 per 10,000 devices.
A botnet running on your smartphone can run down your battery, affect available bandwidth, or impact your data plan. However, the whole point of a botnet is to remain hidden, so it can do its job. You’re not likely to discover a botnet infestation without the help of an Android security product.
As with mobile spyware, botnets are more prevalent in Asia than North America, with 1.49 per 10,000 in Asia and 0.75 per 10,000 in North America. We were surprised to find Europe relatively botnet-free, just 0.09 instances per 10,000 devices. There could be a few reasons for this disparity. First, though it is an industry-leading company, Symantec only has so many customers and isn’t installed on every smartphone. While the information is likely indicative of larger trends, it’s by no means all-encompassing.
Second, many smartphone users in Asia don’t rely solely on first-party app marketplaces. “A major reason for the higher infection rate in Asia is the prevalence of more apps in the eco-system originating from third party markets,” said Aimoto. “The overall set of apps in Asia is subject to much less curation in Google Play than in other regions.”
Premium Texts Rake In Cash
“Text 1234 to 5678 to donate $10 to Save the Pupfish!” You’ve probably seen this kind of plea from time to time, but services collecting money using premium SMS messages are much more prevalent in Asia than elsewhere in the world. This is partly due to the prevalence of pay-as-you-go phone plans—with that sort of plan, the money transfer occurs the moment you send the text. And naturally, Asia is where we find the most abuse of the premium SMS system.
Worldwide, Symantec’s researchers report more than 39 premium SMS malware infections for every 10,000 covered devices, and over 27 infections specifically identified as Android.PremiumText per 10,000.
Android.PremiumText is a catch-all name for a variety of Trojans that exist as repackaged versions of various legitimate applications. The package name, publisher name, and other details will generally match the original application. These modified files generally don’t make it past screening by legitimate Android app stores, but they’re widespread on unofficial marketplaces.
The average computer user will probably tell you that Symantec is an American company. Symantec’s own stats don’t really support identifying it as American, though. Almost 39 percent of their Android user base is in Asia, and almost 33 percent in Europe. Tracked devices in North America make up not quite 19 percent of the total.
Aimoto and the Symantec team supplied some country-by-country information, but not all of it was precisely useful. You might be shocked to hear that they found 1,408.45 infections per 10,000 devices in the Falkland Islands, and 523.56 in Monaco. The catch here is that the actual user population is tiny. The report states that each the five countries with the highest infection rate has no more than 150 devices registered. A little experimentation in Excel suggests that Falklands figure represents 20 infected devices out of 142 total, or 10 out of 71 total, for example.
Germany, the Netherlands, Austria, Canada, and New Zealand were the five least-infected countries, with infection rates ranging from 2.12 per 10,000 on down. Symantec reports at least 20,000 tracked devices in each of those countries, meaning those numbers are more meaningful. The U.S. snuck in at 8.11 infections per 10,000 devices.
Looking just at the countries with the most Symantec installations (more than 10,000 devices querying weekly), we weren’t surprised to find China and in the top three for worst infection rate at 148.03 infections per 10,000. We were surprised to see Japan at number one, with 183.05 infections per 10,000 devices, and Vietnam in the third slot with 104.16. After that is a precipitous drop to the notorious Belarus with 46.33 infections per 10,000 followed closely by Russia with 43.12.
As you can see, the tiny bits of non-personal information sent by your antivirus can add up to a gold mine of useful information. We’ll be working with Symantec and other vendors from time to time, looking to gain insight on the latest threats and trends.