In 2013 our Mobile-Sandbox analyzed over 150,000 Android applications that were submitted by mostly anonymous users, Anti-Virus-Companies and by our own. Within this huge amount of data our system detected a bunch of malicious and unwanted applications belonging to 44 different and newly discovered malware families.
Most of these malicious applications had been downloaded from Third-Party markets, but we also found 4 malware families with samples that had been downloaded from the official Google-Play market. When looking at the malicious and unwanted applications and the corresponding families, one can see the following distribution of malicious behavior:
|Characteristics||Share in 2013||Difference to 2012|
|Families that steal personal information||61,4 %||+ 10,1 %|
|Families with characteristics of a Botnet||25,0 %||+ 1,5 %|
|Families that send premium rated SMS messages||18,2 %||– 11,9 %|
|Families that install additional applications||11,4 %||+ 1,0 %|
|Families downloaded from the Google-Play Market||9,1 %||– 2,2 %|
|Families that contain Root-Exploits||9,1 %||– 9,2 %|
|Families that steal location related data||9,1 %||+ 0,4 %|
|Potentially unwanted applications||9,1 %||+ 1,3 %|
|Online-Banking Trojans||6,8 %||+ 3,3 %|
|Families which are able to infect a connected Windows PC||4,5 %||+ 4,5 %|
|Commercial Trojans or Spy-Kits||2,3 %||+ 2,3 %|
More than 60% of all malware families try to steal personal information from the smartphone like IMSI, IMEI and contact entries. Even if this action doesn’t harm the smartphone user directly the information can be sold on the underground market or used for targeted Spam campaigns. This kind of threat has increased by more than 10% as compared to 2012.
Last year´s second most common threat — sending premium rated SMS messages — has lost nearly half of its share within newly discovered malware families. We assume that it has to do with the security features of Android 4.x as well as the awareness of telephony and service providers.
The most dangerous malicious samples are those that come with their own root exploit. If this exploit works properly, the attacker can do nearly everything with the infected device without the knowledge of the smartphone user. This kind of malicious behavior was found in more than 9 % of the 44 new malware families (which is also half as common as compared to 2012).
Within 2012 a huge amount of banks switched from the common TAN procedure to the mobile TAN (mTAN) for additional security. This trend can also be seen when looking at the malware families. In 2012 we detected 4 different families (3,5 %) that try to intercept and modify this mTAN messages. In 2013 it went up to 6,8 % of newly analyzed malware families. This kind of malicious Android apps are extremely dangerous: If the computer and the smartphone of an online banking user are infected with this kind of malware, the attacker can modify each transaction without the knowledge of the infected user.
There were two newly discovered kinds of malware in 2013: Commercial trojans/spy-kits (which are — more or less — legally sold on the Internet) and trojans that are able to infect a connected Windows PC. Both kinds of malware were distributed very seldomly with only 2 – 5 %.
With Android.Chuli we have also seen the first publicly known targeted attack where Android smartphones were involved as main entity in the attack.