In 2014 our Mobile-Sandbox analyzed over 100,000 Android applications that were submitted by mostly anonymous users, anti-virus companies and ourselves. At the same time we updated our system several times with new features and modified the backend and the analysis extensions. These updates unfortunately resulted in some downtime and a clean database, and we are still working to get all the data back into the system and to get everything running again.
Most of these malicious applications had been downloaded from Third-Party markets, but we also found some malware families with samples that had originally been downloaded from Google-Play. When looking at the malicious and unwanted applications and the corresponding families, one can see the following distribution of malicious behavior:

| Characteristics | Share in 2014 | Difference to 2013 |
|---|---|---|
| Families that steal personal information | 63,1 % | + 2,7 % |
| Families with characteristics of a Botnet | 27,3 % | + 2,3 % |
| Families that steal location related data | 11,1 % | + 2,0 % |
| Online-Banking Trojans | 10,0 % | + 3,2 % |
| Families downloaded from the Google-Play Market | 9,0 % | – 0,1 % |
| Families that contain Root-Exploits | 8,9 % | – 0,2 % |
| Families that send premium rated SMS messages | 8,0 % | – 10,2 % |
| Potentially unwanted applications | 8,0 % | – 1,1 % |
| Commercial Trojans or Spy-Kits | 7,5 % | + 5,2 % |
| Families that install additional applications | 5,0 % | – 6,4 % |
| Families which are able to infect a connected Windows PC | 0 % | – 4,5 % |

More than 63% of all malware families try to steal personal information from the smartphone, such as the IMSI, IMEI and contact entries. Even if this action doesn't harm the smartphone user directly, the information can be sold on the underground market or used for targeted spam campaigns. This kind of threat has increased by nearly 3% compared to 2013 and by more than 13% compared to 2012. So it seems that this kind of exfiltrated information is still very valuable.
The second most common threat of 2012, sending premium rated SMS messages, lost nearly half of its share within newly discovered malware families in 2013 and was still shrinking in 2014. We assume that this has to do with the security features of Android 4.x as well as the awareness of telephony and service providers. But we have seen the first samples that are able to circumvent the security features of Android and send premium rated SMS messages without notifying the user.
In 2013 some malware families appeared on the market that tried to infect a connected Windows PC through Windows exploits that had been bundled with the Android APK file. We did not see this in 2014.
There was one newly discovered kind of malware in 2014: ransomware. This kind of malware – also known as cryptolocker – encrypts large amounts of data on the device and then displays a message telling the victim to pay a given amount to the attacker (often combined with some FBI warning) to get the encryption key. This kind of threat is well known to PC users and is now also present on mobile phones.
In 2013 we saw the first publicly known targeted attack in which Android smartphones were involved as the main entity in the attack; in 2014 we saw this more often. It seems that attackers move to mobile phones as a first step of the targeted attack with increasing frequency.