In 2015 our Mobile-Sandbox analyzed only 25,000 Android applications that were submitted by mostly anonymous users, anti-virus companies and ourselves. During the same period we had a large outage of the system (more than 4 months) due to some hardware defects and a lack of free time to get the system running again (I still hope to make it available to the public by the end of this month).
Most of these malicious applications had been downloaded from third-party markets and from potentially infected mobile devices. When looking at the malicious and unwanted applications and the corresponding families, one can see the following distribution of malicious behavior:

| Characteristics | Share in 2015 | Difference to 2014 |
| --- | --- | --- |
| Families that steal personal information | 50,0 % | – 13,1 % |
| Families with characteristics of a Botnet | 23,0 % | – 4,3 % |
| Cryptolocker/Ransomware | 15,4 % | + 14,8 % |
| Adware | 13,0 % | + 8,2 % |
| Families downloaded from the Google-Play Market | 11,5 % | + 2,5 % |
| Families that contain Root-Exploits | 11,5 % | + 2,6 % |
| Families that send premium rated SMS messages | 10,0 % | + 2 % |
| Commercial Trojans or Spy-Kits | 10 % | + 2,5 % |
| Online-Banking Trojans | 7,7 % | – 2,3 % |

Exactly 50% of all malware families try to steal personal information from the smartphone, such as IMSI, IMEI and contact entries. Even if this action doesn’t harm the smartphone user directly, the information can be sold on the underground market or used for targeted spam campaigns. This kind of threat has decreased by 13% compared to 2014. Although the share has decreased, this kind of exfiltrated information is still very valuable.
There was one newly discovered kind of malware in 2014: Cryptolocker/Ransomware. This malware encrypts large amounts of data on the device and then displays a message telling the victim to pay a given amount to the attacker to get the encryption key. We saw a large increase in these malware families in 2015, by nearly 15%.
In 2013 we saw the first publicly known targeted attack in which smartphones were involved as the main entity in the attack. In 2014 and 2015 smartphones have more recently become a target for hackers who try to get into the networks of larger companies. It seems that attackers move to mobile phones as a first step of a targeted attack with increasing frequency because the security hurdles and the awareness are lower on those devices. This can also be seen when looking at the amount of commercial malware and spy-kits that were seen in 2015 (10% of all malware families).
Banking Trojans, as well as malware that tries to locate the user by accessing GPS data, have slightly decreased in 2015, but the banking Trojans especially are still a very dangerous threat.
Adware had a very high increase in its share in 2015. It seems that displaying ads to users and tricking them into clicking the ads became very popular and a new business model on Android.