Thanks to Anna Szalay and Vanja Svajcer of SophosLabs for their unstinting work behind the scenes to make this article possible.
It’s 10 years since June 2004, when the first mobile malware appeared.
It was called Cabir, and it infected Nokia phones running the Symbian mobile operating system.
In fact, it was a very specific sort of malware, not much seen any more, namely, a virus.
Compared to most modern malware, viruses are double trouble.
They are capable not only of infecting and taking over your device, but also of self-replication, spreading themselves to other devices, almost like some kind of malevolent living organism.
So we don’t want to celebrate this anniversary, you understand, but we did think we should look back at the last decade, and see what we can learn from…
…10 Years of Mobile Malware.
|2004||• Cabir •||Symbian|
Cabir, also known as Caribe, was a family of Symbian viruses that kicked off the mobile malware problem.
More of a research curiosity than a dangerous virus, Cabir spread using Bluetooth.
That meant it could jump between phones as they came into proximity – as happens all the time on buses and trains, at work, in shops, and so on.
The year before Cabir appeared, we’d already reported on a craze called Bluejacking – sending unsolicited messages to any Bluetooth-enabled devices you could find within range, typically about 10 metres.
Our advice back then then was simple: make your device “undiscoverable”, so it didn’t announce itself to other phones nearby; or turn off Bluetooth except when you were actually using it (prolonging your battery life at the same time).
Undiscoverable devices were immune to viruses like Cabir.
|2005||• Drever •||Symbian|
Drever was the first fake mobile anti-virus.
This malware app tried to make itself look legitimate by claiming to be an anti-virus program from Russian anti-malware company Dr Web.
That way it didn’t need to be a virus or worm, or to try to sneak onto your phone by itself; instead, it could invite you to install it under false pretences.
Ironically, Drever deliberately attempted to wipe out anti-virus programs from Simworks and Kaspersky, thus making it an anti-anti-virus.
|2006||• Xrove •||WinCE|
Fortunately, this was just a proof of concept virus, but it could jump from Windows PCs to Windows Mobile devices when you plugged the latter into the former.
The idea of using a desktop or laptop computer as a carrier for mobile malware, rather than delivering the malware over a mobile network connection, was revived in 2014, in the APK Downloader Trojan for Android.
Despite being written just to prove a point, the author of Xrove couldn’t resist including a malevolent payload: the virus tries to delete all the documents in and below your My Documents folder.
|2007||• FlexSpy •||Symbian|
FlexSpy for Symbian was a product you could buy.
In fact, the company that produced it is still going, openly promoting its products online under the banner headline “Spy on Mobile Phones, Cellphones and Tablets,” and urging you to “Catch Cheaters” and “Monitor Employees.”
The Symbian version of FlexSpy achieved notoriety as the first spyware to use an incoming call from a predefined number as a signal to activate and start eavesdropping invisibly.
The vendor considers that the legal ramifications of acquiring and using the software are a matter for its customers; indeed, the company’s website still states:
It is the responsibility of the product user to ascertain, and obey all applicable laws in their country in regard to the use of the product for 'sneaky purposes'. Please read our full LEGAL DISCLAIMER.
|2008||• Meiti •||WinCE|
Cybercriminals never really embraced Windows Mobile.
Sadly for Microsoft, neither did the rest of us.
That probably contributed to keeping the Bad Guys away: not enough potential victims.
But some crooks tried anyway, and Meiti was a data stealing virus that came in the disguise of a games pack.
It added a whole raft of games into the games folder, so you were getting something for nothing.
And a little something extra, too.
|2009||• Ikee •||iOS|
Ikee was the first, and so far only, in-the-wild viral malware for Apple iOS devices.
Infected devices were “Rickrolled,” with their wallpaper changed to a picture of 1980s pop star Rick Astley.
Ikee was written and released “for fun” by a young man in Australia; Naked Security tracked him down to Wollongong, New South Wales, from clues in the code.
The police decided not to take the matter further, so he was never charged; in fact, he went on to land a job as an iPhone application developer.
The virus only infected jailbroken devices, where Apple’s iOS security lockdown had deliberately been bypassed.
|2010||• Android Wallpapers •||Android|
By some measures, these Android apps aren’t true malware.
But researchers at the 2010 BlackHat conference in Las Vegas identified numerous wallpaper apps, downloaded by more than 1,000,000 users, that sailed as close to being malware as you might like.
On installation, the apps rummaged in your phone without asking, extracted private information such as your SIM serial number, subscriber ID and phone number, and sent it off to the developers in China.
This overzealous collection of device data was a portent of things to come in Android and iOS apps, even mainstream apps in the official Google and Apple marketplaces.
Numerous vendors have recently ended up in trouble, either with the technical community or with the US Federal Trade Commission, over this sort of behaviour:
- Path and Hipster took your contact list without asking.
- Brightest Flashlight posed as a simple flashlight (torch) app, but secretly took your location data and sold it on to advertisers.
- Snapchat asked for your phone number, then took this as an invitation to grab all your friends’ phone numbers from your address book at the same time.
Worse still, many mobile apps that collect this sort of data have been uploading it unencrypted, so that any eavesdroppers on your network can grab the data in transit.
|2011||• DroidDream •||Android|
Early in 2011, a whole raft of hacked apps – such as a bowling alley game that looks otherwise entirely innocent and is probably quite fun to play – were dumped into the Play Store, thus acquiring Google’s imprimatur.
But these apps had been Trojanised to send intimate information about your device to the crooks, such as your IMSI (subscriber) and IMEI (equipment) numbers, which identify both you and your phone.
The DroidDream malware also installs a set of privilege escalation exploits to prepare your device for later abuse.
Future attackers who ride into your phone on the back of DroidDream start off with root level access, giving them complete control over the device.
Obviously embarrassed by this surge of “Google-approved” malware in the Play Store, Google rushed out a clean-up app called the Android Market Security Tool.
The Market Security Tool implemented what was effectively a “kill switch” so that Google could retrospectively unapprove Play Store apps, even if some users had already downloaded and installed them.
|2012||• KongFu •||Android|
The hacked-games-as-malware theme continued in 2012, with the crooks taking advantage of the popularity of Angry Birds and the Angry Birds Space version, which was released in March 2012.
The malware is a full working ripoff of the game, hacked in the manner of DroidDream to include a privilege escalation exploit that grabs root access before downloading and installing whatever malware the crooks serve up next.
Interestingly, and presumably as a trick to make the malicious code less obvious to security software, this malware uses a form of steganography, where one file is hidden away inside another file of a completelty different sort.
KongFu sneakily squirrels away two Android executable programs, known as ELF files, inside a JPEG image.
|2013||• MasterKey •||Android|
2013 was a bad year for Google coders, who ended up with a series of rather sloppy vulnerabilities in the code verification component of Android.
That’s the much-vaunted part of the operating system that checks an app’s digital signature and verifies that the app hasn’t been hacked.
The security holes were caused by:
- Inconsistent handling of duplicate filenames in application package (APK) files.
- An integer overflow in the handling of filename lengths in APK files.
- Incorrect processing of corrupted directory information in APK files.
Without code verification, anyone can grab a well-known and much-trusted app from the Play Store, change it to do nasty things, and sail in under the banner of respectability, cryptographically endorsed by Android itself.
These bugs in the verifier allowed malware known as MasterKey to do exactly that, taking on the identity of legitimate programs and casting the blame on legitimate vendors.
|2014||• Koler •||Android|
Last in the history list is Koler, our most recent example of mobile malware that has copied techniques known to work on desktop and laptop computers.
Koler is what’s known as “policeware” or a “police locker,” and it takes over your Android with a warning that claims you are under surveillance by law enforcement for alleged criminal activity.
The malware then demands a ransom of $300, paid via MoneyPak, to unlock your device.
We chose eleven different malware samples for four different mobile platforms to illustrate the past ten years of mobile malware.
As you can see, tricks and techniques that have worked well for the cybercrooks on Windows have proved to be applicable in the mobile world, too.
All of the malware-related risks we have faced over the past decade on our desktop computers and laptops will need facing on mobiles as well, such as:
- Stealing your data for industrial or state-sponsored espionage.
- Phishing or logging your payment card data and passwords for sale on the cybercriminal underground.
- Scrambling your files and extorting payment to decrypt them.
In addition, we face new threats unique to mobile devices, including:
- SMS interception to undermine two-factor authentication.
- Phone call eavesdropping for lawful and unlawful surveillance.
- Location logging to keep track of where you go in real time.