Android malware samples jump six-fold in Q2

Summary: Malware samples which consist mostly of mobile spyware rocketed to over 120,000 last month within three months. The OS's application signing shows further weakness, according to Alcatel-Lucent's Kindsight Security Labs study.

The number of Android malware samples has grown six-fold over the past quarter, and loopholes have been found in Android application signing that make it easy for malware to get onto devices.

Alcatel-Lucent's Kindsight Security Labs Malware Quarterly Report, released Wednesday, showed that the number of Android malware samples had exceeded 120,000 in June 2013, a sharp increase from around 20,000 samples in March 2013.

Overall, 0.52 percent of devices were infected with high threat level malware, a slight increase from 0.5 percent last quarter. The majority of infected devices are either Android phones or Windows laptops tethered to a phone or connected directly through a mobile USB stick or Mi-Fi hub.

The number of infected Android devices is also starting to dominate the total number of infected mobile devices.

[Figure: Android malware samples growth from July 2012 to June 2013 (Source: Alcatel-Lucent)]

[Figure: Mobile device infection rate from January to June 2013 (Source: Alcatel-Lucent)]

According to the report, the major infection vector is Trojanized apps distributed through the Google Play Store, legitimate third-party app stores, or "shadier" app stores specializing in pirated applications. While Google Play has made efforts to scan for and remove apps containing malware, many third-party app stores do not check for them.

Most mobile threats detected belong to the spyware category, which poses a large threat to organizations in the Bring Your Own Device (BYOD) era because such apps can be installed on an employee's phone for industrial or corporate espionage.

The report also found vulnerabilities in Android application signing. All Android applications must be cryptographically signed, which helps verify the identity of the application author and ensures the application has not been tampered with, but the report noted that this model has issues.

While the Android operating system checks that an app has been signed, it makes no attempt to verify that the signature is legitimate; it simply accepts any signature. This lets the "signer" put whatever information they want into the certificate, making it easy to produce pirated copies of applications with Trojan services injected into them.

The digital signature is also checked only during installation, not while the application is running. The report cited BlueBox Security, which found it is possible to modify the APK file of an installed application without the system raising an alarm, allowing an attacker to inject malicious code into existing applications.
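To make the install-time-only integrity check concrete, here is an added example (not from the article or the Kindsight report) that re-verifies an APK's packaged entries against the per-file digests in its JAR-style MANIFEST.MF, the kind of re-check a defender can run on already-installed packages. It assumes the v1 (JAR) signing layout and a constructed in-memory sample; it deliberately covers only file integrity, not who signed the package, which would require comparing the signer certificate against a pinned fingerprint.

```python
import base64
import hashlib
import io
import zipfile

def b64_sha1(data):  # digest form used by JAR-style MANIFEST.MF entries
    return base64.b64encode(hashlib.sha1(data).digest()).decode()

def build_apk(files, listed=None):
    """Constructed sample: an in-memory APK-like zip whose v1-style MANIFEST.MF
    carries the digests of `listed` (default: `files`, a consistent package)."""
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in (listed or files).items():
        lines += [f"Name: {name}", f"SHA1-Digest: {b64_sha1(data)}", ""]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "\r\n".join(lines))
        for name, data in files.items():
            z.writestr(name, data)
    return buf.getvalue()

def parse_manifest(text):
    """{entry: base64 SHA-1} from MANIFEST.MF (72-byte line folding not handled)."""
    digests, name = {}, None
    for line in text.splitlines():
        if line.startswith("Name: "):
            name = line[6:]
        elif line.startswith("SHA1-Digest: ") and name:
            digests[name] = line[13:]
    return digests

def check_apk_integrity(apk_bytes):
    """Re-check every entry against MANIFEST.MF, the check the article says Android
    runs only at install time; returns a list of problems, empty when intact."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        expected = parse_manifest(z.read("META-INF/MANIFEST.MF").decode())
        for info in z.infolist():
            if info.filename.startswith("META-INF/"):
                continue  # manifest and signature files describe the rest
            if info.filename not in expected:
                problems.append(f"unlisted entry: {info.filename}")
            elif expected[info.filename] != b64_sha1(z.read(info)):
                problems.append(f"digest mismatch: {info.filename}")
    return problems

ORIGINAL = {"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex\n035\x00v1"}
# Constructed: the same package after classes.dex changed and a file the manifest
# never listed was added, which is exactly what a post-install re-check must flag.
MODIFIED = {**ORIGINAL, "classes.dex": b"dex\n035\x00v2", "lib/x.so": b"\x7fELF"}
```

`check_apk_integrity(build_apk(ORIGINAL))` returns an empty list, while `check_apk_integrity(build_apk(MODIFIED, ORIGINAL))` reports both the changed and the unlisted entry.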

Rise of home networks infected with malware

In terms of fixed broadband deployments in Q2 this year, 10 percent of residential households also showed evidence of malware infection, an increase from 9 percent infection last quarter.

Of these, 6 percent of households were infected with high threat level malware such as a botnet, rootkit or banking Trojan, while 5 percent were infected with moderate threat level malware such as spyware, browser hijackers or adware. Some households had multiple infections, including both high and moderate threat level infections.

[Figure: Home networks infected with malware and the division of infection by threat level in Q2 2013 (Source: Alcatel-Lucent)]

The ZeroAccess bot remains the most common malware threat in Q2, infecting about 0.8 percent of broadband users. It uses rootkit technology to conceal its presence while downloading additional malware used in large-scale ad-click fraud. This can cost Internet advertisers millions of dollars, and when the activity is aggregated over a month, its cost to the user can also be quite significant.

Topics: Malware, Android, Mobile OS, Security

Ellyne Phneah

About Ellyne Phneah

Elly grew up on the adrenaline of crime fiction and it spurred her interest in cybercrime, privacy and the terror on the dark side of IT. At ZDNet Asia, she has made it her mission to warn readers of upcoming security threats, while also covering other tech issues.

Talkback

24 comments
  • Android is dominating

    .... also on malware :)
    AleMartin
  • Google in denial as Apple was once

    Working within Android and Chrome OS with devices. I have come to the conclusion from corresponding on forums that Google and many of its loyal supporters don't believe they have a problem. I had a rather heated exchange when I supported a Chrome OS user who wondered why there were no security suites available for Chrome OS. I myself wondered that same thing? Yes, both Chrome OS and Android have an ecosystem you would think limits its exposure to malware by distributing applications through their own channels. But obviously you have users who defy that system and invoke the developer switch in the OS allowing for more options. But in return also opening the system to rogue applications. But I doubt this increase is just about users hacking their phones. It's been about Google failing at properly dealing with applications on their own app store that are not safe. I don't think Google is doing a good job of minding its store.
    Open source is great, but it still needs a system of making sure your ecosystem is not tainted.
    JohnnyES
  • How much

    Does apple pay you guys?
    alderran
    • Twice the amount you got paid by Google

      Sorry but why don't you give links or references which says otherwise and add value to discussions. Rather than just throwing mud.
      spicycheeks
    • Nothing

      Apple doesn't resort to desperate sales and marketing tactics. Apple doesn't give lots of products away to rich and famous people to promote the brand like others do, nor do they give sales reps spiffs to entice them to promote their products at these resellers. Why don't you just choose the most secure and safest platform and get a little more peace of mind. It's a lot better than complaining or bringing up false accusations.
      RichDavis1
  • Weak Platform by design

    Google has created incompetent software and dumped it into the market for its own benefit.
    Don't use android on any of your personal devices, because your data and privacy will be compromised for sure.
    OwlllllllNet
    • Sour grapes?

      Windows no longer tops any charts now they've lost the mobile malware crown as well.
      Little Old Man
    • Funny

      We've been saying that for years about Windows and the fanbois retort is because Windows is so populous.
      Alan Smithie
      • it's too easy with android

        Any fool can create malware in android, it's that weak...
        OwlllllllNet
        • And windows is obviously so difficult

          Otherwise there would be millions of attacks. Oh wait..........
          Little Old Man
        • Has Windows share of the mobile market

          with WP8 or W8RT hit double figures yet? I doubt it!
          Wakemewhentrollsgone
    • top 20 malware, the hard DATA and the FUD

      read the report by Alcatel/Lucent, they list top 20 malware and 19 out of the top 20 are win32 and 1 of them is Mac OSX. Android malware doesn't even make the list!
      of the Android malware samples, the top 2 specific malware are responsible for over 76% and neither of them can be found in the Google store. The top 6 represent over 96% of all Android malware samples and they are not found in the Google store. They are all found on free versions of paid games distributed on 3rd party download sites.
      If you add up all the Android malware samples, you don't even come close to the malware samples of any ONE of the top 20 windows/mac OS malware sample count!
      Android malware is 99.994% FUD
      warboat
  • Interesting report

    More in the fact that they don't elaborate where the majority of malware was found, no breakdown of the increase either. I would suspect (as the majority of malware reported is always in 3rd party stores) that unlike the poster above suggests, the increase will be seen in the rise of 3rd party app stores. I'll leave mine on trusted sources and should be fine I think.
    Statement about easily getting pirated apps into Play is also false if you compare the statement to the security procedures that google has in place. Google have patched the play store and actively checks for any instances in new apps.

    Also quite interesting that 10% of home networks are recorded to have malware infection? Wow, considering how anti-google fanbois shout loud and proud about refusing to use a system so infected with malware, I presume they'll all be throwing out their routers as clearly no home network can be trusted?? Fanbois?
    Little Old Man
    • Security companies reports are always like that

      I believe it's obvious malware for android is bigger than anything else, but I still have to find details about the different threats everyone is talking about.
      So far there is one thing that is very wrong with android - malware in the official Google play store.
      Malware with fake applications found on some cheesy sites or 3rd party android app stores are almost irrelevant in my opinion... Actually it can be good for Google, they can say - "stay with us and you are safe".
      AleMartin
      • I don't know

        Several months ago I talked to a T-Mobile rep and he had bought a S3 for his dad and he admitted that his father gets a lot of malware from downloading apps from Google Play so I don't know how safe Google Play is. They probably take them down once they find out that there is something that contains malware, but I don't think they screen ahead of time and sometimes the malware can go undetected since the various virus protection software might not catch it.
        RichDavis1
        • Oh! A dad from a friend....

          But yes it seems that there are fake apps there. There should be a warning for apps with very few downloads or something similar.
          The problem is that people don't read the warnings, or the permissions asked, or read comments... an Angry Birds app with less than 10000 downloads is obviously suspicious.
          AleMartin
        • I have yet to see this unicorn...

          I manage the MDM and device support at my enterprise and we have hundreds of Android phones and tablets connected to our system. I have yet to see malware on Android. It's out there but, as with much of it, it's in Russia and Asia via third party app stores.

          Please note which app gave your "friend's dad" the malware.
          Rann Xeroxx
    • @Little Old Man

      Actually, it's your mobile and it's your choice to trust Google or not. If you choose to trust, no number of articles could change your mind. Article did give the reasons of breaching security in Google Play store and not some article which just says that Play store is infected.

      If you have gone through the report (the report by Kindsight), they actually planned to demo a proof of concept spy phone module at Blackhat 2013. I would take these things seriously, if I have an Android Phone. At the end, it comes to whether you want it or not.
      spicycheeks
      • Actually you're completely wrong

        It's exactly articles like this, on various sites, that I use to make up my mind. In fact, it's slightly insulting to suggest I take google at their word and stick to the party line. You are so far wrong with that suggestion. I was actually waiting for the Bluebox Security to pop up on zdnet to watch the fun, having read all about it and the security procedures, in play, that Bluebox themselves highlighted as making it very difficult for this exploit to actually get a foothold in the official store. Do I believe they've patched the play store to detect and stop it? Yes, I do actually, I give them the benefit of the doubt on not leaving it unpatched after it went public. Same as I would with apple or MS (although last I read, MS weren't patching publicised exploits?) when they say they've applied the patch and issued to OEMs.

        Now, as to your statements about the report. 1) They do not detail an effective attack vector other than to say they could pirate apps - play has safeguards against this, both in the update procedure and duplicate apps. New apps would be scanned and from what I've read, the code would be detected. So there's no way to get it into play and no way to get at my handset to inject the code. I believe that was confirmed by Bluebox. 2) This demo they propose, they injected the code onto their own device. We can do that with any phone, physical access to a phone does not equate to getting into play and pushing it to handsets. If they show they can do that, well, I stand corrected. I don't think there is any handset that has resisted physical access attacks in any of the previous hacker events, including iphones and WP. 3) The report does not state where the increased malware has been recorded. Yes they go into great detail into what each exploit is, and in some cases how it operates, however they do not detail a breakdown which stores they found them on, other than to state there is malware in the play store. No figures on that either.

        So to sum up, don't assume I have or haven't read reports, that was your first mistake. Now, Have you seen the latest reports that this big bad latest exploit has already been found in 3rd party app stores yet not in play? I'll stand by my comments thank you.
        Little Old Man
      • ANYONE can write a proof of concept SPYPHONE app

        but to make one that will bypass the sideload switch is mission impossible.
        secondly, they have to demonstrate that it passes the Bouncer test.
        If they can demonstrate that their spyphone app has fallen through Google's bouncer filter, I will be impressed.
        I can write a proof of concept Tasker script that does everything their proof of concept spyware does.
        This "security group" is just spreading FUD.
        warboat