Malware authors are getting better at attacking mobile phones, by taking a trick or two from their desktop days and applying them to phones, according to researchers from Symantec and Total Defense.
(Screenshot by Michael Lee/ZDNet Australia)
Symantec researcher Joji Hamada said that criminals have turned to Twitter as a means of advertising and luring mobile victims to places they have stashed malware online, which will, for example, force a phone to send SMS texts to premium-rate numbers that the criminal has a stake in.
During a single eight-hour operation, Hamada witnessed over 130,000 malicious tweets from about 100 Twitter accounts. Another operation saw over 1500 tweets from over 50 accounts in one hour. He said that this could just be the tip of the iceberg as several operations are typically conducted at the same time.
The other issue that Hamada identified was that, like malware aimed at desktop software, which antivirus vendors constantly struggle to keep ahead of, malicious tweeting has turned into what he called the "cat-and-mouse game".
"Cybercriminals mix their game around, thereby making it difficult to recognise all bad tweets and most of all: they are persistent," he said.
"Smartphones have allowed users to access the internet anytime, anywhere and perform tasks that were only possible using computers. While the convenience provides so many great advantages, cybercriminals are also taking this opportunity to accomplish their bad deeds [over mobile]."
Hamada is not the only researcher that has noted the ability of criminals to take desktop malware concepts and apply them to mobile platforms.
Total Defense researcher Dinesh Venkatesan has found, in recent Android malware samples he has been examining, another anti-detection technique that criminals are using when writing malware for that platform.
Traditionally, when malware calls, say, the sendTextMessage() function in Android, this is sufficient grounds for anti-malware applications to raise a red flag and stop the suspicious behaviour. However, an older technique previously used in desktop malware, called reflection, has been found in a number of malware samples collected by Venkatesan.
The technique allows the executing program to examine classes and, among other abilities, find particular functions to execute at runtime without necessarily knowing what that code is at compile time.
Instead of directly calling the sendTextMessage() function, the malware stores the name of the function as a presumably harmless string and, after searching the API for the function by this name, stores its location as a reference. When the malware then wants to execute the sendTextMessage() function, it will call on this reference rather than its direct name.
For static code analysis tools, this is typically enough for the malware to escape detection.
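To show why a plain API-signature check misses the reflective variant and what a static scanner has to look for instead, here is an added example (not code from the article or from either vendor): a small Python heuristic run over constructed smali fragments. It flags a direct SmsManager call, and separately flags a method body where "sendTextMessage" appears only as a string literal that is then resolved with Class.getMethod() and run through Method.invoke(); the method names and register numbers in the sample are assumptions.

```python
import re
# Android SMS API methods named in the article; reflection hides their direct call
SENSITIVE_METHODS = {"sendTextMessage", "sendMultipartTextMessage"}
DIRECT_CALL = re.compile(r"Landroid/telephony/SmsManager;->(\w+)\(")
CONST_STRING = re.compile(r'const-string(?:/jumbo)? [vp]\d+, "([^"]*)"')
REFLECT_LOOKUP = re.compile(r"Ljava/lang/Class;->(?:getMethod|getDeclaredMethod)\(")
REFLECT_INVOKE = re.compile(r"Ljava/lang/reflect/Method;->invoke\(")

def scan_smali(text):
    """Return (line_no, kind, method) findings: 'direct' for a plain SmsManager
    call, 'reflective' when a sensitive method name is only a string literal that
    the same method body resolves with getMethod() and runs via Method.invoke()."""
    findings = []
    pending = []            # sensitive name strings seen in the current method body
    looked_up = False       # a Class.getMethod() call followed one of them
    for n, line in enumerate(text.splitlines(), 1):
        if line.startswith(".method"):
            pending, looked_up = [], False   # state is tracked per method body
        m = DIRECT_CALL.search(line)
        if m and m.group(1) in SENSITIVE_METHODS:
            findings.append((n, "direct", m.group(1)))
        m = CONST_STRING.search(line)
        if m and m.group(1) in SENSITIVE_METHODS:
            pending.append((n, m.group(1)))
        if pending and REFLECT_LOOKUP.search(line):
            looked_up = True
        if looked_up and REFLECT_INVOKE.search(line):
            findings.extend((start, "reflective", name) for start, name in pending)
            pending, looked_up = [], False
    return findings

# Constructed smali fragments: a direct call and the reflection-hidden variant.
SAMPLE = """\
.method private direct()V
    invoke-virtual {v0, v1, v2, v3, v4, v5}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
.end method
.method private hidden()V
    const-string v0, "android.telephony.SmsManager"
    invoke-static {v0}, Ljava/lang/Class;->forName(Ljava/lang/String;)Ljava/lang/Class;
    move-result-object v1
    const-string v2, "sendTextMessage"
    invoke-virtual {v1, v2, v3}, Ljava/lang/Class;->getMethod(Ljava/lang/String;[Ljava/lang/Class;)Ljava/lang/reflect/Method;
    move-result-object v4
    invoke-virtual {v4, v5, v6}, Ljava/lang/reflect/Method;->invoke(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object;
.end method
"""
if __name__ == "__main__":
    for line_no, kind, name in scan_smali(SAMPLE):
        print(f"line {line_no}: {kind} use of {name}")
```

The heuristic only works while the method name is still a plaintext literal; once the sample encrypts that string and decrypts it at runtime, as the article's samples do with their configuration data, a static scanner needs to hook or emulate the decryption, or the behaviour has to be caught dynamically.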
Venkatesan also found that these particular samples were taking steps to encrypt the data they used. In particular, criminals had taken steps to ensure that the data was only decrypted at runtime. From here, the data was stored in memory as an XML file and used to determine which number to send SMS messages to and their content.
Venkatesan noted that there was more than one premium SMS number included in the decrypted file he had looked at, but found that the sample he was examining did not appear to use the additional numbers. This has led him to believe that the malware he had found was only an early version and that mobile users can expect new innovative versions to attack them in the future.