Mobile malware yielding low ROI, but attacks to rise

While mobile malware has yet to provide hackers with the same financial returns as that of the Windows platform, these attacks are set to rise with the increasing proliferation of smartphones and transaction devices.

According to a Symantec report released Sunday, the majority of efforts so far to monetize mobile malware have yielded only a low revenue-per-infection, thus, limiting the returns on investment (ROI) hackers can gain from such attacks. Furthermore, for each attack seen on Google's Android mobile operating system (OS), none had been repeated, raising the possibility that attackers did not generate enough revenue and, hence, did not bother relaunching the same attack. 

Symantec also noted that the security industry had predicted a flood of mobile malware every year, in the last decade, and yet only "a trickle" of mobile malware had emerged, with the most widespread threats being SymbOS.Cabir and SymbOS.Commwarrior in 2004 and 2005. The majority of mobile malware were merely "a nuisance" and affected only a very small fraction of the mobile phone industriy, the report added.

However, it warned that this ratio is likely to increase in future as smartphones gain traction as payment devices and smartphone usage continues to grow exponentially, with the shipment of new mobile device increasing 55 percent in 2010.

Mobile devices will provide an additional vector when devices are used as payment devices via protocols such as near-field communications (NFC), which allows consumers to pay for goods using their mobile devices. However, it remains to be seen how the malware will take advantage of mobile payment devices as this payment method is still in its infancy, the report noted.

"Mobile technology is advancing at a rapid pace and cybercriminals are keeping close tabs on these developments," Eric Chien, technical director of Symantec's security technology and response, said in the report. "The marked increase in mobile malware--particularly that targeting the Android platform--is likely only the beginning in terms of both the quantity of threats and their sophistication."

Other than attacker motivation, which is usually monetary, a mobile platform that is both open and ubiquitous is usually the base of a high level of malware activities. As Android is now the most prolific smartphone OS, occupying 43 percent of the global smartphone market in the second quarter of 2011 according to Gartner figures, the continued rise in market share will be inevitable, especially due ot the adoption of smartphones over regular phones, Symantec said.

Some of the monetization schemes seen in a recent spate of Android malware are also likely to be seen in the future. These include premium rate number billing, spyware, search engine poisoning, pay-per-click, pay-per-install and adware.

"Only if these monetization schemes succeed do we expect attackers to continue to invest in the creation of Android malware," Chien said.

Potential rise of data selling, fake security products
Future motivations also exist, Symantec warned, noting that data selling or stealing information such as login credentials and financial data had been "quite lucrative" in the PC space and could spillover to mobile devices.

Stealing of identifiers such as IMEI, a unique number that identifies a particular device, is another example of data stealing. While cloning mobile phones using data gathered from applications is not possible, IMEIs can be sold and reused on previously blocked phones or counterfeit phones that may not have proper IMEIs. Many of the recent Android threats do export IMEIs, however, the purpose of exporting these values seems to be to "uniquely identify" the infected device, rather than to resell the identifiers.

Another common risk on the PC is the sale of fake security products to trick a user into purchasing software to remove non-existing threats. This model of revenue generation could work equally well on a mobile device, Symantec said.

The IT security vendor added that in China, some phones were reportedly preinstalled with Fei Liu, a download manager application which reportedly caused system reliability isues and unconfirmed reports of improper billing. These same phones were reported to have a mobile security product installed from NetQin, which could only remove Fei Liu if the user paid an aditional US$2.

Chien said: "While we continue to see malicious Android applications, additional advances in the mobile technology space that allows greater monetization are likely required before malicious Android applications reach parity with Windows."

Investigators had speculated that NetQin was colluding with Fei Liu to generate revenue on the removal of a product they created. NetQin, however, later issued a statement denying the allegations and said it had submitted the Fei Liu software to be tested by China's State Information Center Software Testing Center. It said the national certification organization confirmed the software met all testing requirements and contained "none of the malicious functions previously alleged".