Android Is Best for Malware; Apple iOS Gets Phished Instead

The malware market reached a weird little milestone this week, with the list of known malware and high-risk applications for Android devices passing the 1 million mark.

The number emphasizes (if any enterprise infrastructure specialists ever doubted it) that smartphones and tablets flooding corporations via BYOD programs, as well as the wireless infrastructures built to support them, have become the entry point of choice for attackers. Malware and phishing techniques can be used to build botnets from vulnerable mobile devices, or steal confidential personal or corporate information.

There are currently 857,142 legitimate apps available for Android, according to AppBrain: that’s 142,758 fewer than the number of malicious apps.

The score beats, by three months, the Dec. 13 prediction by Trend Micro security analysts that the number of bad apps aimed at Android would triple during 2013, up from the 350,000 they counted at the end of 2012. The number hit 718,000 by the Aug. 6 publication of Trend Micro’s quarterly security roundup before rushing to the million mark three months early, according to a Trend Micro report published Sept. 30.

Trend Micro analysts estimated that 75 percent of the million bad apps “perform outright malicious routines” while the other quarter run “dubious routines” such as aggressive displays of advertising. The most common were FAKEINST (34 percent) and OPFAKE (30 percent), Trojans that pose as legitimate apps to lure users into installing them. OPFAKE often poses as part of the WhatsApp application; FAKEINST often includes a fetish video as a draw, but has also been circulated with a fake version of the game Bad Piggies, according to Trend Micro.

Among high-risk applications, the adware and infostealers ARPUSH and LEADBOLT were the leaders, with 33 percent and 27 percent of the total volume of bad apps, the report showed.

Analysts also noted strong growth in attacks on mobile banking applications, especially spoofing and info-stealing malware such as FAKEBANK and FAKETOKEN.

FAKEBANK hides behind the Google Play icon after installing itself, and replaces parts of legitimate mobile-bank application files with its own information. Then it lies low until the user logs into a bank, at which time it swipes account information, call logs and text messages, according to Trend Micro.

Though most malware used to directly steal data from end users is aimed at their own banking or other financial information, there is a large contingent of mobile malware that uses an initial breach to collect data on corporate network structures it can use to penetrate further or steal data directly, according to a Trend Micro update on data exfiltration published Sept. 23.

While Android is the target platform of choice for malware writers, mobile devices from Apple have become a prime target for phishing attacks that aim primarily to capture Apple ID login information or iCloud authentication, or to present “social-engineering bait” that would allow attackers to talk end users directly into providing sensitive information.

Despite efforts to educate users and filter phishing attempts out of email streams, phishing and spear-phishing remain the most effective techniques to penetrate corporate security.

In a study published Sept. 30, psychology researchers at Polytechnic Institute of New York University found that 17 percent of a population of tech-savvy students fell for phishing schemes created by fellow students as part of a study designed to identify the personality characteristics most likely to cause end users to be susceptible to attempts at phishing.

Personality characteristics identified most often with those who fell for the scam were irrational thinking and negative feelings including guilt, sadness, anger or fear. The scam promised prizes from a lottery to those willing to share personal information.

There was no correlation between the students’ level of awareness of computer security and their likelihood to fall for phishing schemes, indicating that direct education about security practices or threats may not be an effective approach to minimize attacks based on personal behavior rather than electronic security flaws.