At the end of last year we released our predictions for 2013; chief among them was the eye-catching assertion that mobile malware would hit the 1 million mark by the end of the year. At the time, it may have been tempting to dismiss this prediction as a marketing stunt, however the facts and the figures are unfortunately bearing out the truth of this prediction. By the end of the first quarter, we were already over halfway there and by the end of June we counted 718,000 malicious and high risk Android apps in our collection.
If you consider these figures, it’s easy to see that the cess-pool of Android malware isn’t only growing, it’s accelerating. In only six months, the number of Android malware increased by 350,000 a number that it originally took 3 years to reach.
Until now the majority of apps still come packaged as Trojans and focus on the abuse of premium rate services to turn a coin for the criminal and are still delivered via app store environments. The evolution of exploit kits to deliver malware to mobile platforms has yet to appear, however the discovery of the so-called “master-key” vulnerability which meant that installed legitimate apps could be invisibly subverted by an attacker, and the OBAD malware which also leveraged a vulnerability to get root and admin on an Android device have continued to raise the stakes inexorably. It took only weeks for the “master-key” vulnerability to move from proof of concept to reality.
The ongoing and historical fragmentation in the Android user base has unfortunately become a fact of life which means vulnerabilities or lack of security features for a large percentage of users, vulnerabilities which will likely never be fixed. The major problem is the lack of a centralised means of providing critical security fixes for all versions of operating systems and this is something that should be resolved with all speed. Right now the responsibility for distributing updates lies primarily with handset manufacturers and carriers, and their major motivation is often more in persuading you to buy a newer handset than in prolonging the life of your older one.
To read the full Trend Micro 2Q 2103 Security Roundup, that covers all this and much more, follow the hypertext to Mobile Threats Go Full Throttle