Mobile Malware State of Play
By Adam Bridge and Scott Lester, 18 Nov. 2016
For a while we've been suggesting to our colleagues that mobile malware is not being dealt with as maturely as is desktop malware. Anecdotally, it seems like a lot of organisations - from both the corporate and government sectors - all of whom have a well-established process for dealing with suspected malware on a laptop, would baulk at what to do with a phone that might have been compromised.
We're likely not alone in this opinion; for example CheckPoint say that: "...the tools, skills and knowledge used in the world of PC malware haven’t fully evolved to serve these analysts when it comes to mobile malware".
This seems a little baffling for a number of reasons: mobiles are ubiquitous, many applications are largely moving from desktop to mobile, and the mobile security testing community is very mature. Many of our customers are using Mobile Device Management (MDM) solutions, and we evaluate a lot of mobile apps to check their security, but the end-goal is typically to protect the corporate infrastructure that the phone is connected to, rather than the device and its data.
Is it down to a perceived lack of threat? If so, is the threat to mobile devices any less real than that to desktops and servers? When we started writing this blog, the weekly submission stats for the VirusTotal scanning service counted 467,400 Android submissions (plus 20,700 Java bytecode), and 54,013 Mach-O submissions. And even 5,100 Symbian submissions. So the threats are out there; but how prevalent are they, and what do we know about them?
This blog tries to provide an overview of the state of mobile malware: how much of it is there, how does it infect a phone, and what does it do upon infection?
This Kaspersky article provides a good overview of the trends and new developments in mobile malware for 2015. Most of the general stats are getting worse, and ransomware in particular seems to be a growing trend. If we take the UK as an example, ransomware has gone from 2.6% of the reported malware found in 2014/15 to 16.13% in 2015/16. Whilst iOS does very well in comparison to Android for all of the statistics, it too is seeing an increase in malware, with  showing that in 2015 the number of malicious programs for iOS more than doubled, compared to 2014.
There are a number of ways a phone could be compromised by mobile malware, for example by installation from a legitimate or illegitimate source; from being plugged in to an infected computer; by tricking the user into installing it; or from content added to social networking or web browsing traffic.
All of the legitimate app stores check apps before publishing to see if they contain malware, but malware writers are well aware of how to defeat some of the checks, for example by putting a time delay into some malicious functionality, or by checking whether it's running on a Google-owned IP. Indeed, malicious apps do get through: ZergHelper made it into the Apple Store, and BrainTest got up to a million downloads from the Google Play Store.
One of the big dangers for Android in particular is a malicious application that is designed to look like a legitimate app, or is even a repackaged malicious version of an existing app. This can be done to steal revenue (from purchases or from advertising) from the legitimate app, to trick the user into installing the malicious app, or both. One 2012 piece of academic analysis into categorising Android malware found that for "1260 malware samples, we find that 1083 of them (or 86.0%) are repackaged versions of legitimate applications with malicious payloads". These repackaged applications can be commonly found in third-party marketplaces, representing 5% - 13% of the apps in six marketplaces tested in another piece of research. It's even happened to Pokemon Go already.
Alternatively, these repackaged apps can be spread via file-sharing websites, social networks, or in mass-mailed SMS containing links to malicious websites. All of these delivery mechanisms require the user to at least accept an application install.
Some malware, such as the iOS malware Yispecter, can be installed by sophisticated means such as DNS hijacking and the introduction of malicious popups into the browsing of otherwise legitimate websites at the ISP level. It is also spread from an infected PC, as are other infamous malware such as Wirelurker and SnapPea, which suggests that desktop and mobile security should be considered together.
All of the above examples describe apps that are designed to be malicious from the start, which makes XCodeGhost an even more interesting example, in that it was a malicious version of Apple’s XCode tool, which is used to write and build iOS applications. Again distributed via file-sharing websites, it came with a modified linker that included malicious content in an otherwise legitimate application. Estimates of how many applications were affected vary between the low hundreds and the many thousands.
Infection can have the most serious of consequences, due to the level of access that malware can achieve. One of the studies into Android malware mentioned above found that "among 1260 samples in our dataset, 463 of them (36.7%) embed at least one root exploit". It’s likely worse than that; some recent malware comes packaged with multiple root exploits, meaning it can likely get root on most modern Android devices. Given root, you can realistically do what you want to a phone, which is why many MDMs check whether a device has been rooted.
One trend seems to be the increase of malware that seeks to steal banking information, or to create false transactions. Kaspersky has documented this; in their analysis they say "…mobile trojans targeting user bank accounts continue to develop – in 2015, we detected 7,030 new mobile banking Trojans".
As mentioned earlier, mobile ransomware also seems to be on the rise. Like its desktop equivalent, mobile ransomware seeks to take over the device, or to lock out the user, until a ransom is paid. Whilst there are no doubt technical means to remove the ransomware, as with desktops it should at least serve as a reminder to back up your data.
Kaspersky say that "nearly half of the top 20 Trojans in 2015 were malicious programs displaying intrusive advertising on mobile devices". Compared to losing your online banking credentials or money to a fraudulent transaction, stolen advertising revenue might not sound that bad. However, adverts that pop up constantly and have to be clicked to dismiss them are going to be disruptive and annoying. Plus, who knows what this money is being used for; it could be funding other criminal activities. And we're talking about a lot of money: the recent Hummingbad malware "generates $300,000 a month...in fraudulent advertising revenue" by forcing the user to click on pop-up adverts.
At Context we carry out investigations on potentially compromised customer devices. We're approached typically for one of two reasons: because a customer has a perceived threat that someone is likely to attack or has attacked their phone or mobile device, or because of a perceived change in the behaviour of the device itself. Some incidents are certainly going to be false alarms; the problem, as with any intrusion investigation, is in trying to prove definitively that a device hasn't been compromised.
But what is the systematic approach to detection? Can there be one? It's great if a user reports a device behaving oddly, but how could, for example, a SOC detect a compromised phone on their network?
As with any kind of suspicious or malicious behaviour detection within an estate, we have to look for known-bad, unexpected behaviour, or the absence of expected-good. The challenge of course is identifying the known bad, detecting unusual behaviour and knowing your systems well enough to know when something that should be there, isn't.
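The three questions above applied to DNS queries seen from phones on a corporate network, as an added example that is not part of the original post. The log records, domain names, baseline and MDM check-in host are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: (device, minutes into a 120-minute window, domain queried).
DNS_LOG = [
    ("phone-a", 1, "mdm.corp.example"),
    ("phone-a", 5, "mail.corp.example"),
    ("phone-a", 61, "mdm.corp.example"),
    ("phone-b", 2, "mdm.corp.example"),
    ("phone-b", 9, "updates.bad-cdn.example"),
    ("phone-b", 15, "x9f3k2.dyn.example"),
    ("phone-c", 4, "mail.corp.example"),
]
KNOWN_BAD = {"updates.bad-cdn.example"}               # hypothetical threat-intel entry
BASELINE = {"mdm.corp.example", "mail.corp.example"}  # hypothetical estate baseline
EXPECTED_GOOD = "mdm.corp.example"                    # hypothetical MDM check-in host
MAX_GAP = 90      # minutes a managed phone may go without an MDM check-in
WINDOW_END = 120  # minute at which the log window closes


def triage(log, window_end=WINDOW_END):
    """Return {device: set of findings} for the three detection questions."""
    findings = defaultdict(set)
    last_checkin = {}
    for device, minute, domain in log:
        findings[device]  # register the device even if nothing is flagged
        if domain in KNOWN_BAD:
            findings[device].add("known-bad")
        elif domain not in BASELINE:
            findings[device].add("unexpected")
        if domain == EXPECTED_GOOD:
            last_checkin[device] = max(minute, last_checkin.get(device, minute))
    for device, flags in findings.items():
        last = last_checkin.get(device)
        # Absence of expected-good: no check-in at all, or none recently enough.
        if last is None or window_end - last > MAX_GAP:
            flags.add("missing-expected-good")
    return dict(findings)


if __name__ == "__main__":
    for device, flags in sorted(triage(DNS_LOG).items()):
        print(device, sorted(flags) or "nothing flagged")
```

In this sample, phone-c never queries anything bad, so only the missing check-in makes it visible.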
So what can you do to prevent malware on your mobile device, or on devices that you are responsible for? As ever, there are technical and behavioural steps to take. Whilst we could likely fill a whole blog on securing mobile devices, here are some high-level steps.
Standard infosec best practice applies as much to mobiles as it does to everything else; stick to the principle of least privilege (you don't *really* need to root it, do you?), don't click on links you weren't expecting, enable full disk encryption if it's not on by default, don't connect to unknown networks, steer clear of installing applications from untrusted sources, and keep the security settings that protect you from unorthodox application installs turned on.
For corporate devices, be they company-owned or BYOD, implement a reasonable MDM policy that protects against the above-mentioned threats (see our advice on Enterprise Mobile Management from another recent blog).
For individuals against whom there might be a greater threat there are extra measures they could take when visiting high-risk countries or events: consider taking a disposable phone with limited applications and accounts, or at least turn off the data connections.
Mobile Malware Investigations
There are a number of approaches to investigate a potentially compromised device. As with any investigation, proving beyond doubt the absence of malware is hard. So instead you have to cover as many angles as possible in the time allowed. We're not going to cover them all here, but you could, for example, run the anti-virus scanner in a mobile forensic tool (the industry-standard mobile forensics tool, Cellebrite, includes a virus scanner), you could manually analyse all of the applications on a phone statically or dynamically, or you could treat the phone as a black box and analyse the traffic going in and out of it.
One obvious indication that an application might be malicious is the certificate that was used to sign it - iOS and Android applications shouldn't be signed with development or debug certificates, and few iOS applications are legitimately signed with an enterprise certificate (see  for examples of enterprise certificate signed malware).
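One way to automate the signing checks described above, as an added example rather than Context's own tooling: it flags Android signers that use the SDK's debug identity in the text printed by `apksigner verify --print-certs`, and classifies an iOS `embedded.mobileprovision` as enterprise or development. The sample inputs are constructed, and neither function verifies the signature itself.

```python
import plistlib
import re

# Subject DN of the key the Android SDK auto-generates for debug builds.
DEBUG_DN = "CN=Android Debug, O=Android, C=US"
SIGNER_RE = re.compile(r"^Signer #(\d+) certificate DN: (.+)$", re.M)


def _dn_parts(dn):
    """Normalise a DN so spacing and component order do not matter."""
    return sorted(part.strip() for part in dn.split(","))


def android_debug_signers(apksigner_output):
    """Return the signer numbers whose certificate DN is the debug identity."""
    return [int(num) for num, dn in SIGNER_RE.findall(apksigner_output)
            if _dn_parts(dn) == _dn_parts(DEBUG_DN)]


def ios_profile_kind(mobileprovision):
    """Classify a provisioning profile as enterprise, development or other.

    The profile is an XML plist inside a signed (CMS) wrapper, so the plist
    is cut out by its XML markers before parsing.
    """
    start = mobileprovision.find(b"<?xml")
    end = mobileprovision.find(b"</plist>")
    if start < 0 or end < start:
        raise ValueError("no embedded plist found")
    profile = plistlib.loads(mobileprovision[start:end + len(b"</plist>")])
    if profile.get("ProvisionsAllDevices"):            # in-house (enterprise) profile
        return "enterprise"
    if profile.get("Entitlements", {}).get("get-task-allow"):  # debuggable build
        return "development"
    return "other"


# Constructed sample inputs (not taken from a real app).
SAMPLE_APKSIGNER = (
    "Signer #1 certificate DN: CN=Android Debug, O=Android, C=US\n"
    "Signer #1 certificate SHA-256 digest: <placeholder>\n"
)
SAMPLE_PROFILE = b"\x30\x82\x01\x00" + plistlib.dumps(
    {"Name": "Example In-House", "ProvisionsAllDevices": True,
     "Entitlements": {"get-task-allow": False}}) + b"\x00\x01signature"

if __name__ == "__main__":
    print("debug-signed by signer(s):", android_debug_signers(SAMPLE_APKSIGNER))
    print("iOS profile kind:", ios_profile_kind(SAMPLE_PROFILE))
```

An "enterprise" result is a prompt to check whether the organisation actually issued that profile, since some in-house apps are legitimate.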
Contact and Follow Up
Adam works in Context's Response team in our Cheltenham office; Scott's a researcher in the London office. Both have spent some of their previous careers doing mobile forensics for one reason or another. See the contact page for ways to get in touch.