Every year for the past decade, the security industry has predicted a flood of mobile malware. However, only a trickle of such malware has emerged. Technology writer Dene Mackenzie reviews the latest Symantec Security Response.
Internet security firms are starting to take notice of the threat mobile users face from malware as Android phones and tablets become more widespread.
Symantec security response technical director Eric Chen says three factors are needed for an increase of mobile malware to occur: an open platform, a ubiquitous platform and attacker motivation - which is usually monetary.
"The first has been fulfilled most recently with the advent of Android. It is probably also the most likely open platform to achieve the second condition of becoming ubiquitous."
Given that Android was now the most prolific smartphone operating system, the continued rise in market share seemed all but inevitable, Mr Chen said.
The most uncertain condition was the third, an ability to make money through malware.
Symantec had prepared a research paper looking at some of the money-making schemes thought likely to appear in the future.
Only if those schemes succeeded did Symantec expect attackers to continue to invest in the creation of Android malware, he said.
Premium rate number billing: Attackers set up and register a premium-rate number. Typically, these are short codes, which are shorter than usual phone numbers.
Each country and carrier regulates short codes differently but usually an oversight body issues the short codes for a fee. When calling or sending an SMS to a short code, the caller is billed a premium rate above the normal cost of an SMS or phone call.
The revenue is then shared by the attacker, carrier and the SMS aggregator. Most carriers allow a premium rate of up to $10 per message but some carriers will allow charges of more than $50 per message.
Android applications can request permission to send SMS messages at installation. Once that permission is granted, messages can be sent without the user's confirmation. Sending an SMS to a premium short code causes the phone owner to incur a charge on their phone bill and generates revenue for the attacker.
An application can easily send multiple messages, inflating charges. Short codes are usually carrier- and country-specific. This means multiple short codes are needed or threats could only target specific regions.
Spyware: Multiple Android applications exist that allow someone to track and monitor a user of a mobile phone.
Applications may record and export all SMS messages, emails, call logs and GPS locations, or turn on the microphone. Typically, these applications require an attacker to purchase the application from the vendor and then gain physical access to the phone. While these applications might not generate revenue for the attacker, they generate revenue for the vendor of the spyware application.
Examples include Android.tapsnake and Spyware.Flexispy. Such applications can sell for $400 and some of them are available on the Android Market.
Android.tapsnake is an example of spyware that pretends to be just a game of Snake, and actually includes a fully functional copy of the game.
But in the background, the application is uploading the GPS co-ordinates of the device every 15 minutes. The attacker then uses another program to view the saved locations.
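A defender's triage of the permission requests behind the two schemes above, as an added example that is not part of the original article or of Symantec's paper: it reads an already-decoded AndroidManifest.xml and flags the permission combinations those schemes depend on. The sample manifest, its package name and the rule set are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Constructed sample: decoded manifest of a hypothetical game (not a real app).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.snakegame">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <application android:label="Snake"/>
</manifest>
"""

# Heuristic rules (assumptions of this example): (label, all_of, any_of).
RULES = [
    # Premium-rate billing needs only the ability to send SMS.
    ("premium-sms", {P + "SEND_SMS"}, set()),
    # Spyware needs a private data source plus a network path to upload it.
    ("data-exfiltration", {P + "INTERNET"},
     {P + "ACCESS_FINE_LOCATION", P + "ACCESS_COARSE_LOCATION",
      P + "READ_SMS", P + "READ_CALL_LOG", P + "RECORD_AUDIO"}),
]

def requested_permissions(manifest_xml):
    """Return the set of permission names declared in <uses-permission>."""
    # For untrusted manifests, prefer a hardened parser such as defusedxml.
    root = ET.fromstring(manifest_xml)
    names = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    return names - {None}

def triage(manifest_xml):
    """Return [(rule label, matching permissions)] for every rule that fires."""
    perms = requested_permissions(manifest_xml)
    findings = []
    for label, all_of, any_of in RULES:
        if all_of <= perms and (not any_of or any_of & perms):
            findings.append((label, sorted((all_of | any_of) & perms)))
    return findings

if __name__ == "__main__":
    for label, matched in triage(SAMPLE_MANIFEST):
        print(f"{label}: {', '.join(matched)}")
```

A match is a reason to review the application, not proof of malice: legitimate messaging and navigation applications request the same permissions.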
Search engine poisoning: Some search engines recommend sites or change search engine rankings by monitoring users' visit rates. The recommendations can be further customised when using a mobile version of the search site, monitoring visits explicitly by mobile users.
Malicious applications can initiate multiple requests to these sites, poisoning the hit rates monitored by the search engines.
Artificially raising their search rank allows attackers to increase visits by prospective customers or generate revenue through pay-per-view or pay-per-click advertisements shown on the site.
Mr Chen said that while those schemes had been seen in use by recent Android malware, future possibilities also existed.
Data selling was lucrative in the PC area. Stealing information such as log-in credentials and financial data was the primary motivation for PC malware.
Mobile devices provided an additional vector when devices were used as payment devices through near-field communications that allowed someone to pay for goods using their mobile devices.
"How malware may take advantage of mobile platform devices remains to be seen as this payment method is still in its infancy."
Currently, the mobile technology landscape provided some malicious opportunities to make money but none at the revenue scale achievable in Windows, Mr Chen said.