The phrase “mobile malware”–how cybersecurity researchers describe the small but growing number of nasty programs designed to infect smartphones–is quickly becoming synonymous with a more specific term: “Android malware.”
According to data released Monday by the Finnish antivirus firm F-Secure, 37 of the 49 variants of malicious software targeting smartphones in the last quarter were aimed at Android devices, compared with just ten out of the 16 malware variants it found in the same quarter last year.
F-Secure’s data doesn’t necessarily show a spike in smartphone-targeted malware–it counted 52 Android malware samples in the third quarter of last year–but it does show cybercriminals narrowing their focus onto Google’s platform. But as the data at right makes clear, malware targeting Symbian’s platform is quickly waning, and insidious software targeting obscure platforms like J2ME and PocketPC have disappeared. Outside of a lab, no malware has yet infected iPhones or iPads, with just two exceptions from 2009, both of which targeted jailbroken devices that have had Apple’s strict security measures removed.
“I don’t think this is an epidemic breaking out, but we’re seeing a slow creep,” says F-Secure’s Sean Sullivan. “And Android is the spear point.”
Whether F-Secure’s numbers mean Android users should install antivirus on their phones isn’t yet clear–at least not for those that are careful only to download apps from the official Android market. The vast majority of the samples tracked by F-Secure were found in third-party app stores in China and other foreign markets. In February Google launched “Bouncer,” a malware scanning utility for its Android market that has likely made it far more difficult to sneak insidious software into Google’s official app store. (Though a pair of researchers claim they’ll explain how they’ve done it as a proof of concept at the upcoming Black Hat security conference this summer.)
According to F-Secure’s survey, most Android malware seeks to send text messages to premium numbers that charge fees to the user, though other examples it analyzed were used for banking fraud and distributed denial of service attacks. The firm saw a huge explosion in obfuscation techniques for Android malware, with 3,063 different application package files–the “shells” used to obscure a malicious app–appearing in the latest quarter versus 139 in the same quarter last year.
Given that the majority of the malware’s victims are overseas and even using modified versions of Android, F-Secure’s Sullivan says the problem is still marginal for Google, though it should teach users not to download apps outside of Google’s official Android market. “This isn’t yet a threat to the Google’s growth,” he says, “But it’s not a happy story for the consumers that get nailed by it.”