Android malware samples jump six-fold in Q2


Summary: Malware samples, which consist mostly of mobile spyware, rocketed to over 120,000 last month within the space of three months. The OS's application signing shows further weakness, according to a study by Alcatel-Lucent's Kindsight Security Labs.

By Ellyne Phneah | July 24, 2013 -- 09:02 GMT (02:02 PDT)

The number of Android malware samples has grown six-fold over the past quarter, and loopholes have been found in Android application signing that enable malware to easily enter devices.

Alcatel-Lucent's Kindsight Security Labs Malware Quarterly Report, released Wednesday, showed the number of Android malware samples had exceeded 120,000 in June 2013, a sharp increase compared to around 20,000 samples in March 2013.

Overall, 0.52 percent of devices were infected with high threat level malware, a slight increase from 0.5 percent last quarter. The majority of infected devices are either Android phones or Windows laptops tethered to a phone or connected directly through a mobile USB stick or Mi-Fi hub.

The number of infected Android devices is also starting to dominate the total number of infected mobile devices.


Android malware samples growth from July 2012 to June 2013 (Source: Alcatel-Lucent)


Mobile device infection rate from January to June 2013 (Source: Alcatel-Lucent)

According to the report, the major infection vector is Trojanized apps distributed from the Google Play Store, legitimate third-party app stores or "shadier" app stores specializing in pirated applications. While Google Play has made efforts to scan for and remove any apps containing malware, many of the third-party app stores have not checked for apps containing malware.

Most mobile threats detected belong to the spyware category, and this poses a large threat to organizations in the Bring Your Own Device (BYOD) era because spyware can be installed on an employee's phone for industrial or corporate espionage.

The report also found vulnerabilities in Android application signing. All Android applications need to be signed cryptographically, which can help verify the identity of the application author and ensure the application has not been tampered with, but issues exist with this model, the report noted.

While the Android operating system checks that the app has been signed, it makes no attempt to verify that the signature is legitimate and simply accepts any old signature. This allows the "signer" to put any information they want into the certificate, making it easy to make pirated copies of applications with Trojan services injected into them.

The digital signature is also checked only during the installation process, not when the application is running. The report cited Bluebox Security, which found it is possible to modify the APK file of an existing application without the system raising an alarm, allowing the attacker to inject malicious code into existing applications.
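Because the signature is checked only at install time, a defender can re-check an APK's contents against its own manifest afterwards. The sketch below is an added example, not code from the report or from Android; `audit_apk`, `parse_manifest`, `build_apk` and the sample data are hypothetical names and constructed inputs. It assumes the JAR-style `META-INF/MANIFEST.MF` with per-entry digests and does not verify the signature over that manifest or who signed it, so a repackaged app re-signed with a different key still needs a comparison of the signing certificate against a known-good copy.

```python
import base64, hashlib, io, zipfile

SIG_SUFFIXES = (".MF", ".SF", ".RSA", ".DSA", ".EC")  # signing metadata, not listed in the manifest

def b64_digest(algo, data):
    return base64.b64encode(hashlib.new(algo, data).digest()).decode()

def parse_manifest(text):
    """Map entry name -> (hash algorithm, base64 digest) from a JAR-style MANIFEST.MF."""
    text = text.replace("\r\n", "\n").replace("\n ", "")  # undo 72-byte line wrapping
    entries = {}
    for section in text.split("\n\n"):
        attrs = dict(l.split(": ", 1) for l in section.splitlines() if ": " in l)
        key = next((k for k in attrs if k.endswith("-Digest")), None)
        if "Name" in attrs and key:  # e.g. SHA1-Digest or SHA-256-Digest
            entries[attrs["Name"]] = (key[:-7].replace("-", "").lower(), attrs[key])
    return entries

def audit_apk(apk_bytes):
    """Re-check archive contents against the manifest; return sorted (finding, entry) pairs."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        names = apk.namelist()
        manifest = parse_manifest(apk.read("META-INF/MANIFEST.MF").decode("utf-8"))
        # The same name twice is ambiguous: parsers may disagree on which copy is used.
        findings = [("duplicate-entry", n) for n in set(names) if names.count(n) > 1]
        for name in set(names):
            if name.endswith("/") or (name.startswith("META-INF/") and name.endswith(SIG_SUFFIXES)):
                continue
            if name not in manifest:
                findings.append(("unlisted-entry", name))
            elif b64_digest(manifest[name][0], apk.read(name)) != manifest[name][1]:
                findings.append(("digest-mismatch", name))
        findings += [("missing-entry", n) for n in manifest if n not in names]
    return sorted(findings)

def build_apk(files, listed):
    """Constructed sample input: zip `files` (name -> bytes) with a manifest over `listed`."""
    mf = "Manifest-Version: 1.0\r\n\r\n" + "".join(
        f"Name: {n}\r\nSHA1-Digest: {b64_digest('sha1', d)}\r\n\r\n" for n, d in listed.items())
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", mf)
        for n, d in files.items():
            z.writestr(n, d)
    return buf.getvalue()

# Constructed data: the manifest describes ORIGINAL, the archive holds TAMPERED.
ORIGINAL = {"classes.dex": b"constructed original code", "res/icon.png": b"constructed icon"}
TAMPERED = {**ORIGINAL, "classes.dex": b"constructed modified code", "lib/extra.so": b"added"}
if __name__ == "__main__": print(audit_apk(build_apk(TAMPERED, ORIGINAL)))
```
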

Rise of home networks infected with malware

In terms of fixed broadband deployments in Q2 this year, 10 percent of residential households also showed evidence of malware infection, an increase from 9 percent last quarter.

Of these, 6 percent of households were infected by high threat level malware such as a botnet, rootkit or banking Trojan, while 5 percent of households were infected with moderate threat level malware such as spyware, browser hijackers or adware. Some households had multiple infections, including both high and moderate threat level infections.


Home networks infected with malware and the division of infection by threat level in Q2 2013 (Source: Alcatel-Lucent)

The ZeroAccess Bot remains the most common malware threat in Q2, infecting about 0.8 percent of broadband users. It uses rootkit technology to conceal its presence while downloading additional malware used in large-scale ad-click fraud. This can cost Internet advertisers millions of dollars and, when aggregated over a month, it can be quite significant for the user.