Marketers frequently discuss the benefits of market leadership – the ability to charge premium pricing, attract the best talent, retain customers – and the like. Today, there is a new metric: if you develop operating systems, applications and other kinds of software, if someone isn’t trying to hack your work, then you must not be a market leader.
Android developers are discovering the downside of their new-found popularity. McAfee’s Third Quarter Threats Report notes that Android malware samples by quarter rose from just over 20 million in Q1 2011 to approximately 60 million in Q2 and more than 90 million in Q3. Oh, that my stock portfolio should show such growth!
There are several layers of interesting information here, covered well by GigaOm’s Ryan Kim in August. First, that hackers are shifting their focus to mobile platforms - clearly where the action is today in terms of innovation and rapid subscriber growth. In addition, Android’s app store lacks the strong oversight that reduces malware threats in Apple’s App Store, and allows users to sideload apps.
Earlier this month, Microsoft urged Android owners to share their Android-related malware issues, entering those who responded into a contest to win a new Nokia Windows smartphone. Smart ploy or cheap gimmick? Well, with just 2 percent of the U.S. smartphone market, Microsoft has little to lose.
Eric Chien, Symantec’s Technical Director of Security Response, describes in an October white paper seven schemes attackers commonly use malware for against Android subscribers:
- Premium Rate Number Billing – Attackers set up and register premium-rate numbers, which can charge up to $50 per message, with the revenues split among the attacker, the carrier and the SMS aggregator. The attacker then creates an app and releases it on the Android Market. Users download the app, which periodically sends SMS messages to the premium-rate number.
- Spyware – Attackers will take advantage of the many Android apps that allow someone to track smart device users. Attackers purchase one of these apps and then gain physical access to the phone. The attacker doesn’t directly make money in this approach, but the spyware vendor does.
- Search Engine Poisoning – Many search engines rank or recommend websites by tracking user visit rates. Smart device users may customize this monitoring based on their interests. Attackers will set up malicious apps that initiate multiple requests to these sites, poisoning the hit rates monitored by the search engines. By raising their search rank, attackers can generate revenue through pay-per-view or pay-per-click ads.
- Pay-per-Click – Many services, such as advertising networks, pay every time an affiliate or partner site refers a user to a website. Attackers will use malicious apps to generate artificial visits and receive a few cents per click.
- Pay-per-Install – Legitimate distribution marketplaces will host apps for download and charge vendors based on the number of downloads and installs by subscribers. To date, the report notes, Symantec has not seen attackers use pay-per-install schemes to generate revenue, but it has seen threats that install new applications.
- Adware – Many mobile advertising networks pay content providers by view and click, which can average $1-2 per thousand impressions. Attackers have repackaged or cloned popular legitimate games and included a mobile ad library registered to the attacker. Every time the app is used and ads are displayed, the attacker generates money.
- mTAN Stealing – When using an online bank account, some banks require additional credentials to be sent out-of-band to avoid man-in-the-middle attacks. This can sometimes include the bank sending a random mobile Transaction Authentication Number (mTAN) to a previously registered mobile phone number. To intercept this number, the attacker’s malware must be installed on that phone.
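Several of the schemes above leave a footprint in an app’s manifest before any code runs: premium-rate billing needs permission to send SMS, mTAN theft needs permission to receive it, and a repackaged game has no business asking for either. The following triage script is an added example written for this post (it is not Symantec’s tooling or anything from the white paper) and shows how a store reviewer or an analyst might flag those permission combinations. The mapping of permissions to schemes, the per-category baselines and the two sample manifests are assumptions constructed for the example; the permission names themselves are real Android permissions.

```python
"""Triage AndroidManifest.xml files for permission patterns that match the
monetization schemes discussed above (constructed example, not vendor code)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Permission sets that enable each scheme. An app matches a scheme only when it
# requests *every* permission in the set. This mapping is an assumption made for
# the example; tune it against your own sample corpus.
SCHEME_RULES = {
    "premium-rate SMS billing": {"android.permission.SEND_SMS"},
    "mTAN interception": {"android.permission.RECEIVE_SMS"},
    "spyware (location/contacts exfiltration)": {
        "android.permission.ACCESS_FINE_LOCATION",
        "android.permission.READ_CONTACTS",
        "android.permission.INTERNET",
    },
}

# Permissions a well-behaved app in each store category plausibly needs.
# Anything outside the baseline is worth a closer look (assumed baselines).
CATEGORY_BASELINE = {
    "game": {
        "android.permission.INTERNET",
        "android.permission.VIBRATE",
        "android.permission.ACCESS_NETWORK_STATE",
    },
    "messaging": {
        "android.permission.INTERNET",
        "android.permission.SEND_SMS",
        "android.permission.RECEIVE_SMS",
        "android.permission.READ_CONTACTS",
    },
}


def declared_permissions(manifest_xml):
    """Return the set of permission names a manifest requests.

    Raises ValueError for malformed XML so a broken or deliberately mangled
    manifest is reported instead of silently scoring as 'no permissions'.
    """
    try:
        root = ET.fromstring(manifest_xml)
    except ET.ParseError as exc:
        raise ValueError("manifest is not well-formed XML: %s" % exc)
    return {
        el.get(NAME_ATTR)
        for el in root.iter("uses-permission")
        if el.get(NAME_ATTR)
    }


def flag_schemes(manifest_xml):
    """Map each matched scheme to the (sorted) permissions that triggered it."""
    perms = declared_permissions(manifest_xml)
    return {
        scheme: sorted(needed)
        for scheme, needed in SCHEME_RULES.items()
        if needed <= perms
    }


def unexpected_permissions(manifest_xml, category):
    """Permissions the app requests that fall outside its category baseline."""
    perms = declared_permissions(manifest_xml)
    return sorted(perms - CATEGORY_BASELINE.get(category, set()))


# Constructed sample manifests: a cloned game that sends and receives SMS,
# and a benign game that only needs the network and vibration.
SUSPECT_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.repackaged.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="Free Game"/>
</manifest>"""

BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.honest.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <application android:label="Honest Game"/>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, "schemes:", flag_schemes(manifest))
        print(label, "outside game baseline:", unexpected_permissions(manifest, "game"))
```

Run as-is it reports the cloned game as matching both the premium-rate billing and mTAN interception patterns and lists SEND_SMS and RECEIVE_SMS as outside the game baseline, while the benign game triggers nothing. The check is a triage filter, not a verdict: a legitimate messaging app matches the same SMS rules, which is why the category baseline is consulted alongside the scheme rules.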
As Android popularity continues to grow, attackers will continuously find new ways to monetize malware schemes. This is why Google needs to work in concert with Android developers to combat the malicious efforts of these attackers. Google should establish requirements for higher quality and have the Android Market scrutinize applications more closely for structural quality (any scrutiny at all would be a nice start) before making an application available.
The developers themselves, the legitimate ones at least, would likely welcome such scrutiny. They should embrace such a vetting process as a sort of third-party corroboration of their application’s security and structural quality, which could be a competitive differentiator.
By establishing standards for application software structural quality, mobile app stores like Android Market would certainly foster a growth of application integrity among developers by frequently assessing and improving how their code is designed and implemented.
Granted, quality software won’t absolutely prevent attackers from plying their malicious trade, but much like the car thief who targets unlocked cars first, it may slow them down enough that they find another app to hack in place of yours.