Android now 'mobile world's equivalent' of Windows for hackers

The capabilities of malware targeting the market-leading Android platform are mimicking those of Trojans that have wrung profits from Windows PC users for years, a new study shows.

With nearly an 80 percent market share, Android's mobile dominance parallels Windows in the PC world, making Google's operating system the "mobile world's equivalent," Kaspersky Lab said in its latest Threat Evolution report, released on Thursday.

The difference between Windows and Android malware is that the latter is evolving much quicker, as criminals borrow from what they learned in targeting PCs since the 1990s.

"The evolution of Android malware has gone much more quickly than the evolution of Windows malware," Roel Schouwenberg, a senior researcher for Kaspersky Lab, told CSOonline.

The peak in Android malware development so far was Backdoor.AndroidOS.Obad.a, which Kaspersky labeled in June as the most sophisticated mobile Trojan to date. Capabilities included opening a backdoor for downloading files, stealing information about the phone and its apps, sending SMS messages to premium rate numbers and spreading malware via Bluetooth.

Obad also reached new heights in its use of encryption and code obfuscation to thwart analysis efforts. In addition, it exploited three previously unknown Android vulnerabilities.

Looking at Obad overall, Kaspersky determined that the Trojan looked more like Windows malware than the typical Android program.

The vast majority of malware written today still targets the much more profitable Windows PC. Nevertheless, the rising number of malicious code samples indicated there is a new generation of developers working hard on breaking into smartphones, which surpassed PCs in shipments in 2011.

"That's where they believe the future is, and the future is there," Schouwenberg said.

[Also see: New malware shows Android has a target on its back]

In the first half of this year, the number of malicious code samples collected by Kaspersky broke 100,000 for the first time. For all of 2012, the security vendor collected about 76,000 samples.

Nevertheless, infection rates remain very low. For example, in watching Obad over a three-day period in June, Kaspersky found that attempts to install the malware reached only 0.15% of all infection tries by programs.

Part of the reason for the low infection rate overall is a paucity of channels for distributing malware. Most infections today occur through downloading malicious code tucked in an app found in an online app store, other than the official Google Play store.

Most of the users of those third-party stores are in Asia and Russia. In the U.S., smartphone users favor Google Play, which scans for malware.

The infection rate is expected to rise as other distribution methods evolve. Spam carrying links to malicious web sites is often used today and is expected to increase.

In addition, Kaspersky is seeing an increasing number of ads in mobile apps pointing to malicious sites. The vendor has also found a handful of sites with the popular Blackhole exploit kit, modified to download malware when the visitor is using an Android device.

Another troubling trend is the type of mobile malware discovered in the wild. While Trojans that send SMS messages to premium numbers account for the majority of smartphone infections, Kaspersky collects more mobile malware with backdoors for connecting to command and control servers.

"As soon as backdoors and Trojan downloaders come into play, that's when you realize these guys are trying to do something that's a little bit more sophisticated," Schouwenberg said.

Read more about wireless/mobile security in CSOonline's Wireless/Mobile Security section.