Protecting the irreplaceable | f-secure.com
Mobile Malware - Past and Future
Mikko Hypponen
Chief Research Officer
F-Secure
•15 February, 2010
Smartphone market shares in 2009
[Pie chart. Segments: Apple, Microsoft, Android, Palm, RIM, Symbian, Others. Percentage labels shown: 12%, 13%, 47%, 19%.]
Data source: Canalys
Mobile Security - Where are we today?
•First mobile malware found in 2004
•Now: 430 viruses, worms and trojans for mobile platforms
•Targeting the most common platforms
•No exploit-based malware, yet
•Real problems elsewhere
•Lost, broken or stolen phones
Bluetooth worm spreading patterns
•Cabir found in-the-wild from Philippines in August 2004
Singapore
UAE
China
Hong Kong
France
South Africa
China
India
Finland
Vietnam
Turkey
Russia
UK
Italy
USA
Japan
South Africa
Australia
The Netherlands
Egypt
Luxembourg
New Zealand
Switzerland
Germany
…
Skulls.D
Making Money With Trojans
Some trojans send SMS messages to premium rate numbers
•When the trojan application is executed it shows some social engineering text and either sends SMS messages directly or asks for user permission
•Case Redbrowser
How did the vendors react?
•Fixing Bluetooth
•Building mandatory signing
Mobile Signing / Certification frameworks
Symbian Signed
iPhone App Store
Palm App Catalog
BlackBerry App World
Windows Marketplace for Mobile
Android Marketplace
Flexispy
•Spying tool that monitors:
•Voice calls
•SMS messages
•Mobile email
•Phone location
•Remote audio
They cheated!
How did Flexispy get signed?
SexyView.A
•First SMS worm
•Found in February 2009
•Works on Symbian Series 60 3rd edition
•The installation file is signed
Links to:
http://www.wwqx-cyw.com/game
http://www.wwqx-sun.com/game
http://www.wwqx-mot.com/game
SexyView.D
•Found in July 2009
•Uses English SMS messages
•Downloads the message templates from the web
•First mobile botnet
iPhone
iPhone worm
Ikee
•Found on 8th of November 2009
•Written by an Australian hobbyist
•Hits jailbroken iPhones
•Uses a known ssh password
•Rickrolls the phone
Ashley Towns
iPhone worm
Duh, 22 November 2009
February 2010 iPhone patches
•CoreAudio (CVE-2010-0036): arbitrary code execution
•ImageIO (CVE-2009-2285): arbitrary code execution
•WebKit (CVE-2009-3384): arbitrary code execution
•WebKit (CVE-2009-2841): arbitrary code execution
Android Action
Banks targeted by "09droid"
Abbey Bank
Alaska USA FCU
Alliance & Leicester (v. 1.1)
Bank Atlantic
Bank of America
Bank of Queensland
Barclaycard (v. 1.1)
Barclays Bank (v. 1.2)
LloydsTSB
M&I
Mechanics Bank v.1.1
MFFCU v.1.1
Midwest
Nationwide (v. 1.1)
NatWest (v. 1.1)
Navy Federal Credit Union (v. 1.1)
PNC
BB&T
Chase
City Bank Texas
Commerce Bank
Compass Bank
Deutsche Bank
Fifty Third Bank v.1.1
First Republic Bank v.1.1
Great Florida Bank
Royal Bank of Canada
RBS v.1.1
SunTrust
TD Bank v.1.1
US Bank v.1.2
USAA v.1.1
Valley Credit Union
Wachovia Corp (v. 1.2)
Wells Fargo (v. 1.1)
Future
•More malware
•Mobile botnets
•Drive-by-exploits
•Rogue dialers
•Major outbreaks
•Mobile spam bots