Does polymorphic Android malware signal escalating mobile security war?

By | February 06, 2012

Posted in: Network Security Trends

We don’t want to overplay the rise of mobile device malware — Security Bistro bloggers have been posting on mobile security issues quite a bit. That being said, new Symantec research that reveals the use of server-side polymorphism in malicious Android applications is yet another indication cyber criminals are getting more serious about smart phones as an attack vector, and their expectation that users will install antimalware software to protect their devices.

Symantec reports they have seen the technique in malicious Droid apps hosted on Russian websites. Polymorphism has long been used to evade signature-based detection on PCs, with no little success. Server-side polymorphic techniques create a new version of the malware each time it is downloaded, so no two downloads share a file hash. The combination of these mechanisms, sophisticated obfuscation and the sheer volume of unique malware samples — tens of millions annually — has rendered client-based antimalware far less effective than it was just a few years ago.
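To make the detection problem concrete, here is an added illustration (not Symantec's code and not Android.Opfake) of why per-download polymorphism defeats hash-based signatures while a detector keyed on behaviour-relevant features does not. The "APK" is a constructed text stand-in with a manifest-like permission list and a tell-tale string; the variant generator only renames an identifier and appends junk, which is all a polymorphic server needs to change every file hash.

```python
"""Hash signatures vs. feature signatures against per-download variants.
Added example: samples, feature set and variant logic are all constructed."""
import hashlib
import random
import re

# Constructed stand-in for an APK: manifest-style lines plus a few strings
# that would come from the code. A real detector parses the binary APK.
BASE_SAMPLE = """\
package=com.example.constructed
permission=android.permission.SEND_SMS
permission=android.permission.RECEIVE_SMS
class=Main
string=premium-number-list
"""


def make_variant(seed: int) -> str:
    """Simulate what a server-side polymorphic download does to each copy:
    rename a class and append junk so every download hashes differently.
    The behaviour-relevant parts (permissions, key strings) are untouched."""
    rng = random.Random(seed)
    new_class = "C" + "".join(rng.choice("abcdef0123456789") for _ in range(8))
    junk = "junk=" + "".join(rng.choice("xyz") for _ in range(12)) + "\n"
    return BASE_SAMPLE.replace("class=Main", f"class={new_class}") + junk


def sha256(blob: str) -> str:
    return hashlib.sha256(blob.encode()).hexdigest()


def hash_signature_match(blob: str, known_hashes: set) -> bool:
    """Classic signature check: is this exact file already known?"""
    return sha256(blob) in known_hashes


def extract_features(blob: str) -> frozenset:
    """Keep only fields the author cannot change without changing behaviour:
    requested permissions and a (constructed) tell-tale string."""
    perms = re.findall(r"^permission=(\S+)$", blob, re.M)
    strings = re.findall(r"^string=(\S+)$", blob, re.M)
    return frozenset(("perm", p) for p in perms) | frozenset(("str", s) for s in strings)


# Constructed feature signature: both SMS permissions plus the tell-tale string.
FEATURE_SIGNATURE = frozenset({
    ("perm", "android.permission.SEND_SMS"),
    ("perm", "android.permission.RECEIVE_SMS"),
    ("str", "premium-number-list"),
})


def feature_match(blob: str) -> bool:
    """Feature-based check: does the sample carry the invariant fingerprint?"""
    return FEATURE_SIGNATURE <= extract_features(blob)


def compare_detectors(n_known: int = 3, n_fresh: int = 20) -> dict:
    """Build the hash blocklist from n_known downloads, then test both
    detectors on n_fresh downloads the blocklist has never seen."""
    known = {sha256(make_variant(i)) for i in range(n_known)}
    fresh = [make_variant(1000 + i) for i in range(n_fresh)]
    return {
        "hash_hits": sum(hash_signature_match(v, known) for v in fresh),
        "feature_hits": sum(feature_match(v) for v in fresh),
        "distinct_hashes": len({sha256(v) for v in fresh}),
    }


if __name__ == "__main__":
    print(compare_detectors())
```

With the defaults, every one of the 20 fresh downloads has a distinct hash, the hash blocklist catches none of them, and the feature signature catches all 20. This is the gap the post describes: a client-side product that only ships file hashes is always one download behind, whereas detection keyed on permissions, code structure or runtime behaviour has to be evaded by actually changing what the app does.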

By comparison, new smart phone malware specimens number in the hundreds. Nevertheless, the Symantec news indicates that the cat-and-mouse (or virus-and-exterminator) game between malware creators and security vendors is moving into the mobile market. Security experts have predicted that mobile will become a significant attack vector when both the number of smart phones and their use for business applications, online banking etc. reach critical mass.

The other inhibitor has been the fragmentation among mobile operating systems, in contrast with PCs, which are dominated by highly vulnerable Windows OSes. Now, with the rise in popularity of Android phones and the wide open Droid application environment, mobile security is on many companies’ agenda.

The variants discussed are detected as Android.Opfake, and purport to be free versions of the Android OS. The malicious Android application is changed automatically in several ways with each download, and manually every few days, which indicates, Symantec says, that the authors are actively maintaining Opfake.

Symantec says its mobile security software detects all the variants. The question for enterprises is how effective our defenses will be when — and to what scale — the war for smart phones escalates. The problem is exacerbated by the overwhelming trend to bring your own device (BYOD) into the workplace, as enterprises wrestle with how to manage and secure all those personally owned smart phones and tablets.
