2013: Made-to-Measure Malware and the Battle Against Adware

February 20, 2014
Download Case Study


2013 was a year of changes in the world of mobile malware. Mobile threat campaigns became increasingly targeted as the criminals that operate them adapted their practices to maximize profit and operate in a less detectable way. In places where regulation is tough, they identified different ways to operate, often dropping more traditional monetization strategies like premium rate SMS fraud and leveraging “grey area” tactics that are actually legal.

Location, Location, Location

After years of iterating and incrementally changing code and tactics, in 2013 specific patterns of evolution became increasingly clear in the mobile threat industry. Forced to compete while constantly working to evade detection by law enforcement or security companies - mobile criminals started to specialize. Regulation varies from country to country. A criminal enterprise which might be highly profitable while difficult to prosecute in one part of the world is often explicitly forbidden and therefore easy to prosecute in another. This variation forces malware developers to evolve, adapting to their particular marketplace in a similar manner to the way species of animals adapt to their environment in order to survive.

Unlike countries such as Russia, China and parts of Asia, strong regulation exists in Western Europe to combat premium SMS fraud. This forces the criminals in Western Europe to employ other tactics. For example, in Western Europe “chargeware”, often built on the back of legal premium SMS services, is the primary offender. Chargeware is typically comprised of racy porn subscription apps that are intentionally very unclear about how they charge users. As a result, people often unknowingly run up huge fees or find themselves locked into services that are difficult to escape.  In 2013, hundreds of thousands of Lookout users encountered apps of this nature (an encounter rate of 13% in France and 20% in the UK). SMSCapers, one of the more prolific chargeware campaigns, first hit the market in late 2012 mostly in France and the UK, luring victims in with racy photos and a hard-to-read EULA (end user license agreement).

Adware: We’ve Made Strides, but We’re Still Fighting the Battle

Adware on the other hand is made up of aggressive, frequently malicious advertising SDK’s which are bundled into ordinary apps, often paying the developer a financial reward for their inclusion. Unlike benign advertisements which benefit the whole ecosystem by allowing developers to monetize their hard work, adware takes advantage of this relationship by stealing personal data and often spoiling user experience with occasionally disruptive, often offensive adverts. Allowed to spread unchecked, adware reached a pinnacle, spreading until it reached every corner of the globe. You are five times more likely to encounter adware than you are malware, yet often the line between the two is a difficult one to distinguish. In 2012 we published a set of guidelines, tightening the definition of what constituted adware, recommending that offending networks be flagged as hostile to the user. In September 2013, Google updated the Play Store terms and conditions, culling around 36,000 apps containing ad networks which broke the rules.

The impact was immediate.

Through Q3 2013 Adware began to fall. By late 2013 the biggest offenders, LeadBolt, and RevMob updated their advertising SDKs to be compliant with the new guidelines providing a much less intrusive experience to users.

Many advertising SDK’s are built without privacy as a priority, transmitting the data they harvest without taking any steps to protect it, such as encryption. Meaning that this often highly sensitive data is vulnerable to interception by anyone that happens to be in the right place at the right time. Once intercepted this data is then can be used to track, or even defraud its original owner. In this world where our personal phones are used in the corporate workplace, gaining unprecedented access to valuable information, it is even more important than ever before that we police advertising networks. Ensuring that they, and the apps that carry them, are built from the ground up with privacy and security in mind is the only way we will prevent criminals from adapting to this latest opportunity.

Risky Behavior Begets Other Risky Behavior

Lookout’s always saying that behavior is the best indicator of risk, in other words the risk of encountering something is highly dependent on user behavior. Once you open the mobile door to one category of infection, you are highly likely to experience a second, separate infection. Not because malware breeds more malware, but because people who download shady material once are more likely to do it again. Specifically:

  • If you’ve encountered adware once, you’re twice as likely to download an app riddled with adware a second time.
  • Having a malware trojan on your phone means you’re seven times more likely to download another app with a trojan.
  • A device with chargeware more than doubles your risk of encountering a trojan in a different app you download.
  • Your risk of downloading a trojan triples if you've already downloaded a root enabler.

In this world of made-to-measure malware, we shouldn’t be surprised that mobile criminal authors are looking to take advantage of particular patterns of behavior in order to further their cause. Just like advertisers, they strive to understand their target market and adapt their approach in order to better reach them.


Moving into 2014 we expect criminals or shady actors to continue to take advantage of the “grey area” and use people as a means to an end to pull of their schemes. New monetization methods may appear, but as long as Premium SMS fraud continues to be a successful business model in certain regions around the world, we don’t expect it to go away.

2013 was the year where we really saw the effect of diversification by region. We also saw that by an industry rallying together to stop a massive threat - aka adware - you can bring about change and reduce the overall threat. Like in life, people who regularly takes risks are more likely to get hit again. Businesses already have vast amounts of sensitive and confidential company data on mobile devices - everything from credentials to corporate network and cloud services through to customer lists and contact info. As BYOD becomes more commonplace, rather than attacking traditional, heavily monitored network services, criminals will evolve once again using mobile devices as an easy way to get into the enterprise and access valuable data. With the recent news of both ad SDKs inside apps and the mobile apps themselves leaking personal and corporate data, businesses are more aware than ever of the need to implement solutions that minimize data leakage and loss. To combat these rising concerns around data leakage, businesses large and small will look to rapidly adopt products to help control data leakage on phones. Check out the full Mobile Threats, Made to Measure report.

Discover how Lookout can protect your data