2014 Mobile Threat Report

In 2013 the notable trend in mobile security was the geographic diversification of mobile threats[1]. Chargeware, for example, was prevalent in Western Europe, where the popularity of premium-rate SMS billing made this path to monetization more viable than in geographies where this billing mechanism is largely prohibited, such as the United States.

In 2014 this pattern of regional adaptation continued, but the new and noteworthy mobile security trend this year has been the emergence of new mobile threat tactics (like ransomware) and an increase in threat sophistication. This is a reaction, no doubt, to mobile operators stepping up their threat countermeasures around the world and a general crackdown on premium-rate SMS abuse. For example, in 2014 Lookout observed a handful of mobile threats, such as DeathRing[2] and a new variant of Mouabad[3], that suggested the compromise of mobile supply chains and pre-loading of malware on factory-shipped devices. In addition, a new variant of the threat NotCompatible[4], a sophisticated mobile threat with layers of complex self-defense mechanisms to evade detection and countermeasures[5], gained considerable traction in the U.S. and Western Europe.

Methodology

To prepare this report, Lookout analyzed security detections from its dataset of more than 60 million global users. The encounter rate used in this report is the percentage of unique Android devices that encountered a given threat or threat type during the year. Encounter rates are weighted calculations that account for varying user lifecycles. They cannot be added together, since a unique device could be counted multiple times in such calculations. Lastly, at the highest level Lookout classifies app-based threats using three categories (defined at the beginning of this report): malware, chargeware, and adware.

Key Highlights

Mobile threat highlights from 2014 include:

  • Malware grew substantially in the U.S. - 2014 saw an astounding 75% increase in Android mobile malware encounter rates in the United States compared to 2013 (a 4% vs. 7% encounter rate), an increase driven largely by prolific mobile threats that hold victims’ mobile devices hostage in exchange for payment, using a variety of coercion schemes[6].
  • Device-for-ransom malware schemes surged globally - “Ransomware”, a type of malware that locks users out of their mobile devices in a pay-to-unlock-your-device ploy, grew by leaps and bounds as a threat category in 2014, with ransomware such as ScareMeNot and ScarePakage finishing in the top five most-prevalent mobile threats in countries such as the U.S., U.K., and Germany.
  • Mobile threat sophistication and experimentation are on the rise - as mobile operators and platforms have continued to crack down on mobile attackers and their monetization methods, the attackers’ strategies have shifted. In 2014 Lookout observed, for example, one of the first instances of attackers attempting to use compromised mobile devices for cryptocurrency mining, a novel, if ultimately unprofitable, scheme[7].
  • Adware prevalence fell dramatically in 2014 and risks losing its crown as the most prevalent mobile threat - 2014 saw adware encounters fall dramatically, evidence that Google’s crackdown[8] on adware in the latter half of 2013 and its continued policing of the Play Store have substantially reduced the prevalence of abusive mobile advertising practices in Android applications. In some countries, such as the U.K., adware encounter rates are now surpassed by other threats like chargeware!
  • Chargeware prevalence fell in the U.K. and France, but exploded in Germany - In 2014 chargeware continued to be a regional phenomenon, with encounter rates in Western Europe (9% in France, 11% in the U.K.) averaging much higher than those in countries like the U.S. (4%). Notably, chargeware encounter rates did fall in the U.K. and France in 2014, a sign, perhaps, that the efforts of regulatory bodies such as PhonepayPlus have become more effective at curbing premium-rate service abuse. Premium-rate service abuse has historically been a popular monetization method for both chargeware and malware threats globally. Germany, however, experienced a 250% surge in chargeware encounter rates in 2014 (2% vs. 7% encounter rate) due to the prolific success of the SMSCapers threat.

Top New Malware Threats Lookout Discovered in 2014

ScarePakage | Ransomware

ScarePakage masquerades as an Adobe Flash update or a variety of anti-virus apps, and is distributed as a drive-by-download. When downloaded, it pretends to scan victims’ phones and then locks the device after falsely reporting that its scan found illicit content. ScarePakage then displays a fake message from the FBI and attempts to coerce victims into paying them to avoid criminal charges and regain control of their device[9].

DeathRing | Trojan

DeathRing poses as a ringtone app and then surreptitiously downloads fake SMS content to infected devices, in a possible attempt to capture victim login credentials by impersonating trusted entities like banks via SMS. Notably, DeathRing appears to come pre-installed on certain devices, suggesting its authors were able to infiltrate the device supply chain and inject their malware into factory-shipped devices[10].

CoinKrypt | Trojan

CoinKrypt infects phones and harnesses their processing power to mine cryptocurrency. This activity can drain a device’s battery and its monthly data allotment. While this is one of the first examples of malware using smartphone computing power for digital currency mining, Lookout estimates that these activities yield minimal profits given the immense processing power required to mine cryptocurrencies[11].

ShrewdCKSpy | Spyware

ShrewdCKSpy pretends to be an app marketplace, but the market icon disappears on first launch and the malware starts to run in the background, intercepting and recording victims’ SMS and phone calls and uploading them to a remote server. ShrewdCKSpy also has the ability to auto-accept and record calls, which means attackers could possibly turn a victim’s phone into a de facto bugging device by auto-accepting their own call[12].

Country Trends

In the U.S. ransomware such as ScarePakage, ScareMeNot, ColdBrother, and Koler dominated the mobile threat list in 2014 and largely drove the 75% increase in malware encounter rates. Millions of U.S. mobile users were targeted by ransomware attacks, resulting in an untold number of victims paying hundreds of dollars each to unlock their devices and “avoid” fraudulent criminal charges. In the non-ransomware category, the trojan NotCompatible emerged as the top mobile threat in the U.S. in 2014, enabling its operators to harness a considerable mobile botnet to do their bidding. In one instance, Lookout observed attackers using NotCompatible-infected mobile devices to purchase tickets en masse to circumvent anti-fraud measures on ticketing websites.

2014 Top Threats in the U.S.

1. NotCompatible | Malware

NotCompatible is a trojan that surreptitiously acts as a network proxy, allowing attackers to send and receive traffic through a victim’s mobile device onto connected networks for fraudulent purposes.

2. Koler | Malware

Koler is a trojan disguised as a media app that then locks a victim’s device after falsely reporting the discovery of illegal activity. Koler attempts to coerce victims into paying them to avoid criminal charges and regain control of their device.

3. ScareMeNot | Malware

ScareMeNot is a trojan that pretends to scan victims’ phones for security issues and then locks their device after falsely reporting that its scan found illicit content. It attempts to coerce victims into paying them to avoid criminal charges and regain control of their device.

4. ColdBrother | Malware

ColdBrother is a trojan that pretends to scan victims’ phones for security issues, but then locks their device after falsely reporting that its scan found illicit content. It can also take a front-facing camera photo and attempts to coerce victims into paying them to avoid criminal charges and regain control of their device.

5. ScarePakage | Malware

ScarePakage is a trojan that pretends to scan victims’ phones for security issues and then locks their device after falsely reporting that its scan found illicit content. ScarePakage attempts to coerce victims into paying them to avoid criminal charges and regain control of their device.


While malware and chargeware rates fell in the U.K., they remained significant: 2% of all Lookout users in the U.K. encountered malware this year and more than 1 in 10 encountered chargeware threats. Just as in 2013, chargeware, and more specifically the threat SMSCapers, emerged as the top threat in the U.K. this year. SMS premium-rate billing is a common billing practice in the U.K. and attackers have leveraged this capability as an effective monetization technique in the past, although a year-over-year decline in chargeware and malware encounter rates in the U.K. suggests this may be a decreasingly effective monetization path given countermeasures by regulatory bodies like PhonepayPlus[13]. In 2014 the U.K. was also hit with ransomware attacks much like the U.S., with ransomware threat ScareMeNot emerging as the second most prevalent threat to U.K. users.

2014 Top Threats in the U.K.

1. SMSCapers | Chargeware

SMSCapers is a pornographic app that charges users without providing clear notification and the opportunity to provide informed consent for the charges.

2. ScareMeNot | Malware

ScareMeNot is a trojan that pretends to scan victims’ phones for security issues and then locks their device after falsely reporting that its scan found illicit content. It attempts to coerce victims into paying them to avoid criminal charges and regain control of their device.

3. ActSpat | Malware

ActSpat is a trojan that commits premium-rate SMS fraud and may push obtrusive ads to the notification bar, create pop-up ads, place shortcuts on the device's home screen and download large files without asking.

4. Tornika | Chargeware

Tornika is a trojan disguised as a media player that sends personal information from compromised devices to third parties and may attempt to charge victims money. It can also enable third parties to display ads without a way to opt out.

5. NotCompatible | Malware

NotCompatible is a trojan that surreptitiously acts as a network proxy, allowing attackers to send and receive traffic through a victim’s mobile device onto connected networks for fraudulent purposes.


In 2014 France experienced an overall decline in mobile threat encounter rates, though 2% of French Lookout users still encountered malware this year and almost 1 in 10 encountered a chargeware threat. Chargeware, and its reliance on premium-rate abuse for monetization, still remains among the more prevalent mobile threat types, with threats such as SMSCapers and SMS4You emerging in the top five mobile threats in France this year. Like in the U.K., a decline in malware and chargeware encounter rates in France may be a sign of increased regulatory pressure. In August of 2014, for example, PhonepayPlus fined a French app company for abuse of premium-rate phone services[14].

2014 Top Threats in France

1. Tornika | Chargeware

Tornika is a trojan disguised as a media player that sends personal information from compromised devices to third parties and may attempt to charge victims money. It can also enable third parties to display ads without a way to opt out.

2. ActSpat | Malware

ActSpat is a trojan that commits premium-rate SMS fraud and may push obtrusive ads to the notification bar, create pop-up ads, place shortcuts on the device's home screen and download large files without asking.

3. SMSCapers | Chargeware

SMSCapers is a pornographic app that charges users without providing clear notification and the opportunity to provide informed consent for the charges.

4. SMS4You | Chargeware

SMS4You is a pornographic app that charges users without providing clear notification and the opportunity to provide informed consent for the charges.

5. Spytic | Malware

Spytic is a form of surveillanceware that enables remote monitoring of the activity and information on compromised devices by third parties.


In 2014 malware encounter rates held steady in Germany at 3%, but the country saw an absolute explosion in chargeware this year (250% increase), due largely to the successful proliferation of SMSCapers, which emerged at the top of the list of mobile threats encountered by German users this year. Germany also saw ransomware encounters grow - as they did in the U.S. and elsewhere in Western Europe - with ScareMeNot emerging at the number two spot for top mobile threats in Germany.

2014 Top Threats in Germany

1. SMSCapers | Chargeware

SMSCapers is a pornographic app that charges users without providing clear notification and the opportunity to provide informed consent for the charges.

2. ScareMeNot | Malware

ScareMeNot is a trojan that pretends to scan victims’ phones for security issues and then locks their device after falsely reporting that its scan found illicit content. It attempts to coerce victims into paying them to avoid criminal charges and regain control of their device.

3. ActSpat | Malware

ActSpat is a trojan that commits premium-rate SMS fraud and may push obtrusive ads to the notification bar, create pop-up ads, place shortcuts on the device's home screen and download large files without asking.

4. ScarePakage | Malware

ScarePakage is a trojan that pretends to scan victims’ phones for security issues and then locks their device after falsely reporting that its scan found illicit content. ScarePakage attempts to coerce victims into paying them to avoid criminal charges and regain control of their device.

5. NotCompatible | Malware

NotCompatible is a trojan that surreptitiously acts as a network proxy, allowing attackers to send and receive traffic through a victim’s mobile device onto connected networks for fraudulent purposes.


In 2014 Japan continued to enjoy one of the most favorable threat encounter rates in the world, with approximately 1% of Japanese Lookout users encountering malware this year and less than 1% encountering chargeware threats. While adware lost its title as the most prevalent mobile threat in some countries in 2014, it continues to be the top threat in Japan with a 3% encounter rate.

2014 Top Threats in Japan

1. ActSpat | Malware

ActSpat is a trojan that commits premium-rate SMS fraud and may push obtrusive ads to the notification bar, create pop-up ads, place shortcuts on the device's home screen and download large files without asking.

2. Ackposts | Malware

Ackposts is a trojan that steals device contacts and sends them to a third-party server, showing an error message claiming device incompatibility to disguise its activity.

3. OneClickFraud | Malware

OneClickFraud is a trojan that visits web pages while a victim’s device screen is turned off in an attempt to defraud third parties with fake pageviews.

4. CreepyBanner | Malware

CreepyBanner is a trojan disguised as an Adobe Flash player that attempts to install another application which serves obtrusive ads.

5. ConeSMS | Malware

ConeSMS is a trojan that advertises itself as a pornographic app, but actually commits premium-rate SMS fraud in the background.

Conclusion

In 2014 the new and noteworthy mobile security trend was a surge in new mobile threat tactics like ransomware and an increase in threat sophistication and experimentation. This is likely a reaction to mobile operators increasing their threat countermeasures and a general crackdown on premium-rate SMS abuse, which has historically been the primary monetization path for malware and chargeware threats. Premium-rate SMS was low-hanging fruit that attackers could easily exploit and they did so with great success in 2013. Fortunately, premium-rate SMS abuse is also low-hanging fruit for countermeasures, since sending text messages to a premium rate number is a rather obvious behavior that can be flagged and blocked by security vendors and mobile operators and platforms.

The apparent success of these threat countermeasures in 2014 is a double-edged sword: while it seems to have lowered threat encounter rates in certain geographies, it also seems to have driven attackers toward developing more insidious threats like ransomware. The individual impact of premium-rate SMS abuse is a handful of nominal charges to a victim’s monthly bill. The individual impact of a ransomware threat like ScarePakage, however, is the complete loss of device functionality and potential mental anguish from false criminal accusations, as well as substantial financial loss if a victim elects to pay the ransom.

The success of ransomware in the United States (where it largely drove a 75% year-over-year increase in malware) and Western Europe indicates that when thwarted, mobile attackers will innovate and pivot to maintain an edge. The discovery of threats injected in mobile supply chains (e.g. DeathRing) and the rise of technically sophisticated threats (e.g. NotCompatible.C) reveals that attackers are upping their threat construction and deployment game. In the face of more sophisticated adversaries, consumers can stay one step ahead by remaining vigilant, installing apps from trusted app marketplaces, and installing advanced mobile security solutions like Lookout on their devices.

Endnotes

  1. “2013 Lookout Mobile Threat Report: Mobile Threats, Made to Measure”. Lookout. 2013.
  2. “DeathRing: Pre-loaded malware hits smartphones for the second time in 2014”. Lookout. December 2014.
  3. “MouaBad: When your phone comes pre-loaded with malware”. Lookout. April 2014.
  4. “The new NotCompatible: Sophisticated and evasive threat harbors the potential to compromise enterprise networks”. Lookout. November 2014.
  5. “NotCompatible.C: A Sophisticated Mobile Threat that Puts Protected Networks at Risk”. Lookout. November 2014.
  6. “Android Phones Hit by ‘Ransomware’”. New York Times. August 2014.
  7. “Sorry, mobile mining likely isn’t going to be profitable — unless you’re criminal”. Lookout. July 2014.
  8. “The war against mobile ‘adware’ isn’t over yet, warns Lookout”. The Guardian. February 2014.
  9. “U.S. targeted by coercive mobile ransomware impersonating the FBI”. Lookout. July 2014.
  10. “DeathRing: Pre-loaded malware hits smartphones for the second time in 2014”. Lookout. December 2014.
  11. “CoinKrypt: How criminals use your phone to mine digital currency”. Lookout. March 2014.
  12. “ShrewdCKSpy: Mobile Spyware With A Hidden Agenda”. Lookout. March 2014.
  13. “£330,000 fines issued to UK companies over mobile malware and WAP opt-in”. PhonepayPlus.
  14. “Premium-rate ‘voice changer’ service fined £60,000 for children’s apps ads”. August 2014.