Mobile Threats, Made to Measure

MOBILE THREATS, MADE TO

MEASURETHE SPECIALIZATION OF MOBILE THREATS

AROUND THE WORLD

What global trends and patterns defined mobile security threats in 2013? To answer this question, Lookout analyzed the threats encountered by more than 50 million Lookout users around the world. We categorized mobile threats into three distinct app-based threat categories: adware, chargeware, and malware.

2013 stood out as the year when mobile threat campaigns became increasingly targeted by region as the criminals adapted their practices to maximize profit and minimize detectability. In regions where regulation is stringent, attackers favored alternate ways to operate, often dropping traditional monetization strategies like premium rate SMS fraud in favor of “grey area” tactics like deceptive, if legal, in-app billing practices.

We also examined how user behavior impacts their exposure to mobile threats. If a mobile user has rooted their phone, for example, how might that affect their chance of encountering a trojan in the future? In short, this report contains a comprehensive overview of the current, global state of app-based threats. We hope the security insights presented in this report may serve to help educate individuals and businesses on how to better protect their mobile devices from threats in a highly networked, globalized age.

1

To prepare this report Lookout analyzed security detections from its dataset of more than 50 million users around the world who were active from January 1, 2013 - December 31, 2013. The encounter rate calculation referenced in this report measures how many devices encounter a given threat, and it is a weighted calculation that normalizes the differences between the life cycles of users.

It should be noted that encounter rates are not additive since devices may be counted multiple times. Lookout excluded countries from this report where representative sample sets of users could not be achieved. Lastly, app-based threats in this analysis were separated into three categories: (a) Adware (b) Malware (c) Chargeware. These app-based threat categories are defined in the glossary at the end of the report.

© 2014 Lookout2

© 2014 Lookout

● The diversification of app-based threats by region is readily apparent. 2013 stood out as the year when mobile threat campaigns became increasingly targeted by geographic region as the criminals adapted their practices to maximize profit and minimize detectability.

● Financial gain continues to dominate the mobile threat landscape, with premium rate SMS fraud being the primary type of malware affecting people across the globe.

○ In 2013, hundreds of thousands of Lookout users encountered chargeware - apps with hard-to-read EULAs that deceptively bill victims, often after luring them in with racy photos (porn). The encounter rate of chargeware is 13% in France, 20% in the UK and 5% in the U.S.

○ In Russia and China, premium rate SMS fraud continues to be a massive problem where regulation isn’t as stringent.

● Adware is the most prevalent threat facing consumers. People are five times more likely to encounter adware than malware. Allowed to spread largely unchecked, adware reached a pinnacle in 2013, and reached every corner of the globe. (The average encounter rate ranges from 20-30% depending on the country: U.S. 25%, UK 23%, Germany 27%, France 31%, Spain 30%).

● The encounter rate of malware drastically changes depending on the region. Specifically, in the U.S. it is only 4%, while in Russia and China it is 63% and 28% respectively.

● Risky behavior begets other risky behavior. Having a trojan on your phone means you’re seven times more likely to download another app with a trojan.

3

GLOBAL THREATS

In 2013 mobile threats were clearly a global problem, but Asia, Russia and parts of Eastern Europe and Africa continue to stand out with higher levels of risk.

© 2014 Lookout5

In 2013 encounter rates remained low in the US and Western Europe, while regions such as Asia and Eastern Europe continued to be “hot zones” for mobile malware, largely due to the popularity of unregulated 3rd party app stores and low risk monetization paths like premium rate SMS fraud (a prime example being ActSpat, a premium SMS trojan). Also, Lookout’s 2013 ‘Dragon Lady’ investigation uncovered an entire mobile malware industry in Russia.

© 2014 Lookout6

© 2014 Lookout7

In the first half of 2013 very little curbed the spread of adware and so it was evenly distributed, with fairly similar encounter rates in almost every country. Lookout called out adware in June 2013 and Google started taking steps that September to remove adware that violated its policies. One of the primary adware SDKs was operated by a company called Leadbolt, which has since changed their ad SDK to comply with Google policies.

© 2014 Lookout8

In 2013, chargeware (apps that charge users without clear notification) was especially prevalent in Western & Eastern Europe and South East Asia. Pornograhic apps with deceptive charging practices made up the most prevalent forms of chargeware in 2013, with one campaign “SMS Capers” representing more than 50% of the risk in the UK.

NORTH AMERICA

The United States and Canada have comparable threat encounter rates while mobile users in Mexico have an elevated risk of encountering adware.

© 2014 Lookout10

The mobile malware encounter rate is low and consistent across North American countries: mobile users in these countries tend to download apps from trusted app stores where the likelihood of encountering malware is much lower. Encounters occur nonetheless and the threats are real: NotCompatible, a trojan that turns devices into proxies for 3rd party traffic, was the most prevalent threat in the U.S. © 2014 Lookout11

EUROPE

© 2014 Lookout13

The total encounter rate is relatively even across Europe and comparable to the US. Germany has lower levels of risk in all categories, but especially chargeware and adware, while Spain has an elevated risk of chargeware and malware.

The encounter rates of UK and France are elevated due to the large volume of chargeware in both regions. The UK is especially high to due to the emergence of one chargeware campaign - SMScapers, a pornographic app which makes up more than 50% of the total encounter risk in the UK.

© 2014 Lookout14

ASIA

Japan has the lowest encounter rates in all categories, while China and Russia have the highest malware encounter rates out of any country in the world. The bulk of the threats in this part of the world are made up from malware rather than adware (like in the US and Western Europe).

© 2014 Lookout16

© 2014 Lookout17

Japan has the lowest malware encounter rate due to its strict regulatory environment, while China and Russia have the highest malware encounter rates in the world. Russia is particularly high as the ease with which malware authors are able to monetize drives the creation of new families. RuPaidMarket, a premium SMS fraud trojan, was the most prevalent family in Russia in 2013.

MOBILE THREAT

CORRELATIONS

© 2014 Lookout19

QUARTERLY

MOBILE THREAT ANALYSIS

© 2014 Lookout21

Apart from a slight dip in Q2, malware maintained a constant presence in China but overall was dwarfed by the volume of malware in Russia. The apparent drop in malware in Russia actually represents the tail-end of a couple of incredibly prolific malware campaigns in the RuPaidMarket family (a family of trojans that commit premium SMS fraud).

Prior to June 2013 no industry guidelines defined adware. In June 2013 Lookout published its own guidelines and in September 2013 Google updated its policies and removed as many as 36,000 infringing apps from the Play Store. The increase from Q2 to Q3 reflects Lookout’s implementation of more comprehensive adware detection policies. The drop from Q3 to Q4 reflects apps removing offending ad networks or getting removed themselves.

© 2014 Lookout22

© 2014 Lookout23

Chargeware is highly geographic and campaign-based and this slide shows this clearly. What we see here is the rise and fall of the pornographic chargeware campaigns “SMS Capers” and “Plus TV” which primarily hit the UK and France.

24

The diversification of app-based threats by region is readily apparent. Regulation varies by country and a criminal enterprise that might be highly profitable and difficult to prosecute in one part of the world is often explicitly forbidden and easy to prosecute in another. This regulatory variation produces a state of natural selection in which criminals evolve to exhibit attack strategies that are best suited for their environment.

When it comes to malware, people who use trusted, mainstream app stores (as the bulk of users in the US and Western Europe do) are less likely to encounter malware. By contrast, users in Eastern Europe, Russia and Asia face a risk of encountering malware that is as much as 20 times higher due to the widespread use of high-risk third-party stores. This increased risk is also driven in part by more robust malware development activities in these regions as evidenced by Lookout’s 2013 Dragon Lady investigation, which uncovered organized groups of Android malware developers in Russia who operated like startups, with real organizational structures and affiliate programs.

Chargeware too is a highly country specific threat because it relies on mobile charging practices, which can vary on a per country (or even per carrier) basis. In 2013 chargeware emerged as the most lucrative method of monetizing in Western Europe for this reason, where country encounter rates (13% - France, 20% - UK, 23% - Spain) are two to four times higher than those seen in North America and up to twenty times higher than those seen in Asia. Most of these chargeware threats are pornographic in nature, as was the case with SMSCapers in the UK and PlusTV in France (the two most prolific instances of chargeware in each country).

Adware went largely unchecked for the first half of 2013 and encounter rates were high, ranging from 20-30% globally. In Q3 2013 companies such as Lookout and Google implemented detection policies that flagged the presence of adware to developers and adware encounter rates began to fall. These policy changes forced apps to remove adware and forced adware developers to modify their advertising SDKs to bring their practices in line.

Risky mobile behavior begets risky behavior - a rather self-evident, but nonetheless sobering observation when you consider that risky activities like downloading malware once increases your likelihood of encountering another piece of malware by seven times.

Moving into 2014 we expect criminals and shady actors to continue to take advantage of the “Grey area” and use people (and their devices) as a means to an end to pull off their schemes. New monetization methods may appear, but as long as premium rate SMS fraud continues to be a successful business model in certain regions around the world, we don’t expect it to go away.

As BYOD becomes more common in the workplace, rather than attacking traditional, heavily monitored network services, we expect criminals to evolve once again and turn to mobile devices as an easier way to get into the enterprise and access valuable data. With the recent news of both ad SDKs and mobile apps leaking device data, businesses are more aware than ever of the need to implement solutions that minimize mobile data leakage and loss.

The strongest defence against app-based threats comes from a three part strategy of (1) only downloading apps from trusted marketplaces, (2) exercising common sense and avoiding risky behavior (like rooting a mobile device), and (3) downloading a mobile security application like Lookout that can flag and protect against these threats in real time.

25

26

ADWAREAdware is an SDK whose primary purpose is to serve obtrusive or unexpected ads on compromised devices.

CHARGEWAREChargeware is an app where the user is charged for a service without clear notification and the opportunity to provide informed consent.

ENCOUNTER RATEEncounter rates in this report measure how many devices encounter a given mobile threat during a specific time period, as a percentage of all devices that have connected to Lookout during that period.

With this calculation we are measuring how many devices encounter a threat and it should be noted that encounter rates are not additive since devices may be counted multiple times. Additionally, encounter rates do not necessarily mean that that percentage of users were actually infected or would be infected without Lookout.

MALWAREFor the purposes of this report malware includes viruses, trojans, worms, and spyware and excludes chargeware.

MOBILE THREATSMobile threats in this report describe the composite threat of malware, chargeware, and adware.