If your ISP contracts with Kindsight's Identity Theft Protection service, you'll get an extra layer of protection for your home network without installing any software. The service watches for malware and other threats; if it finds anything, it notifies you and serves up a fix. It also reports non-personal information about the event back to the company. Sifting through this data keeps Kindsight's researchers informed about trends in mobile malware. Once per quarter they share their findings with the rest of us.
As with the recent market share report from OPSWAT, this study doesn't pretend to be perfectly representative of the entire online community. Kindsight has no sensors in China or Russia, for example, so there's no data from those regions. Also, the report specifically looks at "malware infections in home networks and infections in mobile devices and computers connected through mobile adapters," not at every type of malware infestation. That said, there's a lot to be learned by mining a data collection like Kindsight's.
Network infections down, mobile up
Kindsight reports that 8.7 per cent of all covered home networks experienced a malware infection during the quarter. That's down from 9.6 per cent the previous quarter, but wow, it still must represent a lot of infections.
The infection rate for mobile devices is up from last quarter, to 0.55 per cent. That figure may seem low, but Kindsight estimates that it represents 11.6 million mobile devices infected with malware at any given time. Over 60 per cent of those are Android devices.
Android beats Windows
At the start of 2013, Windows devices with a mobile connection made up over 60 per cent of the infected mobile devices detected by Kindsight. By the end of the year, Android had taken the lead, and not just by a little bit. December's figures show Android at well over 60 per cent of the total. As for BlackBerry, iOS, Symbian, and Windows Phone, well, taken all together they still don't come to one per cent of the total.
The report calls Android "the Windows XP of mobile," and notes several reasons that Android is the preferred platform for mobile malware. First, it has the biggest mobile market share, and hence the biggest number of potential victims. Second, users can load any program on an Android device if they're willing to use a non-approved app store. Third, Trojanising an Android app is ridiculously simple. I can attest to that; I've seen it done in less than five minutes.
Deceptive explosion in Android malware
The number of Android malware samples in Kindsight's database grew by a factor of 20 during 2013. However, that doesn't actually mean there are 20 times as many distinct malicious payloads. Trojanised apps are by far the most common type of Android malware. To get maximum coverage, an attacker will add precisely the same malicious code to as many apps as possible. The report states: "Often we will discover a third-party app store distributing a single malware type disguised as hundreds of different wallpaper apps."
The report does note that, generally speaking, mobile malware seriously lags behind Windows malware in sophistication, stating: "A lot of Android malware is currently fairly naïve and simplistic in its design and operation." Many Windows-based botnets can "rally" to a new command and control server if their existing one gets knocked offline. Some, like ZeroAccess and GameOver Zeus, transmit commands via peer-to-peer networks, with no central server. Mobile botnets, on the other hand, tend to use a single, hard-coded IP address for command and control. Take out that server and the botnet is dead.
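The two observations above, that a 20-fold jump in sample count can be one payload repackaged into hundreds of apps, and that most mobile botnets phone home to a single hard-coded IP address, are the kind of thing an analyst checks with a small triage script. The following is an added example written for this summary; it is not Kindsight's code and is not taken from the report. The package names, payload bytes and addresses are constructed, and the script assumes that the "code component" of each app has already been extracted (for an APK that would be the classes.dex) so that it can be hashed separately from icons and resources.

```python
"""Triage a pile of Android samples: cluster by code hash, then look for a
hard-coded C2 address in each distinct payload.

Added example for this article, not Kindsight's code. All sample data is
constructed; the "code" bytes stand in for a real classes.dex.
"""
import hashlib
import ipaddress
import re
from collections import defaultdict

# Constructed samples: (package name, code bytes). Three "different" wallpaper
# apps carry byte-identical code, which is the repackaging pattern the report
# describes; the other two are unrelated apps.
SHARED_PAYLOAD = b"com/example/wallpaper/Svc;connect(http://198.51.100.23:8080/cmd)"
SAMPLES = [
    ("com.wallpaper.beach", SHARED_PAYLOAD),
    ("com.wallpaper.cats", SHARED_PAYLOAD),
    ("com.wallpaper.cars", SHARED_PAYLOAD),
    ("com.notes.simple", b"com/notes/Main;openFile(notes.txt);192.168.1.1 hint"),
    ("com.flashlight.free", b"com/flash/Toggle;poll(203.0.113.9:443)"),
]

# Dotted-quad literal not glued to other digits or dots (avoids version strings).
IPV4_RE = re.compile(rb"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

# Ranges that cannot be an Internet-facing C2. The RFC 5737 documentation
# ranges (198.51.100.0/24, 203.0.113.0/24) are deliberately NOT listed so the
# constructed sample addresses survive; a production list would add them.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "255.255.255.255/32",
)]


def code_hash(code: bytes) -> str:
    """SHA-256 of the code component only, so repackaged copies collide."""
    return hashlib.sha256(code).hexdigest()


def cluster_by_code(samples):
    """Group package names by code hash: one cluster == one distinct payload."""
    clusters = defaultdict(list)
    for package, code in samples:
        clusters[code_hash(code)].append(package)
    return dict(clusters)


def hardcoded_c2_candidates(code: bytes):
    """Return routable IPv4 literals found in the code, deduplicated and sorted.

    Strings that look like addresses but are not (e.g. 999.1.1.1) are skipped,
    as are private, loopback, link-local, multicast and broadcast addresses.
    """
    found = set()
    for match in IPV4_RE.findall(code):
        try:
            addr = ipaddress.IPv4Address(match.decode())
        except ValueError:
            continue
        if not any(addr in net for net in NON_ROUTABLE):
            found.add(str(addr))
    return sorted(found)


def triage(samples):
    """One row per distinct payload: which apps carry it and where it calls home.

    Rows are ordered with the most widely repackaged payload first.
    """
    rows = []
    for digest, packages in cluster_by_code(samples).items():
        code = next(c for _, c in samples if code_hash(c) == digest)
        rows.append({
            "code_hash": digest[:12],
            "packages": packages,
            "c2_candidates": hardcoded_c2_candidates(code),
        })
    rows.sort(key=lambda r: len(r["packages"]), reverse=True)
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLES):
        print(f"{row['code_hash']}  apps={len(row['packages'])}  "
              f"c2={row['c2_candidates'] or '-'}  {row['packages']}")
```

Run against the constructed set, five "samples" collapse to three distinct payloads, and the one shared by the three wallpaper apps yields a single routable address. That is the number a network defender wants: one address to block at the ISP or enterprise edge, or to hand to a takedown request, which is exactly why the report calls single hard-coded C2 servers a weakness. Hashing the whole APK instead of the code component would put every wallpaper app in its own cluster, because the icons and images differ, and would reproduce the inflated count the report warns about.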
Cutting access for ZeroAccess
ZeroAccess is still the number one botnet, according to the report. However, attempts by Microsoft and Symantec to curb its activities have had some limited success. Symantec managed to disrupt the peer-to-peer command and control system, at least temporarily. Microsoft hit them in the cashbox by disabling the non-P2P click-fraud system by which the botnet's owners made money.
The report includes details on a number of other widespread threats, including (when possible) a map showing just where the commands come from. Because ZeroAccess uses a peer-to-peer command system, it seems to be everywhere in the world.
The full report, available to download here, offers more information than I can begin to summarise. It charts the most common infestations for home networks and Android devices, for example, and separately charts those with a high threat level. It describes the more interesting ones in detail.
What's coming in 2014? Kindsight suggests that cyber-crooks will move to mobile malware only if they can see a profit in it, either due to new opportunities opening or old cash sources drying up. Mobile malware can be incredibly useful in advanced persistent threat attacks or cyber-espionage. Plant a spy app on a victim's phone and you can track him anywhere, slurp down personal info, and circumvent network security at his workplace.
Mobile danger doesn't have to come in the form of malware. "Imagine an underground hacktivism organisation that provided their own app for Android and iPhone," suggests the report. Its authors go so far as to posit an "Occupy the Internet" movement. Will it happen? We'll certainly find out.