Cyber Hackers on Course for One Million Malware Apps

Google's (NASDAQ:GOOG) Android mobile operating system is so besieged by cyber hackers’ malicious apps that the malware count is on track to hit the million mark by 2014, a new report from cyber analysts Trend Micro warns.

In contrast, it took a decade for PC malware to hit that number versus just several years for mobile phone malware apps.

The rise in cyber attacks on Google’s Android mobile operating system comes as Android continues to dominate the smartphone market. Android now controls 79.3% of the global smartphone market, up from 69.1% a year ago, according to the latest data from IDC.

The majority of the malware apps were designed as fake or Trojanized versions of popular apps. Nearly half of the mobile malware, 44%, uncovered in the second quarter was designed to lure unwitting users into downloading costly services, like sending expensive texts with the malware developer pocketing the profit. A large 24% were designed to steal user data. Apps that uploaded to devices adware came in third at 17%. The U.S. is the prime target of online banking malware apps on Android phones, the report says, followed by Brazil and Australia.

The report says that the number of malicious Android apps worldwide soared by 350,000 in the first half of 2013, hitting a total of 718,000 by June. The number is “well on track to hit the million mark before the year is out," the Trend Micro report warned, noting that most of the malware apps are packaged to look like regular, popular smartphone apps.

Cybercriminals also came up with more diverse app attacks that hacked into various social engineering sites used on mobile phones, like Facebook and Twitter, exploiting news events like the Boston marathon bombing.

Trend Micro warns that a big factor that may be hastening this rapid increase in malicious apps is the lack of security on Android smartphones and tablets.

"Google's open Android ecosystem continues to be exploited by cyber criminals,” the report says, adding that "malware has even been found on the official Google Play store.” That means mobile security software is no longer just a “nice-to-have” offering for Android device owners, “but an increasingly essential tool to prevent malicious app downloads,” the report warns.

“Due to the fractured nature of the Android network, it is very difficult for patches to reach all users in an effective time frame,” said JD Sherry, vice-president, technology and solutions at Trend Micro. “In some cases, users will never get patches as vendors leave their customers at risk of attack.”

Sherry also warns: “Until we have the same urgency to protect mobile devices as we have for protecting PCs, this very real threat will continue to grow rapidly. At the rate this malware is accelerating – almost exponentially – we appear to be reaching a critical mass. To fight this, Android users need to take great care when using their devices and take the simple, but effective, step of adding security software to all mobile devices.”

U.S. #1 in Cyber Online Banking Attacks

When it came to online banking, malware increased 29% from the previous quarter, from 113,000 to 146,000 infections, the Trend Micro report shows.

The U.S. was the No. 1 target of online banking malware, with more than one million instances or nearly a third, 28%, of malware app infections, followed by Brazil at 22% and Australia and France at 5%.

Another online banking malware app uploads false Android app package files to a device’s secure digital card. The malware then displays fake icons and a user interface that mimics legitimate banking apps.

Android Master Key

The recent discovery of the Android master key vulnerability was a turning point in cyber phone hacking, as nearly 99% of Android devices were found to be vulnerable, the report says. The vulnerability lets cyberhackers modify installed apps without users’ consent.

Last month, a team from Bluebox Security found a vulnerability which lets a phone cyber malware convert 99% of apps already sitting on a user’s phone into a Trojan -- which could then be used to steal data or connect to botnets without the user knowing.

Duo Security and System Security Lab (NEU SecLab) released an app, ReKey, which they assert fixes the security flaw for users.

One malware, OBAD, requests root and device administrator privileges from a mobile phone user, and then lets it seize full control of an infected device, the report says. OBAD then “repeatedly shows popup notifications to convince users to grant permissions.”

Trend Micro also found more fake “antivirus” security malware this quarter that even more closely resembled legitimate ones.

Social Media, Blogging Sites Vulnerable

Cybercriminals’ favorite social media websites include Facebook, Twitter, Tumblr, and Pinterest, the report says.

Cyber hackers also “abused popular blogging sites like Tumblr, WordPress, and Blogger to host fake streaming sites of popular summer movies, including Man of Steel, Fast and Furious 6, and Iron Man 3,” the report notes.

Apple ID and well-known multiprotocol instant-messaging (IM) platforms like Digsby were also targeted by attacks, it says.

Users were also hit with social engineering malware apps that exploited news events, including the Boston marathon bombing, the Oklahoma tornado disaster, the Texas fertilizer plant explosion, and the tax season, as bait, the report warns.

LinkedIn, Evernote, and Twitter recently introduced additional security measures, built on a two-step verification process, the report says, warning that “the attack on Twitter posed an interesting case study on how social media can be used to spread false news that can have severe results.”