Motive Security Labs
Malware Report – H1 2015
Motive Security Labs Malware Report – H1 2015
Alcatel-Lucent
Table of contents
Introduction  3
2015 first half highlights  3
Malware in mobile networks  4
Mobile network infection rate  4
Infections by device type  4
Android malware samples continue growth in 2015  6
Top Android malware  6
Examples of mobile threats  7
Malware in fixed residential networks  10
Top 20 residential network infections  10
Top 20 high-threat-level infections  11
Top 25 most prolific threats  12
2015 so far  12
Stagefright  12
Encrypted command and control  13
Scanning, DDoS and NAT  13
New adware  14
Mobile spyware  15
Summary and conclusion  15
Terminology and definitions  16
About Motive Security Labs  16
Introduction
The “Motive Security Labs H1 2015 Malware Report” examines general trends and statistics for
malware infections in devices connected through mobile and fixed networks. The data in this report is
aggregated across the networks where the Motive Security Guardian network-based malware detection
solution is deployed. It is deployed in major mobile and fixed networks around the world,
covering over 100 million devices.
2015 first half highlights
Mobile
•	 The mobile infection rate declined to 0.50% in Q1 due to a reduction in infections on devices running
the Android™ operating system (Android) and then rose to 0.75% at the end of Q2 due to a noticeable
increase in adware infections on PCs running the Microsoft Windows® operating system (Windows/PCs).
•	 80% of infections on the mobile network are attributable to Windows/PCs connected via dongles,
mobile Wi-Fi® hotspots or tethered through phones.
•	 Mobile spyware is definitely on the increase. Ten of the malware entries on the top 25 mobile
infection list are mobile spyware. These are apps that are used to spy on the phone’s owner. They
track the phone’s location, monitor ingoing and outgoing calls and text messages, monitor email and
track the victim’s web browsing.
Residential
•	 The overall monthly infection rate in residential fixed broadband networks averaged 14.4%, up slightly
from 2014. The increase is mostly attributable to an increase in moderate-threat-level adware infections.
•	 The infection rate for high-level threats such as bots, rootkits, keyloggers and banking Trojans
increased to 6.3% from 5% in 2014.
80% of mobile infections are on Windows PCs.
14% of homes are infected with malware.
10 of the top 25 smartphone infections are spyware.
Malware in mobile networks
In the first half of 2015 the overall mobile infection rate continued its upward trend. The number of
Android malware samples continued to grow significantly, but not at the exponential rates seen in 2013.
Mobile network infection rate
Figure 1 shows the percentage of infected mobile devices observed on a monthly basis since December
2012. This data is averaged from actual mobile deployments.
Figure 1. Mobile infection rate since December 2012
(Chart: monthly mobile infection rate, y-axis 0.4% to 0.8%, x-axis October 2012 to July 2015.)
After two years of growth, the infection rate for mobile devices actually dropped from 0.68% in January
2015 to 0.50% in April. It then rebounded to close the first half of 2015 at 0.75% at the end of June.
A number of factors caused this, but the major contributing factors have been a reduction in Android
infections in the early part of the year followed by an increase in Windows/PC infections in Q2.
Infections by device type
Figure 2 shows the percentage of infections by device type. Most people are surprised to find such a
high proportion of Windows/PC devices involved. These Windows/PCs are connected to the mobile
network via dongles and mobile Wi-Fi devices or simply tethered through smartphones. They are
responsible for a large percentage of the malware infections observed. This is because these devices are
still the favorite of hardcore professional cybercriminals who have a huge investment in the Windows
malware ecosystem. As the mobile network becomes the access network of choice for many Windows/
PCs, the malware moves with them. In June of 2015 Windows/PCs were responsible for about 80% of
the malware infections that we detected on the mobile network.
Figure 2. Infected device types from 2013 to 2015
(Chart: infected device type 2013 to 2015, share of Android versus Windows infections, y-axis 0 to 100%, x-axis January 2013 to June 2015.)
Between 2013 and 2014 the contribution to the infection rates in the mobile network was roughly
50/50 between Android and Windows/PCs. This changed significantly in 2015. At the end of Q2, 80%
of infections observed on the mobile network were from Windows/PCs connected via dongles, mobile
Wi-Fi hotspots or tethered through phones. Android devices made up 20% of the infections. The other
smartphones (iPhone, Blackberry, Windows Mobile, etc.) made up less than 1% of the infections we have
observed. The iPhone and Blackberry have a more controlled app distribution environment and are
thus less of a target.
Two factors contributed to this change. In Q1 the actual number of Android infections declined. This
was followed by a significant increase in Windows/PC adware infections in Q2.
Currently most Android malware is distributed as “Trojanized” apps and Android offers the easiest
target for this because of its open app environment. Specifically, the following Android issues have
been observed:
•	 Android apps can be downloaded from third-party app stores and web sites.
•	 There is no control of the digital certificates used to sign Android apps.
	–	Android apps are usually self-signed and can’t be traced to the developer.
	–	It is easy to hijack an Android app, inject code into it and re-sign it.
Another way to look at the data is to show the contribution of the device types to the infection rate
itself, as shown in Figure 3.
Figure 3. Contribution to infection rate by device type
(Chart: infections by device type, Android, Windows and total, y-axis 0.0% to 0.8%, x-axis October 2012 to July 2015.)
This clearly indicates the reduction in Android infection in Q1 and the increase in Windows/PC infection
in Q2.
The Android reduction is probably due to efforts by Google to eliminate malware from Google Play
and to the introduction of the Verify Apps feature on Android. Most Android malware is distributed as
Trojanized apps that are downloaded and installed from Google Play and other third-party app stores.
So eliminating malware from the app store and verifying apps at install time can have a major impact
on the infection rate. The Verify Apps feature was introduced in Android 4.2 (JellyBean) and is now
available on close to 80% of deployed devices. It is activated by default, but the user does have to
consent to have the service run the first time they side-load an app.
The increase in Windows/PC infections can be attributed to the fact that more people are using their
phone’s data connection to provide Internet access for their devices. Most of these infections are due
to a resurgence of moderate-threat-level adware, bundled with games and free software.  
Android malware samples continue growth in 2015
An indicator of Android malware growth is the increase in the number of samples in our malware
database. The chart below shows numbers since June 2012.
Figure 4. Mobile malware samples since June 2012
(Chart: mobile malware samples, y-axis 0 to 300,000, x-axis July 2012 to July 2015.)
The number of Android malware samples more than doubled in the first half of 2015.
Top Android malware
Table 1 shows the top 25 Android malware infections detected in H2 2014 in the networks where the
Motive solution is deployed.
Table 1. Top 25 Android malware detected in H2 2014
NAME  THREAT LEVEL  SHARE (%)  PREVIOUS RANK
Android.MobileSpyware.Kasandra High 31.30 New
Android.Adware.Uapush.A Moderate 28.82 1
Android.Trojan.SmsTracker High 22.36 3
Android.MobileSpyware.Gappusin High 2.86 New
Android.MobileSpyware.SpyMob.a High 2.05 5
Android.Trojan.FakeFlash High 1.46 7
Android.MobileSpyware.CellSpy High 0.98 New
Android.MobileSpyware.Tekwon.A High 0.87 16
Android.Trojan.Wapsx High 0.86 8
Android.Bot.Notcompatible High 0.77 6
Android.Trojan.SMSreg.gc High 0.74 41
Android.MobileSpyware.Phonerec High 0.55 15
Android.Trojan.Qdplugin High 0.54 10
Android.ScareWare.SLocker.A High 0.52 New
Android.MobileSpyware.GinMaste High 0.47 9
Android.MobileSpyware.Spyoo.C High 0.39 27
Android.Backdoor.Agent.bz High 0.34 New
Android.Downloader.Stew.a High 0.29 New
Android.MobileSpyware.FakeDoc High 0.28 21
Android.ScareWare.Koler.C High 0.26 13
Android.Adware.Kuguo.A Moderate 0.22 18
Android.Backdoor.Advulna High 0.21 14
Android.MobileSpyware.SpyBubbl High 0.2 13
Android.Backdoor.Opfake.a High 0.17 34
Android.Trojan.Cajino High 0.15 New
Cybercriminals are quick to take advantage of opportunities that are unique to the mobile ecosystem.
Ten of the top 25 are in the mobile spyware category. These are apps that are used to spy on the
phone’s owner. They track the phone’s location and monitor ingoing and outgoing calls and text
messages. These are functions that are unique to the mobile environment. Similarly the SMS Trojans
that make their living by sending text messages to premium SMS numbers are unique to the mobile
space. Two of the top 25 fall into this category.
However, there is also a cross-over from the traditional Windows/PC malware space. For example the
top 25 includes:
•	 A variety of scare-ware apps that try to extort money by claiming to have encrypted the phone’s data
•	 Identity theft apps that steal personal information from the device
•	 Malicious adware that uses personal information without consent to provide annoying targeted ads
•	 A web proxy app that allows hackers to anonymously browse the web through an infected phone (at
the owner’s expense)
 
Examples of mobile threats
Kasandra.B is a high-threat-level Android remote-access Trojan. It is packaged to look like Kaspersky’s
Security for Mobile, but is actually a Trojan that gives the attacker unrestricted access to sensitive
details such as Short Message Service (SMS) messages, contact lists, call logs, browser history (including
banking credentials), and GPS location data stored in Android devices. It stores all the data in an
“adaptive multi-rate file on the SD card” to later upload them to a remote command and control (C&C)
server. It is also known as SandroRAT.
Figure 5. Kasandra.B summary
Name: Android.MobileSpyware.Kasandra.B
Signature State: Active
Type: MobileSpyware
Class: Cybercrime
Level: High
(Charts: signature hits and infections, May 16 to Aug 01; map panel labelled ANDROID.MOBILESPYWARE.KASANDRA.B.)
Uapush.A is an Android adware Trojan with a moderate threat level; it also sends SMS messages and
steals personal information from the compromised device. The malware has its web-based C&C site
located in China.
Figure 6. Uapush.A summary
Name: Android.Adware.Uapush.A
Signature State: Active
Type: Adware
Class: Spyware
Level: Moderate
(Charts: signature hits and infections, May 16 to Aug 01; map panel labelled ANDROID.ADWARE.UAPUSH.A.)
SMSTracker is an Android spyphone app that provides a complete remote phone tracking and
monitoring system for Android phones. It allows the attacker to remotely track and monitor all SMS,
Multimedia Messaging Service (MMS), text messages, voice calls, GPS locations and browser history. This
is also known as Android.Monitor.Gizmo.A.
Figure 7. SMSTracker summary
Name: Android.MobileSpyware.SMSTracker
Signature ID: 2807732
Signature State: Active
Type: Mobile Spyware
Class: Identity Theft
Level: High
(Charts: signature hits and infections, May 16 to Aug 01; map panel labelled ANDROID.TROJAN.SMSTRACKER.)
SpyMob.A is a commercial monitoring tool that collects information pertaining to SMS messages, contact
list, call log and GPS location of a targeted device. These details are later uploaded to Spy2Mobile
servers and can be viewed by logging in to the user’s account at Spy2Mobile.com. For more details on
its capabilities and features, see http://spytomobile.com/en.
Figure 8. SpyMob.A summary
Name: Android.MobileSpyware.SpyMob.A
Signature State: Active
Type: MobileSpyware
Class: Cybercrime
Level: High
(Charts: signature hits and infections, May 16 to Aug 01; map panel labelled ANDROID.MOBILESPYWARE.SPYMOB.A.)

NotCompatible is an Android bot that uses the infected phone to provide anonymous proxy web
browsing services. This can consume large amounts of bandwidth and airtime, as the phone serves as a
proxy for illicit web browsing activity. The C&C is located in Germany and Holland. The C&C protocol is
the same as that of a Windows-based web proxy bot.
Figure 9. NotCompatible summary
Name: Android.Bot.NotCompatible
Signature State: Active
Type: Bot
Class: Cybercrime
Level: High
(Charts: signature hits and infections, May 16 to Aug 01; map panel labelled ANDROID.BOT.NOTCOMPATIBLE.)
Koler is an Android scareware Trojan that claims it has encrypted all the data on your phone and
demands a ransom to restore the data. The victims are usually visitors to Internet-based pornographic
sites, who are duped into downloading and installing a “premium access video player.” The malware
“lock-screen” is customized depending on the location of the phone.
Figure 10. Koler summary
Name: Android.Scareware.Koler
Signature State: Active
Type: Scareware
Class: Cybercrime
Level: High
(Charts: signature hits and infections, May 16 to Aug 01; map panel labelled ANDROID.SCAREWARE.KOLER.C.)
Malware in fixed residential networks
In 2014 the infection rate in residential networks rose significantly, as can be seen in the chart in
Figure 11. However, the increase was almost entirely due to moderate-threat-level “adware” infections. This
dropped off somewhat in the first half of 2015, while high-threat-level infections remained fairly level.
Figure 11. Residential infection rate
(Chart: residential infection rate (%) per quarter, total, high and moderate, Q1 2012 to Q2 2015, y-axis 0 to 20.)
In Q1 2015, 15.7% of residences had some sort of malware infection. Of these, 6.6% had a high-threat-
level infection and 10.8% had a moderate infection. In Q2 2015, the overall infection rate dropped to
13.1%, with 6.0% high-threat-level infections and 8.8% moderate.
 
Top 20 residential network infections
Table 2 shows the top home network infections detected in Motive deployments. The results are
aggregated and the order is based on the number of infections detected over the six-month period
of this report.
Table 2. Top 20 home network infections
NAME  THREAT LEVEL  SHARE (%)  PREVIOUS RANK
Win32.Adware.PullUpdate Moderate 8.33 20
Win32.Trojan.Poweliks.A High 6.41 New
Win32.Adware.BrowseFox.G Moderate 6.07 6
Win32.Adware.ShopperPro.AR Moderate 5.71 29
Win32.AdWare.AddLyrics.T Moderate 5.58 4
Win32.Adware.MarketScore Moderate 5.29 12
Win32.Adware.Wysotot Moderate 4.74 2
Win32.Adware.iBryte Moderate 4.33 1
Win32.Adware.Eorezo Moderate 3.74 3
Win32.Downloader.Obvod.K High 3.37 35
Win32.Adware.Megasearch Moderate 2.68 8
Win32.Downloader.WinOptimizer High 2.42 New
Win32.Adware.OptimizerPro Moderate 2.4 22
Win32.Bot.ZeroAccess2 High 1.65 15
Win32.Adware.Bundlore Moderate 1.62 17
Win32.Trojan.Bunitu.B High 1.37 27
Win32.Adware.InstallMonetizer Moderate 1.36 19
Win32.Trackware.Binder High 1.28 9
Android.MobileSpyware.Kasandra High 1.16 New
Win32.ScareWare.Crowti.A High 1.06 New
In 2015 moderate-threat-level adware continued to dominate. Of the top 20 threats in the first half of
2015, 12 are adware. The activity of high-threat-level bots has declined somewhat, with the exception
of bots associated with DDoS, which have remained the same. It could be that cybercriminals now find
it more cost effective to rent cloud-based computing power for spam and phishing activity.
 
Top 20 high-threat-level infections
Table 3 shows the top 20 high-threat-level malware infections that lead to identity theft, cybercrime or
other online attacks.
Table 3. Top 20 high-threat-level infections
NAME  SHARE (%)  PREVIOUS RANK
Win32.Trojan.Poweliks.A 18.7 35
Win32.Downloader.Obvod.K 9.84 12
Win32.Downloader.WinOptimizer 7.05 New
Win32.Bot.ZeroAccess2 4.82 3
Win32.Trojan.Bunitu.B 3.99 7
Android.MobileSpyware.Kasandra 3.38 New
Win32.ScareWare.Crowti.A 3.1 New
Win32.Trojan.Malagent 3.03 8
Win32.Downloader.Banload.AUN 1.6 19
Win32.Trojan.Comine.M 1.33 36
Win32.Trojan.Pesut.A 1.21 44
Win32.Trojan.Usinec.A 1.14 37
Win32.Trojan.Googost.A 1.13 84
Win32.Trojan.Zeprox.A 1.1 55
Win32.Trojan.Clicker 1.1 20
Win32.Downloader.DownloadAssis 1.1 25
Indep.Bot.DNSAmplification 1.07 1
Win32.Trojan.CI.A 0.96 5
Win32.Downloader.Ramnit.J 0.94 47
Win32.Worm.Koobface.gen.B 0.84 10
The top 20 list contains the usual suspects from previous reports with bots, downloaders, banking
Trojans, and password stealers.
 
Top 25 most prolific threats
Figure 12 shows the top 20 most prolific malware infections found on the Internet. The order is based
on the number of distinct samples we have captured from the Internet at large. Finding a large number
of samples indicates that the malware distribution is extensive and that the malware author is making
a serious attempt to evade detection by antivirus products.
Figure 12. Most prolific malware
(Bar chart of share of captured samples, x-axis 0% to 9%, in descending order:)
Worm:Win32/Allaple.A
Worm.Win32/Soltern.L
Virus:Win32/Elkern.B
Worm:Win32/Vobfus.EK
Trojan:Win32/Beaugrit.gen!AAA
Virus:Win32/Nabucur.D
SoftwareBundler:Win32/InstalleRex
Virus:Win32/Ramnit.A
Virus:Win32/Virut.BN
Virus:Win32/Sality.AT
Virus:Win32/Virut.BR
TrojanDownloader:Win32/Upatre.AA
Virus:Win32/Parite.B
Virus:Win32/Mikcer.B
Virus:Win32/Expiro.CD
TrojanSpy:Win32/Lydra.gen!A
Virus:Win32/Virut.EPO
TrojanDownloader:Win32/Upatre
TrojanDownloader:Win32/Tugspay.A
Virus:Win32/Virut.BO
 
2015 so far
Stagefright
Stagefright was the major story at the end of Q2 2015. It is a series of vulnerabilities in Android’s media
display software that provides attackers with complete control of the phone by simply sending it an MMS
message with a specially crafted media attachment. When the message is received, Android automatically
tries to open the attachment and the device is infected without any interaction from the user. So far
there is no known malware in the wild that exploits this vulnerability, but a proof-of-concept exploit that
provided remote root access to the phone was demonstrated at the Black Hat USA conference in August
2015. Google has pointed out that Android’s built-in “Address Space Layout Randomization” feature
will make it difficult for attackers to exploit this vulnerability. I guess we’ll find out.
What’s so remarkable about the Stagefright vulnerability is that the sheer number of potentially affected
mobile devices is estimated to be close to 1 billion. While the scale of the exposure is unprecedented in
the mobile device landscape, the really scary part is that the attacker can take complete control of the
phone by simply sending it an MMS message, bypassing any on-device security solutions.
Patches are available, but the real question is how to get them deployed. One positive aspect of
Stagefright is that it has forced Google, Android phone manufacturers and the mobile carriers to take
a serious look at how to improve the ability to get security patches deployed in the field. Updates
are now available for Google’s Nexus line and Samsung, HTC, LG, Sony and Motorola all have updates
available. One interim solution is to disable automatic processing of multimedia attachments.
Stagefright is not the only vulnerability discovered in 2015. Security researchers have been fairly busy
so far this year. Researchers at MWR discovered a flaw in the Google Admin app that could be used by
a malicious app to “break into the app’s sandbox environment and read its files.” Trend Micro reported
another vulnerability in the media display software that can be used in a similar manner to Stagefright.
IBM researchers also demonstrated an Android deserialization flaw that allows code execution in the
system server process.
Despite the reduction in Android infections in the first half of 2015, vulnerabilities like Stagefright
remind us that the potential for a major infection event is always a possibility. We have also noticed that
smartphone malware is becoming more sophisticated in both its C&C and its persistence on the device.
For the first time we recently witnessed Android malware that was able to survive a factory reset.
Encrypted command and control
Motive Security Guardian detects malware infections by looking for known C&C exchanges in the
network traffic. So how can we detect malware if the C&C traffic is encrypted? This is an excellent
question that has been made more relevant by the fact that over the past year the use of Secure
Sockets Layer (SSL) encryption for web applications has increased significantly. The assumption
is that as more regular apps move to SSL, so will the malware C&C.
So we reviewed some stats from our malware analysis lab. Only 2.6% of active malware families
used encrypted C&C protocols and most of those could be detected by inspecting the traffic. Often
encrypted C&C traffic can be identified by characteristics in the initial handshake between the bot and
its controller, key exchanges, file downloads, exploit attempts and scanning activity. This can include
specific packet content, port numbers, packet lengths and packet sequences. In some cases it is very
easy to identify the bot. For example:
•	 Malware that uses its own home-grown cryptography is usually the easiest to detect due to its use
of fixed keys that result in fixed binary content, use of specific ports, or use of an easily recognizable
key exchange sequence.
•	 Malware that spreads by means of a network vulnerability can be detected from the use of that
vulnerability, which is something that can’t be encrypted.
•	 Malware that generates other network activity, such as DDoS, spam or scanning, can be identified
by that activity even though the C&C is secure.
Malware that uses standard cryptography such as SSL is more difficult, but in these cases we can often
use the certificate exchange, which is done in clear text, to identify the malware. In cases where this
is not possible, we can often accurately identify the malware using IP or Domain Name System (DNS)
blacklists.
In the first half of this year we have analyzed network traffic from 332 unique malware families.
We were unable to develop detection rules for only four of those due to encryption.
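The section above lists the clear-text features that still identify a bot whose C&C payload is encrypted: a fixed binary handshake on a fixed port for home-grown cryptography, the unencrypted certificate or hostname exchange for SSL, and IP or DNS blacklists. The following Python is an added example (not code from the report or from Motive Security Guardian) showing how such rules are applied to the first client packet of a flow. It parses the TLS ClientHello far enough to read the server name indication and the offered cipher suites, and then applies three constructed rules; the magic bytes, port, blocklisted hostname and cipher-suite fingerprint are all made-up placeholders, not real indicators.

```python
"""Spotting encrypted C&C from the parts of a session that are not encrypted."""
import struct

# Constructed example values: a hypothetical home-grown C&C protocol whose
# handshake always starts with the same 4 bytes on a fixed port (a fixed key
# producing fixed binary content), a placeholder C&C hostname, and a constructed
# ordered cipher-suite list treated as the fingerprint of one sample family.
HOMEGROWN_MAGIC = b"\xde\xad\xc0\xde"
HOMEGROWN_PORT = 6667
SNI_BLOCKLIST = {"c2.example.invalid"}
SUITE_FINGERPRINTS = {(0x0005, 0x000A)}


def build_client_hello(sni, cipher_suites):
    """Build a minimal TLS 1.2 ClientHello record; used only to create test traffic."""
    suites = b"".join(struct.pack(">H", s) for s in cipher_suites)
    ext_body = b""
    if sni is not None:
        name = sni.encode()
        server_name = b"\x00" + struct.pack(">H", len(name)) + name   # host_name type 0
        name_list = struct.pack(">H", len(server_name)) + server_name
        ext_body = struct.pack(">HH", 0x0000, len(name_list)) + name_list
    body = (b"\x03\x03" + b"\x11" * 32                  # client_version, random
            + b"\x00"                                   # empty session_id
            + struct.pack(">H", len(suites)) + suites
            + b"\x01\x00"                               # compression: null only
            + struct.pack(">H", len(ext_body)) + ext_body)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # client_hello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def parse_client_hello(data):
    """Extract SNI and cipher suites from a ClientHello; None if data is not one."""
    try:
        if data[0] != 0x16 or data[5] != 0x01:   # handshake record, client_hello message
            return None
        pos = 9 + 2 + 32                          # skip headers, version, random
        pos += 1 + data[pos]                      # session_id
        cs_len = struct.unpack(">H", data[pos:pos + 2])[0]
        pos += 2
        suites = [struct.unpack(">H", data[i:i + 2])[0]
                  for i in range(pos, pos + cs_len, 2)]
        pos += cs_len
        pos += 1 + data[pos]                      # compression_methods
        sni = None
        if pos + 2 <= len(data):                  # extensions block is optional
            end = pos + 2 + struct.unpack(">H", data[pos:pos + 2])[0]
            pos += 2
            while pos + 4 <= end:
                etype, elen = struct.unpack(">HH", data[pos:pos + 4])
                pos += 4
                if etype == 0x0000:               # server_name: list len, type, name len, name
                    nlen = struct.unpack(">H", data[pos + 3:pos + 5])[0]
                    sni = data[pos + 5:pos + 5 + nlen].decode("ascii")
                pos += elen
        return {"sni": sni, "cipher_suites": suites}
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                               # truncated or malformed: not a ClientHello


def classify_flow(dst_port, payload):
    """Label the first client packet of a flow using only clear-text features."""
    if dst_port == HOMEGROWN_PORT and payload.startswith(HOMEGROWN_MAGIC):
        return "homegrown-crypto-c2"          # fixed key => fixed handshake bytes
    hello = parse_client_hello(payload)
    if hello is None:
        return "unknown"
    if hello["sni"] in SNI_BLOCKLIST:
        return "tls-c2-blocklisted-sni"        # hostname exchanged in clear text
    if tuple(hello["cipher_suites"]) in SUITE_FINGERPRINTS:
        return "tls-c2-suite-fingerprint"      # handshake characteristics
    return "tls-benign"


if __name__ == "__main__":
    print(classify_flow(443, build_client_hello("c2.example.invalid", [0x002F, 0x0035])))
    print(classify_flow(443, build_client_hello(None, [0x0005, 0x000A])))
    print(classify_flow(HOMEGROWN_PORT, HOMEGROWN_MAGIC + b"\x00" * 16))
```

The parser deliberately stops at the ClientHello: everything after the handshake is encrypted and a network sensor can only reason about what is visible before the key exchange completes, which is exactly the limitation the report describes for the four families it could not cover.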
Scanning, DDoS and NAT
A lot of scanning is taking place out there on the Internet. Most of it is due to cybercriminals (or
security researchers) looking for vulnerable hosts. In mobile networks this can have an unexpected side
effect. When a mobile device establishes a data connection, it is assigned an IP address and provided
with connectivity to the Internet. Although the Internet connection will remain logically established, the
actual radio connection to the local cell is typically timed out after 10 to 20 seconds of inactivity and
the device is moved to an idle state. If someone on the Internet sends an IP packet to an idle device, the
radio connection must be re-established via a mechanism called paging in order to deliver the packet.
This paging process uses significant radio resources. Since many devices will typically be in the idle
state, scanning through an IP subnet can cause a “paging storm” and overload limited radio resources.
We commonly see scans looking for hosts that will participate (unwillingly) in DDoS amplification
attacks. We have seen this for both DNS and Network Time Protocol (NTP) amplification attacks. For
example, it is quite common in mobile networks to have mobile Wi-Fi hotspots that act as recursive
DNS servers and can be leveraged to participate in a DNS DDoS attack. Here the mobile operator has
double jeopardy. The scanning causes “paging storms” and the actual DDoS attack puts a huge stress on
the mobile carrier’s DNS infrastructure.
Neither the scanning nor the DDoS problem is an issue if network address translation (NAT) is used.
Since many mobile carriers use NAT, they are not currently vulnerable to these problems. However,
if they migrate to Internet-accessible IPv6 addresses, their mobile devices will become visible to the
Internet and they will have to worry about scanning and DDoS activities.
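The two problems described above, an external source sweeping a subnet of idle devices and a hotspot acting as an open recursive resolver for amplification, both leave a footprint in flow records. The following Python is an added example (not code from the report) that applies two simple detections to constructed flow records: a subnet-sweep check that counts distinct destinations per source, and an open-resolver check that looks for port 53 queries from outside the carrier's own prefix answered with a large response-to-request byte ratio. The addresses are documentation ranges and the thresholds are illustrative assumptions.

```python
"""Flow-record detections for subnet scanning and DNS amplification abuse."""
from collections import defaultdict

# Constructed flow records: (src, dst, dst_port, proto, qtype, req_bytes, resp_bytes).
# 203.0.113.0/24 plays the carrier's mobile subnet; 198.51.100.x are external hosts.
CARRIER_PREFIX = "203.0.113."
SAMPLE_FLOWS = (
    # External scanner probing 40 devices in the carrier subnet (paging-storm risk).
    [("198.51.100.7", f"{CARRIER_PREFIX}{i}", 53, "udp", "ANY", 60, 0) for i in range(1, 41)]
    # Hotspot 203.0.113.5 answering external ANY queries with large responses.
    + [("198.51.100.9", f"{CARRIER_PREFIX}5", 53, "udp", "ANY", 64, 3100)] * 3
    # Ordinary query from a subscriber to the carrier's resolver.
    + [(f"{CARRIER_PREFIX}20", "192.0.2.53", 53, "udp", "A", 58, 120)]
)


def detect_subnet_sweeps(flows, min_targets=20):
    """Return {src: distinct_destinations} for sources touching many carrier hosts."""
    targets = defaultdict(set)
    for src, dst, *_ in flows:
        if dst.startswith(CARRIER_PREFIX):
            targets[src].add(dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= min_targets}


def detect_open_resolver_abuse(flows, min_ratio=10.0, min_queries=3):
    """Return {resolver: amplification} for carrier hosts answering external DNS queries.

    Only flows to port 53 from sources outside the carrier prefix that actually
    received a reply are counted; the ratio is total response bytes over request bytes.
    """
    stats = defaultdict(lambda: {"queries": 0, "req": 0, "resp": 0})
    for src, dst, dport, _proto, _qtype, req, resp in flows:
        if dport != 53 or resp == 0 or src.startswith(CARRIER_PREFIX):
            continue
        if not dst.startswith(CARRIER_PREFIX):
            continue
        s = stats[dst]
        s["queries"] += 1
        s["req"] += req
        s["resp"] += resp
    flagged = {}
    for dst, s in stats.items():
        ratio = s["resp"] / s["req"]
        if s["queries"] >= min_queries and ratio >= min_ratio:
            flagged[dst] = round(ratio, 1)
    return flagged


if __name__ == "__main__":
    print("subnet sweeps:", detect_subnet_sweeps(SAMPLE_FLOWS))
    print("open resolvers:", detect_open_resolver_abuse(SAMPLE_FLOWS))
```

On the constructed records the sweep check reports the external scanner with 40 distinct carrier targets, and the resolver check reports the hotspot with an amplification factor of about 48; the subscriber's ordinary query is ignored because it originates inside the carrier prefix and its reply is small.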
New adware
Adware has definitely been on the increase in 2015 with the ads themselves becoming more sinister.
One of interest is called BetterSurf. This is moderate-threat-level Windows adware. This malware arrives
with software bundlers that offer free applications or games. When installed, it adds a plugin to the
Internet Explorer, Firefox and Chrome browsers that injects popup ads into web pages. So far it looks
like regular, run-of-the-mill adware; however the ads themselves are dangerous.
Many are phishing attempts that redirect the browser to web sites that attempt to install additional
unwanted applications on the infected device. Some of the ads are full screen popups that are designed
to look like instructions from Microsoft asking you to download and install the latest security patch.
One popup looked like a “blue screen error” with instructions to call a 1-800 number for technical
support. When you call the numbers you are taken to a “help desk” that immediately asks for remote
access to your computer and then charges exorbitant rates for bogus technical support for non-existent
problems. The screen shot is shown in Figure 13.
Figure 13. Example of BetterSurf adware infection
Mobile spyware
In the mobile space the use of commercial spyphone apps has really taken off. These apps allow you
to track the movements of the phone’s owner, their phone calls, text messages, e-mails and browsing
habits. Often these are used for reasonable activities, like keeping track of your children, but there are
also far more sinister uses for these types of applications.
The modern smartphone also presents the perfect platform for cyber-espionage. First, it can be used
simply as a tool that the owner (spy) can use to photograph, film, record audio, scan networks and send
the results immediately through the air to a safe site for analysis. In the “bring your own device” (BYOD)
context it makes a perfect target for advanced persistent threat (APT) attacks. A smartphone infected
with professional mobile spyware allows the attacker to:
•	 Monitor the victim’s location
•	 Monitor phone calls and text messages
•	 Monitor e-mail and contacts
•	 Access data on the phone
•	 Take pictures and video
•	 Record conversations
•	 Scan and probe the local corporate network
•	 Exfiltrate data through the air, bypassing corporate firewalls
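On Android, each capability in the list above is gated by a declared permission, so a decoded AndroidManifest.xml is a cheap first triage step for a suspected spyphone app. The following is an added example, not code from the report or from Motive Security Labs: it maps the capabilities above onto the permissions that grant them, scores a manifest, and applies one extra heuristic (spyphone apps usually declare no launcher activity so that no icon appears). The capability table, the verdict thresholds and the two sample manifests are all constructed for illustration.

```python
"""Permission-based triage of an Android manifest for spyware-like capability.

Added example, not from the report. The capability-to-permission table, the
thresholds and the two manifests below are assumptions made for illustration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Which declared permissions grant each capability named in the spyware list.
CAPABILITY_PERMISSIONS = {
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "calls": {"android.permission.READ_CALL_LOG",
              "android.permission.PROCESS_OUTGOING_CALLS"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "accounts": {"android.permission.GET_ACCOUNTS"},
    "camera": {"android.permission.CAMERA"},
    "microphone": {"android.permission.RECORD_AUDIO"},
    "storage": {"android.permission.READ_EXTERNAL_STORAGE"},
    # Not surveillance by themselves, but needed to ship data out and to survive a reboot.
    "exfiltration": {"android.permission.INTERNET"},
    "persistence": {"android.permission.RECEIVE_BOOT_COMPLETED"},
}
SURVEILLANCE = {"location", "calls", "sms", "contacts", "accounts", "camera", "microphone", "storage"}


def declared_permissions(manifest_xml):
    """All <uses-permission android:name=...> values in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def capabilities(manifest_xml):
    """Capabilities the app could exercise, judged from its declared permissions."""
    perms = declared_permissions(manifest_xml)
    return {cap for cap, needed in CAPABILITY_PERMISSIONS.items() if perms & needed}


def has_launcher_activity(manifest_xml):
    """True if some activity is exposed on the home screen (MAIN action + LAUNCHER category)."""
    root = ET.fromstring(manifest_xml)
    for activity in root.iter("activity"):
        for f in activity.iter("intent-filter"):
            actions = {a.get(ANDROID_NS + "name") for a in f.iter("action")}
            cats = {c.get(ANDROID_NS + "name") for c in f.iter("category")}
            if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in cats:
                return True
    return False


def triage(manifest_xml):
    """Score one manifest; thresholds are illustrative, not a vendor rule."""
    caps = capabilities(manifest_xml)
    surveillance = sorted(caps & SURVEILLANCE)
    exfil = "exfiltration" in caps
    hidden = not has_launcher_activity(manifest_xml)
    # Spyphone profile: several monitoring capabilities plus a way to send data out,
    # or any monitoring capability in an app that shows no icon at all.
    if exfil and (len(surveillance) >= 3 or (surveillance and hidden)):
        verdict = "spyware-like"
    elif exfil and surveillance:
        verdict = "review"
    else:
        verdict = "benign-looking"
    return {"surveillance": surveillance, "can_exfiltrate": exfil,
            "persistent": "persistence" in caps, "hidden_from_launcher": hidden,
            "verdict": verdict}


# Constructed manifests (not real apps): a hidden "system service" and an ad-supported flashlight.
SPY_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.sysservice">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="System Service">
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <service android:name=".CollectorService"/>
  </application>
</manifest>"""

FLASHLIGHT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Flashlight">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

if __name__ == "__main__":
    for name, m in (("sysservice", SPY_MANIFEST), ("flashlight", FLASHLIGHT_MANIFEST)):
        print(name, triage(m))
```

Permissions are necessary but not sufficient evidence: a messaging client legitimately reads SMS and contacts, so a "spyware-like" verdict here is a cue to look at the code and, as the report's own approach does, at where the app sends its data, not a conviction on its own.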
 
Summary and conclusion
On the fixed residential side, the overall malware infection rate rose to 15.7% in Q1 and then dropped
to 13.1% in Q2. The biggest factor in these changes was moderate-threat-level adware. The infection
rate for high-threat-level infections increased in 2015: currently 6% of homes monitored by Motive
Security Guardian are infected with a high-threat-level variety of malware such as bots, rootkits or
banking Trojans.
On the mobile front, infection levels rose to 0.75% in Q2 2015 from 0.68% in December 2014. However,
the increase was due to infections on Windows/PCs and laptops connected to the mobile network via
phones, dongles and mobile Wi-Fi hotspots; Android infection rates actually fell in 2015. Less than 1%
of the infections are from other devices such as iPhones, BlackBerry smartphones and Windows Phones.
The number of Android malware samples in our database more than doubled in the first half of 2015.
Despite the reduction in Android infections in the first half of 2015, vulnerabilities like Stagefright
remind us that a major infection event is always possible. We have also noticed that smartphone
malware is becoming more sophisticated in both its C&C and its persistence on the device. For the
first time we recently witnessed Android malware that was able to survive a factory reset.
In terms of malware trends, on the mobile side we have seen an increase in mobile spyware that tracks
the victim’s calls, text messages and location. On the residential side, we have seen a significant
increase in adware, with 12 of the top 20 infections (Table 2) in that category.
 
Terminology and definitions
This section defines some of the terminology used in the report.

Advanced persistent threat (APT): A targeted cyber-attack launched against a company or government
department by professional hackers using state-of-the-art tools, usually with information theft as the
main motivation.

Infection vector: The mechanism used to infect a computer or network device. For example, on computers
running the Windows operating system the most popular infection vector is a web-based exploit kit,
whereas on Android phones it is a Trojanized application.

Bot: An infected computer that is part of a botnet. A botnet is a network of infected computers that
are controlled remotely via the Internet by cyber-criminals. Botnets are used for sending spam e-mail,
ad-click fraud, DDoS attacks, distributing additional malware, Bitcoin mining and a variety of other
purposes.

Rootkit: A malware component that compromises the computer’s operating system software in order to
conceal the malware from antivirus and other detection technologies.

Trojan: A computer program or application that looks fine on the surface but actually contains malware
hidden inside. From the term Trojan Horse.

High/moderate threat level: We split malware into high and moderate threat levels. High is any threat
that does damage, steals personal information or steals money. A moderate threat is one that does no
serious damage but will be perceived by most as annoying and disruptive.

Ad-click fraud: Advertisers pay money, typically a few cents, when someone clicks on a web-based
advertisement. Ad-click fraud occurs when someone uses software to fake these ad clicks and collects
money from the advertisers for the fake clicks. Typically the ad-click software is packaged as malware
and distributed through a botnet controlled by cyber-criminals, who make money from the fraudulent
clicks.

Bitcoin mining: Bitcoin is a virtual currency in which new coins are created by performing
computationally expensive calculations. The process of executing these calculations to generate new
Bitcoins is referred to as Bitcoin mining. Cyber-criminals use large botnets to mine Bitcoins on their
victims’ computers.
 
www.alcatel-lucent.com Alcatel, Lucent, Alcatel-Lucent and the Alcatel-Lucent logo are trademarks
of Alcatel-Lucent. All other trademarks are the property of their respective owners.
The information presented is subject to change without notice. Alcatel-Lucent assumes no
responsibility for inaccuracies contained herein. Copyright © 2015 Alcatel-Lucent.
All rights reserved. PR1508013821EN (September)
About Motive Security Labs
Motive Security Labs focuses on the behavior of malware communications to develop network
detection rules that specifically and positively detect current threats. This approach enables the
detection of malware in the service provider’s network, and the signatures developed form the
foundation of the Motive Security Guardian product suite.
To accurately detect that a user is infected, our detection rule set looks for network behavior
that provides unequivocal evidence of infection coming from the user’s computer. This includes:
•	 Malware command and control (C&C) communications
•	 Backdoor connections
•	 Attempts to infect others (for example, exploits)
•	 Excessive e-mail
•	 Denial of Service (DoS) and hacking activity
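To make the idea of behavior-based network detection concrete, here is an added example, not Motive Security Labs' rule set or product code: a small detector that scores hosts from a batch of constructed flow records using three of the behaviors listed above, namely periodic C&C beaconing, excessive outbound e-mail, and port or host scanning. The flow-record format, the thresholds and the sample traffic are all assumptions made for illustration; a production rule would tune them per network and add the protocol-specific C&C signatures the report describes.

```python
"""Toy behaviour-based infection detector over flow records.

Added example, not Motive's rule set. Record format, thresholds and sample
traffic are assumptions for illustration only.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows (not real traffic): (t_seconds, src_ip, dst_ip, dst_port)
SAMPLE_FLOWS = (
    # 10.0.0.5 contacts the same host:port every 300 s: C&C beaconing
    [(300 * i, "10.0.0.5", "203.0.113.10", 443) for i in range(8)]
    # 10.0.0.7 opens SMTP sessions to 30 different mail servers in one minute: spam bot
    + [(2 * i, "10.0.0.7", f"198.51.100.{i + 1}", 25) for i in range(30)]
    # 10.0.0.9 touches 40 ports on one neighbour: vertical port scan
    + [(i, "10.0.0.9", "10.0.0.20", 1 + i) for i in range(40)]
    # 10.0.0.11 revisits one HTTPS site at irregular intervals: benign browsing
    + [(t, "10.0.0.11", "93.184.216.34", 443) for t in (0, 17, 95, 130, 400, 410, 1200)]
)

# Thresholds are illustrative assumptions, not a vendor's tuning.
BEACON_MIN_CONNS = 6       # repeats needed before judging regularity
BEACON_MIN_INTERVAL = 30.0 # seconds; shorter gaps look like a normal session, not a beacon
BEACON_MAX_CV = 0.15       # stdev/mean of inter-arrival gaps; near 0 means clockwork timing
SMTP_MAX_PEERS = 20        # distinct SMTP servers a client talks to
SCAN_MIN_PORTS = 25        # distinct ports on one destination (vertical scan)
SCAN_MIN_HOSTS = 25        # distinct destinations on one port (horizontal scan)


def detect_beaconing(flows):
    """Return {src: [(dst, port), ...]} for connections repeated at near-constant intervals."""
    by_tuple = defaultdict(list)
    for t, src, dst, port in flows:
        by_tuple[(src, dst, port)].append(t)
    hits = defaultdict(list)
    for (src, dst, port), times in by_tuple.items():
        if len(times) < BEACON_MIN_CONNS:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg >= BEACON_MIN_INTERVAL and pstdev(gaps) / avg <= BEACON_MAX_CV:
            hits[src].append((dst, port))
    return dict(hits)


def detect_excessive_email(flows):
    """Return {src: peer_count} for hosts talking SMTP to an unusual number of servers."""
    peers = defaultdict(set)
    for _, src, dst, port in flows:
        if port == 25:
            peers[src].add(dst)
    return {src: len(s) for src, s in peers.items() if len(s) > SMTP_MAX_PEERS}


def detect_scanning(flows):
    """Return {src: reason} for vertical (many ports, one host) or horizontal (one port, many hosts) scans."""
    ports_per_host = defaultdict(set)   # (src, dst)  -> ports touched
    hosts_per_port = defaultdict(set)   # (src, port) -> destinations touched
    for _, src, dst, port in flows:
        ports_per_host[(src, dst)].add(port)
        if port != 25:  # SMTP fan-out is judged by the e-mail rule instead
            hosts_per_port[(src, port)].add(dst)
    hits = {}
    for (src, dst), ports in ports_per_host.items():
        if len(ports) >= SCAN_MIN_PORTS:
            hits[src] = f"vertical scan of {dst}: {len(ports)} ports"
    for (src, port), dsts in hosts_per_port.items():
        if len(dsts) >= SCAN_MIN_HOSTS:
            hits.setdefault(src, f"horizontal scan on port {port}: {len(dsts)} hosts")
    return hits


def classify_hosts(flows):
    """Combine the three rules into a list of reasons per source host."""
    verdicts = defaultdict(list)
    for src in detect_beaconing(flows):
        verdicts[src].append("beaconing")
    for src in detect_excessive_email(flows):
        verdicts[src].append("excessive e-mail")
    for src in detect_scanning(flows):
        verdicts[src].append("scanning")
    return dict(verdicts)


if __name__ == "__main__":
    for host, reasons in sorted(classify_hosts(SAMPLE_FLOWS).items()):
        print(f"{host}: {', '.join(reasons)}")
```

The beaconing rule is the one worth studying: it keys on timing regularity rather than on the destination, so it still fires when the C&C channel is encrypted or moves to a new address, which is exactly the "encrypted command and control" trend the report notes. The benign host 10.0.0.11 makes more than the minimum number of connections but its gaps are irregular, so it is not flagged.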
Four main activities support our signature development and verification process:
1.	 Monitor information sources from major security vendors and maintain a database of currently
active threats
2.	 Collect malware samples (>10,000/day), then classify and correlate them against the threat database
3.	 Execute samples matching the top threats in a sandbox environment and compare their behavior
against our current signature set
4.	 Conduct a detailed analysis of the malware’s behavior and build a new signature if a sample fails
to trigger an existing one
As an active member of the security community, Motive Security Labs also shares this research
by publishing a list of home network infections and the top emerging threats on the Internet, and
through this report.

More Related Content

What's hot

Gupshup whats app_api_document_v1.2_29thjune
Gupshup whats app_api_document_v1.2_29thjuneGupshup whats app_api_document_v1.2_29thjune
Gupshup whats app_api_document_v1.2_29thjune
SantoshKrishnaSista
 
10 examples-of-social-media-command-centers
10 examples-of-social-media-command-centers10 examples-of-social-media-command-centers
10 examples-of-social-media-command-centers
Shamsher Khan
 

What's hot (11)

Android OS Security: Risks and Limitations. AISEC Technical Report
Android OS Security: Risks and Limitations. AISEC Technical ReportAndroid OS Security: Risks and Limitations. AISEC Technical Report
Android OS Security: Risks and Limitations. AISEC Technical Report
 
Stopping Malware
Stopping MalwareStopping Malware
Stopping Malware
 
Sample global animal shelter software market report 2022
Sample global animal shelter software market report 2022Sample global animal shelter software market report 2022
Sample global animal shelter software market report 2022
 
Compliance implications of social media
Compliance implications of social mediaCompliance implications of social media
Compliance implications of social media
 
State of Software Security - Enterprise Testing of Software Supply Chain
State of Software Security - Enterprise Testing of Software Supply ChainState of Software Security - Enterprise Testing of Software Supply Chain
State of Software Security - Enterprise Testing of Software Supply Chain
 
Gupshup whats app_api_document_v1.2_29thjune
Gupshup whats app_api_document_v1.2_29thjuneGupshup whats app_api_document_v1.2_29thjune
Gupshup whats app_api_document_v1.2_29thjune
 
Whats New In Wm65
Whats New In Wm65Whats New In Wm65
Whats New In Wm65
 
Wap Usability
Wap UsabilityWap Usability
Wap Usability
 
10 examples-of-social-media-command-centers
10 examples-of-social-media-command-centers10 examples-of-social-media-command-centers
10 examples-of-social-media-command-centers
 
Evolution of-exploit-kits
Evolution of-exploit-kitsEvolution of-exploit-kits
Evolution of-exploit-kits
 
BSidesSF 2016 - A year in the wild: fighting malware at the corporate level
BSidesSF 2016 - A year in the wild: fighting malware at the corporate levelBSidesSF 2016 - A year in the wild: fighting malware at the corporate level
BSidesSF 2016 - A year in the wild: fighting malware at the corporate level
 

Viewers also liked

Feet on the Ground and Phis in the Sky by Dani Barto (1)
Feet on the Ground and Phis in the Sky by Dani Barto (1)Feet on the Ground and Phis in the Sky by Dani Barto (1)
Feet on the Ground and Phis in the Sky by Dani Barto (1)
Dani Barto
 
DemetriusGoodwinresume2016.doc
DemetriusGoodwinresume2016.docDemetriusGoodwinresume2016.doc
DemetriusGoodwinresume2016.doc
Demetrius Goodwin
 
Revenue Recognition Is Changing(Funkadelic)
Revenue Recognition Is Changing(Funkadelic)Revenue Recognition Is Changing(Funkadelic)
Revenue Recognition Is Changing(Funkadelic)
Stephanie Hampton
 
Esseen palautus
Esseen palautusEsseen palautus
Esseen palautus
HooKooM
 
제 7장정의적 특성의 평가 이서영
제 7장정의적 특성의 평가 이서영제 7장정의적 특성의 평가 이서영
제 7장정의적 특성의 평가 이서영
서영 이
 

Viewers also liked (14)

F67 iii 2012-05-30
F67 iii 2012-05-30F67 iii 2012-05-30
F67 iii 2012-05-30
 
Red4348 critical assignment 1
Red4348 critical assignment 1Red4348 critical assignment 1
Red4348 critical assignment 1
 
Plow Through Your Winter Problems
Plow Through Your Winter ProblemsPlow Through Your Winter Problems
Plow Through Your Winter Problems
 
04. pti perangkat keras; cpu dan alat penyimpan
04. pti   perangkat keras; cpu dan alat penyimpan04. pti   perangkat keras; cpu dan alat penyimpan
04. pti perangkat keras; cpu dan alat penyimpan
 
Feet on the Ground and Phis in the Sky by Dani Barto (1)
Feet on the Ground and Phis in the Sky by Dani Barto (1)Feet on the Ground and Phis in the Sky by Dani Barto (1)
Feet on the Ground and Phis in the Sky by Dani Barto (1)
 
The Top 5 Hearing Aid Myths Exposed
The Top 5 Hearing Aid Myths ExposedThe Top 5 Hearing Aid Myths Exposed
The Top 5 Hearing Aid Myths Exposed
 
03. pti perangkat lunak
03. pti   perangkat lunak03. pti   perangkat lunak
03. pti perangkat lunak
 
DemetriusGoodwinresume2016.doc
DemetriusGoodwinresume2016.docDemetriusGoodwinresume2016.doc
DemetriusGoodwinresume2016.doc
 
Revenue Recognition Is Changing(Funkadelic)
Revenue Recognition Is Changing(Funkadelic)Revenue Recognition Is Changing(Funkadelic)
Revenue Recognition Is Changing(Funkadelic)
 
Esseen palautus
Esseen palautusEsseen palautus
Esseen palautus
 
Presentazione iniziale - Parole chiave - Idee - Brevetti esistenti
Presentazione iniziale - Parole chiave - Idee - Brevetti esistentiPresentazione iniziale - Parole chiave - Idee - Brevetti esistenti
Presentazione iniziale - Parole chiave - Idee - Brevetti esistenti
 
NMO WS15 v2 web
NMO WS15 v2 webNMO WS15 v2 web
NMO WS15 v2 web
 
제 7장정의적 특성의 평가 이서영
제 7장정의적 특성의 평가 이서영제 7장정의적 특성의 평가 이서영
제 7장정의적 특성의 평가 이서영
 
MFS Team Proposal
MFS Team ProposalMFS Team Proposal
MFS Team Proposal
 

Similar to Motive_Security_Labs_Malware_Report_1H2015

Symantec Internet Security Threat Report - 2009
Symantec Internet Security Threat Report - 2009Symantec Internet Security Threat Report - 2009
Symantec Internet Security Threat Report - 2009
guest6561cc
 
Why Traditional Anti Malware Whitepaper
Why Traditional Anti Malware WhitepaperWhy Traditional Anti Malware Whitepaper
Why Traditional Anti Malware Whitepaper
AVG Technologies
 
Fireeye definitive-guide-next-gen-threat-protection-2
Fireeye definitive-guide-next-gen-threat-protection-2Fireeye definitive-guide-next-gen-threat-protection-2
Fireeye definitive-guide-next-gen-threat-protection-2
drewz lin
 
Fireeye definitive-guide-next-gen-threat-protection
Fireeye definitive-guide-next-gen-threat-protectionFireeye definitive-guide-next-gen-threat-protection
Fireeye definitive-guide-next-gen-threat-protection
Alex Lim
 
Hi-Tech Crime Trends 2014
Hi-Tech Crime Trends 2014Hi-Tech Crime Trends 2014
Hi-Tech Crime Trends 2014
Group-IB
 
Asymmetric threat 4_paper (1)
Asymmetric threat 4_paper (1)Asymmetric threat 4_paper (1)
Asymmetric threat 4_paper (1)
MarioEliseo3
 
Creating andrCreating-Android-Applicationsoid-applications
Creating andrCreating-Android-Applicationsoid-applicationsCreating andrCreating-Android-Applicationsoid-applications
Creating andrCreating-Android-Applicationsoid-applications
Marwoutta Dh
 
Nokia_3110_APAC_UG_en
Nokia_3110_APAC_UG_enNokia_3110_APAC_UG_en
Nokia_3110_APAC_UG_en
OumAarya
 
R@D 4 - Digital Activism Survey Report 2009
R@D 4 - Digital Activism Survey Report 2009R@D 4 - Digital Activism Survey Report 2009
R@D 4 - Digital Activism Survey Report 2009
DigiActive
 

Similar to Motive_Security_Labs_Malware_Report_1H2015 (20)

Trends for 2014: The Challenge of Internet Privacy
Trends for 2014: The Challenge of Internet PrivacyTrends for 2014: The Challenge of Internet Privacy
Trends for 2014: The Challenge of Internet Privacy
 
Nominum 2017 Spring Data Revelations Security Report
Nominum 2017 Spring Data Revelations Security ReportNominum 2017 Spring Data Revelations Security Report
Nominum 2017 Spring Data Revelations Security Report
 
2020-trustwave-global-security-report.pdf
2020-trustwave-global-security-report.pdf2020-trustwave-global-security-report.pdf
2020-trustwave-global-security-report.pdf
 
Symantec Internet Security Threat Report - 2009
Symantec Internet Security Threat Report - 2009Symantec Internet Security Threat Report - 2009
Symantec Internet Security Threat Report - 2009
 
M-Trends® 2011: When Prevention Fails
M-Trends® 2011: When Prevention Fails M-Trends® 2011: When Prevention Fails
M-Trends® 2011: When Prevention Fails
 
State of Software Security - Public Companies Supplement
State of Software Security - Public Companies SupplementState of Software Security - Public Companies Supplement
State of Software Security - Public Companies Supplement
 
Why Traditional Anti Malware Whitepaper
Why Traditional Anti Malware WhitepaperWhy Traditional Anti Malware Whitepaper
Why Traditional Anti Malware Whitepaper
 
Wisr2011 en
Wisr2011 enWisr2011 en
Wisr2011 en
 
Final 2016 cyber captive survey
Final 2016 cyber captive surveyFinal 2016 cyber captive survey
Final 2016 cyber captive survey
 
Fireeye definitive-guide-next-gen-threat-protection-2
Fireeye definitive-guide-next-gen-threat-protection-2Fireeye definitive-guide-next-gen-threat-protection-2
Fireeye definitive-guide-next-gen-threat-protection-2
 
Fireeye definitive-guide-next-gen-threat-protection
Fireeye definitive-guide-next-gen-threat-protectionFireeye definitive-guide-next-gen-threat-protection
Fireeye definitive-guide-next-gen-threat-protection
 
Hi-Tech Crime Trends 2014
Hi-Tech Crime Trends 2014Hi-Tech Crime Trends 2014
Hi-Tech Crime Trends 2014
 
Asymmetric threat 4_paper (1)
Asymmetric threat 4_paper (1)Asymmetric threat 4_paper (1)
Asymmetric threat 4_paper (1)
 
2016 technology Industry Report
2016 technology Industry Report2016 technology Industry Report
2016 technology Industry Report
 
XSLATE_B10_Users_Guide_FINAL
XSLATE_B10_Users_Guide_FINALXSLATE_B10_Users_Guide_FINAL
XSLATE_B10_Users_Guide_FINAL
 
Creating andrCreating-Android-Applicationsoid-applications
Creating andrCreating-Android-Applicationsoid-applicationsCreating andrCreating-Android-Applicationsoid-applications
Creating andrCreating-Android-Applicationsoid-applications
 
Rand rr1751
Rand rr1751Rand rr1751
Rand rr1751
 
Security in mobile banking apps
Security in mobile banking appsSecurity in mobile banking apps
Security in mobile banking apps
 
Nokia_3110_APAC_UG_en
Nokia_3110_APAC_UG_enNokia_3110_APAC_UG_en
Nokia_3110_APAC_UG_en
 
R@D 4 - Digital Activism Survey Report 2009
R@D 4 - Digital Activism Survey Report 2009R@D 4 - Digital Activism Survey Report 2009
R@D 4 - Digital Activism Survey Report 2009
 

Motive_Security_Labs_Malware_Report_1H2015

  • 1. Motive Security Labs Malware Report – H1 2015
  • 2. 2 Motive Security Labs Malware Report – H1 2015 Alcatel-Lucent Table of contents Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 2015 first half highlights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Malware in mobile networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 Mobile network infection rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 Infections by device type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 Android malware samples continue growth in 2015. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 Top Android malware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 Examples of mobile threats. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 Malware in fixed residential networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 Top 20 residential network infections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 Top 20 high-threat-level infections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 Top 25 most prolific threats. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 2015 so far . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
12 Stagefright. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 Encrypted command and control. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 Scanning, DDoS and NAT. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 New adware. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 Mobile spyware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 Summary and conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 Terminology and definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 About Motive Security Labs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
  • 3. 3 Motive Security Labs Malware Report – H1 2015 Alcatel-Lucent Introduction The “Motive Security Labs H1 2015 Malware Report” examines general trends and statistics for malware infections in devices connected through mobile and fixed networks. The data in this report is aggregated across the networks where the Motive Security Guardian network-based malware detection solutions are deployed. This solution is deployed in major mobile and fixed networks around the world, covering over 100 million devices. 2015 first half highlights Mobile • The mobile infection rate declined to 0.50% in Q1 due to a reduction in infections on devices running the Android™ operating system (Android) and then rose to 0.75% at the end of Q2 due to a noticeable increase in adware infections on PCs running the Microsoft Windows® operating system (Windows/PCs). • 80% of infections on the mobile network are attributable to Windows/PCs connected via dongles, mobile Wi-Fi® hotspots or tethered through phones. • Mobile spyware is definitely on the increase. Ten of the malware entries on the top 25 mobile infection list are mobile spyware. These are apps that are used to spy on the phone’s owner. They track the phone’s location, monitor ingoing and outgoing calls and text messages, monitor email and track the victim’s web browsing. Residential • The overall monthly infection rate in residential fixed broadband networks averaged 14.4%, up slightly from 2014. The increase is mostly • attributable to an increase in moderate-threat-level adware infections. • The infection rate for high-level threats such as a bots, rootkits, keyloggers and banking Trojans increased to 6.3% from 5% in 2014. 80% of mobile infections are on Windows PCs 14% of homes are infected with malware of the top10 25 smart phone infections are spyware
  • 4. 4 Motive Security Labs Malware Report – H1 2015 Alcatel-Lucent Malware in mobile networks In the first half of 2015 the overall mobile infection rate continued its upward trend. The number of Android malware samples continued to grow significantly, but not at the exponential rates seen in 2013. Mobile network infection rate Figure 1 shows the percentage of infected mobile devices observed on a monthly basis since December 2012. This data is averaged from actual mobile deployments. Figure 1. Mobile infection rate since December 2012 0.6% 0.7% 0.5% 0.4% Mobile infection rate 0.8% Oct 12 May 13 Nov 13 Jun 14 Dec 14 Jul 15 After two years of growth, the infection rate for mobile devices actually dropped from 0.68% in January 2015 to 0.50% in April. It then rebounded to close the first half of 2015 at 0.75% at the end of June. A number of factors caused this, but the major contributing factors have been a reduction in Android infections in the early part of the year followed by an increase in Windows/PC infections in Q2. Infections by device type Figure 2 shows the percentage of infections by device type. Most people are surprised to find such a high proportion of Windows/PC devices involved. These Windows/PCs are connected to the mobile network via dongles and mobile Wi-Fi devices or simply tethered through smartphones. They are responsible for a large percentage of the malware infections observed. This is because these devices are still the favorite of hardcore professional cybercriminals who have a huge investment in the Windows malware ecosystem. As the mobile network becomes the access network of choice for many Windows/ PCs, the malware moves with them. In June of 2015 Windows/PCs were responsible for about 80% of the malware infections that we detected on the mobile network. Figure 2. 
Infected device types from 2013 to 2015 Android Windows Infected device type 2013 – 2015 Jan13 Feb Mar Apr May June July Aug Sept Oct Nov Dec Jan14 Feb Mar Apr May June July Aug Sept Oct Nov Dec Jan15 Feb Mar Apr May June 0 10 20 30 40 50 60 70 80 90 100
  • 5. 5 Motive Security Labs Malware Report – H1 2015 Alcatel-Lucent Between 2013 and 2014 the contribution to the infection rates in the mobile network were roughly 50/50 between Android and Windows/PCs. This changed significantly in 2015. At the end of Q2, 80% of infections observed on the mobile network were from Windows/PCs connected via dongles, mobile Wi-Fi hotspots or tethered through phones. Android devices made up 20% of the infections. The other smartphones (iPhone, Blackberry, Windows Mobile, etc.) made up less than 1% of the infections we have observed. The iPhone and Blackberry have a more controlled app distribution environment and are thus less of a target. Two factors contributed to this change. In Q1 the actual number of Android infections declined. This was followed by a significant increase in Windows/PC adware infections in Q2. Currently most Android malware is distributed as “Trojanized” apps and Android offers the easiest target for this because of its open app environment. Specifically, the following Android issues have been observed: • Android apps can be downloaded from third-party app stores and web sites. • There is no control of the digital certificates used to sign Android apps. ¬ Android apps are usually self-signed and can’t be traced to the developer. ¬ It is easy to hijack an Android app, inject code into it and re-sign it. Another way to look at the data is to show the contribution of the device types to the infection rate itself, as shown in Figure 3. Figure 3: Contribution to infection rate by device type 0.6% 0.7% 0.5% 0.4% 0.3% 0.2% Infections by device type 0.8% 0.1% 0.0% Oct 12 May 13 Android Nov 13 Jun 14 Dec 14 Jul 15 Windows Total This clearly indicates the reduction in Android infection in Q1 and the increase in Windows/PC infection in Q2. The Android reduction is probably due to efforts by Google to eliminate malware from Google Play and to the introduction of the Verify Apps feature on Android. 
Most Android malware is distributed as Trojanized apps that are downloaded and installed from Google Play and other third-party app stores. So eliminating malware from the app store and verifying apps at install time can have a major impact on the infection rate. The Verify Apps feature was introduced in Android 4.2 (JellyBean) and is now available on close to 80% of deployed devices. It is activated by default, but the user does have to consent to have the service run the first time they side-load an app.
  • 6. 6 Motive Security Labs Malware Report – H1 2015 Alcatel-Lucent The increase in Windows/PC infections can be attributed to the fact that more people are using their phone’s data connection to provide Internet access for their devices. Most of these infections are due to a resurgence of moderate-threat-level adware, bundled with games and free software.   Android malware samples continue growth in 2015 An indicator of Android malware growth is the increase in the number of samples in our malware database. The chart below shows numbers since June 2012. Figure 4. Mobile malware samples since June 2012 Mobile malware samples 0 50000 100000 150000 200000 250000 300000 Jul 12 Oct 12 Jan 13 Apr 13 Jul 13 Oct 13 Jan 14 Apr 14 Jul 14 Oct 14 Jan 15 Apr 15 Jul 15 The number of Android malware samples more than doubled in the first half of 2015.   Top Android malware Table 1 shows the top 25 Android malware infections detected in H2 2014 in the networks where the Motive solution is deployed. Table 1. Top 25 Android malware detected in H2 2014 NAME LEVEL % PREVIOUS Android.MobileSpyware.Kasandra High 31.30 New Android.Adware.Uapush.A Moderate 28.82 1 Android.Trojan.SmsTracker High 22.36 3 Android.MobileSpyware.Gappusin High 2.86 New Android.MobileSpyware.SpyMob.a High 2.05 5 Android.Trojan.FakeFlash High 1.46 7 Android.MobileSpyware.CellSpy High 0.98 New Android.MobileSpyware.Tekwon.A High 0.87 16 Android.Trojan.Wapsx High 0.86 8 Android.Bot.Notcompatible High 0.77 6 Android.Trojan.SMSreg.gc High 0.74 41 Android.MobileSpyware.Phonerec High 0.55 15 Android.Trojan.Qdplugin High 0.54 10 Android.ScareWare.SLocker.A High 0.52 New Android.MobileSpyware.GinMaste High 0.47 9
  • 7. 7 Motive Security Labs Malware Report – H1 2015 Alcatel-Lucent NAME LEVEL % PREVIOUS Android.MobileSpyware.Spyoo.C High 0.39 27 Android.Backdoor.Agent.bz High 0.34 New Android.Downloader.Stew.a High 0.29 New Android.MobileSpyware.FakeDoc High 0.28 21 Android.ScareWare.Koler.C High 0.26 13 Android.Adware.Kuguo.A Moderate 0.22 18 Android.Backdoor.Advulna High 0.21 14 Android.MobileSpyware.SpyBubbl High 0.2 13 Android.Backdoor.Opfake.a High 0.17 34 Android.Trojan.Cajino High 0.15 New Cybercriminals are quick to take advantage of opportunities that are unique to the mobile ecosystem. Ten of the top 25 are in the mobile spyware category. These are apps that are used to spy on the phone’s owner. They track the phone’s location and monitor ingoing and outgoing calls and text messages. These are functions that are unique to the mobile environment. Similarly the SMS Trojans that make their living by sending text messages to premium SMS numbers are unique to the mobile space. Two of the top 25 fall into this category. However, there is also a cross-over from the traditional Windows/PC malware space. For example the top 25 includes: • A variety of scare-ware apps that try to extort money by claiming to have encrypted the phone’s data • Identity theft apps that steal personal information from the device • Malicious adware that uses personal information without consent to provide annoying targeted ads • A web proxy app that allows hackers to anonymously browse the web through an infected phone (at the owner’s expense)   Examples of mobile threats Kasandra.B is a high-threat-level Android remote-access Trojan. It is packaged to look like Kaspersky’s Security for Mobile, but is actually a Trojan that gives the attacker unrestricted access to sensitive details such as Short Message Service (SMS) messages, contact lists, call logs, browser history (including banking credentials), and GPS location data stored in Android devices. 
It stores all the data in an “adaptive multi-rate file on the SD card” to later upload them to a remote command and control (C&C) server. It is also known as SandroRAT. Figure 5. Kasandra.B summary MAP: ANDROID.MOBILESPYWARE.KASANDRA.B Name: Android.MobileSpyware.Kasandra.B Signature State: Active Type: MobileSpyware Class: Cybercrime Level: High 30000 20000 10000 May 16 Jun 01 Jun 16 Jul 01 Jul 16 Aug 01 May 16 Jun 01 Jun 16 Jul 01 Jul 16 Aug 01 0 1000 750 500 250 0 Signature hits Infections
  • 8. 8 Motive Security Labs Malware Report – H1 2015 Alcatel-Lucent Uapush.A is an Android adware Trojan with a moderate threat level; it also sends SMS messages and steals personal information from the compromised device. The malware has its web-based C&C site located in China. Figure 6. Uapush.A summary Name: Android.Adware.Uapush.A Signature State: Active Type: Adware Class: Spyware Level: Moderate 30000 20000 10000 May 16 Jun 01 Jun 16 Jul 01 Jul 16 Aug 01 May 16 Jun 01 Jun 16 Jul 01 Jul 16 Aug 01 0 1000 750 500 250 0 Signature hits Infections MAP: ANDROID.ADWARE.UAPUSH.A SMSTracker is an Android spyphone app that provides a complete remote phone tracking and monitoring system for Android phones. It allows the attacker to remotely track and monitor all SMS, Multimedia Messaging Service (MMS), text messages, voice calls, GPS locations and browser history. This is also known as Android.Monitor.Gizmo.A. Figure 7. SMSTracker summary Name: Android.MobileSpyware.SMSTracker Signature ID: 2807732 Signature State: Active Type: Mobile Spyware Class: Identity Theft Level: High 30000 20000 10000 May 16 Jun 01 Jun 16 Jul 01 Jul 16 Aug 01 May 16 Jun 01 Jun 16 Jul 01 Jul 16 Aug 01 0 1000 750 500 250 0 Signature hits Infections MAP: ANDROID.TROJAN.SMSTRACKER SpyMob.A is a commercial monitoring tool that collects information pertaining to SMS messages, contact list, call log and GPS location of a targeted device. These details are later uploaded to Spy2Mobile servers and can be viewed by logging in to the user’s account at Spy2Mobile.com. For more details on its capabilities and features, see http://spytomobile.com/en.
  • 9. 9 Motive Security Labs Malware Report – H1 2015 Alcatel-Lucent Figure 8. SpyMob.A summary Name: Android.MobileSpyware.SpyMob.A Signature State: Active Type: MobileSpyware Class: Cybercrime Level: High 30000 20000 10000 May 16 Jun 01 Jun 16 Jul 01 Jul 16 Aug 01 May 16 Jun 01 Jun 16 Jul 01 Jul 16 Aug 01 0 1000 750 500 250 0 Signature hits Infections MAP: ANDROID.MOBILESPYWARE.SPYMOB.A   NotCompatible is an Android bot that uses the infected phone to provide anonymous proxy web browsing services. This can consume large amounts of bandwidth and airtime, as the phone serves as a proxy for illicit web browsing activity. The C&C is located in Germany and Holland. The C&C protocol is the same as that of a Windows-based web proxy bot. Figure 9. NotCompatible summary Name: Android.Bot.NotCompatible Signature State: Active Type: Bot Class: Cybercrime Level: High 30000 20000 10000 May 16 Jun 01 Jun 16 Jul 01 Jul 16 Aug 01 May 16 Jun 01 Jun 16 Jul 01 Jul 16 Aug 01 0 1000 750 500 250 0 Signature hits Infections MAP: ANDROID.BOT.NOTCOMPATIBLE Koler is an Android scareware Trojan that claims it has encrypted all the data on your phone and demands a ransom to restore the data. The victims are usually visitors to Internet-based pornographic sites, who are duped into downloading and installing a “premium access video player.” The malware “lock-screen” is customized depending on the location of the phone. Figure 10. Koler summary Name: Android.Scareware.Koler Signature State: Active Type: Scareware Class: Cybercrime Level: High 30000 20000 10000 May 16 Jun 01 Jun 16 Jul 01 Jul 16 Aug 01 May 16 Jun 01 Jun 16 Jul 01 Jul 16 Aug 01 0 1000 750 500 250 0 Signature hits Infections MAP: ANDROID.SCAREWARE.KOLER.C
Malware in fixed residential networks

In 2014 the infection rate in residential networks rose significantly, as can be seen in the chart in Figure 11. However, the increase was almost entirely due to moderate-threat-level adware infections. This dropped off somewhat in the first half of 2015, while high-threat-level infections remained fairly level.

Figure 11. Residential infection rate
[Chart: residential infection rate (%) by quarter, 2012 Q1 to 2015 Q2; series: Total, High, Moderate; y-axis 0 to 20%]

In Q1 2015, 15.7% of residences had some sort of malware infection. Of these, 6.6% had a high-threat-level infection and 10.8% had a moderate infection. In Q2 2015, the overall infection rate dropped to 13.1%, with 6.0% high-threat-level infections and 8.8% moderate. (The high and moderate figures add up to more than the total because a residence with both kinds of infection is counted in both categories.)

Top 20 residential network infections

Table 2 shows the top home network infections detected in Motive deployments. The results are aggregated and the order is based on the number of infections detected over the six-month period of this report. The "%" column is each infection's share of all detections; "Previous" is its rank in the previous report.

Table 2. Top 20 home network infections
Name                              Threat level   %      Previous
Win32.Adware.PullUpdate           Moderate       8.33   20
Win32.Trojan.Poweliks.A           High           6.41   New
Win32.Adware.BrowseFox.G          Moderate       6.07   6
Win32.Adware.ShopperPro.AR        Moderate       5.71   29
Win32.AdWare.AddLyrics.T          Moderate       5.58   4
Win32.Adware.MarketScore          Moderate       5.29   12
Win32.Adware.Wysotot              Moderate       4.74   2
Win32.Adware.iBryte               Moderate       4.33   1
Win32.Adware.Eorezo               Moderate       3.74   3
Win32.Downloader.Obvod.K          High           3.37   35
Win32.Adware.Megasearch           Moderate       2.68   8
Win32.Downloader.WinOptimizer     High           2.42   New
Win32.Adware.OptimizerPro         Moderate       2.4    22
Win32.Bot.ZeroAccess2             High           1.65   15
Win32.Adware.Bundlore             Moderate       1.62   17
Win32.Trojan.Bunitu.B             High           1.37   27
Win32.Adware.InstallMonetizer     Moderate       1.36   19
Win32.Trackware.Binder            High           1.28   9
Android.MobileSpyware.Kasandra    High           1.16   New
Win32.ScareWare.Crowti.A          High           1.06   New

In 2015 moderate-threat-level adware continued to dominate: 12 of the top 20 threats in the first half of 2015 are adware. The activity of high-threat-level bots has declined somewhat, with the exception of bots associated with DDoS, which have remained the same. It could be that cybercriminals now find it more cost effective to rent cloud-based computing power for spam and phishing activity.

Top 20 high-threat-level infections

Table 3 shows the top 20 high-threat-level malware infections, the kind that lead to identity theft, cybercrime or other online attacks. Here "%" is each infection's share of all high-threat-level detections, and "Previous" is its rank in the previous report.

Table 3. Top 20 high-threat-level infections
Name                              %      Previous
Win32.Trojan.Poweliks.A           18.7   35
Win32.Downloader.Obvod.K          9.84   12
Win32.Downloader.WinOptimizer     7.05   New
Win32.Bot.ZeroAccess2             4.82   3
Win32.Trojan.Bunitu.B             3.99   7
Android.MobileSpyware.Kasandra    3.38   New
Win32.ScareWare.Crowti.A          3.1    New
Win32.Trojan.Malagent             3.03   8
Win32.Downloader.Banload.AUN      1.6    19
Win32.Trojan.Comine.M             1.33   36
Win32.Trojan.Pesut.A              1.21   44
Win32.Trojan.Usinec.A             1.14   37
Win32.Trojan.Googost.A            1.13   84
Win32.Trojan.Zeprox.A             1.1    55
Win32.Trojan.Clicker              1.1    20
Win32.Downloader.DownloadAssis    1.1    25
Indep.Bot.DNSAmplification        1.07   1
Win32.Trojan.CI.A                 0.96   5
Win32.Downloader.Ramnit.J         0.94   47
Win32.Worm.Koobface.gen.B         0.84   10

The top 20 list contains the usual suspects from previous reports: bots, downloaders, banking Trojans and password stealers.
Top 20 most prolific threats

Figure 12 shows the 20 most prolific malware infections found on the Internet. The order is based on the number of distinct samples we have captured from the Internet at large. Finding a large number of samples indicates that the malware distribution is extensive and that the malware author is making a serious attempt to evade detection by antivirus products.

Figure 12. Most prolific malware
[Chart: share of distinct samples captured per family, 0% to 9%, in decreasing order]
Worm:Win32/Allaple.A
Worm:Win32/Soltern.L
Virus:Win32/Elkern.B
Worm:Win32/Vobfus.EK
Trojan:Win32/Beaugrit.gen!AAA
Virus:Win32/Nabucur.D
SoftwareBundler:Win32/InstalleRex
Virus:Win32/Ramnit.A
Virus:Win32/Virut.BN
Virus:Win32/Sality.AT
Virus:Win32/Virut.BR
TrojanDownloader:Win32/Upatre.AA
Virus:Win32/Parite.B
Virus:Win32/Mikcer.B
Virus:Win32/Expiro.CD
TrojanSpy:Win32/Lydra.gen!A
Virus:Win32/Virut.EPO
TrojanDownloader:Win32/Upatre
TrojanDownloader:Win32/Tugspay.A
Virus:Win32/Virut.BO

2015 so far

Stagefright

Stagefright was the major story at the end of Q2 2015. It is a series of vulnerabilities in Android's media playback library (libstagefright) that allows an attacker to take control of the phone simply by sending it an MMS message with a specially crafted media attachment. When the message is received, the messaging app retrieves it automatically and hands the attachment to the media framework for processing, so the device can be compromised without any interaction from the user. So far there is no known malware in the wild that exploits these vulnerabilities, but a proof-of-concept exploit that provided remote root access to the phone was demonstrated at the Black Hat USA conference in August 2015. Google has pointed out that Android's built-in Address Space Layout Randomization (ASLR) will make the vulnerabilities difficult to exploit reliably. I guess we'll find out.
What's so remarkable about the Stagefright vulnerability is that the number of potentially affected mobile devices is estimated to be close to 1 billion. While the scale of the exposure is unprecedented in the mobile device landscape, the really scary part is that the attacker can take complete control of the phone simply by sending it an MMS message, bypassing any on-device security solutions. Patches are available, but the real question is how to get them deployed. One positive aspect of Stagefright is that it has forced Google, Android phone manufacturers and the mobile carriers to take a serious look at how to improve the ability to get security patches deployed in the field. Updates are now available for Google's Nexus line, and Samsung, HTC, LG, Sony and Motorola have all released updates. One interim mitigation is to disable automatic MMS retrieval in the messaging app, so that a multimedia attachment is only processed when the user chooses to open it.
Stagefright is not the only vulnerability discovered in 2015; security researchers have been fairly busy so far this year. Researchers at MWR discovered a flaw in the Google Admin app that could be used by a malicious app to "break into the app's sandbox environment and read its files." Trend Micro reported another vulnerability in the media playback software that can be used in a similar manner to Stagefright. IBM researchers also demonstrated an Android deserialization flaw that allows code execution in the system server process.

Despite the reduction in Android infections in the first half of 2015, vulnerabilities like Stagefright remind us that a major infection event is always a possibility. We have also noticed that smartphone malware is becoming more sophisticated in both its C&C and its persistence on the device. For the first time we recently witnessed Android malware that was able to survive a factory reset.

Encrypted command and control

Motive Security Guardian detects malware infections by looking for known C&C exchanges in the network traffic. So how can we detect malware if the C&C traffic is encrypted? This question has become more relevant over the past year, as the use of Secure Sockets Layer (SSL) and TLS encryption for web applications has increased significantly, and the assumption is that as more regular apps move to SSL, so will the malware C&C. So we reviewed some stats from our malware analysis lab. Only 2.6% of active malware families used encrypted C&C protocols, and most of those could still be detected by inspecting the traffic. Encrypted C&C traffic can often be identified by characteristics of the initial handshake between the bot and its controller, key exchanges, file downloads, exploit attempts and scanning activity. These can include specific packet content, port numbers, packet lengths and packet sequences.
In some cases it is very easy to identify the bot. For example:

• Malware that uses its own home-grown cryptography is usually the easiest to detect, because fixed keys produce fixed binary content, and because it tends to use specific ports or an easily recognizable key exchange sequence.
• Malware that spreads by means of a network vulnerability can be detected from its use of that vulnerability, which is something that cannot be encrypted.
• Malware that generates other network activity, such as DDoS, spam or scanning, can be identified by that activity even though the C&C is secure.

Malware that uses standard cryptography such as SSL is more difficult, but in these cases we can often use the certificate exchange, which is done in clear text, to identify the malware. Where this is not possible, we can often still identify the malware accurately using IP or Domain Name System (DNS) blacklists. In the first half of this year we analyzed network traffic from 332 unique malware families. We were unable to develop detection rules for only four of those because of encryption.

Scanning, DDoS and NAT

A lot of scanning is taking place out there on the Internet. Most of it is due to cybercriminals (or security researchers) looking for vulnerable hosts. In mobile networks this can have an unexpected side effect. When a mobile device establishes a data connection, it is assigned an IP address and provided with connectivity to the Internet. Although the Internet connection remains logically established, the actual radio connection to the local cell is typically timed out after 10 to 20 seconds of inactivity and the device is moved to an idle state. If someone on the Internet sends an IP packet to an idle device, the radio connection must be re-established through a mechanism called paging in order to deliver the packet. This paging process uses significant radio resources. Since many devices will typically be in the idle state, scanning through an IP subnet can cause a "paging storm" and overload limited radio resources.
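As an added example (not Motive Security Guardian code or any of its real rules), the following Python sketch applies the heuristics described in the encrypted-C&C section to a batch of constructed flow records: a fixed byte header on a fixed port left by home-grown cryptography, a known server certificate read from the clear-text TLS 1.2 handshake, IP and domain blacklists, and the secondary behaviour of a bot whose C&C cannot be read but which scans a subnet for open DNS resolvers, the kind of scanning the section above describes. The families, signatures, addresses and flows are all invented for the example. The certificate check assumes TLS 1.2 or earlier, where the server certificate travels unencrypted; TLS 1.3 encrypts it, leaving only the Server Name Indication in the ClientHello visible to a network probe.

```python
"""Network-side identification of bots whose C&C payload is encrypted.

Added example, not Motive Security Guardian code. Every check below reads
something that encryption leaves exposed: constant bytes from a fixed key,
the port, the clear-text certificate of a TLS 1.2 handshake, the peer's
address or name, or the bot's other activity (scanning). All signatures,
families, addresses and flows are constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Flow:
    """One client-initiated flow, summarised as a passive probe would see it."""
    src: str
    dst: str
    proto: str                      # "tcp" or "udp"
    dport: int
    payload: bytes = b""            # first client bytes (clear even if the rest is encrypted)
    cert_cn: Optional[str] = None   # server certificate CN from the TLS 1.2 handshake
    cert_issuer: Optional[str] = None
    hostname: Optional[str] = None  # name the client resolved just before connecting


# Constructed signatures for hypothetical families (not real detection rules).
FIXED_PREFIX_SIGS = {
    # Home-grown crypto with a fixed key: every check-in opens with the same bytes.
    (b"\x7f\x3a\xc9\x01", 4444): "Example.Bot.FixedKey",
}
CERT_SIGS = {
    ("ssl.example-c2.invalid", "Self-signed Root CA"): "Example.Trojan.TlsC2",
}
DOMAIN_BLACKLIST = {"update.badcdn.invalid": "Example.Downloader.Blacklisted"}
IP_BLACKLIST = {"203.0.113.77": "Example.Bot.KnownC2"}

# A source that talks to this many distinct hosts on one port inside the
# analysed window is scanning, whatever its C&C channel looks like.
SCAN_THRESHOLD = 20

Evidence = Tuple[str, str]  # (family or behaviour, human-readable reason)


def match_flow(flow: Flow) -> List[Evidence]:
    """Per-flow checks against fixed content, certificates and blacklists."""
    hits: List[Evidence] = []
    for (prefix, port), family in FIXED_PREFIX_SIGS.items():
        if flow.dport == port and flow.payload.startswith(prefix):
            hits.append((family, f"fixed {len(prefix)}-byte header to {flow.proto}/{port}"))
    cert_key = (flow.cert_cn, flow.cert_issuer)
    if cert_key in CERT_SIGS:
        hits.append((CERT_SIGS[cert_key], f"known C&C certificate CN={flow.cert_cn}"))
    if flow.hostname in DOMAIN_BLACKLIST:
        hits.append((DOMAIN_BLACKLIST[flow.hostname], f"blacklisted domain {flow.hostname}"))
    if flow.dst in IP_BLACKLIST:
        hits.append((IP_BLACKLIST[flow.dst], f"blacklisted C&C address {flow.dst}"))
    return hits


def detect(flows: List[Flow]) -> Dict[str, List[Evidence]]:
    """Return evidence per source address, combining flow matches with scan fan-out."""
    evidence: Dict[str, set] = defaultdict(set)
    fan_out: Dict[Tuple[str, str, int], set] = defaultdict(set)
    for flow in flows:
        for hit in match_flow(flow):
            evidence[flow.src].add(hit)
        fan_out[(flow.src, flow.proto, flow.dport)].add(flow.dst)
    for (src, proto, dport), targets in fan_out.items():
        if len(targets) >= SCAN_THRESHOLD:
            evidence[src].add(("Scanner", f"{len(targets)} hosts probed on {proto}/{dport}"))
    return {src: sorted(hits) for src, hits in evidence.items()}


def sample_flows() -> List[Flow]:
    """Constructed traffic: three infected sources and one clean one."""
    flows = [
        # Bot with home-grown crypto: the body is opaque but its header is constant.
        Flow("10.0.0.5", "198.51.100.9", "tcp", 4444,
             payload=b"\x7f\x3a\xc9\x01" + b"\x8e" * 60),
        # TLS C&C: the records are encrypted, the handshake certificate is not.
        Flow("10.0.0.6", "198.51.100.10", "tcp", 443, payload=b"\x16\x03\x03",
             cert_cn="ssl.example-c2.invalid", cert_issuer="Self-signed Root CA"),
        # Same bot fetching a second stage over plain HTTP from a blacklisted name/address.
        Flow("10.0.0.6", "203.0.113.77", "tcp", 80, payload=b"GET /",
             hostname="update.badcdn.invalid"),
        # Clean HTTPS session to a legitimate site.
        Flow("10.0.0.7", "198.51.100.20", "tcp", 443, payload=b"\x16\x03\x03",
             cert_cn="www.example.com", cert_issuer="Example Public CA",
             hostname="www.example.com"),
    ]
    # Bot with unreadable C&C that probes a /24 for open DNS resolvers.
    flows += [Flow("10.0.0.8", f"192.0.2.{i}", "udp", 53, payload=b"\x00\x01\x01\x00")
              for i in range(1, 26)]
    return flows


if __name__ == "__main__":
    for src, hits in detect(sample_flows()).items():
        for family, reason in hits:
            print(f"{src}: {family} ({reason})")
```

A real probe would take flows from a network tap and keep the fan-out counters over a sliding window; here detect() processes the batch in one pass and returns the evidence per source address, so the clean host 10.0.0.7 does not appear in the result while the DNS scanner 10.0.0.8 is reported even though none of its individual flows matches a signature.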
We commonly see scans looking for hosts that will participate (unwillingly) in DDoS amplification attacks. We have seen this for both DNS and Network Time Protocol (NTP) amplification attacks. For example, it is quite common in mobile networks to have mobile Wi-Fi hotspots that act as recursive DNS servers and can be leveraged to participate in a DNS DDoS attack. Here the mobile operator faces double jeopardy: the scanning causes "paging storms" and the actual DDoS attack puts a huge stress on the mobile carrier's DNS infrastructure.

Neither the scanning nor the DDoS problem arises if network address translation (NAT) is used, because an unsolicited packet from the Internet has no existing translation entry and is dropped at the NAT before it can reach a device. Since many mobile carriers use NAT, they are not currently vulnerable to these problems. However, if they migrate to Internet-accessible IPv6 addresses, their mobile devices will become visible to the Internet and they will have to worry about scanning and DDoS activities.

New adware

Adware has definitely been on the increase in 2015, with the ads themselves becoming more sinister. One of interest is called BetterSurf. This is moderate-threat-level Windows adware. It arrives with software bundlers that offer free applications or games. When installed, it adds a plugin to the Internet Explorer, Firefox and Chrome browsers that injects popup ads into web pages. So far it looks like regular, run-of-the-mill adware; however, the ads themselves are dangerous. Many are phishing attempts that redirect the browser to web sites that try to install additional unwanted applications on the infected device. Some of the ads are full-screen popups designed to look like instructions from Microsoft asking you to download and install the latest security patch. One popup looked like a "blue screen error" with instructions to call a 1-800 number for technical support.
When you call the number you are taken to a "help desk" that immediately asks for remote access to your computer and then charges exorbitant rates for bogus technical support for non-existent problems. A screen shot is shown in Figure 13.

Figure 13. Example of BetterSurf adware infection
Mobile spyware

In the mobile space the use of commercial spyphone apps has really taken off. These apps allow you to track the movements of the phone's owner, their phone calls, text messages, e-mails and browsing habits. Often these are used for reasonable purposes, like keeping track of your children, but there are also far more sinister uses for this type of application.

The modern smartphone also presents the perfect platform for cyber-espionage. First, it can be used simply as a tool that the owner (the spy) uses to photograph, film, record audio, scan networks and send the results immediately over the air to a safe site for analysis. Second, in the "bring your own device" (BYOD) context it makes a perfect target for advanced persistent threat (APT) attacks. A smartphone infected with professional mobile spyware allows the attacker to:

• Monitor the victim's location
• Monitor phone calls and text messages
• Monitor e-mail and contacts
• Access data on the phone
• Take pictures and video
• Record conversations
• Scan and probe the local corporate network
• Exfiltrate data over the air, bypassing corporate firewalls

Summary and conclusion

On the fixed residential side, the overall malware infection rate rose to 15.7% in Q1 and then dropped to 13.1% in Q2. The biggest factor in these changes was moderate-threat-level adware. The infection rate for high-threat-level infections increased in 2015. Currently 6% of homes monitored by Motive Security Guardian are infected with a high-threat-level variety of malware such as bots, rootkits or banking Trojans.

On the mobile front, infection levels rose to 0.75% in Q2 2015 from 0.68% in December 2014. However, the increase was due to infections on Windows PCs and laptops connected to the mobile network via phones, dongles and mobile Wi-Fi hotspots. Android infection rates actually fell in 2015.
Less than 1% of the infections are from other devices such as iPhones, BlackBerry smartphones and Windows Phones. The number of Android malware samples in our database more than doubled in the first half of 2015.

Despite the reduction in Android infections in the first half of 2015, vulnerabilities like Stagefright remind us that a major infection event is always a possibility. We have also noticed that smartphone malware is becoming more sophisticated in both its C&C and its persistence on the device. For the first time we recently witnessed Android malware that was able to survive a factory reset.

In terms of malware trends, on the mobile side we have seen an increase in mobile spyware that tracks the victim's calls, text messages and location. On the residential side, we have seen a significant increase in adware, with 12 of the top 20 infections in Table 2 falling into that category.
Terminology and definitions

This section defines some of the terminology used in the report.

Advanced persistent threat (APT): A targeted cyber-attack launched against a company or government department by professional hackers using state-of-the-art tools, usually with information theft as the main motivation.

Infection vector: The mechanism used to infect a computer or network device. For example, on computers running the Windows operating system the most popular infection vector is a web-based exploit kit, whereas on Android phones it is a Trojanized application.

Bot: An infected computer that is part of a botnet. A botnet is a network of infected computers that are controlled remotely via the Internet by cyber-criminals. Botnets are used for sending spam email, ad-click fraud, DDoS attacks, distributing additional malware, Bitcoin mining and a variety of other purposes.

Rootkit: A malware component that compromises the computer's operating system software for the purpose of concealing the malware from antivirus and other detection technologies.

Trojan: A computer program or application that looks fine on the surface but actually contains malware hidden inside. From the term Trojan Horse.

High/moderate threat level: We split malware into high and moderate threat levels. High is any threat that does damage, steals personal information or steals money. A moderate threat is one that does no serious damage but will be perceived by most as annoying and disruptive.

Ad-click fraud: Advertisers pay money, typically a few cents, when someone clicks on a web-based advertisement. Ad-click fraud occurs when someone uses software to fake these ad clicks and collects money from the advertisers for the fake clicks. Typically the ad-click software is packaged as malware and distributed through a botnet that is controlled by cyber-criminals who make money from the ad-click fraud.

Bitcoin mining: Bitcoins are a form of virtual currency that can be created through calculations that take a lot of computing power to perform. The process of executing these calculations to generate new Bitcoins is referred to as Bitcoin mining. Cyber-criminals use large botnets to generate new Bitcoins efficiently, at the expense of the infected machines' owners.
www.alcatel-lucent.com
Alcatel, Lucent, Alcatel-Lucent and the Alcatel-Lucent logo are trademarks of Alcatel-Lucent. All other trademarks are the property of their respective owners. The information presented is subject to change without notice. Alcatel-Lucent assumes no responsibility for inaccuracies contained herein. Copyright © 2015 Alcatel-Lucent. All rights reserved. PR1508013821EN (September)

About Motive Security Labs

Motive Security Labs focuses on the behavior of malware communications to develop network detection rules that specifically and positively detect current threats. This approach enables the detection of malware in the service provider's network, and the signatures developed form the foundation of the Motive Security Guardian product suite. To accurately detect that a user is infected, our detection rule set looks for network behavior that provides unequivocal evidence of infection coming from the user's computer. This includes:

• Malware command and control (C&C) communications
• Backdoor connections
• Attempts to infect others (for example, exploits)
• Excessive e-mail
• Denial of Service (DoS) and hacking activity

Four main activities support our signature development and verification process:

1. Monitor information sources from major security vendors and maintain a database of currently active threats
2. Collect malware samples (>10,000/day), classify them and correlate them against the threat database
3. Execute samples matching the top threats in a sandbox environment and compare the results against our current signature set
4. Conduct a detailed analysis of the malware's behavior and build a new signature if a sample fails to trigger an existing one

As an active member of the security community, Motive Security Labs also shares this research by publishing a list of home network infections and the top emerging threats on the Internet, as well as this report.