Intel Security has released its McAfee Labs Threats Report: June 2016.
The report identified that cybercriminals are manipulating two or more apps to orchestrate attacks capable of exfiltrating user data, inspecting files, sending fake SMS messages, loading additional apps without user consent, and sending user location information to control servers.
McAfee Labs has observed such behavior across more than 5,000 versions of 21 apps designed to provide useful user services such as mobile video streaming, health monitoring, and travel planning.
The failure of users to regularly implement essential software updates to these 21 mobile apps raises the possibility that older versions could be commandeered for malicious activity.
Colluding mobile apps carry out harmful activity together by leveraging interapp communication capabilities common to mobile operating systems. These operating systems incorporate many techniques to isolate apps in sandboxes, restrict their capabilities, and control which permissions they have at a fairly granular level.
Mobile platforms include fully documented ways for apps to communicate with each other across sandbox boundaries. Working together, colluding apps can leverage these interapp communication capabilities for malicious purposes.
Mobile app collusion requires at least one app with permission to access the restricted information or service, one app without that permission but with access outside the device, and the capability to communicate with each other.
Either app could be collaborating on purpose or unintentionally due to accidental data leakage or inclusion of a malicious library or software development kit. Such apps may use a shared space (files readable by all) to exchange information about granted privileges and to determine which one is optimally positioned to serve as an entry point for remote commands.
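As an added illustration (not code from the report or from McAfee Labs), the three collusion conditions above can be checked mechanically over an inventory of installed apps: one app holds a restricted permission, a second app lacks it but can reach outside the device, and the two share an inter-app channel. The grouping of permissions into "restricted" and "external", the app names, and the channel strings are assumptions constructed for the example.

```python
from dataclasses import dataclass
from itertools import permutations

# Permission classes used by the check (Android permission names; the split
# into "restricted data" and "reaches outside the device" is our assumption).
RESTRICTED = {"READ_CONTACTS", "READ_SMS", "ACCESS_FINE_LOCATION", "READ_CALL_LOG"}
EXTERNAL = {"INTERNET", "SEND_SMS"}


@dataclass(frozen=True)
class App:
    name: str
    permissions: frozenset
    # Inter-app channels the app uses: world-readable files, broadcast
    # actions, content-provider URIs. Two apps sharing one can exchange data.
    channels: frozenset


def collusion_pairs(apps):
    """Return (source, sink, leaked, exits, shared) tuples for app pairs that
    satisfy all three conditions: the source holds a restricted permission the
    sink lacks, the sink can reach outside the device, and both use a common
    channel over which the restricted data could be handed off."""
    findings = []
    for source, sink in permutations(apps, 2):
        leaked = (source.permissions & RESTRICTED) - sink.permissions
        exits = sink.permissions & EXTERNAL
        shared = source.channels & sink.channels
        if leaked and exits and shared:
            findings.append((source.name, sink.name,
                             sorted(leaked), sorted(exits), sorted(shared)))
    return findings


# Constructed sample inventory (names, permissions and paths are made up).
SAMPLE_APPS = [
    App("travel.planner", frozenset({"ACCESS_FINE_LOCATION"}),
        frozenset({"file:/sdcard/.sync/state.json"})),
    App("video.streamer", frozenset({"INTERNET"}),
        frozenset({"file:/sdcard/.sync/state.json", "broadcast:com.example.REFRESH"})),
    App("health.monitor", frozenset({"READ_CONTACTS", "INTERNET"}),
        frozenset({"broadcast:com.example.PING"})),
]

if __name__ == "__main__":
    for source, sink, leaked, exits, shared in collusion_pairs(SAMPLE_APPS):
        print(f"{source} -> {sink}: {leaked} could leave via {exits} over {shared}")
```

Only the travel/video pair is reported: the health app can reach the network on its own but shares no channel with the others, so it is not a collusion candidate under these conditions.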
“Improved detection drives greater efforts at deception,” said Vincent Weafer, vice president of Intel Security’s McAfee Labs group. “It should not come as a surprise that adversaries have responded to mobile security efforts with new threats that attempt to hide in plain sight.”
This quarter’s report also documents the return of the W32/Pinkslipbot Trojan (also known as Qakbot, Akbot, QBot). This backdoor Trojan with worm-like abilities initially launched in 2007 and quickly earned a reputation for being a damaging, high-impact malware family capable of stealing banking credentials, email passwords, and digital certificates.
The Pinkslipbot malware reemerged in late 2015 with improved features such as anti-analysis and multi-layered encryption capabilities to thwart malware researchers' efforts to dissect and reverse engineer it. The report also provides details about the Trojan's self-update and data exfiltration mechanisms, and McAfee Labs' effort to monitor Pinkslipbot infections and credential theft in real time.
Q1 2016 Threat Statistics
Ransomware. New ransomware samples rose 24 percent this quarter due to the continued entry of relatively low-skilled criminals into the ransomware cybercrime community. This trend is the result of widespread adoption of exploit kits to deploy the malware.
Mobile malware. New mobile malware samples grew 17 percent quarter over quarter in Q1 2016. Total mobile malware samples grew 23 percent quarter over quarter and 113 percent over the last four quarters.
Mac OS malware. Mac OS malware grew quickly in Q1, primarily due to an increase in VSearch adware. While the absolute number of Mac OS samples is still low, the total number of samples has increased 68 percent quarter over quarter and 559 percent over the last four quarters.
Macro malware. Macro malware continues on the growth trajectory begun in 2015 with a 42 percent quarter over quarter increase in new macro malware samples. The new breed of macro malware continues to attack corporate networks primarily through sophisticated spam campaigns that leverage information gathered through social engineering to appear legitimate.
Gamut botnet. The Gamut botnet became the most productive spam botnet in Q1, increasing its volume nearly 50 percent. Prevalent spam campaigns offer get-rich-quick schemes and knockoff pharmaceutical supplies. Kelihos, the most prolific spamming botnet during Q4 2015 and a malware distributor, slipped to fourth place.