Sifting through endless Virustotal scans, you realize that it’s not easy at all to define what exactly mobile malware is. Literally 90% of antivirus-reported malware APKs are nothing but trivial or repackaged apps with some annoying adware library slapped on top of it that doesn’t even do anything really bad. Why exactly is mobile malware so elusive and not as clear-cut as the good old desktop viruses? A couple of things come to mind:
- The juicy parts often stay remote: unlike the classic desktop viruses and rootkits, a lot of mobile functionality remains on the server. So an app collects your banking password and sends it to server, that’s bad, right? Not if it’s a Bank of America server. What if it’s an Akamai or an EC2 server? What if it’s a Mint finance app server? This gets blurry really fast. Same with location apps – when an app constantly sends your location to a server, it’s cool if it’s your own account, and it’s suddenly not cool at all when someone else has access to that information on the server. Hard to automatically tell that just by looking at the mobile app tip of that iceberg. That’s why AV vendors came up with a euphemistic label “surveillanceware”, which means, “I have no idea if this app is bad or not, you have to look at it in your own context”.
- No need to get sophisticated: most of what’s labeled as mobile malware are small-time scams. In the mobile world, there is no such thing as a multi-million dollar botnet industry commercially used for:
- running spam
- staging DOS attacks
- collecting and laundering information
I guess mobile can be useful only for the last point right now, we’ve yet to see the first two on mobile. So no need to build autonomous sophisticated botnet clients that pack tons of revealing functionality and patterns with them. Consequently, a lot of mobile scams look rather plain and not very different from regular apps.
- No silent infections: it’s pointless to do port scanning and hard to use drive-by browser exploits on mobile. Combined with no incentive to make things complicated, the main vectors to get into someone’s phone are social engineering and brand abuse. Both of those are difficult to detect automatically, leaving a huge gray zone. Even the SMS scams: lots of legitimate apps have “share via SMS” functionality, good luck telling that from malware propagating itself via SMS, or sending messages to paid numbers that only become plaintext right before the message is sent.
So this leaves the traditional antivirus vendors especially helpless on mobile, best they can do so far is to report noisy adware or a few true malicious outliers that get outside the gray zone.