p. 86 Symantec Corporation Internet Security Threat Report 2013 :: Volume 18
THREAT ACTIVITY TRENDS

Figure A.23. Documented Mobile Vulnerabilities, 2012
Source: Symantec

Documented mobile vulnerabilities by month (bar chart values):

Month   Documented Vulnerabilities
JAN     9
FEB     46
MAR     121
APR     18
MAY     36
JUN     23
JUL     72
AUG     1
SEP     77
OCT     4
NOV     5
DEC     3

Platform                 Documented Vulnerabilities   %
Apple iOS/iPhone/iPad    387                          93.3%
Android                  13                           3.1%
BlackBerry               13                           3.1%
Nokia                    0                            0%
WebOS                    0                            0%
Windows Mobile           2                            0.5%
TOTAL                    415
The following are specific definitions of each subcategory:

• Collects Device Data gathers information that is specific to the functionality of the device, such as IMEI, IMSI, operating system, and phone configuration data.
• Spies on User intentionally gathers information from the device to monitor a user, such as phone logs and SMS messages, and sends it to a remote source.
• Sends Premium SMS sends SMS messages to premium-rate numbers that are charged to the user’s mobile account.
• Downloader can download other risks onto the compromised device.
• Back door opens a back door on the compromised device, allowing attackers to perform arbitrary actions.
• Tracks Location gathers GPS information from the device specifically to track the user’s location.
• Modifies Settings changes configuration settings on the compromised device.
• Spam sends spam email messages from the compromised device.
• Steals Media sends media, such as pictures, to a remote source.
• Elevates Privileges attempts to gain privileges beyond those laid out when installing the app bundled with the risk.
• Banking Trojan monitors the device for banking transactions, gathering the sensitive details for further malicious actions.
• SEO Poisoning periodically sends the phone’s browser to predetermined URLs in order to boost search rankings.
• Adware/Annoyance contains mobile adware that uses techniques to place advertising in the device’s photo albums and calendar entries, and may push messages to the notification bar. It may even replace the default ringtone with an ad.

Apps with malicious intentions can present serious risks to users of mobile devices. These metrics show the different functions that these bad mobile apps performed during the year. The data was compiled by analyzing the key functionality of malicious mobile apps.
Symantec has identified five primary mobile risk types:

• Collect Data. Most common among bad mobile apps was the collection of data from the compromised device. This was typically done with the intent to carry out further malicious activities, in much the way an information-stealing Trojan might. This includes both device- and user-specific data, ranging from configuration data to banking details. This information can be used in a number of ways, but for the most part it is fairly innocuous, with IMEI[7] and IMSI[8] numbers taken by attackers as a way to uniquely identify a device. More concerning is data gathered about the device software, such as operating system (OS) version or applications installed, to carry out further attacks (say, by exploiting a software vulnerability). Rarer, but of greatest concern, is when user-specific data, such as banking details, is gathered in an attempt to make unauthorized transactions. While this category covers a broad range of data, the distinction between device and user data is given in more detail in the subcategories below.
• Track User. The next most common purpose was to track a user’s personal behavior and actions. These risks take data specifically to spy on the individual using the phone. This is done by gathering up various communication data, such as SMS messages and phone call logs, and sending them to another computer or device. In some instances they may even record phone calls. In other cases these risks track GPS coordinates, essentially keeping tabs on the location of the device (and its user) at any given time. Gathering pictures taken with the phone also falls into this category.
• Send Content. The third-largest group of risks is bad apps that send out content. These risks are different from the first two categories because their direct intent is to make money for the attacker. Most of these risks will send a text message to a premium SMS number, with the charge ultimately appearing on the mobile bill of the device’s owner. Also within this category are risks that can be used as email spam relays, controlled by the attackers and sending unwanted emails from addresses registered to the device. One threat in this category constantly sent HTTP requests in the hopes of bumping certain pages within search rankings.
• Traditional Threats. The fourth group contains more traditional threats, such as back doors and downloaders. Attackers often port these types of risks from PCs to mobile devices.
• Change Settings. Finally, there are a small number of risks that focus on making configuration changes. These types attempt to elevate privileges or simply modify various settings within the operating system. The goal for this final group seems to be to perform further actions on the compromised devices.