2014 marks the 10th anniversary of Cabir, the world’s first mobile phone malware.

From Cabir to FakeDefend, the last decade has seen the number of mobile malware explode. Mobile malware incidentally has followed the same evolution as PC malware, but at a much faster pace.

Widespread adoption of smartphones and the fact that they can easily access a payment system (premium rate phone numbers) make them easy targets. And like PC malware, mobile malware quickly evolved into an effective and efficient way of generating a cash stream, supporting a wide range of business models.

In 2013, Fortinet’s FortiGuard Labs saw more than 1,300 new malicious applications per day and is currently tracking over 300 Android malware families and over 4 lakh malicious Android applications.

The Lab took a stroll down memory lane to examine the evolution and significance of mobile threats over the last decade.

It recalled the first attempt in 2004, when Cabir - the world’s first mobile worm- designed to infect the Nokia Series 60, resulted in the word « Caribe » appearing on the screen of infected phones. The worm then spread itself by seeking other devices (phones, printers, game consoles…) close to it using the phone’s Bluetooth capability.

CommWarrior was discovered a year later. It picked up where Cabir left by propagating itself using both Bluetooth and MMS. The use of MMS as a propagation method had an economic impact; the phone owner incurred a charge for every MMS sent. Some operators went on record stating that up to 3.5% of their traffic was the result of CommWarrior.

After the demonstrated success of Cabir and CommWarrior, a Trojan - RedBrowser was detected in 2006. It was designed to infect a phone via the Java 2 Micro Edition (J2ME) platform and leverage premium rate SMS services. The use of J2ME as an attack vector was an important milestone during this period, as was the use of SMS as a cash generation mechanism.

Then came a period of transition – Though there was stagnation in the evolution of mobile threats for almost two years (2007- 08), the number of malware that accessed premium rate services without the device owner’s knowledge soared

In early 2009, Fortinet discovered Yxes (anagram of « Sexy »), a malware which is behind the seemingly legitimate « Sexy View » application. The spread of Yxes was largely limited to Asia. Incidentally, this was the first malware to send an SMS and access the Internet without the mobile user’s knowledge, which was a technological innovation in malware. And the hybrid model that it used to propagate itself and communicate with a remote server, seemed as if it was a forewarning for a new kind of virus- botnets on mobile phones.

The year 2010 marked the beginning of the era of industrialisation of mobile malware with attackers realising that they could make pots of money and decided to exploit more intensely.

With attacks on Android platforms intensifying, 2011 saw the emergence of DroidKungFu, which even today is considered one of the most technologically advanced viruses.

FakeDefend, marked the arrival of first ransomware for Android mobile phones in 2013. It locks the phone and requires the victim to pay a ransom in order to retrieve the contents of the device. However, paying the ransom does nothing for the phone which must be reset to factory settings in order to restore functionality.

What Next? In the area of cybercrime, it is always difficult to predict what will happen next year. But the most likely target for cybercriminals is The Internet of Things (IoT).

While it can be extremely difficult to forecast the number of connected objects on the market in the next 5 years, Gartner estimates that 30 billion objects will be connected in 2020 whereas IDC estimates that market to be 212 billion. As more and more manufacturers and service providers capitalize on the business opportunity presented by these objects, it’s reasonable to assume that security has not yet been taken into account in the development process of these new products.

Does this mean IoT be "The Next Big Thing" for the cybercriminal? It remains to be seen.

Related Topics