Mobile Malware: Request for Field Reports

Published: 2012-12-03
Last Updated: 2012-12-03 16:15:04 UTC
by Kevin Liston (Version: 1)
8 comment(s)

At my last two speaking engagements, I asked a simple question: "Have you, or anyone you know, been infected with malware on your smartphone?"  So far, no one has raised their hand.

I'd like to ask the same question here, since there's a much wider audience of people who have the skills/instinct to notice such an infection.

If you, or someone you know (no friend of a friend reports, please) have witnessed a mobile malware infection in the wild please leave a comment below or send in a report via our contact page.

Keywords: malware mobile


I do not think I have been infected, but how would I know? How about a few pointers as to what to check for?
Good point Kenneth. I worry when I hear customers who are extremely confident none of their users were infected "because no one complained". How can we detect Malware on Smart Phones and Blackberries? Are there any tools or techniques out there?
The most obvious clue would be (assuming one is allowing phones to connect via wifi) IPs assigned to phones triggering alerts in various network intrusion detection sensors (snort, FireEye, etc). Of course that presupposes that the malware is using WiFi and not restricting itself to using the cell service.
I haven't personally been infected, however I can see infected Android devices that get on our wireless guestnet trying to communicate back to a C2 server.
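The two comments above describe the same detection approach: take the alerts your network IDS already raises and ask which of the internal endpoints are handsets on the Wi-Fi. The script below is an added example (not code from the diary or from any commenter) of that correlation. It joins Snort-style "fast" alert lines against a DHCP lease table and keeps only alerts where one side is a device whose lease hostname looks like a phone (Android's default "android-<16 hex digits>" client name, or an iPhone/iPad). Both the lease format and the alert lines are constructed for the example; the signature IDs are in the local (1000000+) range and do not refer to any real rule.

```python
#!/usr/bin/env python3
"""Correlate IDS alerts with DHCP leases to surface alerts raised by handsets.

Added example for illustration. Lease and alert lines are constructed; the
hostname heuristics are an assumption (an OUI lookup against the IEEE registry
would be the obvious extension and is not implemented here).
"""
import re
from collections import defaultdict

# Constructed DHCP lease table: "<ip> <mac> <client-hostname>" per line.
DHCP_LEASES = """\
10.20.0.14 02:00:00:00:00:14 android-9f3b1c2d7e6a5f40
10.20.0.15 02:00:00:00:00:15 Kevins-iPhone
10.20.0.23 02:00:00:00:00:23 ws-finance-07
10.20.0.31 02:00:00:00:00:31 android-0c0ffee0c0ffee00
"""

# Constructed alerts in a simplified Snort "fast" layout; sids are local-range placeholders.
IDS_ALERTS = """\
12/03-15:01:12.123456 [**] [1:1000001:1] LOCAL Possible mobile malware checkin [**] [Priority: 2] {TCP} 10.20.0.14:51234 -> 203.0.113.9:80
12/03-15:02:40.000001 [**] [1:1000002:1] LOCAL Suspicious response to workstation [**] [Priority: 3] {TCP} 198.51.100.4:80 -> 10.20.0.23:49152
12/03-15:05:03.500000 [**] [1:1000001:1] LOCAL Possible mobile malware checkin [**] [Priority: 2] {TCP} 10.20.0.31:40001 -> 203.0.113.9:80
12/03-15:06:11.000000 [**] [1:1000001:1] LOCAL Possible mobile malware checkin [**] [Priority: 2] {TCP} 10.20.0.14:51240 -> 203.0.113.9:80
"""

LEASE_RE = re.compile(r"^(?P<ip>\S+)\s+(?P<mac>\S+)\s+(?P<host>\S+)$")
# Tolerant of optional [Classification:]/[Priority:] fields between the message and the 5-tuple.
ALERT_RE = re.compile(
    r"\[(?P<sid>\d+:\d+:\d+)\] (?P<msg>.*?) \[\*\*\].*?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+"
)
# Assumed handset indicators: Android's default DHCP client name, or an i-device name.
MOBILE_HOST_RE = re.compile(r"android-[0-9a-f]{16}|iphone|ipad", re.I)


def parse_leases(text):
    """Map IP -> (mac, hostname) from the constructed lease format."""
    leases = {}
    for line in text.splitlines():
        m = LEASE_RE.match(line.strip())
        if m:
            leases[m["ip"]] = (m["mac"], m["host"])
    return leases


def is_mobile(hostname):
    """Heuristic: does this DHCP client name look like a phone or tablet?"""
    return bool(MOBILE_HOST_RE.search(hostname))


def mobile_alerts(alert_text, leases):
    """Return {ip: {host, mac, count, remotes, sigs}} for alerts touching a handset."""
    report = defaultdict(lambda: {"host": None, "mac": None, "count": 0,
                                  "remotes": set(), "sigs": set()})
    for line in alert_text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue
        src, dst = m["src"], m["dst"]
        for local, remote in ((src, dst), (dst, src)):
            if local in leases and is_mobile(leases[local][1]):
                entry = report[local]
                entry["mac"], entry["host"] = leases[local]
                entry["count"] += 1
                entry["remotes"].add(remote)
                entry["sigs"].add(m["msg"])
    return dict(report)


if __name__ == "__main__":
    for ip, e in mobile_alerts(IDS_ALERTS, parse_leases(DHCP_LEASES)).items():
        print(f"{ip} {e['host']} ({e['mac']}): {e['count']} alert(s), "
              f"remotes={sorted(e['remotes'])}, sigs={sorted(e['sigs'])}")
```

In the constructed data this flags the two Android leases talking to the same external host and ignores the workstation alert, which is the shortlist the commenters describe handing to whoever owns the device. The caveat from the first comment still applies: this only sees traffic that crosses your Wi-Fi, so a sample that beacons exclusively over the cellular network never shows up here.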
I think mobile malware is another scam by the antivirus companies for making money. Almost every report of some new malware only affected Russian or Chinese phone services.

So with that note...if you live in other countries, and suddenly you see Text/Phone calls going to foreign countries, then your phone may be infected.

Just my 2-cents
I have seen one Android device on my network that triggered the IDS system. The "interesting" part for me was that this was a personal device connected to the network on a rogue AP! We shut down the AP asap, and informed the employee that their phone may be compromised (and slapped them on the wrist for the AP!!)
Every month or so we see an iPhone with the rickroll worm.

And we had a case where it was suspected that the rooted Android did leak sensitive mails or passwords ...
I got hit with a drive-by download on my Nexus 7 (didn't install - default settings prohibited install due to its untrusted origin). Turns out it is basically a wrapper for a browser instance that makes a call via an IFRAME to hxxp:// . The package is set up to allow usage of pretty much everything that can be accessed by an Android app - GPS, camera, contacts, etc. It also includes a JS API library (Apache Cordova) that can access these functions via the WebView. All in all it's a neat little setup that could potentially allow a bad to tailor functionality on the fly as long as the Android device has Internet connectivity (and the app is running).
