Threat of Mobile Malware Continues to Grow as ‘HummingBad’ Attacks Move Up Check Point Research Rankings
April 2016 by Check Point
At the company’s annual customer event, the Check Point Customer Experience (CPX), Check Point® Software Technologies Ltd. announced the most prevalent malware families being used to attack organizations’ networks and mobile devices globally in March 2016.
Following its entry into the top ten for the first time in February 2016, the mobile agent HummingBad was the sixth most common type of malware attack worldwide in March. It has also entered the top ten index for the entire first quarter of 2016, despite only being discovered by Check Point researchers in February, indicating that attacks against Android mobile devices using this previously unknown malware family are growing rapidly.
Check Point identified 1,300 unique malware families during March, a slight decrease from the previous month. This highlights the fact that cyber criminals do not need to develop entirely new malware to launch damaging attacks; they simply need to make small changes to existing families so that the updated variant bypasses traditional security measures. It also reinforces the need for advanced threat prevention measures on networks, endpoints and mobiles to stop malware at the pre-infection stage, such as Check Point’s SandBlast and Mobile Threat Prevention solutions.
In March, Conficker was the most prominent family with 20% of the recognized attacks; Sality was responsible for 9.5%, and Cutwail for 4% of the recognized attacks. The top ten families were responsible for over half of all recognized attacks.
1. ↔ Conficker - Worm that allows remote operations and malware download. The infected machine is controlled by a botnet, which contacts its Command & Control server to receive instructions.
2. ↔ Sality - Virus that allows remote operations and downloads of additional malware to infected systems by its operator. Its main goal is to persist in a system and provide means for remote control and installing further malware.
3. ↑ Cutwail - Botnet mostly involved in sending spam e-mails, as well as some DDoS attacks. Once installed, the bots connect directly to the command and control server and receive instructions about the emails they should send. After they are done with their task, the bots report exact statistics regarding their operation back to the spammer.
The top three mobile families all targeted Android devices:
1. ↔ HummingBad - Android malware that establishes a persistent rootkit on the device, installs fraudulent applications, and enables additional malicious activity such as installing a key-logger, stealing credentials and bypassing encrypted email containers used by enterprises.
2. ↔ AndroRAT - Malware that is able to pack itself with a legitimate mobile application and install without the user’s knowledge, allowing a hacker full remote control of an Android device.
3. ↑ Iop - Android malware that installs applications and displays excessive advertising by using root access on the mobile device. The amount of ads and installed apps makes it difficult for the user to continue using the device as usual.
Nathan Shuchami, Head of Threat Prevention at Check Point, said: “Following its surprise entry into the top ten malware families worldwide in February, attacks using HummingBad are continuing to grow in volume. The fact that this previously unknown threat is already in the top ten global malware families for the entire first quarter of 2016 indicates just how real, and fast-growing, the mobile malware danger is. Organizations’ dependence on mobile devices grows every day, but mobile security still lags a long way behind network security. The need to apply effective protection to enterprise mobiles is now more urgent than ever.”
Check Point’s threat index is based on threat intelligence drawn from its ThreatCloud World Cyber Threat Map, which tracks how and where cyberattacks are taking place worldwide in real time. The Threat Map is powered by Check Point’s ThreatCloud™ intelligence, the largest collaborative network to fight cybercrime, which delivers threat data and attack trends from a global network of threat sensors. The ThreatCloud database holds over 250 million addresses analyzed for bot discovery, over 11 million malware signatures and over 5.5 million infected websites, and identifies millions of malware types daily.