Thursday, August 14, 2014

On the Mobile Malware Lifecycle

A number of factors drive malware onto new platforms: the chance for pure discovery and experimentation, the desire to be first, and the need to make an income. Truthfully, these are the same reasons that drive legitimate software development. That is no surprise, since malware development is a form of software development.

The accelerated pace at which new platforms enter the market also accounts for a rise in malware, and it shortens the lifecycle of both the malware and its development. The current lifecycle, bolstered by more means of revenue generation (ads, in-app purchasing, premium services, etc.), now results in malware chasing a user's money rather than their computer resources.

The mobile malware lifecycle can be seen below:


Stage 1: R&D
The initial stage is the Research and Development stage. Because legitimate and malicious software development are so similar, the processes followed here are the same. A developer will acquire an SDK (Software Development Kit), other development tools, and as much documentation as they can find. After an initial "Hello World" program is written, the developer will attempt to recreate on the new platform functionality that existed on a previous one. In the case of Android, one would attempt to launch a web browser pointed at http://www.google.com, much as they were able to on Windows Mobile. A malware author skilled in developing worms, trojan horses and viruses will figure out how to achieve the same with the new SDK.

This first stage is about exploring new capabilities and acquiring knowledge. As with legitimate development, this is where malware authors also share their hard-won knowledge with others. Unlike previous generations, though, the need for revenue will sometimes push authors straight to the Profit-Taking stage.

Stage 2: Reuse
Generally, once the first stage is passed, a move is made to evade detection. At the most basic level, where script kiddies and under-skilled malware developers lie, evasion takes the form of simple cosmetic changes (strings, colors, filenames, etc.). This can lead to a flood of very similar variants where only the message displayed to the user is altered ("You are hacked by: Skr1pt K1dd1e!").

The Reuse stage can benefit from source code developed and released during the R&D stage. One of the first mobile worms, SymbOS/Cabir, had its source released by its author in the computer virus zine 29A. Though this was a release of the worm's original source code, it did not result in as many modified variants as would be expected. This was due to the timing of its release and to a separate, earlier reverse engineering of the worm by developer Marcos Velasco. Malware developers were able to take the Velasco code and, once again through primarily cosmetic changes, recompile it and create dozens of Cabir-like variants.

In some cases, as with legitimate developers, malware authors may take the source code as a starting point or example for implementing new functionality in their own productions. As with the R&D stage, the Reuse stage can be affected by the monetary needs of malware authors. Instead of producing new variants, simply adding functionality that steals money from users (e.g. Premium Rate SMS, unauthorized in-app purchases, stealing bank account information, etc.) may be the priority for malware authors.

Stage 3: Profit-Taking
The Profit-Taking stage is the most mature stage and can lead to the most interesting (at least for malware analysts and reverse engineers) malware. Evasion of anti-virus/anti-malware software is still a priority, but evasion is now also needed against other opponents. As the methods of earning revenue from victims increase, infected devices become more valuable. On prior operating systems a malware author only needed to defeat the anti-virus software to survive in the ecosystem. Now, if a malware author succeeds in running a botnet, they also face competition and attack from other malware authors and organized crime.

This stage has its low-hanging fruit in the malware that sends out Premium Rate SMS. These trojans are simple and guarantee the attacker a smaller but reliable amount of money. Evasion here involves encrypting or otherwise obfuscating the premium numbers and shortcodes so that anti-malware string signatures no longer match them.
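The two evasion moves described above, the cosmetic variant of the Reuse stage and the encrypted shortcode of the Profit-Taking stage, can be shown against a string-signature detector. The following is an added example, not code from the original post or from any real sample: three constructed "samples" stand in for the string constants an analyst would pull from an Android app's DEX string pool, the short code 7151, the package name and the single-byte XOR key 0x5A are all made up, and single-byte XOR is assumed as the obfuscation scheme. The premium short code is assumed to be 4 to 6 digits, and `sendTextMessage` is the real `android.telephony.SmsManager` method such a trojan has to call.

```python
"""Added example: premium-rate SMS trojan strings vs. string-signature detection.

Three constructed samples model what an analyst pulls from an Android app's
DEX string pool: an original trojan, a cosmetic variant, and a variant that
stores its premium short code XOR-encoded and decodes it at runtime.
Package names, short codes, messages and the XOR key are all made up.
"""
import re
from dataclasses import dataclass, field

# Assumption: premium-rate short codes are 4 to 6 digits (true in many markets).
SHORTCODE_RE = re.compile(r"^\d{4,6}$")
# Real Android API (android.telephony.SmsManager) a premium-rate SMS trojan must call.
SMS_API = "sendTextMessage"


@dataclass
class Sample:
    name: str
    strings: list                               # plaintext constants from the string pool
    blobs: list = field(default_factory=list)   # byte arrays the app decodes at runtime
    xor_key: int = 0                            # key lifted from the sample's decode routine


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR, the decode routine the obfuscated sample ships with."""
    return bytes(b ^ key for b in data)


ORIGINAL = Sample("original", ["Lcom/example/wallpaper;", SMS_API, "7151",
                               "You are hacked by: Skr1pt K1dd1e!"])
# Reuse stage, cosmetic variant: only the displayed message changed.
COSMETIC = Sample("cosmetic", ["Lcom/example/wallpaper;", SMS_API, "7151",
                               "0wned by: An0ther K1dd1e!"])
# Profit-Taking stage: the short code never appears in plaintext.
OBFUSCATED = Sample("obfuscated",
                    ["Lcom/example/wallpaper;", SMS_API, "Free wallpapers!"],
                    blobs=[xor_bytes(b"7151", 0x5A)], xor_key=0x5A)

SAMPLES = [ORIGINAL, COSMETIC, OBFUSCATED]


def naive_signature(sample: Sample) -> bool:
    """String signature written against the original: both literals must be present."""
    return ("You are hacked by: Skr1pt K1dd1e!" in sample.strings
            and "7151" in sample.strings)


def recover_shortcodes(sample: Sample) -> list:
    """Plaintext short codes, plus blobs decoded with the key lifted from the sample."""
    found = [s for s in sample.strings if SHORTCODE_RE.match(s)]
    for blob in sample.blobs:
        text = xor_bytes(blob, sample.xor_key).decode("ascii", errors="replace")
        if SHORTCODE_RE.match(text):
            found.append(text)
    return found


def behavioural_detect(sample: Sample) -> bool:
    """Flag any sample that reaches the SMS API and carries a short code, plain or decoded."""
    return SMS_API in sample.strings and bool(recover_shortcodes(sample))


def brute_force_shortcodes(blob: bytes) -> dict:
    """Try every single-byte key and return {key: decoded} for decodes that look like
    short codes. On a 4-digit string several keys qualify, which is why lifting the
    key from the decode routine beats guessing it."""
    hits = {}
    for key in range(256):
        text = xor_bytes(blob, key).decode("ascii", errors="replace")
        if SHORTCODE_RE.match(text):
            hits[key] = text
    return hits


if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s.name:10} signature={naive_signature(s)!s:5} "
              f"behavioural={behavioural_detect(s)!s:5} codes={recover_shortcodes(s)}")
    print("brute-force candidates:", brute_force_shortcodes(OBFUSCATED.blobs[0]))
```

The literal signature catches only the original: the cosmetic variant breaks it by changing the message, and the obfuscated variant by removing the digits from the string pool altogether. Keying detection on the combination of the SMS API reference and a recoverable short code survives both. The brute-force helper also shows the analyst's trap with short digit strings: every key in 0x58..0x5F turns this blob into four digits, so the decode routine's own key, not a guess, is what settles which number the trojan actually texts.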

More complex attacks involving botnet infections that can deliver false ad-clicks (draining a competitor's ad budget) or fake reviews (driving up installs for a client's buggy app) make tempting targets. An opponent can take over a botnet's command channel from the botmaster and redirect the ad-clicks or re-route the stolen money to themselves.

This competition then leads malware authors to invest funds in countering both competitors and anti-virus/anti-malware. Profits drive research into new evasion techniques and offensive capabilities (e.g. removing or disabling anti-malware on a device). It also drives attackers to investigate new platforms, which starts the malware lifecycle all over again.
