Motivations of Recent Android Malware

Introduction Every year for the last decade, the security industry has predicted a flood of mobile malware; however, only a trickle of mobile malware has emerged. The most widespread threats were SymbOS.Cabir and SymbOS.Commwarrior in 2004 and 2005. For most they represented a nuisance and affected a very small fraction of the phone population. Three factors are needed before an increase of mobile malware will occur: an open platform, a ubiquitous platform, and attacker motivation—which is usually monetary. The first has been fulfilled most recently with the advent of Android. It is probably also the most likely open platform to achieve the second condition of being ubiquitous. Given that Android is now the most prolific smart-phone operating system (43% of worldwide smart phone market in the second quarter of 2011 according to Gartner), the continued rise in market share seems all but inevitable, at the very least due to the adoption of smartphones in general over regular phones. The most uncertain condition is the third, an ability to mone-tize the platform via malware. This paper discusses some of the monetization schemes seen in a recent spate of Android mal-ware and also schemes we're likely to see in the future. Only if these monetization schemes succeed do we expect attackers to continue to invest in the creation of Android malware. In this scenario, attackers set up and register a premium rate number. Typically, these are " short codes " , which are shorter than usual phone numbers. Each country and carrier regulates short codes differently, but usually an oversight body issues the short codes for a fee. In the United States for example, a dedicated short code may cost $1500 USD to set up and then $1000 per month. A shared short code where the message must be preceded by a keyword can be obtained for as low as $50 per month. When calling or sending an SMS to a short code, the caller is billed a premium rate above the normal cost of an SMS or phone call. The revenue is then shared by the attacker, carrier, and the SMS aggregator. The attacker receives 30-70% of the premium rate charge depending on the carrier, amount charged per message , and number of messages received. Most carriers allow a premium rate of up to $10.00 per message , but some carriers will allow charges in excess of $50.00 per message. If …