
Mobile threats – myth or reality?

As regular readers of viruslist will have noticed, we’ve been tracking the evolution of mobile malware with interest. This, naturally, includes collecting statistical data on the prevalence of individual threats. Of course, malicious code for mobile devices is relatively new, and there’s been a lot of discussion about whether or not it poses a real threat.

Data we’ve collected shows some interesting trends. For instance, the number of infected MMS messages is already close to the amount of malicious code found in mail traffic: 0.5% – 1.5% of MMS traffic is made up of infected messages.

Of course, it’s difficult to monitor mail traffic for malicious code across the whole web. In contrast, scanning mobile traffic for malicious content can make a real difference.

Six months ago, BeeLine, the biggest Russian mobile network operator, implemented protection for MMS messages. Since then, the number of infected messages has fallen from 1.46% of MMS traffic to a record low of 0.46% at the end of October.

It’s also been interesting to track the ups and downs in the number of infected MMSs – for instance, at the end of the summer holidays, there was a sharp, though short-lived, rise in the number of infected messages to 1.72%, followed by an equally sharp drop.

The vast majority of infected messages are due to Worm.SymbOS.Comwar.a and Worm.SymbOS.Comwar.c, although of course there are quite a lot of other programs circulating as well.

It’s clear from these statistics that mobile malware is a real threat. It’s equally clear that it’s a threat that can be tackled successfully.

