Smartphone malware: Infections will hit one in 20, study predicts

A recent study by security vendor Trusteer predicts there will be about 56,000 infections for every million smartphone users in the coming year.

One in 20 Android smartphones and iPhones will be infected by financial smartphone malware and Trojans within the next 12 months, predicts a security vendor used by many of the UK’s leading banks.

The warning comes from Trusteer, whose Rapport browser-based security product protects online customers at RBS, Nationwide, Santander, Smile and several other UK financial institutions.

The company analysed global traffic from nearly 30 million people who downloaded Rapport from their banks, and found that, on every day during June 2010, one in 1,500 PC users (Rapport currently only works on PCs) accessed a website infected by the BlackHole exploit kit. BlackHole is widely used by hackers to automate the delivery of malware to devices visiting infected sites. 

In reaching its prediction, Trusteer extrapolated from those PC numbers based on the expected rise in the use of smartphones for applications such as online banking, and the assumption that fraudsters will begin integrating zero-day mobile vulnerabilities into leading exploit kits. The company also assumed the following when conducting its calculations:

  • 667 of every million users (one in 1,500) access an infected website each day.
  • There will be four zero-day exploits for Android or iOS per year.
  • It will take Apple or Google one week to fix the zero-day vulnerabilities.
  • Users will take two weeks to update their operating systems.

Those four figures multiply out to about 56,000 infections for every million users: 667 users a day exposed to an infected site, for the 21 days (one week for the vendor fix plus two weeks for users to install it) in which each zero-day remains exploitable, for four zero-days a year. Trusteer CEO Mickey Boodaei insisted this is a conservative prediction.
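The arithmetic behind that figure, written out as an added Python example. This is not Trusteer's code: the formula (daily exposed users, times the number of days each zero-day stays exploitable, times zero-days per year) is a reconstruction that reproduces the article's number from its four stated assumptions, and the cap at one million infections and the sensitivity variants are this editor's additions.

```python
"""Reconstructed exposure-window model for the 'one in 20' prediction.

Added illustration, not Trusteer's published methodology. Assumes
    infections = (exposed users per million per day)
                 x (days each zero-day stays exploitable)
                 x (zero-days per year)
which yields 56,028 per million from the article's four inputs.
"""
from dataclasses import dataclass, replace

USERS = 1_000_000  # population the article's figures are normalised to


@dataclass(frozen=True)
class Assumptions:
    daily_exposed_per_million: int = 667  # one in 1,500 users hits an infected site each day
    zero_days_per_year: int = 4           # mobile zero-days added to exploit kits per year
    vendor_fix_days: int = 7              # time for Apple or Google to ship a fix
    user_update_days: int = 14            # time for users to install the fix


def exposure_window_days(a: Assumptions) -> int:
    """Days a single zero-day remains exploitable against a typical user.

    Assumption: a user stays at risk until the fix exists AND they have
    installed it, so the vendor and user delays add rather than overlap.
    """
    return a.vendor_fix_days + a.user_update_days


def infections_per_million(a: Assumptions) -> int:
    """Expected infections per million users per year under the linear model."""
    raw = a.daily_exposed_per_million * exposure_window_days(a) * a.zero_days_per_year
    # The linear model counts exposures, not users: a user exposed twice is
    # still one infection, and a million users cannot yield more than a
    # million infections. Cap it so extreme inputs do not overshoot.
    return min(raw, USERS)


def infection_rate(a: Assumptions) -> float:
    """Fraction of the user base expected to be infected."""
    return infections_per_million(a) / USERS


def sensitivity(base: Assumptions) -> dict:
    """Vary one assumption at a time to see which input drives the estimate."""
    return {
        "baseline": infections_per_million(base),
        "fix_in_1_day": infections_per_million(replace(base, vendor_fix_days=1)),
        "users_update_in_1_day": infections_per_million(replace(base, user_update_days=1)),
        "8_zero_days": infections_per_million(replace(base, zero_days_per_year=8)),
    }


if __name__ == "__main__":
    base = Assumptions()
    print(f"{infections_per_million(base):,} per million, about 1 in "
          f"{round(1 / infection_rate(base))}")
    for name, value in sensitivity(base).items():
        print(f"{name:>24}: {value:,}")
```

Run as-is it reports 56,028 infections per million (5.6%, roughly one in 18, which the article rounds to one in 20). The sensitivity table shows that the two-week user update delay, not the vendor's one-week fix time, is the larger term in the window, and that doubling the number of zero-days doubles the estimate outright.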

Boodaei said both Google's Android and Apple's iOS will become targets. Even though Apple's tight control over iOS apps is generally regarded as more secure than Android's unregulated apps market, an attack in early July showed that iOS could be compromised: a published exploit was able to jailbreak any iPhone or iPad that visited a specially crafted website. It chained a zero-day PDF-parsing vulnerability with a further vulnerability in the iOS kernel that Apple has yet to fix. Once a device is jailbroken, the code-signing and sandbox restrictions that normally keep unapproved code off it no longer hold, so it becomes much easier to infect.

“If BlackHole starts serving Android or iPhone vulnerabilities, such as the one we saw last week, we will get this level of infections, assuming we have four vulnerabilities a year, which is a reasonable assumption,” Boodaei said.

“It could even be worse, because we did not take into account all the rogue applications on the Android market. There is a high level of rogue AV for the PC, so if the fraudsters shift from PC to Android, then infections could be higher.”

Boodaei said Trusteer has produced a new version of Rapport to run on iOS and Android, and several banks, including UK banks, will be launching it to their customers within the next month.

The product, he said, works at two levels. First, it tries to prevent infection by analysing the HTML traffic and looking for signs of exploit kits. Second, it creates a secure tunnel between the bank and the mobile device so that the out-of-band, one-time passcodes the bank sends cannot be stolen by malware in transit.

“The banks understand the threats. Especially in the UK, the banks adopt security solutions very quickly. They are usually early adopters of fraud prevention solutions,” Boodaei said.

However, as if to illustrate the scale of the problem, some criminals have begun exploiting Trusteer's reputation to plant malware. The Securelist blog from Kaspersky Lab reports that a new version of the Zeus banking Trojan has been produced for the Android platform which passes itself off as Trusteer's Rapport. A user who believes they are installing a security tool instead installs the Trojan, and any SMS messages the user then receives from their bank, including SMS-delivered one-time passcodes, are forwarded to a remote web server operated by the attackers.
