Java exploits jump, Android malware emerges outside app stores

A continued rise in exploit-based attacks, particularly against Java, and an increasing sophistication in mobile threats characterized the first half of 2013, which saw its share of interesting developments in the world of digital security. According to F-Secure’s new threat report, nearly 60% of F-Secure’s top ten detections in the first half of 2013 were exploits.

The high percentage of detected exploits is a good thing, according to Sean Sullivan, Security Advisor at F-Secure Labs. “The fact that the majority of our top ten detections are blocking exploits rather than dealing with payloads – that means we’re doing a good job of making sure the malware itself doesn’t even get the chance to enter the machine,” he says.

Users in the US saw the most vulnerability-related attacks, with 78 out of every 1000 users encountering an exploit attempt. Germany and Belgium followed with 60 out of 1000 encountering exploit attempts. Java-targeted exploits led the pack of exploits as a whole, making up almost half of the top ten detections, up from a third the previous half-year.

Exploits are programs, but they are simply another vehicle for getting malware onto a machine, like an infected USB drive or email. Usually attacking via malicious or compromised websites, they take advantage of flaws in the code of a computer’s installed applications to access the computer and infect it with malware that can spy on the user, steal passwords or other sensitive data, or allow cybercriminals to take control of the machine.

358 new families and variants of Android malware were discovered by F-Secure Labs in H1, nearly doubling the total number the Labs has ever discovered to 793. (The number of Android samples found in H1 was 405,140 including spyware and adware; malware samples alone numbered 257,443.) Symbian followed with 16 new families and variants. No new families or variants were discovered on other mobile platforms.

Android malware isn’t just distributed by app stores anymore, either. The first half of 2013 saw distribution by malvertising and by drive-by downloads while visiting a compromised site. Malvertising, or advertisements that lead users to malicious products, is increasingly being used to distribute mobile malware, due in part to its wide reach.

While still less sophisticated on a mobile device than on a PC, drive-by downloads are expected to continue as an attack vector. Mobile drive-bys display a notification message asking whether the user wants to install the app, which makes them more obvious than PC drive-bys and gives the user a chance to decline the installation.

Stels, an Android trojan that serves multiple purposes from building up botnets to stealing mobile Transaction Authentication Numbers (mTANs) as a banking trojan, uses methods that are usually characteristic of Windows malware, such as spam as a distribution method. This serves as evidence that Android malware is advancing closer to reaching the highly developed level of Windows threats.