2011 Threats Predictions, Android Malware, and a Bit of Déjà Vu

McAfee Labs recently released our 2011 Threats Predictions. In this report we dust off the crystal ball, put on our battered Mr. Wizard hat, and speculate about potential threats for the coming year.

The threats landscape changed considerably in 2010. We saw marked increases in malware sophistication and targeting as well as a continued increase in the overall volume of daily malware threats. We have also begun to see some very significant changes in the types of threats that target Apple iPhones and other mobile devices. As our use of technology evolves, so do threats. It’s a darn good read and worth the time. Download the report here.

We detail predictions for the new year across eight areas:

  • Exploiting Social Media
  • Mobile
  • Apple
  • Applications
  • Sophistication Mimics Legitimacy
  • Botnet Survival
  • Hacktivism
  • Advanced Persistent Threats


With the report in mind, I found the recent Trojan horse for the Android platform rather interesting. I thought to myself, “Self, in one piece of malware, two of our predictions have come true! We are so smart!” Then I started looking at the malware itself–its functionality and what it was targeting–and I realized a few things. First, it actually fulfills more than two of the predictions and, second, it started giving me a sense of déjà vu. Something in this Android malware seemed very familiar.

I noticed the following strings output from one of the four Trojan variants:

as well as…

It then occurred to me why I was getting that sense of having seen this before. This is pretty much the same kind of information a PC-based Trojan would go after. Granted, some of it is mobile-specific–carrier info, SIM info, subscriber ID, and IMEI number–but the similarities are striking. What the malware does with the data is also typical. It uploads the information to a drop site and can receive commands as if it were part of a botnet.
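The collect-then-upload pattern just described is also something a defender can look for statically, before a sample ever runs. The triage heuristic below is an added illustration and is not code from McAfee Labs or from the Trojan itself; it assumes an analyst has already pulled the permission list out of AndroidManifest.xml and the string table out of classes.dex. The Android API method names and permission strings are the real ones that expose each data category the post lists (IMEI, subscriber ID, SIM info, carrier info, GPS); the two sample inputs at the bottom are constructed for the example, one mimicking the harvesting pattern and one mimicking an ordinary location-aware app so the false-positive case is visible.

```python
"""Static triage for the "harvest device identifiers + upload" pattern.

Added example (not the post's or McAfee's code). Input: permissions from
AndroidManifest.xml and the string table from classes.dex, both assumed to
have been extracted already. Sample inputs are constructed.
"""
import re
from typing import Dict, List, Optional, Set

# Real Android API method names, grouped by the data category the post
# describes the Trojan collecting. Seeing the name in the dex string table
# means the code references that call.
SENSITIVE_APIS: Dict[str, Set[str]] = {
    "imei": {"getDeviceId"},
    "subscriber_id": {"getSubscriberId"},
    "sim_info": {"getSimSerialNumber"},
    "carrier_info": {"getNetworkOperatorName", "getNetworkOperator"},
    "gps": {"getLastKnownLocation", "requestLocationUpdates"},
}

# Permission the app must declare before the API actually returns the data;
# None means the call works without any permission (carrier name does).
REQUIRED_PERMISSION: Dict[str, Optional[str]] = {
    "imei": "android.permission.READ_PHONE_STATE",
    "subscriber_id": "android.permission.READ_PHONE_STATE",
    "sim_info": "android.permission.READ_PHONE_STATE",
    "carrier_info": None,
    "gps": "android.permission.ACCESS_FINE_LOCATION",
}

DEVICE_ID_CATEGORIES = {"imei", "subscriber_id", "sim_info"}
URL_RE = re.compile(r"https?://[^\s\"']+")


def triage(permissions: List[str], strings: List[str]) -> dict:
    """Return which data categories the app can collect, any hard-coded URLs,
    whether it can upload, and whether the combination warrants review."""
    perms = set(permissions)
    strs = set(strings)

    # A category counts only if the API is referenced AND the gating
    # permission is declared; an API name alone is not enough.
    collects = sorted(
        cat for cat, apis in SENSITIVE_APIS.items()
        if apis & strs
        and (REQUIRED_PERMISSION[cat] is None or REQUIRED_PERMISSION[cat] in perms)
    )

    # Hard-coded endpoints plus INTERNET permission = upload capability.
    urls = sorted({m.group(0) for s in strings for m in URL_RE.finditer(s)})
    can_upload = "android.permission.INTERNET" in perms and bool(urls)

    # Heuristic threshold: network upload combined with two or more device
    # identifiers. GPS or one identifier alone is common in legitimate apps.
    ids_collected = [c for c in collects if c in DEVICE_ID_CATEGORIES]
    suspicious = can_upload and len(ids_collected) >= 2

    return {
        "collects": collects,
        "urls": urls,
        "can_upload": can_upload,
        "suspicious": suspicious,
    }


# Constructed sample resembling the pattern in the post: a "game" that
# references every identifier API, holds the permissions, and has a drop URL.
HARVESTER_SAMPLE = {
    "permissions": [
        "android.permission.INTERNET",
        "android.permission.READ_PHONE_STATE",
        "android.permission.ACCESS_FINE_LOCATION",
    ],
    "strings": [
        "Lcom/example/game/MainActivity;",
        "getDeviceId", "getSubscriberId", "getSimSerialNumber",
        "getNetworkOperatorName", "getLastKnownLocation",
        "http://drop-site.invalid/upload",
    ],
}

# Constructed benign-looking sample: location-aware app with a network API.
# It references getDeviceId but never declared READ_PHONE_STATE, so that
# category is not counted.
WEATHER_SAMPLE = {
    "permissions": [
        "android.permission.INTERNET",
        "android.permission.ACCESS_FINE_LOCATION",
    ],
    "strings": [
        "getLastKnownLocation", "getDeviceId",
        "https://weather.example/api/forecast",
    ],
}

if __name__ == "__main__":
    for name, sample in (("harvester", HARVESTER_SAMPLE), ("weather", WEATHER_SAMPLE)):
        print(name, triage(**sample))
```

The permission gating matters in practice: on Android the string `getDeviceId` alone proves nothing, because the call simply fails without `READ_PHONE_STATE`, so a string-only scanner would flag the weather app as well. The threshold of two identifier categories plus a network endpoint is a starting point for queueing samples for human review, not a verdict; tune it against your own app population.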

What does this similarity in function mean? It means that malware is pretty much malware regardless of platform. It means that many of the current classes of threats will simply shift to new technologies and platforms, and that the bad guys do not have to reinvent the wheel. They simply have to modify that wheel (threat) to suit their new needs or targets. The point is proven: we can have threats and malware on any platform and any operating system.

The question I ask is this: Why would anyone not expect to see malware and cybercrime focus on mobile platforms? If users engage in the usual behaviors and are more tethered to these new platforms, then the threats will follow. This is only logical.

To sum up, this Android Trojan horse satisfies the following predictions:

  • Exploiting Social Media: It grabs passwords and GPS coordinates
  • Mobile: It targets the Android platform
  • Applications: It comes disguised within a game through a third-party app store
  • Sophistication Mimics Legitimacy: It is actually signed with a development certificate
  • Botnet Survival: It is a new method of establishing and controlling bots


We can certainly expect more of this throughout 2011. Keep informed, keep updated, and keep your data safe!
