MOBILE THREATS, MADE TO MEASURE
THE SPECIALIZATION OF MOBILE THREATS
AROUND THE WORLD

What global trends and patterns defined mobile security threats in 2013? To answer this
question, Lookout analyzed the threats encountered by more than 50 million Lookout users
around the world. We categorized mobile threats into three distinct app-based threat categories:
adware, chargeware, and malware.
2013 stood out as the year when mobile threat campaigns became increasingly targeted by
region as the criminals adapted their practices to maximize profit and minimize detectability. In
regions where regulation is stringent, attackers favored alternate ways to operate, often dropping
traditional monetization strategies like premium rate SMS fraud in favor of “grey area” tactics like
deceptive, if legal, in-app billing practices.
We also examined how user behavior impacts their exposure to mobile threats. If a mobile user
has rooted their phone, for example, how might that affect their chance of encountering a trojan
in the future? In short, this report contains a comprehensive overview of the current, global state
of app-based threats. We hope the security insights presented in this report may serve to help
educate individuals and businesses on how to better protect their mobile devices from threats in
a highly networked, globalized age.
1

To prepare this report Lookout analyzed security detections from its dataset of more than 50
million users around the world who were active from January 1, 2013 - December 31, 2013. The
encounter rate calculation referenced in this report measures how many devices encounter a
given threat, and it is a weighted calculation that normalizes the differences between the life
cycles of users.
It should be noted that encounter rates are not additive since devices may be counted multiple
times. Lookout excluded countries from this report where representative sample sets of users
could not be achieved. Lastly, app-based threats in this analysis were separated into three
categories: (a) Adware (b) Malware (c) Chargeware. These app-based threat categories are
defined in the glossary at the end of the report.
2
© 2014 Lookout

●
●
●
●
●
3
The diversification of app-based threats by region is readily apparent. 2013 stood out as
the year when mobile threat campaigns became increasingly targeted by geographic
region as the criminals adapted their practices to maximize profit and minimize
detectability.
Financial gain continues to dominate the mobile threat landscape, with premium rate SMS
fraud being the primary type of malware affecting people across the globe.
○ In 2013, hundreds of thousands of Lookout users encountered chargeware - apps
with hard-to-read EULAs that deceptively bill victims, often after luring them in with
racy photos (porn). The encounter rate of chargeware is 13% in France, 20% in the
UK and 5% in the U.S.
○ In Russia and China, premium rate SMS fraud continues to be a massive problem
where regulation isn’t as stringent.
Adware is the most prevalent threat facing consumers. People are five times more likely to
encounter adware than malware. Allowed to spread largely unchecked, adware reached a
pinnacle in 2013, and reached every corner of the globe. (The average encounter rate
ranges from 20-30% depending on the country: U.S. 25%, UK 23%, Germany 27%,
France 31%, Spain 30%).
The encounter rate of malware drastically changes depending on the region. Specifically,
in the U.S. it is only 4%, while in Russia and China it is 63% and 28% respectively.
Risky behavior begets other risky behavior. Having a trojan on your phone means you’re
seven times more likely to download another app with a trojan.
© 2014 Lookout

GLOBAL THREATS

In 2013 mobile threats were clearly a global problem, but Asia, Russia and parts of Eastern
Europe and Africa continue to stand out with higher levels of risk.
5
© 2014 Lookout

In 2013 encounter rates remained low in the US and Western Europe, while regions such as Asia
and Eastern Europe continued to be “hot zones” for mobile malware, largely due to the popularity
of unregulated 3rd party app stores and low risk monetization paths like premium rate SMS fraud
(a prime example being ActSpat, a premium SMS trojan). Also, Lookout’s 2013 ‘Dragon Lady’
investigation uncovered an entire mobile malware industry in Russia.
6
© 2014 Lookout

In the first half of 2013 very little curbed the spread of adware and so it was evenly distributed,
with fairly similar encounter rates in almost every country. Lookout called out adware in June
2013 and Google started taking steps that September to remove adware that violated its policies.
One of the primary adware SDKs was operated by a company called Leadbolt, which has since
changed their ad SDK to comply with Google policies.
7
© 2014 Lookout

In 2013, chargeware (apps that charge users without clear notification) was especially prevalent
in Western & Eastern Europe and South East Asia. Pornograhic apps with deceptive charging
practices made up the most prevalent forms of chargeware in 2013, with one campaign “SMS
Capers” representing more than 50% of the risk in the UK.
8
© 2014 Lookout

NORTH AMERICA

The United States and Canada have comparable threat encounter rates while mobile users
in Mexico have an elevated risk of encountering adware.
10
© 2014 Lookout

The mobile malware encounter rate is low and consistent across North American countries:
mobile users in these countries tend to download apps from trusted app stores where the
likelihood of encountering malware is much lower. Encounters occur nonetheless and the
threats are real: NotCompatible, a trojan that turns devices into proxies for 3rd party traffic,
was the most prevalent threat in the U.S.
11
© 2014 Lookout

EUROPE

The total encounter rate is relatively even across Europe and comparable to the US.
Germany has lower levels of risk in all categories, but especially chargeware and adware,
while Spain has an elevated risk of chargeware and malware.
13
© 2014 Lookout

The encounter rates of UK and France are elevated due to the large volume of chargeware
in both regions. The UK is especially high to due to the emergence of one chargeware
campaign - SMScapers, a pornographic app which makes up more than 50% of the total
encounter risk in the UK.
14
© 2014 Lookout

ASIA

Japan has the lowest encounter rates in all categories, while China and Russia have the
highest malware encounter rates out of any country in the world. The bulk of the threats in
this part of the world are made up from malware rather than adware (like in the US and
Western Europe).
16
© 2014 Lookout

17
Japan has the lowest malware encounter rate due to its strict regulatory environment, while
China and Russia have the highest malware encounter rates in the world. Russia is
particularly high as the ease with which malware authors are able to monetize drives the
creation of new families. RuPaidMarket, a premium SMS fraud trojan, was the most
prevalent family in Russia in 2013.
© 2014 Lookout

MOBILE THREAT
CORRELATIONS

19
© 2014 Lookout

QUARTERLY
MOBILE THREAT ANALYSIS

Apart from a slight dip in Q2, malware maintained a constant presence in China but overall
was dwarfed by the volume of malware in Russia. The apparent drop in malware in Russia
actually represents the tail-end of a couple of incredibly prolific malware campaigns in the
RuPaidMarket family (a family of trojans that commit premium SMS fraud).
21
© 2014 Lookout

22
Prior to June 2013 no industry guidelines defined adware. In June 2013 Lookout published
its own guidelines and in September 2013 Google updated its policies and removed as
many as 36,000 infringing apps from the Play Store. The increase from Q2 to Q3 reflects
Lookout’s implementation of more comprehensive adware detection policies. The drop
from Q3 to Q4 reflects apps removing offending ad networks or getting removed
themselves.
© 2014 Lookout

Chargeware is highly geographic and campaign-based and this slide shows this clearly.
What we see here is the rise and fall of the pornographic chargeware campaigns “SMS
Capers” and “Plus TV” which primarily hit the UK and France.
23
© 2014 Lookout

The diversification of app-based threats by region is readily apparent. Regulation varies by country
and a criminal enterprise that might be highly profitable and difficult to prosecute in one part of the
world is often explicitly forbidden and easy to prosecute in another. This regulatory variation
produces a state of natural selection in which criminals evolve to exhibit attack strategies that are
best suited for their environment.
When it comes to malware, people who use trusted, mainstream app stores (as the bulk of users in
the US and Western Europe do) are less likely to encounter malware. By contrast, users in Eastern
Europe, Russia and Asia face a risk of encountering malware that is as much as 20 times higher due
to the widespread use of high-risk third-party stores. This increased risk is also driven in part by more
robust malware development activities in these regions as evidenced by Lookout’s 2013 Dragon
Lady investigation, which uncovered organized groups of Android malware developers in Russia who
operated like startups, with real organizational structures and affiliate programs.
Chargeware too is a highly country specific threat because it relies on mobile charging practices,
which can vary on a per country (or even per carrier) basis. In 2013 chargeware emerged as the
most lucrative method of monetizing in Western Europe for this reason, where country encounter
rates (13% - France, 20% - UK, 23% - Spain) are two to four times higher than those seen in North
America and up to twenty times higher than those seen in Asia. Most of these chargeware threats
are pornographic in nature, as was the case with SMSCapers in the UK and PlusTV in France (the
two most prolific instances of chargeware in each country).
24

Adware went largely unchecked for the first half of 2013 and encounter rates were high, ranging from
20-30% globally. In Q3 2013 companies such as Lookout and Google implemented detection policies
that flagged the presence of adware to developers and adware encounter rates began to fall. These
policy changes forced apps to remove adware and forced adware developers to modify their
advertising SDKs to bring their practices in line.
Risky mobile behavior begets risky behavior - a rather self-evident, but nonetheless sobering
observation when you consider that risky activities like downloading malware once increases your
likelihood of encountering another piece of malware by seven times.
Moving into 2014 we expect criminals and shady actors to continue to take advantage of the “Grey
area” and use people (and their devices) as a means to an end to pull off their schemes. New
monetization methods may appear, but as long as premium rate SMS fraud continues to be a
successful business model in certain regions around the world, we don’t expect it to go away.
As BYOD becomes more common in the workplace, rather than attacking traditional, heavily
monitored network services, we expect criminals to evolve once again and turn to mobile devices as
an easier way to get into the enterprise and access valuable data. With the recent news of both ad
SDKs and mobile apps leaking device data, businesses are more aware than ever of the need to
implement solutions that minimize mobile data leakage and loss.
The strongest defence against app-based threats comes from a three part strategy of (1) only
downloading apps from trusted marketplaces, (2) exercising common sense and avoiding risky
behavior (like rooting a mobile device), and (3) downloading a mobile security application like
Lookout that can flag and protect against these threats in real time.
25

ADWARE
Adware is an SDK whose primary purpose is to serve obtrusive or unexpected ads on compromised
devices.
CHARGEWARE
Chargeware is an app where the user is charged for a service without clear notification and the
opportunity to provide informed consent.
ENCOUNTER RATE
Encounter rates in this report measure how many devices encounter a given mobile threat during a
specific time period, as a percentage of all devices that have connected to Lookout during that
period.
With this calculation we are measuring how many devices encounter a threat and it should be noted
that encounter rates are not additive since devices may be counted multiple times. Additionally,
encounter rates do not necessarily mean that that percentage of users were actually infected or
would be infected without Lookout.
MALWARE
For the purposes of this report malware includes viruses, trojans, worms, and spyware and excludes
chargeware.
MOBILE THREATS
Mobile threats in this report describe the composite threat of malware, chargeware, and adware.
26