Malware: Reporting vs. threat perception

Silobreaker’s Time Series tool

Silobreaker gives users the power to spot developing trends early and separate valuable information from hyperbole. Three stories have hit the headlines over the last four days, each receiving different amounts of attention.

What can we learn about these threats from Silobreaker’s Time Series?

First off, it’s important to note that the amount of airtime dedicated to such stories is rarely proportionate to the danger they actually pose.

Most media outlets focus on three aspects of malware when they report it:

1) Is it new?

2) Is it (potentially) scary?

3) Is it already gaining traction?

Now, the media aren’t misguided in prioritising in such a way, however, such chatter can serve to stifle discussion about serious threats by inflating the danger of more ‘interesting’ malware.

Case in point: Mazar Bot.

Mazar Bot roots Android phones. It can read and send texts, download additional apps or wipe storage. It sends a text to an Iranian phone number confirming infection, but is probably run by a Russian gang.

All very exciting.

Yet it’s relatively difficult for Mazar to successfully infect victims.

Targeted users first have to follow a link received from an unknown contact and then install a downloaded .apk file. The file, like most mobile apps we use, will ask for wide ranging permissions to function. Only after giving Mazar these permissions will users be compromised.

So, it’s more than likely that those who get infected are either distracted or have little concept of cyber security. Yet the deluge of news about Mazar Bot over the past few days has been unending and at points, hysterical.

Meanwhile, the APT behind the Dridex banking malware was experimenting with new attack vectors.

Only when interest in Mazar Bot began to wane was it reported that the Dridex group were distributing tidal waves of spam laced with a new ransomware known as Locky.

In fact, news of Locky had appeared days earlier, just as Mazar Bot was being widely reported.

Reports state that Mazar Bot has infected 100,000 individuals in Denmark, but Locky has already hit hundreds of computers across the world.

Visibility is obviously higher on ransomware infections than data theft, but we already know how vulnerable employees are to attachments marked ‘Invoice’ or ‘CV’.

Forewarned is forearmed

While not as flashy as android malware that can wipe your drive, ransomware is more easily distributable and far more compromising – just talk to anyone at Hollywood’s Presbyterian Hospital.

The Silobreaker Team

This website uses cookies.
See our privacy policy at