An Ethical Hackers View On The Dangers Of Mobile Malware

Mobile Malware

The mobile phone is unrecognisable in comparison to its original ‘brick’ form of the 80s. Instead of a ‘yuppie’ status symbol, now it’s considered by many as a necessity with practically every handbag and pocket hiding these modern miracles of technology.

While battery life used to be considered the key feature, today it’s a heady mix of memory capacity, browser speeds, megapixels, touch screen quality, HD ability, playback, sleek design and available apps. Hardly anyone thinks about how secure the device is when making that all important decision between Apple, Blackberry or Android.

As our handsets become more than just a way to make and receive phone calls, their appeal to criminals also increases. Of course, having the physical device stolen is a major inconvenience, but that is just one way criminals are monetising mobiles. Mobile malware, once theoretical, is now very much a reality and a growing threat.

For the business user, accessing the corporate network and viewing emails using their mobile devices, criminals might have access to data that can prove lucrative in the right hands. For VIPs it could be a little more personal as the little devils broadcast their locations via GPS. Even for the man on the street, with the introduction of mobile payments apps, there’s more to lose than just the contact list and photos.

Malware on smartphones is used by criminals to make money. They steal information – contact details, emails, personal data or even financial information; they hijack browser sessions – interfering with online banking transactions and circumventing one time password (OTP) security procedures; even certain apps can have a malicious undertone for example sending SMS messages to premium rate numbers.

A worrying trend is that, increasingly, attacks are becoming more targeted and it’s executives that are firmly in the criminals’ sights due to the valuable data they’re carrying on their phones. Using a combination of SMS and social engineering tactics, hackers can spoof the phone number of a friend or a colleague to send an SMS asking the victim to click on a suspicious link etc, and opening up the phone to attack.

Malware Infections Rising

To prevent malware spreading, we’re seeing a number of approaches from some of the mobile operating systems. Apple and Blackberry have introduced security protocols, in tandem with a meticulous acceptance process for apps offered via their stores.

The picture is less secure for Android. Perhaps because it currently has the highest market share, the mobile operating system provides attractive returns for criminals. Another theory is that due to the openness of the platform and the existence of other markets from which to download apps, it’s easier to infiltrate. Whatever the reason, the stark reality is that it attracts the most malware.

That said, as market share moves and rogue programmers perfect their code, it would be foolish to think that any particular operating system will remain infallible indefinitely.

Prevention Better than Cure

The most successful form of attack against malware is a defensive stance and in this everyone has a function to perform. As they’re on the front line, phone users themselves must understand the risks, and the criminals’ tactics, if they’re to practice safe phone use:

1. Are you already infected

It can be difficult for the end user to know if they do have any malware on their phones, but there are a few basic factors that can be indicative. Users should regularly check which apps are actually running on their phones. Anything suspicious should be deleted. Indicators that malware is present can also include decreased battery life (because there is something running in the background on the phone) or an increase in data use (as the malware transmits data from the phone).

2. Block activity

To prevent premium rate number scams, it is important to check your bill regularly for anything out of the ordinary or, better still, contact your provider and block this type of number.

3. Prevent infection

There are a number of elements to this that, while not a guarantee, will help minimise malware when used together.

  • Antivirus software for mobile phones is available to download, however it is argued that they can be ineffective
  • Settings on the phone can be changed to prevent installation of content that isn’t from trusted sources
  • Just like spam mail, be careful following links sent from contacts within the address book
  • Only use bona fide marketplaces, such as the Google marketplace, to purchase and download apps. Of course the free ones, while attractive, could offer more than you bargained for
  • Check the apps permissions before its downloaded and ensure you restrict them from conducting any unwanted activity.

Regardless of whether the handset is corporate or personally owned, organisations should encourage their workforce to practice the security steps above.

For businesses issuing staff with phones, they should also consider:

  • Installing anti-virus software as standard
  • Look for, and deploy, tools that can manage mobile devices in much the same way as traditional PCs
  • Think about device encryption capabilities to avoid data leakages resulting from device loss or left, and perhaps a solution that can remotely locate and destroy AWOL devices
  • Where possible, restrict and control what can and can’t be done on the phones
  • If you can’t stop it then create and communicate security policies that govern what data can, and can’t, be accessed and stored. It is also essential that users understand why this is so important

Unlike viral desktop programs, phones aren’t spreading infections from one to another or to other devices, so the spread of the threat is reduced. You have to either download a rogue app, or click on a bad link, to inject malware onto the phone. But that could change. If we don’t get a grip on malware now, tomorrow we could be facing an epidemic as it’s only a matter of time before criminals create malware that can and does jump between devices. Today, while we still have the power to stop mobile malware, let’s work harder and smarter to unmask the secret assassin.

Ask anyone about Jaime Blasco and they'll say he's the man you want on your side when it comes to a hack – the Sherlock Holmes of the Internet. At AlienVault Jaime manages the Lab and runs the Vulnerability Research Team. Prior to working in the AlienVault lab he founded a couple of startups (Eazel, Aitsec) working on Web application security, source code analysis and incident response. His background stems from a number of years working in vulnerability management, malware analysis and security researching. When he's not hunting down the bad guys, and alerting the good ones, he's a guest speaker or lecturer at hacking conferences such as Rooted Con, OWASP. Recently he ran a Cyber Warfare conference for the Head of Defence in Spain demonstrating attacks in real time and showing how to defend against them. He's also a regular contributor to Hakin9 and InSecure magazine. Jaime also advises government on emerging threats.