Report identifies ‘compound threats’ as biggest mobile security risk

AdaptiveMobile’s 2011 Global Security Insights in Mobile report reveals the shift towards a new, more sophisticated type of threat facing mobile subscribers and network operators – the ‘compound threat’ – which uses multiple attack vectors (SMS/MMS/email/Web/voice) to compromise different aspects of a handset simultaneously.

These threats are built with the primary aim of extracting money, with a secondary knock-on effect for the mobile networks of damaged reputations and a loss of trust.

With mobile subscriptions hitting 5 billion, cyber criminals – usually part of highly organised global gangs – are shifting their focus away from traditional PC-based scams towards the mobile world, according to the report.

As such, the report looks at the rise of the Smartphone market – now at 20% penetration globally and set to hit 37% in Europe and 44% in the US by 2012. It identifies key trends that it predicts will have the greatest impact on the market over the coming year and analyses the impact and consequences of the four types of compound threat to surface to date:

1. Advanced Mobile Malware: One of the most dangerous types of compound threats to emerge to date, the first occurrence of which was identified in October last year. Monitoring users’ access to banking sites, it harvests log-in details through a combination of routes. It is an evolution of existing PC spyware that has been redesigned specifically to record or forward conversations on Smartphones.

2. Converged Messaging Spam: These are 411-type spam attacks, on the rise globally, in which users receive an SMS prompting a reply. In the most coordinated of such attacks, users also receive a matching email from the fraudsters, further validating the scam.

3. IP Reputation: A growing type of compound threat that is becoming increasingly problematic for operators – devices sending email spam over mobile networks. This results in mobile devices becoming infected with PC malware and severely impacts the IP reputation of the operator’s network.

4. Credit Attacks: Threats that seek to trick or stealthily make the subscriber dial a premium rate number. The compound nature is apparent in the parallel use of malware, SMS and voice calls to monetise the attacks.

“The past year, more than any other, Smartphone threats, viruses and privacy concerns have hit the headlines,” says Gareth Maclachlan, COO, AdaptiveMobile. “However there’s still a lot of confusion amongst consumer and enterprise subscribers as to where the real threats lie and what can be done to combat them – particularly as the threats and handsets are becoming more sophisticated and therefore complex.”

The findings of the report provide a stark warning to mobile users, network operators and the wider ecosystem. Whereas historically mobile threats have been crude and designed to reap big returns quickly, this new breed of compound threats is intelligent and built to go unnoticed for as long as possible.

As such, mobile security is rising in prominence as a business issue with threats starting to have more serious consequences for network reputation, performance and subscriber trust.

It seems traditional approaches to protecting subscribers can no longer provide adequate protection. Trying to tackle mobile security in a piecemeal fashion by protecting individual services – such as SMSC or email filters – cannot suffice when what we’re now seeing are multi-bearer threats that require a much broader approach to network protection.

With the next generation of attacks continuing to emerge, so does the need for an intelligent approach to mobile security – keeping the industry one step ahead of the criminals to ensure that such threats do not reach mobile users in the first place.

Christian Harris is editor and publisher of BCW. Christian has over 20 years' publishing experience and in that time has contributed to most major IT magazines and Web sites in the UK. He launched BCW in 2009 as he felt there was a need for honest and personal commentary on a wide range of business computing issues. Christian has a BA (Hons) in Publishing from the London College of Communication.