Smart target: Mobile malware

Smartphones may soon become a preferred platform for cybercrime, reports Angela Moscaritolo.

Some smartphone users were baffled earlier this year when their phones suddenly started making calls to unknown numbers.

One user, describing the unnerving incident in a message board post, said he was shaken out of a deep sleep by a repetitive voice coming from his phone stating “international dialing is not currently permitted for this device.” Checking his call history, the user found that his phone made a number of calls starting at around 2:30 a.m. to various international numbers.

“I have absolutely no idea who or what these numbers are for,” the user wrote.

It was later discovered that the odd calls resulted from a trojan that made its way onto the user's device via an infected game.

Researchers discovered that a Russian malware author uploaded a trojan-laden version of a popular 3-D shooting game to several Windows Mobile download sites. Once downloaded, malicious code embedded within the game initiated phone calls from an affected user's phone to international, attacker-owned, premium-rate numbers in Antarctica, Somalia and several other countries, resulting in money being transferred from a user's account to the cybercriminals.

It was, experts say, the first time money-making malware targeting smartphones was identified.

Researchers have warned for some time that smartphones – because of their popularity, vast storage capabilities and computing power – are an attractive target for cybercriminals. Many from the anti-virus community have predicted that mobile malware will soon become a major problem. In fact, they say, smartphones could become the platform of choice among cybercriminals in the future. Others, however, say that these long-predicted warnings have not yet materialized and, because of security advances made by smartphone vendors, mobile malware may never become a serious issue for users.

Stephen Northcutt, president of the SANS Technology Institute, says that right now cybercriminals are not hugely focused on the mobile platform because it does not have much value to them. But, he adds, it is an “absolute guarantee” that organized cybercriminal gangs will more heavily target smartphones in the future due to their growing ubiquity and the invention of mobile payment methods, which allow consumers to pay for goods and services from their mobile devices.

According to marketing and advertising research company Nielsen, smartphone adoption is predicted to surpass traditional mobile phones by 2011. Moreover, the market for mobile applications is also exploding as smartphone users take advantage of the scores of apps available at their fingertips. The number of mobile app downloads is expected to increase from more than seven billion in 2009 to almost 50 billion by 2012, according to technology and strategy firm Chetan Sharma Consulting.

Perfect storm

Winn Schwartau, a 20-year veteran of the information security industry, sees a parallel between the early days of computer security and what's happening with smartphones now.

In the late 80s, believe it or not, skeptics often questioned why anyone would ever want to use a computer to commit a crime, says Schwartau, chairman of smartphone security provider M.A.D. Partners. These days, replace “computer” with “phone” and he's giving the same answer: why would they not?

Because, these days, a phone is often no longer just a phone, he says.

“They are computers that happen to have voice communication,” Schwartau says. “People are missing that point.”

With hundreds of millions of potential victims and what he calls a fundamentally insecure infrastructure, Schwartau says that smartphone security is brewing into a “perfect storm.”

From a threat perspective, the worst case scenario would be that attackers discovered a remotely exploitable vulnerability in a popular mobile operating system, says Hugh Thompson, program committee chair for the RSA Conferences.

“With every device providers sell, the motivation for attackers to look hard for these types of vulnerabilities increases,” he says.

In fact, a hack released online in August made use of two previously unknown vulnerabilities in Apple's mobile operating system, iOS, to jailbreak iPhone, iPad and iPod Touch devices, which allowed users to install unapproved applications. The hack was not malicious and Apple has subsequently fixed the flaws, but at the time, researchers warned that the same vulnerabilities could be leveraged to remotely install malware on users' devices.

As evidenced by the infected shooting game targeting Windows Mobile devices earlier this year, mobile apps also can provide an entryway for malware to get onto smartphones. The growing popularity of mobile apps coupled with smartphone vendors' lax app review policies provides attackers with “the best hostile code delivery system ever invented,” Schwartau says.

But, as in the early 80s, not everyone agrees that the threat is so dire. Andrew Jaquith, senior analyst at Forrester Research, says smartphones do pose some security concerns, but, he says, the threat of mobile malware has so far been “overblown.” Moreover, mobile malware is not likely to become a “pandemic” anytime soon – or probably ever, he adds.

“The apocalypse is not here already,” Jaquith says. “Saying anything different is fear-mongering, plain and simple.”

Ramped up

The first mobile malware was discovered in 2004. At the time, there was a fair amount of cybercriminal activity targeting Nokia's popular Symbian operating system, says Mikko Hypponen, chief research officer at F-Secure. Then around 2006, mobile attack activity largely died down and remained low until only recently.

“Over the last six months, I have seen much more activity once again,” Hypponen says.

The mobile malware today is not being created for notoriety purposes or to simply prove it can be done, as was the case in the past, adds John Hering, CEO of mobile security provider Lookout. Now, mobile malware is being created for espionage or profit, he warns.

Smartphones provide attackers with a unique money-making opportunity over computers, Hypponen says. Unlike computers, phones have a built-in billing system – the phone bill – which allows attackers to easily steal money via malware that takes advantage of premium-rate telephone numbers. Often used for adult or horoscope chat lines and other services, premium-rate numbers allow third parties to add a charge to an individual's cellphone bill and receive payment for “provided” services.

As did the trojanized game targeting Windows Mobile users, the first malicious program targeting smartphones running Google's Android OS also took advantage of premium-rate numbers.

The first Android SMS trojan, which was discovered in August, was masquerading as a media player application. Once downloaded, it delivered text messages to premium-rate numbers without the user's consent.

Experts say the impact of the trojan was limited since it only affected Russian users and was not spreading in Android's app marketplace. But mobile malware that takes advantage of premium-rate numbers will likely ramp up, experts warn.

“Those types of attacks are very new to mobile and are a leading indicator of what's to come,” says Lookout's Hering.

However, only about 500 viruses, worms and trojans have so far been identified for mobile platforms, Hypponen says, pointing out that compared to the roughly 40 million pieces of malware targeting the PC environment, the security on mobile platforms can so far be considered a success story.

Organized cybercriminal gangs, which are responsible for the vast majority of attack activity, still favor Windows XP because it predates security mechanisms built into newer versions of Microsoft's desktop software. Subsequently, it still has the largest share of the market. But when people start moving away from XP, mobile devices may become the platform of choice, Hypponen warns.

“Some of these moneymaking gangs will look around and consider whether to move attacks to Windows 7 or more lucrative platforms like smartphones,” he says. “It is easier to steal money from smartphones than computers.”

Another issue that may contribute to an increase in mobile attacks is consumerization, experts say. A growing number of companies are allowing their employees to use personal smartphones to access corporate email, says RSA Conferences’ Thompson. This makes smartphones a more interesting attack target because they represent an entryway into the enterprise.

According to a recent RSA Conference survey, information security professionals are concerned about consumerization, but most have not experienced a serious incident as a result of employee-owned mobile devices.

More than 93 percent of IT security professionals surveyed said they believed that allowing employees to connect their personal mobile devices to the corporate network poses a security threat to their organization. However, only 1.8 percent of respondents said their organization has experienced a serious incident as a result of employees' mobile device use.

“These survey results tell us that enterprises are thinking about mobile security risks,” Thompson says. “What we don't know yet is what the primary risks and attacks will look like.”

Beyond potential vulnerabilities in the smartphone OS or from malicious applications, there may be other risks on the horizon that are not fully understood yet, he says.

“People tend to use mobile phones differently than they use laptops,” Thompson says. “They may pass a smartphone around a dinner table. The device may pass through many more hands than a laptop.”

Also, employees may inadvertently reveal information, such as business travel habits, through smartphone geo-location leakage, he says. Some say that right now, a bigger issue than mobile malware is the threat of spyware apps, which may harvest a user's information.

A simple wallpaper app, for example, may attempt to “phone home” overseas with the contents of a user's address book, says Forrester's Jaquith, who agrees that spyware is a primary smartphone security concern today.

Locked down

Some say that despite the increased threat landscape and potential for future attacks, smartphone users may never need third-party security software because the devices were built in a post-PC era, allowing vendors to learn from and improve on past security mistakes.

“Microsoft designed Windows at a time when the industry was a bit naïve about how much built-in security a desktop OS really needed,” Jaquith says. “Twenty years later, we now know the answer: a lot more than we got originally.”

As a result, several major smartphone vendors – such as Apple, maker of the iPhone, and Research in Motion (RIM), which makes BlackBerry devices – have taken on the responsibility of securing their mobile platforms, building many security features into their mobile operating systems, he adds. These companies aim to build their devices and operating systems so that a user does not need third-party security products.

“They are closed systems and deliberately so – and far more locked down than general purpose PC operating systems,” he says.

Apple CEO Steve Jobs has discussed the importance of securing the iPhone since at least 2007.

“We're trying to do two diametrically opposed things at once — provide an advanced and open platform to developers, while at the same time protect iPhone users from viruses, malware, privacy attacks,” Jobs wrote in a 2007 news release.

Microsoft also says its new smartphone platform, Windows Phone 7, was architected to limit security threats.

“We think about security holistically with Windows Phone 7 and we are addressing it across the following areas: operating system, access to the device, file system and apps, data transmission, marketplace and malware threat,” a Microsoft spokesperson says.

In addition, all applications and games available in the Windows Phone Marketplace are tested and certified for quality and performance before being made available to consumers, Microsoft says. Similarly, Apple says it reviews every app and checks the identities of every app developer. If it finds anything malicious, the developer is removed from Apple's iPhone developer program and their apps removed from the App Store.

But Schwartau warns that even though smartphone vendors say they review apps, threats can still make their way into app stores. That's because vendors typically only conduct operational reviews to ensure the app does not interfere with the phone's processes or break any rules they have specified with which apps must comply to run on the device, he says. They do not conduct code reviews to check the validity and accuracy of an app's code – something that would require examining every line of code to figure out how it works and if it does anything unwanted.

However, consumers should not have to worry about any major malware outbreaks on these devices if smartphone makers continue to harden their mobile operating systems against exploits and quickly fix any security flaws that are found, Jaquith says. To keep mobile malware at bay, smartphone vendors must also continue to screen apps offered through their respective app stores to ensure they do not purposely or inadvertently steal customer data, as well as be able to quickly remove malware or spyware that has slipped through the screening process.

“Should customers ever need a third-party product to help keep their iPhone or BlackBerry devices safe from malware, it means that Apple or RIM have royally screwed up,” Jaquith says. “But customers won't be happy with this. No consumer wants to install a third-party product that will slow down their phone and reduce their battery life by half.”

[Sidebar 1]

Exposure: Greater concerns

Right now, mobile malware is not the first or even the second biggest smartphone security concern, says Stephen Northcutt, president of the SANS Technology Institute. The main threat is data exposure due to lost or stolen smartphones, he adds. Secondly, it is harder to maintain compliance on most smartphones to the same extent that can be done on a PC or Mac.

Enterprises that allow employees to use personal devices to connect to corporate email and other services generally require that the devices support enterprise-initiated remote wipe, says Hugh Thompson, program committee chair for the RSA Conferences. Some devices allow enterprises to enforce finer-grained security policies, but many corporations are still struggling with how they should restrict, manage and monitor them.

“Regulators haven't picked up on it yet, but I imagine that within a year or two they will,” Northcutt says. “We are lucky they haven't focused on it, which gives us time.” – AM

[Sidebar 2]

Android: An Outlier?

While the responsibility for securing the smartphone platform generally rests on vendors' shoulders, phones running Google's Android mobile OS are different, says Andrew Jaquith, senior analyst at Forrester Research. Much of the responsibility for securing the Android platform is delegated to the various handset manufacturers, which can choose to install applications from sources other than Google's Android Market and even install unsigned applications, he says.

With Android, the customer also shares a responsibility for security, Jaquith says. When installing an app, customers are prompted to grant permissions to the apps they install. Essentially, they need to “choose security” to stay secure.

“I am withholding judgment about Android for now,” Jaquith says. “Right now, I am not willing to put it in the same class as iOS [Apple's mobile operating system] or the BlackBerry.” – AM
