Is the industry a breath away from the next major mobile malware fiasco?
For years, mobile security vendors have claimed that a tidal wave of mobile malware will compromise consumer phones, threaten corporate security and create public relations nightmares for mobile operators. There have been isolated security problems reported, which have been relatively tame compared to the PC world. But a new generation of open software platforms could usher in a new era of mobile threats.
“Today the computing power of phones is at the level of a low-end Pentium that lets you run third-party apps. This has led to viruses, Trojan horses and even apparent rootkits,” said Jamz Yaneza, project manager at security vendor Trend Micro.
A recent report from the SANS Institute, a computer security research cooperative, described “Mobile Phone Threats, Especially Against iPhones And Android-Based Phones,” as one of the top 10 security threats in 2008. The group noted, “A truly open mobile platform will usher in completely unforeseen security nightmares. The developer toolkits provide easy access for hackers. And hackers are taking note.”
At the moment, the number of reported new malware variants is relatively small. As of March 2008, McAfee had seen only 457, while F-Secure counted 401. This is only a fraction of the 640,000 threats that F-Secure has seen for PCs.
“The only reason they have not gone after mobile is they can make more money hacking PCs rather than mobile phones,” said Jan Volzke, head of global marketing for McAfee Mobile.
In a few rare cases, hackers in China and Russia have created malware for either extorting users or dialing premium numbers. In other cases, the malware simply renders the phone inoperable or slows it down. One widely reported Apple Trojan horse in the U.K. was simply the result of a young programmer who wrote a buggy application, Yaneza said.
Another major threat looming on the horizon is the loss of corporate data resulting from a lost or stolen phone. Philippe Winthrop, an Aberdeen Group analyst, said, “By the end of this year, I would not be surprised to see an announcement of a major security breach, such as the loss of a store of social security numbers that was originated or partly caused by a mobile device.”
PARTNERING WITH CARRIERS
Malware poses a direct threat to carriers’ reputation and can result in significant costs to fix problems when they occur, noted Volzke. In many cases, users might not even be aware of an infection, and just notice that their phones are malfunctioning. He said it can cost a carrier anywhere from $100 to $400 to troubleshoot these problems in customer care, lost billing and network problems for a single customer. In some cases, it might seem easiest to just replace the phone, although having a system to remotely disinfect the device is far less expensive.
The first sign of trouble might be a consumer calling in to complain that his bill is 80% higher, and that he did not send out 15 picture messages at midnight. In other cases, the carrier has to reach out to customers and convince them there is something wrong with their phones.
“Carriers would like to have the problem solved as effectively and silently as possible,” said Volzke. “If things go wrong, they are the ones that face the issue. It would be difficult to roll out a mobile payment service if there was a major breakout a year before.”
To help reduce this problem, security vendors such as McAfee, F-Secure, Trend Micro and Symantec have developed mobile security platforms for carriers. These can help reduce the spread of malware through the network before they have occurred, and then reduce the cost of disinfecting phones after a problem has been discovered.
ENTERPRISE CONCERNS
Enterprises and government organizations also need to come to grips with the security hole in their networks.
“Why are organizations, particularly with smartphones with Wi-Fi not doing what they do on the laptop? Because they are not cognizant of the fact that these are microcomputers that make phone calls,” said Winthrop.
Last November, the Aberdeen group completed a study on enterprise mobile security revealing that only 25% of companies were deploying antivirus software on their mobile devices.
“That is a huge issue. When you have files that you can transfer to and from mobile devices and attachments, this lack of security poses an absolute threat that is not being addressed well enough,” Winthrop explained.
Even if a lost phone is used to compromise enterprise security, it is possible the data loss would not even be discovered. Jack Gold, president of consultancy J. Gold Associates, explained, “There is very little tracking and discovery capability available for these systems as compared to the PC and server infrastructure. Many devices are not encrypted/locked, so such data leakage presents a significant exposure to enterprises.”
Security vendors such as Symantec and Bluefire have developed Network Access Control (NAC) products that are designed to enable virtual private network access to corporate networks, and to lock out devices when they have become infected. But these have limitations. Paul Miller, Symantec’s director of mobile and wireless, said, “While Symantec’s products allow the lock-out of configuration changes, mobile phones do not yet reliably block users from deleting applications, creating unprotected data folders and resetting devices. We have been requested to expand the mobile NAC functionality to provide additional alerts when the host integrity check fails.”
CALM IN THE STORM?
At the moment, it would appear that mobile security has the upper hand against hackers. The most targeted platform has traditionally been the Symbian S60 because of its popularity, but improvements in S60 Version 3 appear to have slowed new malware.
Patrick Runald, security response manager at F-Secure, noted, “Out of the 401 reported malware threats, 390 of those are targeting Symbian. As Symbian too steps to implement better signing and file formatting, the threat is going away.”
Hackers might just be silently waiting to target other platforms. Most attacks have relied on social engineer techniques that require the user to install something, click somewhere or play a video. But buffer overflow weaknesses have been reported on the iPhone and older versions of Windows Mobile, which could allow malware to run without any interaction from the user.
There also are concerns that higher-level applications such as Web browsers and IM clients could be attacked. As Gold noted, “We will see attacks in the near future, especially on the popular devices like iPhones because hackers have something to prove and see the challenge laid out in front of them. It is one thing to say the OS is secure and another to sustain a real-world attack. And, perhaps more importantly, once hackers go after higher-level app code like browsers and IM clients, which already have access to the OS, can the devices sustain and survive an attack?”
In the meantime, phone makers, carriers and security vendors are working to ensure that the mobile world does not undergo the same fate as the PC.
“Hackers are making enough money on PCs that the mobile landscape is unexplored,” said Runald. “The good thing with talking about it now is that we can prepare for it.”
| Malware Primer |
There are three primary types of mobile malware and three primary vectors. Many of the more sophisticated implementations blend together these components for more effective spreading. Other vectors like worms transmitted via Wi-Fi and stolen phones being used to access sensitive data have not been reported, but pose a security risk.
TYPE
- Virus: Software that is transmitted to the phone without any effort by the user.
- Trojan Horse: Malware that piggybacks alongside seemingly legitimate applications that users install.
- Worm: Malware that moves from device to device on its own.
VECTORS
- Bluetooth: Software is automatically pushed from infected device to another.
- Smishing (SMS Phishing): A malware link or application is sent to victim within the body of an MMS, SMS, or email message. In some cases, the phone then sends messages to numbers in its contact list.
- Memory Card: Malware resides in memory card and is activated when placed in a phone.
|