Mobile Malware & the Looming Security Storm
A combination of factors means spammers are finding it easier than ever to make money off wireless scams, prompting all kinds of headaches for IT administrators.
Admittedly, the amount of mobile malware circulating around the Internet is relatively minor compared to the hordes of viruses attacking Windows computers around 2005.
As Sean Sullivan, security advisor at F-Secure Labs, puts it: “Compared to Windows, the real threat to people’s phones is the toilet.” As in, dropping them there.
Still, that doesn’t mean consumers and businesses can afford to ignore mobile security. Smartphones contain information about work, bank accounts, children, credit cards, e-mail, location data and more.
With many smartphones being equipped with the computing power of old laptops, security is becoming an increasingly important part of the wireless landscape as hackers and spammers turn their attention to mobile.
Gareth Maclachlan, COO of security firm Adaptive Mobile, says mobile has become increasingly fruitful ground for criminal hacking organizations.
The first of the reasons is obvious: Smartphones have proliferated. Before the smartphone boom, the wireless space wasn’t attractive to spammers because there were too few high-powered devices on the market for mobile spam attacks to be profitable. The rise of iPhone and Android has helped change that. To use business jargon, spammers have seen a substantial increase in their total addressable market.
Along with that, operating systems became increasingly open and developer-friendly, increasing the talent pool of people with the technical know-how to hack into phones and launch sophisticated spam attacks.
It’s also become much cheaper. “It’s now as cheap to send out SMS spam as e-mail spam,” Maclachlan says. “The investment a criminal organization would have to make has disappeared almost entirely over the past 12 to 18 months.”
Combine that with consumers’ increased willingness to jailbreak their phones and download apps from sometimes questionable third-party providers – apps that haven’t been vetted for the viruses that fuel premium SMS spam – and you have all the right ingredients for a rise in mobile malware.
“We’ve gotten to that perfect crossing point where all of the things which have prevented criminals from leaping into the wireless space have been eroded,” Maclachlan says.
The bottom line: It’s now easier than ever for spammers to make money off wireless devices.
Maclachlan lays out a possible scenario. “If I can infect your device by getting you to download an app, or push you to a link that cracks your phone and infects your OS, I can get your phone to make extra calls to a premium rate number which I own, or send a premium SMS or short code I’m renting through a shell company, and start taking money out of your pocket,” he says.
Criminal groups release malicious apps that get devices to send out calls and texts to premium numbers without the user’s knowledge. The charges may go unnoticed or a customer may contest the fees and the operator has to eat the charge, leaving the spammers with a neat profit.
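The fraud described above leaves a trace in the handset’s own message log: outbound texts to short codes that the user never corresponded with, sent by something other than the messaging app, often in bursts. The following is an added example (not from the article or any vendor named in it) of a detector run over a constructed SMS log; the app package names and the notion of a “trusted” messaging app are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log: (ISO timestamp, direction, counterpart number, originating app).
# "com.example.wallpaperz" is a hypothetical third-party app; the others are made-up too.
SAMPLE_SMS_LOG = [
    ("2011-09-12T08:01:10", "out", "+14155550123", "com.android.mms"),
    ("2011-09-12T08:02:44", "in", "+14155550123", "com.android.mms"),
    ("2011-09-12T08:05:00", "out", "81234", "com.example.wallpaperz"),
    ("2011-09-12T08:05:03", "out", "81234", "com.example.wallpaperz"),
    ("2011-09-12T08:05:07", "out", "81234", "com.example.wallpaperz"),
    ("2011-09-12T09:30:00", "out", "24365", "com.android.mms"),  # user-initiated vote line
]

SHORT_CODE = re.compile(r"^\d{4,6}$")        # premium short codes are 4-6 digit numbers
TRUSTED_SMS_APPS = {"com.android.mms"}       # assumption: the stock messaging app
BURST_WINDOW = timedelta(minutes=1)
BURST_THRESHOLD = 3


def premium_sms_findings(log):
    """Return {short_code: [reasons]} for outbound short-code traffic that looks unattended.

    A destination is reported only when at least two independent signals agree, so a
    single legitimate user-initiated text to a vote line is not flagged on its own.
    """
    inbound_from = {num for (_, d, num, _) in log if d == "in"}
    outbound = [(datetime.fromisoformat(ts), num, app) for ts, d, num, app in log if d == "out"]
    findings = {}
    for ts, num, app in outbound:
        if not SHORT_CODE.match(num):
            continue
        reasons = set()
        if app not in TRUSTED_SMS_APPS:
            reasons.add("sent_by_non_messaging_app")   # text not sent through the SMS UI
        if num not in inbound_from:
            reasons.add("no_inbound_history")          # user never heard from this code
        burst = [t for t, n, _ in outbound if n == num and abs(t - ts) <= BURST_WINDOW]
        if len(burst) >= BURST_THRESHOLD:
            reasons.add("burst")                       # several sends within one minute
        if len(reasons) >= 2:
            findings.setdefault(num, set()).update(reasons)
    return {num: sorted(r) for num, r in findings.items()}
```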
ANDROID VS. IOS
Many argue Android is less secure because it’s open source, and indeed, Android appears to have had more problems on the malware front than Apple. Lookout Mobile Security estimated in an August report that Android users are now two-and-a-half times more likely to encounter malware than they were six months earlier.
Last March, a flood of apps carrying the DroidDream virus poured into the Android Market and some third-party app stores. In all, more than 50 apps were found to have been infected with the virus.
The apps looked legitimate, except they carried malicious code that gleaned sensitive information including a user’s IMEI and IMSI numbers, device model and the version of Android installed on their phone. That information was used to open a back door into the device which allowed hackers to install a second malicious app capable of silently installing more applications and obtaining additional sensitive information.
Google said it removed the apps from Android Market “within minutes of becoming aware” of the problem, but by some estimates, 260,000 users were affected by the attack.
The attack was an embarrassment to Google, especially as it pushed its phones to security-conscious enterprise customers. The company has since stepped up its safeguards against malware.
On the operating system level, Google performs security design and code reviews prior to releasing new versions of Android to make sure it’s safe. It also relies on its open source community to spot any vulnerabilities. On the application level, Google scans new Android apps for malware, privacy protections and copyright infringement before publication. The company also has a rapid response team that can quickly remove malicious apps from Android Market and wipe them off phones.
The past year’s security breaches have some questioning the security of the Android operating system itself, not just its applications. Does the fact that it’s open source make it inherently less secure? Well, yes and no.
Back at F-Secure Labs, Sullivan says the real problem with Android is its applications, not the platform.
“The Android OS is technically very secure in that if you want to do something that could harm somebody, you have to ask them to submit to that,” Sullivan says, referring to the prompts that come up when an app is installed asking for permission to do things like collect data. “But that’s really kind of the catch. The prompts that the apps ask you for are too much for the average user to understand the warnings, and they just approve it.”
Basically, Android Market is the Achilles’ heel of the Android operating system. Users don’t read the fine print when they install apps, and so they give malicious applications the permissions they need to exploit the phone. Whatever protections are built into the operating system itself, they won’t help if a user unwittingly grants an app permission to do harm.
Because Apple took the walled garden approach with its iOS platform, it has earned a reputation as being more secure than Android. Anecdotally this appears to be true, since iOS has been hit by far fewer exploits than its open source rival.
“The walled garden, their security model, is a little more rigorous on the iOS side,” says John Engels, principal product manager for Symantec’s enterprise mobility group.
Apple controls what applications are available on the App Store, and even businesses that want to develop their own applications for internal use still must obtain a certificate from Apple.
“The walls they put up to block access to somebody building iOS apps and distributing them really cuts down on the number of opportunities that hackers have to go in and create malicious apps,” Engels says.
Not everyone agrees that iOS is always more secure than Android, however. Mobile Active Defense argues that Android can actually be made more secure than iOS because it’s open, allowing the platform’s security to be reinforced at the most basic levels of its code. The company has come up with technology that secures the Android kernel, the software layer that talks to the hardware and lies underneath the operating system. If the hardware is the concrete slab for your house, think of the kernel as the concrete walls.
“It offers the ability to do a kind of lockdown that gives you a stronger hold over the device,” says Erik Green, director of business development at Mobile Active Defense.
For instance, administrators can use the company’s technology to block employees from using Wi-Fi or Bluetooth connections, which are more vulnerable to security threats than cellular networks.
Of course, most consumers aren’t going to be interested in recoding the kernel of their phone to make it more secure. Mobile Active Defense’s technology is targeted at high-security applications, such as the government and military.
SECURITY IN THE ENTERPRISE
What’s keeping CIOs up at night? It’s not premium SMS malware. “I’ve heard horror stories of CEOs that lost their iPad and didn’t report it stolen for three weeks,” says Joey Peloquin, director of mobile security at FishNet Security. “It could have been autowiped after one day.”
The enterprise sector’s top priority is making sure the sensitive corporate data on employees’ personal devices doesn’t leak into the wrong hands.
This task has become increasingly difficult as more workers begin using their own smartphones and tablets for work. IT departments find themselves trying to enforce security policies across a dizzying array of wireless devices. Where fragmentation makes things difficult for application developers, it also makes things difficult for IT departments.
Today’s mobile environment is very different from the days when the only devices IT administrators had to worry about were desktops and laptops. “The security profile of these phones changes frequently because they’re consumer devices and so it’s very different from the laptop world,” says Ojas Rege, vice president of products and marketing at MobileIron.
Back then, laptops were buttoned down by IT administrators. They imaged them, knew exactly what programs were on them, controlled every single operating system update and actually owned the device. Wireless couldn’t be more different.
“Now, none of those things hold,” Rege says. “I can’t image these phones, I can’t control items on the phones, I can’t control operating system updates on the phones because the user does that, and many times I don’t even own them.”
According to IDC, within two years the number of smartphones owned by employees will exceed the number of smartphones shipped to businesses. That trend, known in industry circles as the “consumerization of IT,” has major implications for how businesses manage security, Rege says.
“IT administrators have different roles now that these things have changed, and that means that the mindset that IT has also needs to change pretty fundamentally,” he says. “It’s a security partnership between IT and the user. It’s not just the IT department setting policies. A lot of these remediations and actions need to be taken by the user.”
Devices need to have passwords and encryption that make data stored on the device unreadable to unauthorized individuals or applications. A virtual private network connection, or VPN, is another fundamental of mobile security. IT administrators should also be able to determine the “posture” of a device – whether it’s jailbroken or rooted, whether its security policy is out of date and whether it has the most recent version of an operating system.
Administrators also want to be able to wipe a device that gets lost or falls out of compliance with the security policy. But the fact that personal information is being stored alongside corporate data makes this task a bit more complicated – employees are likely to complain if photos of their children are wiped from their device. This has led to the development of technologies that have different silos for enterprise data and personal content, allowing administrators to selectively wipe corporate information from a device while leaving a user’s personal data intact.
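The posture checks and selective wipe just described can be expressed as a small compliance routine. The code below is an added example, not taken from the article or from any MDM vendor it names; the minimum OS versions, the 30-day policy age limit and the device record fields are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

# Constructed policy values (assumptions, not any vendor's defaults).
MIN_OS = {"ios": (5, 0, 0), "android": (2, 3, 0)}
POLICY_MAX_AGE_DAYS = 30


@dataclass
class Device:
    device_id: str
    platform: str
    os_version: str
    jailbroken_or_rooted: bool
    passcode_set: bool
    storage_encrypted: bool
    policy_age_days: int          # days since the device last received the current policy
    corporate_data: dict = field(default_factory=dict)   # enterprise silo
    personal_data: dict = field(default_factory=dict)    # user's own content


def parse_version(v: str) -> tuple:
    """'2.2' -> (2, 2, 0) so versions compare numerically, not as strings."""
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def posture_findings(d: Device) -> list:
    """List every way the device fails the policy; empty list means compliant."""
    findings = []
    if d.jailbroken_or_rooted:
        findings.append("jailbroken_or_rooted")
    if not d.passcode_set:
        findings.append("no_passcode")
    if not d.storage_encrypted:
        findings.append("unencrypted_storage")
    if d.policy_age_days > POLICY_MAX_AGE_DAYS:
        findings.append("policy_out_of_date")
    if parse_version(d.os_version) < MIN_OS.get(d.platform, (0, 0, 0)):
        findings.append("os_below_minimum")
    return findings


def selective_wipe(d: Device) -> list:
    """Remove only the enterprise silo; the user's personal content is left intact."""
    removed = sorted(d.corporate_data)
    d.corporate_data.clear()
    return removed


def enforce(d: Device) -> dict:
    """Evaluate posture and, on any finding, selectively wipe corporate data."""
    findings = posture_findings(d)
    wiped = selective_wipe(d) if findings else []
    return {"compliant": not findings, "findings": findings, "wiped": wiped}
```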
For all its recent troubles in the consumer space, Research In Motion’s BlackBerry smartphones are still the gold standard for enterprise-grade mobile security. In fact, the BlackBerry Enterprise Server does such a good job of encryption that foreign governments have threatened to block BlackBerry phones because they cannot break the encryption code to monitor communications.
Scott Totzke, senior vice president of BlackBerry security at RIM, says that’s because security is a top priority at every stage of the platform, from the operating system itself to the device and the applications that run on it.
“If the OS is able to be compromised, then no third-party software is going to be effective at protecting your data,” Totzke says. “We’ve seen this for a couple of decades now in the PC industry, where software protecting software hasn’t been enough. Fundamental flaws in the OS lead to ways around software mitigation mechanisms.”
DON’T FORGET THE FUNDAMENTALS
For all their technological prowess, mobile security solutions won’t do one iota of good if users fail to take basic precautions. For instance, FishNet Security estimates that up to 70 percent of the cell phones sold on eBay still contain their previous owner’s personal information.
In the end, the failure to take basic precautions could be the most worrisome part of mobile security. “A lot of people still look at smartphones as if they’re just a phone,” Totzke says. “That thought process belittles the threat that exists. I still run into people that are somewhat dismissive of it.”
Totzke’s observations were echoed by a recent report from the U.S. Computer Emergency Readiness Team (CERT), the operational arm of the National Cyber Security Division at the Department of Homeland Security. Security measures like firewalls, antivirus software and encryption remain uncommon on most cell phones despite the amount of sensitive information held on the devices, and security updates for mobile operating systems arrive less frequently on smartphones than on personal computers, CERT found.
“Unfortunately, many smartphone users do not recognize these security shortcomings,” researchers from CERT wrote in a recent advisory manual. “Many users fail to enable the security software that comes with their phones, and they believe that surfing the Internet on their phones is as safe as or safer than surfing on their computers.”