Information Security Today Home

New Books

Mano Paul, The 7 Qualities of Highly Secure Software, ISBN 978-1-4398-1446-8
Mobile Device Security: A Comprehensive Guide to Securing Your Information in a Moving World
Security Strategy: From Requirements to Reality
Investigations in the Workplace, Second Edition by Eugene F  Ferraro, ISBN 978-1-4398-1480-2, $79 95
Asset Protection through Security Awareness by Tyler Justin Speed, ISBN 978-1-4398-0982-2, $69.95

An Ethical Hacker's View on the Dangers of Mobile Malware and What Steps to Take to Stop It

by Jaime Blasco, Head of Labs at AlienVault

The mobile phone is unrecognizable in comparison to its original 'brick' form of the 80s. Instead of a 'yuppie' status symbol, now it's considered by many as a necessity with practically every handbag and pocket hiding these modern miracles of technology. While battery life used to be considered the key feature, today it's a heady mix of memory capacity, browser speeds, megapixels, touch screen quality, HD ability, playback, sleek design, and available apps. Hardly anyone thinks about how secure the device is when making that all important decision between Apple, Blackberry or Android.

As our handsets become more than just a way to make and receive phone calls, their appeal to criminals also increases. Of course, having the physical device stolen is a major inconvenience, but that is just one way criminals are monetizing mobiles. Mobile malware, once theoretical, is now very much a reality and a growing threat.

For the business user, who accesses the corporate network and views emails using his mobile devices, criminals might have access to data that can prove lucrative in the right hands. For VIPs it could be a little more personal as the little devils broadcast their locations via GPS. Even for the man on the street, with the introduction of mobile payments apps, there's more to lose than just the contact list and photos.

Malware on smartphones is used by criminals to make money. They steal information - contact details, emails, personal data, or even financial information; they hijack browser sessions, interfering with online banking transactions and circumventing one time password (OTP) security procedures; even certain apps can have a malicious undertone for example sending SMS messages to premium rate numbers.

A worrying trend is that, increasingly, attacks are becoming more targeted and it's executives that are firmly in the criminals' sights due to the valuable data they're carrying on their phones. Using a combination of SMS and social engineering tactics, hackers can spoof the phone number of a friend or a colleague to send an SMS asking the victim to click on a suspicious link, and opening up the phone to attack.

Malware Infections Rising
To prevent malware spreading, we're seeing a number of approaches from some of the mobile operating systems. Apple and Blackberry have introduced security protocols, in tandem with a meticulous acceptance process for apps offered via their stores.

The picture is less secure for Android. Perhaps because it currently has the highest market share, the mobile operating system provides attractive returns for criminals. Another theory is that due to the openness of the platform and the existence of other markets from which to download apps, it's easier to infiltrate. Whatever the reason, the stark reality is that it attracts the most malware.

That said, as market share moves and rogue programmers perfect their code, it would be foolish to think that any particular operating system will remain infallible indefinitely.

Prevention Better than Cure
The most successful form of attack against malware is a defensive stance and in this everyone has a function to perform. As they're on the front line, phone users themselves must understand the risks, and the criminals' tactics, if they're to practice safe phone use:

  • Step One - Are You Already Infected
    It can be difficult for end users to know if they have any malware on their phone, but there are a few basic factors that can be indicative. Users should regularly check which apps are actually running on their phones. Anything suspicious should be deleted. Indicators that malware is present can also include decreased battery life, because there is something running in the background on the phone, or an increase in data use as the malware transmits data from the phone.
  • Step Two - Block Activity
    To prevent premium rate number scams, it is important to check your bill regularly for anything out of the ordinary or, better still, contact your provider and block this type of number.
  • Step Three - Prevent Infection
    There are a number of elements to this that, while not a guarantee, will help minimize malware when used together.
    • Antivirus software for mobile phones is available to download. However, some argue that it can be ineffective
    • Settings on the phone can be changed to prevent installation of content that isn't from trusted sources
    • Just like spam mail, be careful following links sent from contacts within the address book
    • Only use bona fide marketplaces, such as the Google marketplace, to purchase and download apps. The free ones, while attractive, could offer more than you bargained for
    • Check the apps permissions before its downloaded and ensure you restrict them from conducting any unwanted activity

Regardless of whether the handset is corporate or personally owned, organisations should encourage their workforce to practice the security steps above.

Businesses issuing staff with phones should also consider:

  • Installing anti-virus software as standard
  • Look for, and deploy, tools that can manage mobile devices in much the same way as traditional PCs
  • Think about device encryption capabilities to avoid data leakages resulting from device loss or left, and perhaps a solution that can remotely locate and destroy AWOL devices
  • Where possible, restrict and control what can and can't be done on the phones
  • If you can't stop it then create and communicate security policies that govern what data can, and can't, be accessed and stored. It is also essential that users understand why this is so important

Unlike viral desktop programs, phones aren't spreading infections from one to another or to other devices, so the spread of the threat is reduced. You have to either download a rogue app, or click on a bad link, to inject malware onto the phone. But that could change. If we don't get a grip on malware now, tomorrow we could be facing an epidemic as it's only a matter of time before criminals create malware that can and does jump between devices.

Today, while we still have the power to stop mobile malware, let's work harder and smarter to unmask the secret assassin.


Related Reading

Protecting Mobile Data: When Is Enough, Enough?

Convenience over Security: Creating Effective Mobile Security Policies


 
Subscribe to Information Security Today





Powered by VerticalResponse

Share This Article


© Copyright 2012 Auerbach Publications