By Jaime Blasco, head of labs at AlienVault
The mobile phone is unrecognisable in comparison to its original 'brick' form of the 1980s. Instead of a yuppie status symbol, now it's considered by many as a necessity, with practically every handbag and pocket hiding these modern miracles of technology.
While battery life used to be considered the key feature, today it's a heady mix of memory capacity, browser speeds, megapixels, touch screen quality, HD ability, playback, sleek design and available apps. Hardly anyone thinks about how secure the device is when making that all important decision between Apple, Blackberry or Android.
As our handsets become more than just a way to make and receive phone calls, their appeal to criminals also increases. Of course, having the physical device stolen is a major inconvenience, but that is just one way criminals are monetising mobiles. Mobile malware, once theoretical, is now very much a reality and a growing threat.
For the business user, accessing the corporate network and viewing emails using their mobile devices, criminals might have access to data that can prove lucrative in the right hands. For VIPs it could be a little more personal as the little devils broadcast their locations via GPS. Even for the man on the street, with the introduction of mobile payments apps, there's more to lose than just the contact list and photos.Money making malwareMalware on smartphones is used by criminals to make money. They steal information such as contact details, emails, personal data or even financial information; they hijack browser sessions, interfering with online banking transactions and circumventing one time password (OTP) security procedures; even certain apps can have a malicious undertone, for example sending SMS messages to premium rate numbers.
A worrying trend is that, increasingly, attacks are becoming more targeted and it's executives that are firmly in the criminals' sights due to the valuable data they're carrying on their phones. Using a combination of SMS and social engineering tactics, hackers can spoof the phone number of a friend or a colleague to send an SMS asking the victim to click on a suspicious link, opening up the phone to attack. To prevent malware spreading, we're seeing a number of approaches from some of the mobile operating systems. Apple and Blackberry have introduced security protocols, in tandem with a meticulous acceptance process for apps offered via their stores.
The picture is less secure for Android. Perhaps because it currently has the highest marketshare, the mobile operating system provides attractive returns for criminals. Another theory is that due to the openness of the platform and the existence of other markets from which to download apps, it's easier to infiltrate. Whatever the reason, the stark reality is that it attracts the most malware.
That said, as marketshare moves and rogue programmers perfect their code, it would be foolish to think that any particular operating system will remain infallible indefinitely.
Prevention better than cureThe most successful form of attack against malware is a defensive stance and in this everyone has a function to perform.
As they're on the front line, phone users themselves must understand the risks, and the criminals' tactics, if they're to practice safe phone use:
Step one – are you already infected?It can be difficult for the end user to know if they do have any malware on their phones, but there are a few basic factors that can be indicative. Users should regularly check which apps are actually running on their phones. Anything suspicious should be deleted. Indicators that malware is present can also include decreased battery life (because there is something running in the background on the phone) or an increase in data use (as the malware transmits data from the phone).
Step two – block activityTo prevent premium rate number scams, it is important to check your bill regularly for anything out of the ordinary or, better still, contact your provider and block this type of number.
Step three – get a gripThere are a number of elements to this that, while not a guarantee, will help minimise malware when used together: antivirus software for mobile phones is available to download, however it is argued that they can be ineffective; settings on the phone can be changed to prevent installation of content that isn't from trusted sources; just like spam mail, be careful following links sent from contacts within the address book; only use bona fide marketplaces, such as the Google marketplace, to purchase and download apps. Of course the free ones, while attractive, could offer more than you bargained for; check the apps permissions before its downloaded and ensure you restrict them from conducting any unwanted activity. Regardless of whether the handset is corporate or personally owned, organisations should encourage their workforce to practice the security steps above. For businesses issuing staff with phones, they should also consider: installing anti-virus software as standard; look for, and deploy, tools that can manage mobile devices in much the same way as traditional PCs; think about device encryption capabilities to avoid data leakages resulting from device loss or left, and perhaps a solution that can remotely locate and destroy AWOL devices; where possible, restrict and control what can and can't be done on the phones; if you can't stop it then create and communicate security policies that govern what data can, and can't, be accessed and stored. It is also essential that users understand why this is so important.
Unlike viral desktop programs, phones aren't spreading infections from one to another or to other devices, so the spread of the threat is reduced. You have to either download a rogue app, or click on a bad link, to inject malware onto the phone. But that could change. If we don't get a grip on malware now, tomorrow we could be facing an epidemic as it's only a matter of time before criminals create malware that can and does jump between devices.
Today, while we still have the power to stop mobile malware, let's work harder and smarter to unmask the secret assassin.
AlienVault is the creator of OSSIM, the de facto standard open source SIEM, which powers the AlienVault Unified Security Management(TM) (AV-USM) Platform. AV-USM has five essential security capabilities built in – asset discovery, vulnerability assessment, threat detection, behavioral monitoring and security intelligence – to dramatically reduce the cost of visibility that is required for regulatory compliance and effective threat management.