Smartphone security: The growing threat of mobile malware

Smartphone and PDA threats on the rise
Mobile malware infections are still rare when compared to their Win32 counterparts. Fewer than 500 unique mobile operating system viruses, worms and Trojans have been found to date. Most cause relatively modest damage: file wipes, hard resets and unintended toll charges.

Unfortunately, the barriers that have long inhibited more pernicious attacks are falling. For starters, the mobile device population is growing at a rapid pace. Business use of hot new consumer-grade devices like Apple Inc.'s iPhone and HTC Corp.'s Android G1 may finally tip the balance by...

BROWSE BY TAG Network Security Tactics,   Wireless Network Security: Setup and Tools,   Enterprise Network Security,   Handheld and Mobile Device Security Best Practices,   Malware, Viruses, Trojans and Spyware,   Information Security Threats,   Emerging Information Security Threats,   Smartphone and PDA Viruses and Threats,   VIEW ALL TAGS

RELATED CONTENT Network Security Tactics What to do with network penetration test results How to use TrueCrypt for disk encryption Protecting enterprise networks from new mobile application downloads Maintaining security after a cloud computing implementation Preparing the network for a cloud computing implementation PuTTY configuration tips: How to connect to remote network systems A guide to internal and external network security auditing How to keep networks secure when deploying an 802.11n upgrade Screencast: Find rogue wireless access points with Vistumbler How to provide access to Web content (while ensuring network security) Handheld and Mobile Device Security Best Practices Protecting enterprise networks from new mobile application downloads Screencast: Find rogue wireless access points with Vistumbler Secure your remote users in 2010 Researchers find thousands of flawed embedded devices Best Mobile Data Security Products Should Windows Mobile updates come from Microsoft? MMS messaging spoof hack could have global ramifications How to prevent mobile phone spying Unified communications: Securing a converged infrastructure RIM patches serious BlackBerry Attachment Service flaws Handheld and Mobile Device Security Best Practices Research Malware, Viruses, Trojans and Spyware Malware in Google attacks uses spaghetti code Preparing for future security threats, evolving malware Facebook attacks prompt investments in social networking security Another PDF attack targets Adobe zero-day vulnerability Security report finds rise in banking Trojans, adware, fewer viruses How to prevent rogue antivirus programs in the enterprise How to stop keylogging malware with more than basic antivirus software, firewalls Conficker-infected machines now number 7 million, Shadowserver finds FBI estimates rogue antivirus losses exceeding $150 million Security researchers continue hunt for Conficker authors

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary bot worm  (SearchSecurity.com) directory traversal  (SearchSecurity.com) government Trojan  (SearchSecurity.com) Kraken  (SearchSecurity.com) man in the browser  (SearchSecurity.com) polymorphic malware  (SearchSecurity.com) RAT (remote access Trojan)  (SearchSecurity.com) RavMonE virus  (SearchSecurity.com) RFID virus  (SearchSecurity.com) Rock Phish  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

creating a large and sufficiently lucrative target to lure serious malware developers.

Moreover, contemporary smartphones are no longer constrained by short wireless ranges, simplistic operating systems or meager memory. Near-ubiquitous 3G and Wi-Fi connectivity have simplified over-the-air malware propagation, while multi-gigabyte storage has increased the availability of sensitive data. Traditional malware delivery vectors like email and Web surfing have grown more viable on mobile devices as users perform those tasks more often, complemented by new conduits like short messaging services (SMS) and multimedia messaging services (MMS).

The final block to fall may be the absence of an easily compromised mobile mono-culture. In the past, malware writers were discouraged by diverse, closed environments: The most frequently attacked mobile platform was the developer-friendly Symbian Software Ltd. Series 60. Today, Android and Linux are creating open system development platforms, while iPhone and Windows Mobile harbor potential for MacOS and Win32 malware porting.

Smartphone and PDA security software
Fortunately, as mobile devices have grown more capable, mobile OS security models and third-party security programs have also evolved. Employers that manage mobile smartphones and PDAs can tap these on-board defenses to detect and inhibit the installation and execution of mobile malware.

Start by checking all mobile software executables and installers for digital signatures issued by certification programs like Symbian Signed, Microsoft Mobile2Market or Research In Motion Ltd.'s Controlled APIs for BlackBerry. Prevent users from self-installing mobile malware by managing packages with a mobile device manager like BlackBerry Enterprise Server or Sybase Inc.'s Afaria iAnywhere. Alternatively, create mobile software white lists and black lists, and educate users about how and why to avoid unsigned code.

Next, leverage mobile OS access controls to stop malware file-tampering and sensitive function invocation. For example, Symbian 9 Capability Management policies can restrict program access to system and/or user files and network interfaces, while data caging can compartmentalize data into private folders hidden from untrusted programs. Configuring such access control policies can help to deter spyware data theft and Trojan back-channels.

Finally, unlike laptops, mobile handhelds are not factory-equipped with firewalls, virus scanners or spam filters. Consider filling these holes with device-resident mobile security programs. For example, antivirus and SMS antispam programs are available for all popular mobile operating systems from sources like AirScanner, F-Secure Corp., McAfee Inc., Symantec Corp., SMobile Systems, Trend Micro Inc., and Sophos plc. These programs can excel at battling mobile-specific threats, like detecting mobile OS Trojans and filtering SMS messages that don't otherwise pass through enterprise servers.

Network defense
Employers that don't manage mobile devices can still defend their networks from mobile malware by safeguarding "touch points" like enterprise mail servers, mobile application gateways, remote access concentrators and Web portals.

For example, most enterprises already filter email messages to discard spam and phishing URLs before they reach end users. Whether antispam measures are applied at an enterprise mail server or by a hosted mail provider, they can benefit mobile devices as well. However, it may be necessary to take steps to ensure that all mobile email passes through these filters; one strategy would be blocking corporate mail forwarding to personal POP mailboxes.

When mobile devices access corporate networks through an application gateway or remote access concentrator, malware propagation may be detered by device finger-printing and/or content inspection. For example, try to limit access to devices with known equipment identifiers or supported OS/browser types. Relay all tunneled traffic through a network antivirus, intrusion prevention system (IPS) or unified threat management (UTM) platform to drop suspicious messages. These measures are not fool-proof; existing network antivirus systems may detect Win32 worms, but not those geared toward Windows Mobile. However, they can help to insulate a network from threats that might otherwise use unprotected mobile devices to bypass your desktop/laptop defenses.

One sure-fire way to stop corporate data from being stolen by mobile malware is to prevent sensitive data from being stored on mobile devices in the first place. Consider enabling mobile application and data access using read-only portals. For example, present application content in image (not text) format and block file and attachment downloads. Decide which kinds of content should and should not be synchronized onto mobile devices, balancing mobile usability against business risk.

The future of PDA and smartphone security
In the long run, many employers will combine mobile endpoint and network-based defenses, treating smartphones and PDAs like notebooks and tablets. However, high-speed wireless WAN connectivity is likely to promote further security outsourcing.

For example, some carriers can already provide email and SMS filtering for all mobile devices, independent on OS type. This "in the cloud" approach could prove simpler than maintaining device-resident antimalware programs for smartphones and notebooks. Going forward, enterprises should look for new opportunities to leverage secure wireless WAN services, thereby reducing their exposure to all forms of malware.

About the author:
Lisa Phifer is vice president of Core Competence Inc. She has been involved in the design, implementation and evaluation of networking, security and management products for more than 25 years, and has advised companies large and small regarding security needs, product assessment, and the use of emerging technologies and best practices.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.