Smartphone malware pre-installed: The next security threat

Pre-installed smartphone malware is a growing problem and security pros need to be aware of how this malware could creep into your organization.

I recently read that security researchers discovered some smartphones had malware pre-installed on them -- a threat smartphone security experts have warned about in the past. Now that it seems like this is actually happening, how should our organization ensure the mobile device platforms we put into the field (or allow onto our network) are malware-free?
The problem of smartphones and other mobile devices being pre-installed with malware is a growing threat affecting many different product lines. In Europe, for example, several checkout card readers delivered to supermarkets, including Wal-Mart's subsidiary in Britain, Asda, arrived with sniffers built into them. During production they had been implanted with additional hardware that transmitted credit and debit card data via the mobile phone network to criminals in Pakistan. It was impossible to know they'd been compromised from the outside, and some stores ended up having to weigh the readers to see if they had been tampered with because bugged machines were three to four ounces heavier.

Another related problem is foreign intelligence services approaching businessmen at trade fairs and exhibitions with the offer of "gifts." The gifts -- cameras and memory sticks, etc. -- have been found to contain electronic Trojan bugs, which provide remote access to users' computers. Like the checkout card reader attack mentioned above, you can't easily tell the device has been tampered with.

Products that have been infected prior to purchase have the potential to quickly destroy customer confidence in the product and the vendor. Any company building or commissioning IT equipment needs to ensure those devices are fundamentally secure from the moment they are created all the way through to delivery and installation. They need to be handled securely to prevent tampering or need to be switched to ensure the integrity of their products. I know some companies that only allow their employees to use BlackBerrys because they are made entirely in Mexico or Canada and many feel they have tighter control of their supply chain than the iPhone, which contains components manufactured all around the world including China, which is currently at the top of the list when it comes to cyberespionage.

Depending on the nature of your mobile workers' requirements, you may want to consider using devices developed for the National Security Agency's Secure Mobile Environment Portable Electronic Device (SME PED) program, such as the Sectéra Edge. Such devices are certified to protect wireless voice communications classified "top secret" as well as email and websites classified "secret."

Unless you are using a specialist device or software, I would never assume that voice calls are secure, so like fax and email, never discuss confidential or sensitive issues on a mobile phone. For each mobile device that you purchase, I would suggest that you run a test to see if it tries to make unusual connections via any of the network protocols it can use and review the traffic to ensure data is not being unintentionally sent from the phone. Thankfully, the actual number of software-based attacks on smartphones and PDAs is relatively low, and the few vulnerabilities discovered on smartphone operating systems tend to be fixed quickly. This is probably due to the intense competition among vendors in the enterprise market, where device security and avoiding being victimized by smartphone malware is becoming a key issue.
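
One way to carry out the traffic review suggested above, as an added example that is not part of the original article: it compares flow records exported from a capture of a new handset against a baseline of expected destinations and lists everything else by bytes sent. The column layout, hostnames, addresses and the baseline set are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: flows exported from a capture of one new handset left
# idle on an isolated test network. Columns and hostnames are illustrative.
SAMPLE_FLOWS = """iface,proto,dst_host,dst_port,bytes_out
wifi,tcp,updates.vendor.example,443,5120
wifi,udp,ntp.carrier.example,123,96
cellular,tcp,updates.vendor.example,443,2048
cellular,tcp,203.0.113.45,8080,48211
wifi,udp,198.51.100.7,53,310
wifi,tcp,mail.corp.example,993,7400
cellular,tcp,203.0.113.45,8080,51877
"""

# Assumed baseline: destinations an unmodified, idle device is expected to use.
# Each entry is (proto, host or domain suffix, port).
EXPECTED = {
    ("tcp", "vendor.example", 443),
    ("udp", "carrier.example", 123),
    ("tcp", "mail.corp.example", 993),
}

def is_expected(proto, host, port, expected=EXPECTED):
    """True when the flow matches a baseline entry exactly or by domain suffix."""
    return any(
        proto == p and port == n and (host == h or host.endswith("." + h))
        for p, h, n in expected
    )

def review_flows(flow_csv, expected=EXPECTED):
    """Return unexpected destinations with bytes sent and interfaces, largest first."""
    totals = defaultdict(lambda: {"bytes_out": 0, "ifaces": set()})
    for row in csv.DictReader(io.StringIO(flow_csv)):
        proto, host, port = row["proto"].lower(), row["dst_host"].lower(), int(row["dst_port"])
        if is_expected(proto, host, port, expected):
            continue
        entry = totals[(proto, host, port)]
        entry["bytes_out"] += int(row["bytes_out"])
        entry["ifaces"].add(row["iface"])
    rows = [(k, v["bytes_out"], sorted(v["ifaces"])) for k, v in totals.items()]
    return sorted(rows, key=lambda r: r[1], reverse=True)

if __name__ == "__main__":
    for (proto, host, port), sent, ifaces in review_flows(SAMPLE_FLOWS):
        print(f"REVIEW {proto}/{port} -> {host} via {','.join(ifaces)}: {sent} bytes out")
```

Capturing on every interface the device supports matters here: in the sample, the largest unexpected flow appears only on the cellular link and would be missed by a Wi-Fi-only capture.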

This was last published in March 2010
