With the number of people flocking to obtain the latest smartphone booming exponentially, experts say it’s only a matter of time before cybercriminals flock there as well. And they say the level of sophistication that took malware authors decades to achieve on the desktop now appears to take mere months on the mobile platform.
With the right attack, cybercriminals can access corporate data and emails containing that corporate data via a mobile device, said Toralv Dirro, EMEA security strategist at McAfee Inc.
“Many companies don’t have the technology means and policies for the security of these mobile devices,” Dirro said. “These are uncharted waters.”
Security companies are quickly claiming that although 2011 has been the year of the mobile threat, at this rate, 2012 may be crowned with that title. Researchers at security provider M86 Security Inc. say that in 2012, mobile malware will be “one of the most concerning areas for cybercriminals to exploit.” According to an M86 report, “Threats Predictions of 2012” (.pdf), mobile malware in the wild was originally estimated to be more than 2,500 samples in 2011. However, that number quickly grew to more than 7,500 samples.
“Based on what we’ve seen in 2011, this is kind of the year of the Android malware,” said Patrik Runald, senior manager of security research at San Diego, Calif.-based Websense Inc. “It’s a pretty safe prediction that that’s going to continue in 2012.”
Reports from Websense, McAfee, Symantec and other security vendors reflect the same theme: Smartphones are a rapidly growing target.
Experts say the Google Android open application distribution model makes it a more attractive target to attackers. With this model, users are allowed to download applications from a variety of sources. On top of that, “Android is now claiming 500,000 activations every day,” Runald said. “It’s too good of an opportunity for the bad guys to let go by.”
The other prominent smartphone platform, by contrast, is Apple’s iOS, which is closed source. All iOS applications are submitted by developers and go through a manual review process with restrictions based on certain policies. Although this is often seen as a more secure platform because it prevents users from loading apps from sources other than Apple’s App Store, users can jailbreak the device.
While it’s still a relatively low percentage of overall malware, the mobile malware danger is increasing. Through mobile malware, attackers can carry out certain actions without the user’s knowledge, such as running up charges on the victim’s bill, sending messages to the contact list, or even giving an attacker remote control over the device.
“The type of [mobile] malware has changed quite a bit,” Dirro said. “A year ago it was basically viruses written by kids in the school yard.”
According to McAfee’s recent Threat Report, premium-rate SMS Trojans continue to be attractive to malware writers. Newer versions of these Trojans, such as the Android/Wapaxy, Android/LoveTrp and Android/HippoSMS families, often sign up victims to subscription services and then “cleverly deletes all subscription confirmation messages received so the victim remains unaware of the activity and the attacker makes more money,” the report said.
Spyware, however, is quickly gaining popularity. With this, attackers have access to and can collect victims’ phone call history, text messages, location, browser history, contact list, email and even camera pictures. Android/PJApp sends SMS messages, but it collects this sensitive information as well. Phone calls can also be recorded and then forwarded to the attacker. Android/NickiSpy.A and Android/GoldenEagle.A are two examples of spyware that can successfully do this.
Another application-based threat involves vulnerable apps: apps that aren’t particularly malicious themselves but have software vulnerabilities that can be exploited for malicious purposes. McAfee's Dirro added that application-based threats are an “immediate way to make money and they can usually get away with that money easily.”
Other experts caution that mobile malware hasn’t yet become a big enough problem to warrant an enterprise’s full attention. Pete Lindstrom, research director at security research firm Spire Security, explains that it’s “a heck of a lot easier to compromise an app on a laptop” than it is on a smartphone. Attackers must first get a malicious app or mobile malware onto a targeted device and then figure out a way to bypass security restrictions in the phone's mobile platform.
“There’s no denying that there’s a legitimate concern that these devices, as they play a bigger role, are likely to be thought of by malware writers,” Lindstrom said. “There are likely other bigger risks in your enterprise … but I think enterprises should be wary of smartphones.”
Currently, lost or stolen devices continue to plague enterprises and are their biggest threat, Lindstrom said. Fortunately, security technologies can locate and wipe a device if it falls into the wrong hands.
Websense’s Runald predicts that social engineering and geolocation threats will proliferate. “There’s going to be a way for the bad guys to use more social engineering techniques,” he explained. “Geolocation-based services are becoming a big thing, so why not combine that with something malicious?”
“These are the super early days,” added Runald, predicting that there will be several thousand instances of mobile malware, more than double, in 2012. “Attackers are still learning how to use it, how to spread it most effectively and what they can do with it … It’s not nearly as advanced as it will be.”