Mobile Computing: Be on the Lookout for Mobile Malware

An ethical hacker gives his view on the dangers of mobile malware and the steps you can take to protect your mobile workforce.

Jaime Blasco

The mobile phone of today is virtually unrecognizable when compared to the colossal bricks we used to use in the 1980s. Mobile phones have evolved from an executive status symbol to a ubiquitous necessity. These days, practically every handbag and pocket hides one of these modern miracles of technology.

While battery life used to be considered the key feature, today’s key features include a heady mix of memory capacity, browser speed, megapixels, touchscreen quality, HD capability, playback, sleek design and available apps. Hardly anyone thinks about how secure the device is when making that all-important decision between Windows Phone, Apple iOS, Research In Motion (RIM) BlackBerry and Google Android.

As our mobile devices have become more than just a way to make and receive phone calls, their appeal to criminals has also increased. Stealing the physical device is just one way criminals are gaining illicit profit from mobile devices. Mobile malware, once theoretical, is now very much a reality and a growing threat.

Strictly Business

For the business user, accessing the corporate network and viewing e-mails using mobile devices are everyday functions. These simple activities also open up the network to criminals who can misappropriate that data, which could prove lucrative in the right hands. For VIPs, it could be a little more personal, as their devices broadcast their locations via GPS. Even the man on the street using a mobile payment app has much more to lose than just a contact list and photos.

Criminals use malware on smartphones to make money. They steal information—contact details, e-mails, personal data or even financial information. They hijack browser sessions—interfering with online banking transactions and circumventing one-time password (OTP) security procedures. Certain apps even have malicious missions, such as sending SMS messages to premium rate numbers.

The disturbing trend is that attacks are becoming increasingly targeted. Executives are firmly in the criminals’ sights due to the valuable data they’re carrying on their phones. Using a combination of SMS and social engineering tactics, hackers can spoof the phone number of a friend or colleague to send an SMS asking the victim to click on a suspicious link, thereby opening the phone to attack.

Malware on the Rise

The more widely used mobile OSes have taken a number of approaches to prevent the spread of malware. Windows Phone, Apple Inc. and RIM Ltd. have introduced security protocols in tandem with a meticulous acceptance process for apps offered via the Windows Phone Marketplace, Apple App Store and BlackBerry App World stores.

The picture is less secure for Android. Perhaps because it currently has the highest market share, this mobile OS provides attractive returns for criminals. Another theory is that due to the openness of the platform and the existence of other markets from which to download apps, it’s easier to infiltrate. Whatever the reason, the stark reality is that Android attracts the most malware. That said, as market share moves and rogue programmers perfect their code, it would be foolish to think that any particular OS will remain infallible indefinitely.

The most successful way to fight malware is a defensive stance in which everyone has a function to perform. Phone users are on the front line, so to practice safe phone use they must understand the risks and the criminals’ tactics. Here’s a simple procedural outline to follow:

Step 1. Identify Infections

It can be difficult for a mobile device user to know if they do indeed have any malware on their phone, but there are a few basic factors that can be indicative of an infection. Users should regularly check which apps are actually running on their phones, and delete anything suspicious or unfamiliar. Other signs that malware is present and running include decreased battery life (because something is always running in the background) or an increase in data use (as the malware transmits data from the phone).

Step 2. Block Activity

To prevent premium-rate number scams, it’s important to check your bill regularly for anything out of the ordinary. Better still, contact your provider and block this type of number. 

Step 3. Prevent Infection

Prevention is always better than a cure. While not a guaranteed defense against malware, these steps can help minimize malware infections:

  • Download antivirus software for mobile phones, even though some of it might not be as effective as possible.
  • Change the settings on your phone to prevent installing content from untrusted sources.
  • Be careful following links sent from contacts within your address book, just as you would be with spam e-mail.
  • Only use bona fide marketplaces to purchase and download apps. While they may seem attractive, free apps could offer more than you bargained for.
  • Check the apps’ permissions before downloading and ensure you’ve restricted them from conducting any unwanted activity.
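
The marketplace and permission checks in the list above can be run across a fleet's app inventory. The sketch below is an added example, not part of the original article. The permission names and the Google Play installer package name are real Android identifiers, while the inventory records, the risk labels and the function names are constructed for illustration.

```python
# Approved app sources; com.android.vending is the Google Play installer package.
OFFICIAL_INSTALLERS = {"com.android.vending"}

# Risks named in the article, mapped to the Android permissions that enable them.
RISKY = {
    "premium-rate SMS": {"android.permission.SEND_SMS"},
    "OTP interception": {"android.permission.READ_SMS",
                         "android.permission.RECEIVE_SMS"},
    "contact theft": {"android.permission.READ_CONTACTS"},
    "location tracking": {"android.permission.ACCESS_FINE_LOCATION"},
}

def audit_app(app):
    """Return (severity, sideloaded, risks) for one inventory record."""
    perms = set(app.get("permissions", []))
    risks = sorted(r for r, needed in RISKY.items() if perms & needed)
    sideloaded = app.get("installer") not in OFFICIAL_INSTALLERS
    if sideloaded and risks:
        severity = "high"      # unknown source plus a sensitive capability
    elif sideloaded or risks:
        severity = "review"    # one warning sign: a person should look at it
    else:
        severity = "ok"
    return severity, sideloaded, risks

def audit_inventory(apps, allowlist=()):
    """Map package -> audit result, skipping apps already reviewed and approved."""
    report = {}
    for app in apps:
        if app["package"] in allowlist:
            continue
        result = audit_app(app)
        if result[0] != "ok":
            report[app["package"]] = result
    return report

# Constructed sample inventory (not real apps).
SAMPLE = [
    {"package": "com.example.mail", "installer": "com.android.vending",
     "permissions": ["android.permission.INTERNET",
                     "android.permission.READ_CONTACTS"]},
    {"package": "com.example.freewallpaper", "installer": None,
     "permissions": ["android.permission.SEND_SMS",
                     "android.permission.READ_SMS"]},
    {"package": "com.example.notes", "installer": "com.android.vending",
     "permissions": ["android.permission.INTERNET"]},
]

if __name__ == "__main__":
    for pkg, (sev, side, risks) in audit_inventory(SAMPLE).items():
        print(f"{pkg}: {sev} sideloaded={side} risks={risks}")
```

A legitimate mail client will always trip the contacts check, so the allowlist parameter lets reviewed apps drop out of later reports.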

Regardless of whether the handset is owned by the user or a corporation, organizations should encourage their workforce to practice these security steps. Businesses issuing phones to their staff should also consider taking the following actions:

  • Install antivirus software.
  • Deploy tools that can manage mobile devices in much the same way as traditional PCs.
  • Think about device encryption capabilities to avoid data leakage resulting from device loss or theft. Also, consider a solution that can remotely locate and destroy AWOL devices.
  • Restrict and control what can and can’t be done on the phones, whenever possible.
  • If you can’t stop it, then create and communicate security policies that govern what data can and can’t be accessed and stored. It’s also essential that users understand why this is so important.

Unlike viral desktop programs, phones don’t spread infections from one to another, so the spread of the threat is reduced. You have to either download a rogue app or click on a bad link to inject malware onto the phone—but that dynamic could change.

If you don’t get a grip on malware now, tomorrow you could be facing an epidemic. It’s only a matter of time before criminals create malware that can jump between devices. While you still have the power to stop mobile malware, you need to work harder and smarter to unmask and disable the secret assassin of mobile malware.

Jaime Blasco

Jaime Blasco is the head of labs at AlienVault Inc., managing the lab and running the Vulnerability Research Team. Prior to working for AlienVault, he founded a couple of startups focused on Web application security, source code analysis and incident response. His background is in vulnerability management, malware analysis and security research.