Mobile malware, often distributed through applications, is increasing in scope and sophistication. Are you ready, asks Dan Kaplan.

Sometimes, the forecasters guess correctly. That appears to be the case with the myriad statements in 2010 and 2011 that predicted a precipitous rise in malware targeting mobile devices.

According to a McAfee report in February 2011, the number of new mobile malware variants totalled 55,000 in 2010, a rather large spike of 46 per cent on 2009. Clearly, the threat landscape has come a long way since 2004, when the first-ever malware for the mobile phone, known as Cabir, was sent to a number of anti-virus firms for inspection. The worm, written for Symbian-feature phones, was merely an innocuous ‘proof of concept' – it was designed to display the word “Caribe” on-screen and spread to other devices over Bluetooth – but its arrival certainly proved prescient.

A couple of years later, in 2006, Kaspersky Lab identified what it called the first piece of mobile malware designed to steal money – a virus that targeted devices running Java. Dubbed RedBrowser, the virus sent text messages to premium-rate numbers without the user realising it.

Fast forward to 2012 and it appears the tipping point is upon us. According to Nielsen, the number of smartphones in the US, such as the iPhone, BlackBerry and Android, would overtake the number of ‘feature phones' in 2011. This steady ascension, from handhelds that provide few capabilities beyond calling and texting to phones with functionality that resembles a traditional computer, has of course piqued the interest of the malware community.

After years of test runs that largely affected mobile phone users overseas, cyber criminals are now rolling up their sleeves and readying their wares to resemble what malware victims are used to seeing on their desktop or laptop computer.

“Smartphones have all the components you would expect of a traditional PC,” says Andy Chou, co-founder and chief scientist of Coverity, a software integrity firm based in San Francisco. “They are capable and complex. They have operating systems and applications that run on top of them.”

Hackers traditionally have written most of their malware for Symbian and Windows Mobile devices because they are the oldest and most researched. But that all seems to be changing.

According to a Juniper report released in May 2011, malware samples targeting Google Android devices jumped 400 per cent between June 2010 and January 2011. This should come as no surprise, though. After all, market share usually dictates malware targets.

A series of surveys conducted by Nielsen between January and March 2011 found that 31 per cent of consumers planning to purchase a new smartphone now prefer Android, compared with 30 per cent who would choose an iPhone and 11 per cent who would opt for a BlackBerry. Twenty per cent are unsure what they would buy next.

Within enterprises, while BlackBerry is considered the gold standard for enterprise security functionality because of its management and encryption capabilities, many workers prefer the bells and whistles that the Android and iPhone provide.

Most experts agree that what makes the Android platform a particularly ripe attack vector compared with other mobile operating systems is its ever-expanding application marketplace. According to Lookout Mobile Security, the number of apps available in the Android Market climbed 127 per cent between August 2010 and February 2011, while Apple's App Store grew 44 per cent.

The latest figures show that the Android Market contains close to 300,000 applications for download. The problem is, in some cases these applications are nefarious in nature, customised to install malware on the phone or gain access to sensitive information.

“It is the main delivery mechanism to get on the phone right now,” says Chris Wysopal, co-founder and CTO of Veracode, an application security firm. “Android has gone with the more open model, and they allow developers to sign their own apps and put them up for download in the marketplace.”

While security vendors admit that the lion's share of malware currently is being written for the more lucrative PC environment, that hasn't stopped authors from fashioning their code to penetrate the mobile landscape. And chances are, they would be effective, considering the fact that 85 per cent of smartphone users do not use anti-virus, according to Juniper, citing an informal poll conducted by the SANS Institute.

Rogue applications are growing in sophistication. In August 2010, according to Juniper, the first Android Trojan appeared in the form of an application that mimics a media player and sends text messages to Russia-based premium-rate telephone numbers.

When the calendar flipped to 2011, it quickly became evident that mobile malware writers were getting slick in a hurry. One Android Trojan that arrived on the scene, dubbed Geinimi, contained botnet-like capabilities. Three months later, Google was compelled to remove more than 50 apps from its Android Market because they contained malware, known as “DroidDream”, capable of gaining root access to a device, harvesting data and installing additional malicious code.

“The business of mobile malware is still in the development stage,” says Kevin Mahaffey, CTO of Lookout Mobile Security. “Attackers are still figuring out what the revenue model is. With each new piece of mobile malware, there is a different take on what the likely model is.”

Too many privileges
The predominant shady apps are what security experts refer to as ‘greynets', those programs that are not necessarily malicious in intent, but request unnecessary permissions – such as access to hardware, settings and user data – to perform their functions. This opens the door for data leakage and privacy concerns.

In May 2011, researchers at the University of California at Berkeley revealed that one-third of the 940 apps they tested request too many privileges. They also said that developers, in most cases, are not up to anything villainous, but fail to obtain ‘least privilege' due to API documentation errors and a general lack of understanding.

There are, however, some apps, considered spyware, that request such permissions for a purpose, such as tracking spouses suspected of cheating. Users must be mindful of all the applications installed on their phone and should ensure they understand why a certain program is requesting permissions, says Veracode's Wysopal. Unfortunately, most people pay little heed to this – they just want the app.

Additionally, end-users must worry about another class of application: legitimate ones that may have been built without security in mind, says Lookout's Mahaffey. For example, in July 2010, Citigroup was compelled to release an update to its iPhone banking application after it was discovered that the previous version, unbeknown to users, saved confidential account information in a hidden file on their devices.

Even apps that come as standard on the phone can sometimes be vulnerable. German researchers, in May 2011, disclosed that Android's calendar and contact apps contain a flaw that could allow an attacker to eavesdrop in public Wi-Fi networks and steal a token that could be used to access private data.

Market watch
So far, Android has been the Mecca of malicious applications. Some experts blame its open model. Meanwhile, Apple – the other main app provider – has avoided similar problems, except on ‘jailbroken' devices.

“When an [Apple] developer uploads an app, it goes through an approval process,” Wysopal says. “The app gets signed with a key issued by Apple. When the app goes to execute on the iPhone, the signature is checked. Unless the key is issued by Apple, that key won't run at all. You know only good, known apps are able to run on the device.”

That is not to say that one model is better than the other, Mahaffey argues – many developers and consumers prefer Google's community-based approach, where users flag things as malicious and apply ratings. “We're always balancing security and user experience,” he says. “Apple's App Store is designed to be a safe place where you don't have to worry about security, but Android is saying, ‘Hey, we want this to be a safe community place.' One isn't necessarily better than the other, they're just different.”

Businesses, however, should be concerned about malicious apps making their way onto employee-owned devices, Wysopal says. As a result, they should consider a mobile-device management solution, as well as ensure that all enterprise-level mobile apps, such as for document-sharing, meet security specifications prior to purchasing them.

Of course, today's smartphones are complex, and therefore apps can't be blamed for all that goes wrong. After all, in some cases, malicious apps must take advantage of an underlying platform vulnerability in order to be successful.

“[Apps are] the most visible concern,” says Coverity's Chou. “[But] in terms of the volume of the software on these phones, there's still a humongous amount that is below that level and that you don't get to see and interact with visually.” For example, Chou cites the drivers for Bluetooth and 4G connectivity, as well as the library layer, which is responsible for web browser rendering, as components that can be leveraged to spread malware by, for example, tricking a victim into opening a corrupted PDF file.

Still, Chou believes that from an architecture and software control standpoint, mobile platforms have learned many lessons from their predecessors. Even applications, while the preferred vehicle to spread attacks, are tightly restricted at best or, at worst, require the user to approve permission requests.

“The original version of the PC wasn't really designed with security in mind,” Chou says. “Software that is now being put into phones, [many developers] are definitely aware of the core, fundamental problems.”

And there may be one other saving grace for mobile that will stave off hackers, in the near term at least: operating system heterogeneity. Criminals have less incentive to research something when there is no clear-cut market share bellwether.

“There is no operating system leader, like Windows [is on the PC],” says Denis Maslennikov, a senior malware analyst at Kaspersky Lab. “Diversity helps with different security issues.”

Mobile strategy: Tips for businesses

  • Use anti-malware solutions and firewalls to protect against malicious applications.
  • Implement SSL VPN clients to protect data in transit.
  • Leverage centralised tracking, wiping and backup for lost/stolen devices.
  • Deploy centralised administration to enforce and report on security policies.
  • Control applications that employees may wish to install.
  • Monitor device activity for data leakage and inappropriate use.
Source: Juniper Networks

This article originally appeared in the US edition of SC Magazine.