For many years now there has been no escaping the mobile phone, whether it was for ringtone adverts with the Crazy Frog or for BlackBerry usage in conferences.
However as ownership of the smartphone has risen, this has become a target for cyber criminals to spread malware even further and wider – and to a potential new demographic. When Apple cleared its app store of anything that was mildly adult-focused, I remember reading a comment that while the iPhone would now be free from adult material, it can still be accessed via the Safari browser.
So think about this from a computer perspective, you sit at a desk with an email client and a web browser among other applications. What about your smartphone, is there much difference?
Mikko Hypponen, CTO at F-Secure, claimed that a particular problem lies with phishing that arrives by email, as it can be spread by reading email on your smartphone.
He said: “The difference is you have anti-virus on your computer but not on your phone so you will end up on a phishing site if you get an email, and the attackers don't understand how it is so successful.”
I recently met with Simeon Coney, vice president of business development and strategy at AdaptiveMobile, who provide a range of anti-virus solutions for mobile phones that sits at the network layer, and have a smart line in parental controls too.
He claimed that mobile networks are worried about the amount of spam traffic coming in, and Adaptive Mobile was finding that about 65 per cent of spam email gets blocked through blacklisting.
Coney said: "The security challenges enterprises face in the mobile world are many and diverse. If they are to protect themselves, their data and their staff, a three-pronged strategy is recommended to IT managers to protect their business for their mobile workforce: content control (management of what can be accessed when and by who); device security (protecting hardware from external threats such as malware and spyware); and clean connectivity (scanning inbound and outbound activity)."
So it seems that spam can get through the network and does end up in your email and on your phone. Cloudmark CEO Hugh McCartney said that it is seeing mobile spam and it is worrying, but one of the causes is the lack of trust in the device.
He said: “We know it is a problem and we have informed our customers and showed them the generic abuse and the types of that are the most prevalent. We are prepared to work together with the providers and share information, so we provide feedback and will provide the backend.”
Neil Cook, head of technology services EMEA at Cloudmark, claimed that spam does cause dissatisfaction, primarily as the operator does not have a handle on it and they need a way of controlling the data.
So what types of attacks are being seen on the mobile phone network and against the end-user? Cook said: “We see attacks via social engineering with email to visit a website and it is the same on a mobile phone as it will go to a website and install a virus. It gives us a way to aggregate data and get information back to and from the networks.”
He claimed that a concern is that ‘there is trust in phones' and it could be argued that this is both a physical trust (do I have my keys, wallet and phone?), along with the personal security of knowing that the user is able to contact friends and family. However the trust of the phone in an IT security sense could be another challenge for mobile providers, particularly if the user assumes that malware cannot hit the device and that they are protected.
Cook said: “It is hard to keep up to date with spammers as they are tactical and strategic so it does depend, but they are very good at getting round high tempo attacks, it is an arms race.”
So what sort of malware is there, and just how dangerous can it be? Hypponen said that one variant detected, currently only active in Russia and China, will make calls or send SMS messages to a premium rate number and the user will be left with a £9 a minute bill.
“It is a small problem and anything can be done to prevent it becoming out of hand. It is country specific as premium rates don't work from country to country.”
In recent conversations the subject of mobile malware has come up, from the specifics with AdaptiveMobile and Cloudmark, to SecureWorks CTO Jon Ramsey claiming that it was a ‘serious problem' to Eugene Kaspersky claiming that the shift to mobile usage away from desktop could reduce threats.
Perhaps a poignant comment came from Don Smith, vice-president of engineering and technology at SecureWorks, who claimed that it is something that companies ‘have got no endpoint control over, but there are risks everywhere'. Reducing the risk may be one challenge, but this may be a case of educating users to the realisation that the modern smartphone really is a smaller version of the PC, and should be treated as such.