An ethical hacker gives his view on the dangers of mobile malware and the steps you can take to protect your mobile workforce.
The mobile phone of today is virtually unrecognizable when compared to the colossal bricks we used to use in the 1980s. Mobile phones have evolved from an executive status symbol to a ubiquitous necessity. These days, practically every handbag and pocket hides one of these modern miracles of technology.
While battery life used to be considered the key feature, today’s key features include a heady mix of memory capacity, browser speed, megapixels, touchscreen quality, HD capability, playback, sleek design and available apps. Hardly anyone thinks about how secure the device is when making that all-important decision between Windows Phone, Apple iOS, Research In Motion (RIM) BlackBerry and Google Android.
As our mobile devices have become more than just a way to make and receive phone calls, their appeal to criminals has also increased. Stealing the physical device is just one way criminals are gaining illicit profit from mobile devices. Mobile malware, once theoretical, is now very much a reality and a growing threat.
For the business user, accessing the corporate network and viewing e-mails using mobile devices are everyday functions. These simple activities also open up the network to criminals who can misappropriate that data, which could prove lucrative in the right hands. For VIPs, it could be a little more personal, as their devices broadcast their locations via GPS. Even the man on the street using a mobile payment app has much more to lose than just a contact list and photos.
Criminals use malware on smartphones to make money. They steal information—contact details, e-mails, personal data or even financial information. They hijack browser sessions—interfering with online banking transactions and circumventing one-time password (OTP) security procedures. Certain apps even have malicious missions, such as sending SMS messages to premium rate numbers.
The disturbing trend is that attacks are becoming increasingly targeted. Executives are firmly in the criminals’ sights due to the valuable data they’re carrying on their phones. Using a combination of SMS and social engineering tactics, hackers can spoof the phone number of a friend or colleague to send an SMS asking the victim to click on a suspicious link, thereby opening the phone to attack.
The more widely used mobile OSes have taken a number of approaches to prevent the spread of malware. Windows Phone, Apple Inc. and RIM Ltd. have introduced security protocols in tandem with a meticulous acceptance process for apps offered via the Windows Phone Marketplace, Apple App Store and BlackBerry App World stores.
The picture is less secure for Android. Perhaps because it currently has the highest market share, this mobile OS provides attractive returns for criminals. Another theory is that due to the openness of the platform and the existence of other markets from which to download apps, it’s easier to infiltrate. Whatever the reason, the stark reality is that Android attracts the most malware. That said, as market share moves and rogue programmers perfect their code, it would be foolish to think that any particular OS will remain infallible indefinitely.
The most successful way to fight malware is a defensive stance, where everyone has a function to perform. Because they’re on the front line, if they’re to practice safe phone use, phone users themselves must understand the risks and the criminals’ tactics. Here’s a simple procedural outline to follow:
Step 1. Identify Infections
It can be difficult for a mobile device user to know if they do indeed have any malware on their phone, but there are a few basic factors that can be indicative of an infection. Users should regularly check which apps are actually running on their phones, and delete anything suspicious or unfamiliar. Other signs that malware is present and running include decreased battery life (because something is always running in the background) or an increase in data use (as the malware transmits data from the phone).
Step 2. Block Activity
To prevent premium-rate number scams, it’s important to check your bill regularly for anything out of the ordinary. Better still, contact your provider and block this type of number.
Step 3. Prevent Infection
Prevention is always better than a cure. While not a guaranteed defense against malware, these steps can help minimize malware infections:
Regardless of whether the handset is owned by the user or a corporation, organizations should encourage their workforce to practice these security steps. Businesses issuing phones to their staff should also consider taking the following actions:
Unlike viral desktop programs, phones don’t spread infections from one to another, so the spread of the threat is reduced. You have to either download a rogue app or click on a bad link to inject malware onto the phone—but that dynamic could change.
If you don’t get a grip on malware now, tomorrow you could be facing an epidemic. It’s only a matter of time before criminals create malware that can jump between devices. While you still have the power to stop mobile malware, you need to work harder and smarter to unmask and disable the secret assassin of mobile malware.