Sometimes, the forecasters guess correctly. That appears to be the case with the myriad statements entering 2010 and 2011 that forecasted a precipitous rise in malware targeting mobile devices.
According to a McAfee report released in February, the number of new mobile malware variants totalled 55,000 last year, a rather large spike of 46 percent compared to 2009. Clearly, the threat landscape has come a long way since 2004, when the first-ever malware for the mobile phone, known as Cabir, was sent to a number of anti-virus firms for inspection. The worm, written for Symbian feature phones, was merely an innocuous proof-of-concept – it was designed to display the word “Caribe” on the phone's display and spread to other devices using Bluetooth signals – but its arrival certainly proved prescient.
A couple of years later, in 2006, Kaspersky Lab identified what it called the first piece of mobile malware designed to steal money – a virus that targets devices running Java. Dubbed RedBrowser, the virus sent text messages to premium-rate numbers without the user even realising it.
Fast forward to 2011 and it appears the tipping point is near. According to Nielsen, the number of smart phones in the United States, such as the iPhone, BlackBerry and Android, is expected this year to overtake the number of feature phones. This steady ascension, from handhelds that provide few capabilities beyond calling and texting to phones with functionality that resembles a traditional computer, has of course piqued the interest of the malware community.
After years of test runs that largely affected mobile phone users overseas, cyber criminals are now rolling up their sleeves and readying their wares to resemble what malware victims are used to seeing on their desktop or laptop computer.
“Smart phones have all the components you would expect of a traditional PC,” says Andy Chou, co-founder and chief scientist of Coverity, a software integrity firm. “They are capable and complex. They have operating systems and applications that run on top of them.”
Hackers traditionally have written most of their malware for Symbian and Windows Mobile devices because they are the oldest and most researched. But that all seems to be changing.
According to a Juniper report released in May, malware samples targeting Google Android devices jumped 400 percent between June 2010 and January 2011. This should come as no surprise, though. After all, market share usually dictates malware targets.
A series of surveys conducted by Nielsen between January and March found that 31 percent of consumers planning to purchase a new smartphone now prefer Android, compared to 30 percent who would choose an iPhone and 11 percent who would opt for a BlackBerry. Twenty percent are unsure what they would buy next.
Within enterprises, while BlackBerry is considered the “gold standard” for enterprise security functionality because of its management and encryption capabilities, many workers prefer the bells and whistles that the Android and iPhone provide.
Most experts agree that what makes the Android platform a particularly ripe attack vector compared to other mobile operating systems is its ever-expanding application marketplace. According to Lookout Mobile Security, the number of apps available in the Android Market climbed 127 percent from August 2010 to February 2011, while Apple's App Store grew 44 percent.
The latest figures show that the Android Market contains close to 300,000 applications for download. The problem is, in some cases, these applications are nefarious in nature, customised to install malware on the phone or gain access to sensitive information.
“It is the main delivery mechanism to get on the phone right now,” says Chris Wysopal, co-founder and CTO of Veracode, an application security firm. “Android has gone with the more open model, and they allow developers to sign their own apps and put them up for download in the marketplace.”
While security vendors admit that the lion's share of malware currently is being written for the more lucrative PC environment, that hasn't stopped authors from fashioning their code to penetrate the mobile landscape. And chances are, they'd be effective, considering 85 percent of smartphone users do not use anti-virus, according to Juniper, citing an informal poll conducted by the SANS Institute.
Rogue applications are growing in sophistication. In August 2010, according to Juniper, the first Android trojan appeared in the form of an application that mimics a media player and sends text messages to Russian-based premium-rate numbers at $6 a pop.
When the calendar flipped to 2011, it quickly became evident that mobile malware writers were getting slick in a hurry. One Android trojan that arrived on the scene, dubbed Geinimi, contained botnet-like capabilities. Three months later, Google was forced to remove more than 50 apps from its Android Market because they contained malware, known as “DroidDream,” capable of gaining root access to a device, harvesting data and installing additional malicious code.
“The business of mobile malware is still in the development stage,” says Kevin Mahaffey, CTO of Lookout Mobile Security. “Attackers are still figuring out what the revenue model is. With each new piece of mobile malware, there is a different take on what their likely model is.”
Too many privileges
Still, the predominant shady apps are what security experts refer to as “greynets,” those programs that are not necessarily malicious in intent, but request unnecessary permissions – such as access to hardware, settings and user data – to perform their functions. This opens the door for data leakage and privacy concerns.
In fact, a May 12 whitepaper from five researchers in the Electrical Engineering and Computer Sciences Department at the University of California at Berkeley revealed that one-third of 940 apps they tested request too many privileges.
The paper also concludes that developers, in most cases, are not up to anything villainous, but fail to obtain least privilege due to API documentation errors and a general lack of understanding.
There are, however, some apps, considered spyware, that request such permissions for a purpose, such as tracking spouses suspected of cheating.
Users must be mindful of all the applications installed on their phone and should ensure they understand why a certain program is requesting permissions, Wysopal says. Unfortunately, most people pay little mind – they just want the app.
Additionally, end-users must worry about another class of applications: legitimate ones that may have been built without security in mind, Mahaffey says. For example, last July, Citigroup was forced to release an update to its iPhone banking application after it was discovered that the previous version, unbeknownst to users, saved confidential account information in a hidden file on their devices.
Even apps that come standard on the phone can sometimes be vulnerable. German researchers in May disclosed that Android's calendar and contact apps contain a flaw that could allow an attacker to eavesdrop in public Wi-Fi networks and steal a token that could be used to access private data.
So far, Android has been the mecca of malicious applications. Some experts blame its open model. Apple – the other main app provider – has avoided similar problems, except on “jailbroken” devices.
“When an [Apple] developer uploads an app, it goes through an approval process,” Wysopal says. “The app gets signed with a key issued by Apple. When the app goes to execute on the iPhone, the signature is checked. Unless the key is issued by Apple, that key won't run at all. You know only good, known apps are able to run on the device.”
That is not to say one model is better than the other, Mahaffey says. Many developers and consumers prefer Google's community-based approach where users flag things as malicious and apply ratings.
“We're always balancing security and user experience,” he says. “Apple's App Store is designed to be a safe place where you don't have to worry about security, but Android is saying, ‘Hey, we want this to a be safe community place.' One isn't necessarily better than the other. They're just different.”
Businesses, however, should be concerned about malicious apps making their way onto employee-owned devices, Wysopal says. As a result, they should consider a mobile device management solution, as well as ensure that all enterprise-level mobile apps, such as for document-sharing, meet security specifications prior to purchasing them.
Of course, today's smartphones are complex, and therefore apps can't be blamed for all that goes wrong. After all, in some cases, malicious apps must take advantage of an underlying platform vulnerability in order to be successful.
“[Apps are] the most visible concern,” says Coverity's Chou. “[But] in terms of the volume of the software on these phones, there's still a humongous amount that is below that level that you don't get to see and interact with visually.”
For example, lower on the stack are drivers for Bluetooth and 4G connectivity, as well as the library layer, which is responsible for web browser rendering, Chou says. These components can be leveraged to spread malware by, for example, tricking a victim into opening a corrupted PDF file.
Still, Chou believes that from an architecture and software control standpoint, mobile platforms have learned many lessons from their predecessors. Even applications, while the preferred vehicle to spread attacks, are tightly restricted at best or, at worst, require the user to approve permission requests.
“The original version of the PC wasn't really designed with security in mind,” Chou says. “Software that is now being put into phones, [many developers] are definitely aware of the core, fundamental problems.”
And there may be one other saving grace for the mobile world that will stave off hackers, in the near term at least: operating system heterogeneity. Criminals have less incentive to research something when there is no clear-cut market share bellwether.
“There is no operating system leader like Windows [is on the PC],” says Denis Maslennikov, a senior malware analyst with Kaspersky Lab. “Diversity helps with different security issues.”