
Mobile malware: Cheat Sheet

Should you be worried about mobile malware? Here's what you need to know and some tips on how to protect yourself from getting infected.

Mobile malware - what's that?

It's bad news for smartphone or tablet owners. Mobile malware is any app that carries out malicious actions on your phone or tablet. That could be text messaging a premium rate number, bombarding your contacts with unwanted messages or carrying out any other detrimental act without your permission. Malware also has a cousin in spyware - where an app gathers data about users without their knowledge and consent. Spyware generally captures information of interest to third parties - the likes of contact lists, phone logs, text messages, location and browser history.

OK I get it, but is it really a threat?

It depends how you measure it. The amount of mobile malware detected each month is growing rapidly. Trend Micro reported a sixfold growth in malicious and potentially dangerous Android apps in just three months this year. But that growth is from a relatively small base and the amount of malware for mobile devices is still relatively trivial compared to that targeting Wintel PCs.

Also, the scale of the threat is often measured by the number of new variants of a particular piece of mobile malware. But the number of variants doesn't correspond to a rise in the actual threat. There can be thousands of instances of one family of malware, but many of those instances will likely be broadly similar.

Should I be worried?

It's worth being aware and prepared as there is mobile malware out there. Of all of the mobile platforms the largest proportion of malware apps is found on Android - security firm F-Secure labs estimates that 66 per cent of mobile malware is targeted at Android. All platforms have some malware but it is less common on Blackberrys, Apple iOS devices like the iPhone and Windows Phone handsets. Even the venerable Symbian platform is still being targeted by malware, with 21 new families and variants discovered in the third quarter of 2012.

Where you live also affects how likely you are to be infected by mobile malware. The amount of mobile malware is rising fast in China and Russia as adoption of Android smartphones takes off in those countries. A recent report by F-Secure said there is a proliferation of third-party app markets in these regions that may act as a source for the rising malware rates in these countries.

What does this mobile malware actually do?

Among the most common types of malware is tollware, where the app surreptitiously sends texts to, or silently dials into, a premium rate service. Another common type of malware collects information on the user that it doesn't have permission to access - the likes of contacts - often for use in sending out spam.

Malware writers have also started exploiting different aspects of mobile phones, developing apps that secretly record telephone conversations and intercept text messages used to authenticate user identity in online banking.

How is the malware distributed?

A common way is via software downloaded outside official app stores, but there have also been instances of malware spreading via infected web or in-app ads and web and emailed links, as well as instances of apps creeping onto official stores - mostly on Android.

Malicious apps are often disguised as legitimate applications - a study by the Department of Computer Science at North Carolina State University found that 86 per cent of Android mobile-malware payloads are repackaged with legitimate apps and are not standalone.
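An added example (not from the original article): the distribution and behaviour traits described above, written as a check over an app inventory. The inventory records, the allow-list of signing-certificate fingerprints and the com.example.puzzle package are constructed for illustration; the permission names and the Google Play installer name (com.android.vending) are real Android identifiers.

```python
"""Added example: audit an app inventory for signs of repackaged or toll-fraud apps."""

PLAY_INSTALLER = "com.android.vending"  # installer package name of Google Play

# Permissions matching the behaviours described above: premium SMS and calls,
# contact harvesting, call recording and interception of authentication texts.
RISKY = {
    "android.permission.SEND_SMS": "can send premium-rate texts",
    "android.permission.CALL_PHONE": "can dial premium-rate numbers",
    "android.permission.READ_CONTACTS": "can harvest contacts",
    "android.permission.RECORD_AUDIO": "can record audio, including calls",
    "android.permission.RECEIVE_SMS": "can intercept authentication texts",
}

# Constructed allow-list: package name -> SHA-256 of the publisher's signing cert.
KNOWN_SIGNERS = {"com.example.puzzle": "aa11" * 16}

def audit(app, known_signers=KNOWN_SIGNERS):
    """Return a list of findings for one inventory record (a dict)."""
    findings = []
    expected = known_signers.get(app["package"])
    # Same package name, different signing key: the usual mark of a repackaged copy.
    if expected and app["signer_sha256"].lower() != expected:
        findings.append("signer mismatch: possible repackaged copy")
    if app.get("installer") != PLAY_INSTALLER:
        findings.append("installed outside the official store")
    for perm in sorted(set(app.get("permissions", [])) & set(RISKY)):
        findings.append(f"{perm.rsplit('.', 1)[1]}: {RISKY[perm]}")
    return findings

# Constructed inventory records, e.g. as an MDM agent might report them.
INVENTORY = [
    {"package": "com.example.puzzle", "signer_sha256": "aa11" * 16,
     "installer": PLAY_INSTALLER, "permissions": ["android.permission.INTERNET"]},
    {"package": "com.example.puzzle", "signer_sha256": "bb22" * 16,
     "installer": None,
     "permissions": ["android.permission.INTERNET", "android.permission.SEND_SMS",
                     "android.permission.READ_CONTACTS"]},
]

def report(inventory=INVENTORY):
    """Audit every record and return (package, findings) pairs."""
    return [(app["package"], audit(app)) for app in inventory]

if __name__ == "__main__":
    for package, findings in report():
        print(package, "->", findings or "no findings")
```

A risky permission on its own is not proof of malware, since many legitimate apps need SMS or contacts access; the signer mismatch on a known package name is the stronger signal.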

How secure is each of the major mobile platforms?

Because Android is the mobile platform most targeted by malware writers, Google has taken steps to increase the security of its OS and its official Google Play app store.

In February this year Google introduced automated vetting to the store with Bouncer, a system that analyses apps made available through Google Play for potentially malicious behaviour.

Improvements to the Android platform since the release of Android 4.0 Ice Cream Sandwich have changed the way it manages memory to make it harder to exploit memory corruption vulnerabilities and introduced full disk encryption - allowing devices to perform boot-time encryption and decryption of the application storage area.

Apps that appear in the Apple iPhone and iPad's iOS App Store are vetted and approved. The system keeps the store pretty much malware free but it has been compromised in the past. A security researcher demonstrated a - now patched - vulnerability that allowed apps to download unsigned code not vetted by the App Store's review process and there has been an instance of a Trojan making it onto the app store.

The iOS platform runs apps in a sandbox, limiting the access that a malicious app has to the rest of the system and supports 256-bit, hardware-based encryption for data stored on the device.

Even though iOS locks down which apps can be run on the iPhone and iPad and restricts access to the underlying system, users have still been able to jailbreak the latest versions of iOS to remove restrictions on how it operates and allow it to run apps that haven't been downloaded from the official store.

RIM's Blackberry is still the smartphone of choice for many enterprises because of the level of security and control it provides over mobile devices. RIM centrally manages all software and updates, has a rigorous quality assurance process for application testing and gives firms granular control over app behaviour and access.

Windows Phone 8 includes several security upgrades over earlier versions of the OS, such as support for encryption throughout the OS and its apps, a SafeBoot feature that makes it difficult for malware or a component to be loaded onto the phone without a recognised digital signature, as well as increased sandboxing of apps.

How can I protect against mobile malware?

For the end user there are some simple precautions to protect against malware infection. A key step is to get apps from trusted sources: that means downloading from official app stores and checking the developer name, reviews and ratings of each app. In particular, users should be wary of any app that offers a free version of a piece of software that is typically paid-for.

Firmware updates also often feature security enhancements and vulnerability fixes and, providing there are no early issues, are worth downloading as soon as possible. Checking the phone bill for any rogue calls or texts can also provide early warning signs of malware.

There are a variety of anti-malware tools for mobile devices. Anti-malware software is still relatively rare on phones and tablets: analysis house Canalys found only four per cent of smartphones and tablets shipped in 2010 had some form of mobile security downloaded and installed.

How do I protect my staff?

Any firm wanting to support a sizable number of mobile devices, be they corporately issued or privately owned, and that wants to minimise the chances of malware infection or resulting damage should invest in a mobile device management (MDM) system.

MDMs give the company control over what employees do with mobile devices - allowing it to manage what an employee installs on the phone, control how often phones are used, force company policy compliance, remotely wipe a device, detect jailbreaking and remotely lock a device.

Generally it's a good idea to get a system that supports multiple mobile platforms in order to provide flexibility if a firm wants to invest in different types of devices.

Also useful are tools to authenticate applications connecting to the corporate network, although iOS has barriers that make such app-level authentication difficult.

Data leak prevention software can also restrict how a user or an app uses different data, reducing potential for abuse, but implementing it can be tricky on iOS because of limits on inter-app communication.

About

Nick Heath is chief reporter for TechRepublic UK. He writes about the technology that IT-decision makers need to know about, and the latest happenings in the European tech scene.

7 comments
Andrew Huttle

What role do ad networks play in the spread of mobile malware? That's something I would want to read more about. Are the "big boys" like Millennial Media, Admob, Flurry, etc. taking enough steps to keep the spread of malware to a minimum? The one ad network that I know has done a lot to curb mobile malware is Airpush ( http://www.examiner.com/article/airpush-raises-the-bar-on-security-for-mobile-ad-networks ), I just think more should be done, even though this article once again suggests that the threat of mobile malware is overblown. I don't think it is.

jonc2011

The link in the article is to "Seven antivirus solutions for Windows Mobile and Symbian" from May 2010. Maybe a follow up article on current solutions for Android (including earlier versions like Gingerbread) would be useful.

fishcad

I'm just old-fashioned enough to dislike the idea of putting all my contacts "in the cloud" before I can sync them to my phone. For that reason I recently bought another Blackberry because you can still plug it directly into a computer to sync. That and by not adding a bunch of apps I don't need I feel I have better protected my coworkers, friends, and family from hackers and spammers.

alessandro1997

Well, I wouldn't work for a company which doesn't trust me to be able to use my phone properly, and I would never impose an MDM system on my employees: I'd prefer not giving them a phone at all.

dsrobinson

Having a system in place to wipe a phone if it's lost or stolen is an imperative in some businesses. Using that system to limit phone calls to non-international makes sense too, if your business has no international needs. To say that an MDM is indicative of a business not trusting its employees, and that they'd be better off not giving them a phone is a little inflammatory, don't you think?

alessandro1997

I probably exaggerated, and you're right saying that MDMs are useful to some companies. But I still wouldn't like to have my phone controlled by someone else. It's also true that if I don't like the company's policies, then I'm free to go somewhere else, so it's not such a big problem.