Mobile malware – what’s that?

It’s bad news for smartphone or tablet owners. Mobile malware is any app that carries out malicious actions on your phone or tablet. That could be text messaging a premium rate number, bombarding your contacts with unwanted messages or carrying out any other detrimental act without your permission. Malware also has a cousin in spyware – where an app gathers data about users without their knowledge and consent. Spyware generally captures information of interest to third parties – the likes of contact lists, phone logs, text messages, location and browser history.

OK I get it, but is it really a threat?

It depends how you measure it. The amount of mobile malware detected each month is growing rapidly. Trend Micro reported a sixfold growth in malicious and potentially dangerous Android apps in just three months this year. But that growth is from a relatively small base and the amount of malware for mobile devices is still relatively trivial compared to that targeting Wintel PCs.

Also, the scale of the threat is often measured by the number of new variants of a particular piece of mobile malware. But the number of variants doesn’t correspond to a rise in the actual threat. There can be thousands of instances of one family of malware, but many of those instances will likely be broadly similar.

Should I be worried?

It’s worth being aware and prepared as there is mobile malware out there. Of all of the mobile platforms the largest proportion of malware apps is found on Android – security firm F-Secure labs estimates that 66 per cent of mobile malware is targeted at Android. All platforms have some malware but it is less common on Blackberrys, Apple iOS devices like the iPhone and Windows Phone handsets. Even the venerable Symbian platform is still being targeted by malware, with 21 new families and variants discovered in the third quarter of 2012.

Where you live also affects how likely you are to be infected by mobile malware. The amount of mobile malware is rising fast in China and Russia as adoption of Android smartphones takes off in those countries. A recent report by F-Secure said there is a proliferation of third-party app markets in these regions that may act as a source for the rising malware rates in these countries.

What does this mobile malware actually do?

Among the most common type of malware is tollware, where the app surreptitiously sends texts to or silently dials into a premium rate service. Another common type of malware collects information on the user – the likes of contacts etc – that it doesn’t have permission to access – often for use in sending out spam.

Malware writers have also started exploiting different aspects of mobile phones, developing apps that secretly record telephone conversations and intercept text messages used to authenticate user identity in online banking.

How is the malware distributed?

A common way is via software downloaded outside official app stores, but there have also been instances of malware spreading via infected web or in-app ads and web and emailed links, as well as instances of apps creeping onto official stores – mostly on Android.

Malicious apps are often disguised as legitimate applications – a study by the Department of Computer Science at North Carolina State University found that 86 per cent of Android mobile-malware payloads are repackaged with legitimate apps and are not standalone.

How secure are each of the major mobile platforms?

Because Android is the mobile platform most targeted by malware writers, Google has taken steps to increase the security of its OS and its official Google Play app store.

In February this year Google introduced automated vetting to the store with Bouncer, a system that analyses apps made available through Google Play for potentially malicious behaviour.

Improvements to the Android platform since the release of Android 4.0 Ice Cream Sandwich have changed the way it manages memory to make it harder to exploit memory corruption vulnerabilities and introduced full disk encryption – allowing devices to perform boot-time encryption and decryption of the application storage area.

Apps that appear in the Apple iPhone and iPad’s iOS App Store are vetted and approved. The system keeps the store pretty much malware free but it has been compromised in the past. A security researcher demonstrated a – now patched – vulnerability that allowed apps to download unsigned code not vetted by the App Store’s review process and there has been an instance of a Trojan making it onto the app store.

The iOS platform runs apps in a sandbox, limiting the access that a malicious app has to the rest of the system and supports 256-bit, hardware-based encryption for data stored on the device.

Even though iOS locks down apps that can be run on the iPhone and iPad access to underlying system users have still been able to jailbreak the latest versions of the iOS to remove restrictions on how it operates and allow it to run apps that haven’t been downloaded from the official store.

RIM’s Blackberry is still the smartphone of choice for many enterprises because of the level of security and control it provides over mobile devices. RIM centrally manages all software and updates, has a rigorous quality assurance process for application testing and gives firms granular control over app behaviour and access.

Windows Phone 8 includes several security upgrades over earlier versions of the OS, such as support for encryption throughout the OS and its apps, a SafeBoot feature that makes it difficult for malware or a component to be loaded onto the phone without a recognised digital signature, as well as increased sandboxing of apps.

How can I protect against mobile malware?

For the end user there are some simple precautions to protect against malware infection. A key step is to get apps from trusted sources, that means downloading from official app stores and checking the developer name, reviews and ratings of each app. In particular users should be wary of any app that offers a free version of a piece of software that is typically paid-for.

Also firmware updates often feature security enhancements and vulnerability fixes, and providing there are no early issues are worth downloading as soon as possible. Checking the phone bill for any rogue calls or texts can also provide early warning signs on malware.

There are a variety of anti-malware tools for mobile devices. Anti-malware software is still relatively rare on phones and tablets, analysis house Canalys found only four per cent of smartphones and tablets shipped in 2010 had some form of mobile security downloaded and installed.

How do I protect my staff?

Any firm wanting to support a sizable number of mobile devices, be they corporately issued or privately owned, and that wants to minimise the chances of malware infection or resulting damage should invest in a mobile device management (MDM) system.

MDM’s give the company control over what employees do with mobile devices – allowing them to manage what an employee installs on the phone, control how often phones are used, force company policy compliance, remotely wipe a device, detect jailbreaking and remotely locking a device.

Generally it’s a good idea to get a system that supports multiple mobile platforms in order to provide flexibility if a firm wants to invest in different types of devices.

Also useful are tools to authenticate applications connecting to the corporate network, although iOS has barriers that make such app-level authentication difficult.

Data leak prevention software can also restrict how a user or an app uses different data, reducing potential for abuse, but implementing it can be tricky on iOS because of limits on inter-app communication.