Since about 2004, when mobile viruses first came onto the scene, the world
has become regrettably accustomed to hearing news about threats attacking
mobile phones. Threats appearing on various mobile telecommunications
platforms — Mosquitos on Symbian, RedBrowser on J2ME, Phage on the Palm OS,
and so on — were, rightfully, 'big news items' and brought a fair amount of
attention to the emergence of malicious programs targeting the mobile phone.
Since then, a constant parade of viruses, worms and Trojans has made “mobile
malware” a fairly well-known phenomenon to the average mobile phone user.

New trends in mobile security

In recent years however, some interesting shifts in the mobile landscape
have occurred. For a start, mobile malware has begun to transition from
passively distributed files to malware that independently and aggressively
distributes itself. Such was the case in the transition from user-downloaded
games such as Mosquitos or Trojans such as Skulls, to viruses such as
CommWarrior, and the infamous 'Cabir'.
Another interesting development is the increasing ubiquity
of Internet connectivity on 'smartphones'. Similar to how the widespread
adoption of Bluetooth-connectivity around late 2003 soon led to the rise of
Bluetooth-worms and Trojans, the adoption of Internet connectivity on a massive
scale may potentially act as a new vector, or pathway that malware authors can
exploit to get their malicious programs onto the phones.
The addition of a potential new vector is also accompanied
by an increase in economic motive for malware authors to exploit it —
specifically, the potential data stored on the mobile phone. As mobile phones
become more and more versatile, resembling their computer counterparts, more
users are using them for sensitive business and official transactions, and even
storing confidential information on them — witness US President Barack Obama's
(specially-encrypted) Blackberry, the first time a sitting president has had
such a tool at his disposal. With the potential wealth of data sitting on the
mobile phone units however, it seems quite likely that malware authors will take
up the challenge of creating malware targeting this portable 'gold mine' of
information.
Another potential 'gold mine' for malware authors is the
increasing prevalence of mobile banking, where certain types of banking services
are performed using the mobile phone. Like its online counterpart however, the
temptation of 'easy' access to a user's bank account is likely to spur malware
authors to create malicious programs that attempt to evade or exploit mobile
banking security.

The Internet comes to the phone

These days, Internet connectivity is becoming a 'must-have' feature for
smartphones, due to the relentless drive among users to perform traditionally
computer-based, Internet-related activities on their phones — activities such as
surfing (potentially malicious) websites, accessing social networking services,
downloading applications and so on. As the smartphone becomes more and more
connected however, there is an increase in the amount of risk a smartphone user
unconsciously assumes.
One of the most significant concerns is that, much like the
introduction of widespread Bluetooth connectivity years earlier, the widespread
adoption of Internet connectivity provides another avenue for attackers to get
their programs onto the smartphone — and there is little doubt that malware
authors are able and willing to exploit any and all vectors available. For
example, soon after Bluetooth connectivity became a widespread feature of mobile
phones around late 2003, malware capable of exploiting the new vector began to
circulate, such as Cabir or Lasco.
This is particularly relevant since the introduction of
Apple's iPhone in 2007. For the first time in mobile phone history, a
significant number of users — an estimated 13 million people were using the
iPhone as of 2008 — have mobile Internet access. iPhone malware is already a
reality, as a file-deleting Trojan known as "iPhone firmware 1.1.3 prep", or
"113 prep", was found in the wild in January 2008. Fortunately, this first
malware was little more than annoying, but its successors are expected to be
rather more damaging, especially as the Appstore, Apple's online source for
iPhone applications, has managed to hit a landmark 1 billion downloads in its
first year of service. As seen time and again in the history of malware, new
types of malware tend to emerge and become major threats when the size of the
audience for them has reached a “critical mass”: spamming for example only
became a threat when e-mails became a major communication channel; while Denial
of Service (DoS) attacks became more common as various Internet-based businesses
and economies became established. Now, as the iPhone becomes more common and
spurs other mobile phone makers to come out with their own Internet-enabled
models, it appears as though the size of audience of Internet-enabled mobile
phone users is going to explode.

Mobile malware becomes more sophisticated

What is particularly threatening about the introduction of widespread
Internet connectivity is that the scope of possible actions a malware can
perform has been greatly increased. Earlier malware such as Skulls or Cabir were
largely limited to directly damaging phone functions, and to propagating
themselves via fundamentally limited means, such as MMS or Bluetooth. Now that
many smartphones have a direct link to the Internet, the only limits on the
potential of a malware's actions are a) the malware author's imagination and
technical capability, and b) the capabilities of the smartphone's operating
system.
One of the latest threats, as of 2009, is the Yxe worm on
Symbian OS phones, which includes functionality disturbingly similar to worms
that infect computers. Like its PC-based counterparts, Yxe will attempt
to evade security programs and collect data about the phone system. Possibly the
most significant feature however is that the worm tries to connect to an online
domain in order to upload the collected data, and keep the connection open at
all times. Fortunately, this particular threat is still rare in the wild, and
hopefully remains so.

An overlooked threat

Another, often overlooked aspect of mobile malware is not so much the
malware itself, but what it might be targeting. With the advent of smartphones,
more and more people have naturally been storing sensitive personal information
on their phones — not just SMSes or phone contacts, but also e-mails, documents,
notes and so on. This is particularly true of phones issued by businesses and used
for business purposes, as these are often used to transmit and store sensitive
corporate information. As with sensitive information stored on the computer,
such data stored on the smartphone can be a valuable target to an attacker — if
the smartphone can be breached.

Banking by phone

Another activity that was once restricted to computers has also recently
been making the leap to the mobile phone — banking. Performing banking services
on a mobile phone is a relatively old idea, having been mooted sometime around
the late 1990s. It was only around 2007 however that the major infrastructure
for mobile banking — applications, networks, bank and consumer education and
willingness — was finally set up and pilot projects launched.
As of early 2009, mobile banking has not yet seen any of
the threats that plague computer-based online banking (phishing, pharming,
banking Trojans, etc). A note of caution however — it is unlikely that mobile
banking's 'honeymoon' period will last forever. Currently, maybe less than 10%
of bank customers eligible for mobile phone banking services make use of this
option, as awareness, trust and confidence in mobile banking still need to be
nurtured. As more consumers adopt mobile banking however, security experts
expect hackers to migrate their money-stealing efforts to the mobile phone as
well.
Venu Palakirti, Country Manager (India & SAARC region), F-Secure