
The Rise of Mobile Malware

We've all heard the warnings about malware: don't click links in emails from unknown senders, don't click suspicious links on Facebook, install software found online at your own risk.  What you likely haven't heard about is how mobile malware is on its way, and will change the way you think about your phone.

For years now, phones have been moving beyond simply placing and receiving calls - you can get email, play games, listen to music, download or stream full-length movies, read ebooks, surf the web, do your online banking, control the lights or garage door or door locks or temperature in your house, or videochat with a friend.  And those are just the common tasks - I'm not going to start listing all the quasi-useful mini-apps you can kill time with.  While these functionalities are a gold mine from a commercial standpoint, the average user still doesn't take full advantage of all these features.  Regardless, the ability for the end user to install applications on their phone makes the phone more of a portable computer than a phone, in the traditional sense.  Unfortunately for them, most users still consider their iPhones and BlackBerrys phones, and not portable computers.

I say "unfortunately", because this mentality is what the malware writers will bank upon - people don't think that their devices are at risk, simply because they are using phones, and not computers. 

Until recently, there has been little to no reason for a malware author to expend any effort to write a piece of malware for a phone - there was little reward for their efforts.  All of this added functionality - combined with a sharp drop in the learning curve - has brought forth a veritable horde of potential victims.  Because of this, new tactics are being used - the malware is not only being designed to steal your information and send it to the perpetrators, but can be used as "ransomware" (applications which lock out some or all functionality until you pay a "ransom"), give full control of your phone to the perpetrators, or force your phone to call premium long distance numbers which rack up your phone bill.

Now, I know there are many readers saying to their screens "but I have an iPhone - Apple's 'walled garden' approach protects me from applications like that!" - and you are correct.  For the time being, iPhones are exempt from malicious applications due to Apple's development policy.  Well, not all iPhones, only about 90% of them.  The other 10% are "jailbroken" - essentially, users have installed an alternative operating system on their phones which allows them to customize the interface, run multitasking (this feature was recently announced as being included in the new iPhone OS, however multitasking has been available on the "grey market" for several years), or install applications that have not been reviewed by Apple.

Jailbroken iPhones, BlackBerrys, Android devices, and Windows Mobile devices are all susceptible to mobile malware, since anyone can write and release an application for them.  An Australian teenager wrote the first iPhone malware a few months ago, as a Proof of Concept, and that resulted in some nefarious characters altering the code and releasing it into the wild.  Thousands of jailbroken iPhones were infected, with all data that was on the phones being accessible by the perpetrators, and the phones were held hostage until the user paid a ransom.  Spanish security firm S21sec wrote an app for jailbroken iPhones (also as a Proof of Concept) which showed that the device could be infected and used as a node in a botnet, for doing things like Denial of Service attacks or distributed computing (sometimes used for cracking complex passwords).  In the past few weeks, both Android and Windows Mobile devices have been compromised, and malware released in the wild.  BlackBerrys have remained relatively untouched at the time of writing this, however it is only a matter of time before someone invests the time to write malware for that platform.

To give you an idea of how much data can be acquired by these apps, here's a list of what S21sec was able to do with their mobile malware:

  • Full VNC access (remote control)
  • Access to all messages (email, SMS, MMS), contact list, wifi passwords, photos (and their accompanying GPS data), browsing history, keyboard and photo caches, and current GPS coordinates
  • Keyboard overlay created, allowing them to capture everything typed into the phone
  • "Nuke" the phone (basically, turn it into an expensive brick). This was done by sending a 6-character command to the phone remotely

At present, there is little stopping malware authors from creating these applications and releasing them for public consumption.  If you consider how little people have thought about the security of their devices, and how quick and easy it is to try out the latest hot app, there are likely a lot of users out there setting themselves up for a surprise.  Let's just hope that we don't all have to start paying for anti-virus applications for our phones.
