Mobile security is a growing concern for users of smartphones and tablets, which have become personalised devices over the past couple of years. Seven experts discuss the extent of the problem, and what end users and operators should be doing.
Nick Black - Senior technical manager, Trend Micro
Vanja Svajcer - Principal researcher, SophosLabs
Maher Jadallah - Regional manager, MEA, Sourcefire
Faisal Al Bannai - CEO, Axiom Telecom
Bulent Teksoz - Chief security strategist, emerging markets, Symantec
Walid Kamal - SVP, technology security, risk and fraud management, Du
Christian Funk - Senior malware expert, Kaspersky Lab
CommsMEA: How important is mobile security?
Funk: Over the course of 2011, we recorded 5,255 new modifications of mobile threats and 178 new families. Moreover, the total number of threats over just one year increased 6.4 times. In December 2011 alone we uncovered more new malicious programs targeting mobile devices than over the entire 2004-2010 period. 2012 is continuing this tendency and we are seeing a further growth in the number of mobile malware. In the first half of this year alone we encountered over 20,000 new mobile malware, which makes mobile security an important issue for users.
Bannai: Mobile security is extremely important. Handsets are getting smarter and faster, and people are relying on them to handle every aspect of their life, whether it is banking, travel bookings or storing important data such as work emails and documents.
Jadallah: Mobility increases risk and with the growing Bring Your Own Device (BYOD) movement, security professionals face an even greater security challenge. According to recent research, mobile phone sales worldwide rose to 1.5 billion units in 2011. Research indicates that malware targeting Android-based devices has increased by nearly 500% since last summer. A study by IDC found that while 40% of IT decision makers say that their workers access corporate information from employee-owned devices, 80% of workers say they access corporate networks this way. To reduce security risk we need to close this gap by ensuring security teams have better visibility and intelligence.
Teksoz: According to Symantec’s State of Mobility Survey, 67% of companies are concerned with malware attacks spreading from mobile devices to internal networks. In addition, Symantec’s latest Internet Security Threat Report highlighted that mobile vulnerabilities increased by 93% in 2011 and that threats targeting the Android operating system are on the rise. The average annual cost of mobile incidents for enterprises, including data loss, damage to the brand, productivity loss, and loss of customer trust was $429,000 for enterprise. The average annual cost of mobile incidents for small businesses was $126,000.
Kamal: The proliferation of mobile devices may do wonders in achieving improved lifestyles on one hand, but it can give a host of new problems to deal with on the other hand especially due to attachment of individual lifestyles to these devices and the associated information. The information could be a phone book entry to confidential or sensitive information and its loss could lead to legal, financial or reputational consequences or it could even challenge an individual’s existence one day. Therefore it is very important to protect mobile devices from various forms of unauthorised use, especially loss or theft of the device itself through efficient adoption of relevant security controls and technologies.
Svajcer: We have seen an exponential growth in malware samples on mobile devices over the past two years, when the first Android malware was discovered. Although at present very few users’ systems are actually being infected, there are certainly more than just ‘a few cases’ compared to the number of samples of Android malware we are seeing every day. For example we received over 20,000 previously unknown Android malware samples in June 2012. We can draw a strong comparison between the current situation in mobile malware and the early days of Windows malware. It is therefore very likely that we will reach a similar point with mobile malware to the situation today with Windows, particularly given that we are in the middle of a platform shift that will ultimately see us carrying out much of our work on smartphones, tablets and PCs. We all know that the bad guys go where the money is, so as mobile devices increasingly become just another endpoint, carrying corporate data and connecting to a corporate network, security becomes an increasingly important issue.
CommsMEA: Are there any particular mobile OS platforms that are more vulnerable than others?
Black: Android devices have been targeted aggressively in 2012. Literally hundreds of thousands of new malware has been developed, and is now in the wild, that targets the Android Google Play store. These attacks leverage the applications that are downloaded by disguising themselves as legitimate applications or alternatively injecting exploit code into existing applications that are already available for download from the Play store.
Funk: Recently we’ve seen that the dominance of malicious programs targeting the J2ME platform has come to a definitive end. This was primarily due to the fact that virus writers have shifted their focus to the Android platform. As a result of the popularity of this platform, virus writers now face a number of additional problems. Nowadays nearly 99% of mobile malware accounts for Android malicious programs. Thus users of devices working on this platform are exposed to greater risks compared to other users.
Teksoz: All mobile OS platforms have vulnerabilities and are at risk of attack. Most recently, the Android OS was targeted by hackers due to its open operating platform. The attacks in the Middle East on Android users named Android.Arspam where hacktivists used the hot topic of the “Arab Spring” on online forums to attack a large number of individuals using Android.
iOS’s security model offers strong protection against traditional malware, primarily due to Apple’s rigorous app certification process and their developer certification process, which vets the identity of each software author and weeds out attackers. Google has opted for a less rigorous certification model, permitting any software developer to create and release apps anonymously, without inspection. This lack of certification has arguably led to today’s increasing volume of Android-specific malware.
CommsMEA: What are the capabilities of some of the most dangerous malware?
Black: The target for the more serious cyber criminals is always data theft. Implanting malicious code into a mobile device without the user’s knowledge can allow extended data leakage. This stolen data is then sold on to another organisation that will leverage the data for other illegal activities. Data that is targeted ranges from user names and passwords, to contact lists and address books through to bank account and credit card information. ID theft is an area that is particularly attractive to these criminals.
Bannai: Malware comes in various incarnations and can cause serious problems. Notable recent examples include the Geinimi Trojan, which attaches to apps and games. The corrupted software is then redistributed in back-alley Android app stores. When people download the game or app, their whole phone gets taken over.
Teksoz: Symantec has classified the types of threats into a variety of categories based on their functionality. The first is collecting data; the most common among bad mobile apps was the collection of data from the compromised device. This was typically done with the intent to carry out further malicious activities, in much the way an information-stealing Trojan might. This includes both device- and user-specific data, ranging from configuration data to banking details. More concerning is data gathered about the device software, such as operating system (OS) version or applications installed, to carry out further attacks. Rarer, but of greatest concern, is when user-specific data, such as banking details, is gathered in an attempt to make unauthorized transactions.
Another common threat is to track a user’s personal behavior and actions. These risks take data specifically to spy on the individual using the phone. This is done by gathering up various communication data, such as SMS messages and phone call logs, and sending them to another computer or device. In some instances they may even record phone calls. In other cases these risks track GPS coordinates, essentially keeping tabs on the location of the device, and their user, at any given time.
The third-largest group of risks is bad apps that send out content. These risks are different from the first two categories because their direct intent is to make money for the attacker. Most of these risks will send a text message to a premium SMS number, ultimately appearing on the mobile bill of the device’s owner. Also within this category are risks that can be used as email spam relays, controlled by the attackers and sending unwanted emails from addresses registered to the device. One threat in this category constantly sent HTTP requests in the hopes of bumping certain pages within search rankings.
Lastly are traditional threats. This type of threat includes back doors and downloaders. Attackers seem keen to port these types of risks from PCs to mobile devices.
Kamal: Capabilities of malware vary based on the sophistication involved and the type and the magnitude of the damage anticipated. It could be a simple virus that wipes out some system or stored information in the device or an advanced malware used to transmit some sensitive information to a third party (hacker). Or it could even be used as a launching pad for later attacks against others and controlled by the same hacker. Such attacks involve DDoS (Distributed Denial of Service) which prevents or disturbs a service or function of a particular entity or used to obtain restricted access to third party systems without the hacker being exposed to the victim. Another form of malware widely used today by fraudsters is to transfer credit balances from victims’ mobile wallet or any other account accessible or registered with the mobile device.
CommsMEA: How can end users protect their smartphones from intrusions?
Black: Common sense is underrated as an effective data theft prevention technique. Proper mobile security software, such as Trend Micro Mobile Security, that is a purpose built security layer can prevent data leakage through common attack vectors.
Funk: First of all, I recommend installing an antivirus solution like Kaspersky Mobile Security on a personal mobile device to provide protection against the growing number of threats. Besides that, users should be more careful when downloading apps from the Internet. This should be done only from legitimate resources. When browsing the web with a smartphone one should follow similar safety instructions like internet-surfing on a PC. So, never go to suspicious links, do not click on advertising banners offering tempting content inside.
Bannai: While much of the responsibility lies with the manufacturers and developers, the end-user needs to be proactive and alert. Study the nature of your operating system and discover where the dangers might lie. You can then look at introducing additional software. It is also a good idea to stay on top of how resources are used on your device. If you spot anything strange, such as significant battery drainage, you may be infected and need to take urgent action. Be attentive and understand the content you are introducing to your phone.
Jadallah: Malicious attacks are growing in number and come in the most basic form such as fake websites, applications or emails. To protect against emerging mobile threats, we recommend that smartphone users only install and purchase mobile apps from authorised application stores, apply proper passwords, use encryption and maintain the latest security.
Svajcer: Use only the OS developer’s app store/market, install a mobile security app, be careful with links sent from unknown persons or links not requested. Don’t jailbreak or root your phone. The inability for users to run as the most privileged user is there for a reason. Sometimes the security of the overall platform depends on that. If you root your mobile device all bets are off. Corporate users should not allow access to corporate networks for rooted/jailbroken devices. The risk of loss or theft of a device is still higher than the risk of malware infection. Make sure that devices are fully encrypted if possible so that the data is not compromised if the device is lost or stolen. Users should make sure that the device data is synchronised with the backup system and ideally that the data in the cloud is also protected by encryption.
CommsMEA: Should operators be doing more to give mobile subscribers malware protection via VAS?
Black: Operators should be responsible for some of this security. All mobile traffic, be it SMS, email, MMS, BBM or iChat goes through the carriers’ gateways at some point. This is the point of easiest detection and prevention and yet most carriers in the region that we have approached will not implement measures to prevent even spam prevention. Have a read of the end user agreements from some of these carriers and it becomes very evident that the users are responsible for data security and no recourse is directed at the carriers or providers.
Bannai: Operators should definitely be doing more. As more and more operators in the region are tying up with principals and providing smartphones with data packages, they can potentially pre-install top-of-the-range security features as a VAS. Operators introducing their own app stores can strive to go above and beyond to eliminate malware-causing apps by exercising greater levels of quality control.
Jadallah: We recommend that operators partner with vendors such as Sourcefire, to gain current knowledge regarding evolving IT security challenges and establish credibility as a trusted advisor.
Kamal: Yes, this is something very important in controlling and combating such malware exploits. This will complement device level protection such as Anti Virus agents and encryption. The operator would consider MDM technologies, network based Anti Virus, content filtering solutions, SSL inspection techniques and zero day malware protection techniques. The Zero Day malware protection techniques are very effective in controlling unknown malware exploits and APT attacks.
Furthermore, the operator can play a major role in providing necessary user awareness and extend the help desk support functions in case a user suspects malware behaviour or a compromise against these devices.
Svajcer: Endpoint security, including malware protection, should be an integral part of security on the device, especially Android devices which are targeted by malware.
CommsMEA: How dangerous is it to use jailbroken devices?
Black: This is a contentious subject. Perhaps a different question is: “Why would a user want to allow data on his mobile device to be managed by a service provider if there are no data protection responsibilities from the provider?” In recent years BlackBerry users were effectively subject to a Denial of Service attack from regional providers because they sent out an erroneous “update” to the provider packaged firmware. I am sure the operators will argue that having an “open” phone allows uncontrolled application downloads that could potentially compromise the phone. I am not convinced that either approach can prevent targeted attacks.
Teksoz: Jailbroken devices have had their security disabled, making them attractive targets for attackers due to their increased vulnerability.
Svajcer: Jailbroken (iOS) or Rooted (Android) devices remove the security restrictions (sandbox) from the OS, which means the phone’s built-in protection is no longer in place and attackers can deeply integrate themselves into the OS. No company should allow jailbroken phones to receive corporate data.