
TECHNOLOGY NEWS

Mobile Security: Finally a Serious Problem?

Neal Leavitt

The growing popularity of wireless technology may have finally attracted enough hackers to make the potential for serious security threats a reality.

0018-9162/11/$26.00 © 2011 IEEE. Published by the IEEE Computer Society. Computer, June 2011.

In the world of computers and communications, the more widely a technology is used, the more likely it is to become the target of hackers.

Such is the case with mobile technology, particularly smartphones, which have exploded in popularity in recent years. According to market analysis firm ABI Research, 370 million smartphones were in use globally last year.

Many users download mobile applications with little regard to whether they're secure, providing a ready way for hackers to attack the devices.

In addition, said Gustavo de Los Reyes, executive director for AT&T Security R&D, “These phones are being used frequently for sensitive transactions like banking, mobile payments, and transmitting confidential business data, making them attractive targets if not protected.”

“The payoffs—financial and personal information—could be huge,” noted Purdue University computer science professor Richard P. Mislan.

Smartphones generally connect to the Internet, as well as to PCs for software updates or media synchronization, providing convenient attack vectors.

Device makers and wireless-service providers have long focused on communications and other services, with security remaining an afterthought.

Referring to the two most popular smartphone platforms, Ed Moyle, senior analyst with market research firm Security Curve, said, “Security is now playing catch-up with the rapid adoption of Android and iPhone, both of which are hard for enterprises to manage.”

Thus, after years of warnings about mobile security, there finally appears to be a reason to worry.

In fact, the number and types of mobile threats—including viruses, spyware, malicious downloadable applications, phishing, and spam—have spiked in recent months.

For instance, McAfee Labs' threat report for 2010's fourth quarter reported a 46 percent increase in malware targeting mobile phones over the same time period the previous year.

“We're seeing more than 55,000 new pieces of [mobile] malware on a daily basis,” said Dave Marcus, McAfee Labs' director of security research and communications.

THREATS ON THE MOVE

Mobile devices increasingly face various types of threats, as Figure 1 shows.

[Figure 1. The number of threats to mobile devices, particularly those designed to steal money, has increased steadily during the past few years. Chart of the number of malware families by year, 2000 to 2011, by category: annoyance, steal money, invade privacy, propagation, malicious tools. Source: Fortinet.]

Botnets

Attackers form a botnet by infecting multiple machines with malware that victims generally acquire via e-mail attachments or from compromised applications or websites. The malware gives hackers remote control of the “zombie” devices, which can then be instructed to perform harmful acts in concert.

“These command channels could also provide a way to update the malicious code so that it will communicate or act differently,” said Juniper Networks research engineer Troy Vennon.

The easiest way for an attacker to benefit from a mobile zombie network is to send SMS or multimedia message service (MMS) communications to a premium phone account that charges victims fees per message, explained Vennon.

The scammers act as the premium-account owner's affiliates, receiving some of the money that their attacks generate, noted Bradley Antsis, vice president of technical strategy for security vendor M86.

The Yxe malware family that hit China last year caused this problem.

Also in 2010, malware originating in Holland exploited a vulnerability in jailbroken smartphones—those that owners have modified to gain OS root access and remove manufacturers' usage limitations—to create a botnet. The network sent SMS messages to premium numbers.

Last year, another mobile botnet targeted European customers of a Dutch online bank. The malware used in the attack included command logic that gave the hacker remote control of victims' smartphones.

With PCs, hackers often use zombies within botnets to launch denial-of-service attacks. Thus far, though, there have been no major mobile DoS incidents.

Malicious applications

In some cases, hackers have uploaded malicious programs or games to third-party smartphone-application marketplaces—such as those for Apple's iPhone and Google's Android devices—or have otherwise made them available on the Internet.

“These malicious apps are usually free and get on a phone because users voluntarily install them,” said Pierluigi Stella, chief technology officer for Internet security vendor Network Box USA.

Once on a handset, the programs steal personal information such as account passwords and logins and send it back to the hacker. They also open backdoor communication channels, install additional applications, and cause other problems.

Most mobile application marketplaces don't require that code in applications be cryptographically signed by the developer before it can be uploaded, noted Kurt Stammberger, vice president of market development for security vendor Mocana.

“Until this becomes common,” he said, “malicious apps will proliferate quickly on mobile platforms.”

Social networking

As smartphone use has grown, so has mobile social networking.

Malicious links on social networks can effectively spread malware. Participants tend to trust such networks and are thus willing to click on links that are on “friends'” social networking sites, even though—unknown to the victim—a hacker may have placed them there, said M86's Antsis.

Clicking on a link could download a malicious application on a victim's computer, said Network Box USA's Stella. This could let a hacker place Trojans, spyware, and backdoors on the machine and even conduct identity or information theft, he added.

Some schemes use a sensational headline or promise information on a current hot topic to grab readers' attention and encourage them to click on a malicious link.

Spyware

Hackers can use spyware available online to hijack a phone, allowing them to hear calls, see text messages and e-mails, and even track a user's location through GPS updates.

Most commercial mobile spyware applications send an update of captured communications or location data to a website where the spy logs in to view the data, noted Juniper Networks' Vennon. In some cases, SMS communications inform the spy that the system has obtained new data.

The software can even create a hidden access point inside a mobile phone that lets a hacker turn on the device without it ringing, in essence converting it into a microphone, said Purdue University's Mislan. The spy could then hear nearby conversations.

While some malware writers sell or give away mobile spyware, there are also online vendors—such as ClubMZ, FlexiSPY, and Retina-X Studios—that sell the software commercially.

These companies say their products are only for legal uses and can be helpful in finding a stolen mobile device or in monitoring the activities of children, as well as employees using company phones.

Mobile phone spyware is illegal in the US but is sold by websites hosted elsewhere, noted Simon Heron, principal with Network Box's UK office.

Bluetooth

Bluetooth enables direct communication, including the sharing of content, between mobile devices.

Wireless devices can broadcast their presence and allow unsolicited connections and even the transmission of executables if users don't configure their Bluetooth operations appropriately.

On rare occasions, mobile malware—such as the Cabir worm—has used Bluetooth to propagate.

Wi-Fi

Hackers can intercept communications between smartphones and Wi-Fi hotspots.

The fundamental vulnerability is hotspot architecture with no encryption to protect transmitted data.

“If a user connects to [such] a hotspot for the first time, the end-to-end connection between the user's device and the hotspot provider is not secured, so the [hacker] can intercept and control the user's traffic,” said Carnegie Mellon University computer science professor Patrick Tague. In this scenario, the

Mobile phishing is particularly tempting because wireless communications enable phishing not only via e-mail, as is the case with PCs, but also via SMS and MMS, noted AT&T's de Los Reyes.

Social media phishing is becoming a major issue as social networking sites contain an increasing amount of personal information that phishers can use to make their attacks more effective, said Paul Henry, security and forensics analyst for market research firm Lumension Security.

[Pull quote: “The number and types of mobile threats—including viruses, spyware, malicious downloadable applications, phishing, and spam—have increased in recent years.”]

TRADITIONAL SECURITY

primarily because they're challenging and expensive to develop.

“Restricted [OS] kernel access means you can't put the cryptographic processes sufficiently low down in the stack, close to the silicon. Processor limitations, memory constraints, and battery-life issues make some of these apps as slow as molasses,” explained Stammberger.

OTHER MEASURES

Security vendor MobileIron recently launched a storefront so that businesses can deliver mobile applications directly to employees without