Last month, the FBI put out a warning on two malware threats that would have been routine but for one thing. The cyberviruses targeted mobile phones and tablets running Google’s Android operating system.
Until recently, malicious software has been something only computer users worried about. Mobile devices had largely been free of attacks by cybercriminals.
But as smartphones and tablets have become powerful handheld computers with Internet access, the incidence of malware aimed at mobile devices is on the rise, cybersecurity experts say.
“We’re not only seeing more attacks, but more attention paid to mobile platforms,” said Howard Schmidt, former cybersecurity coordinator for the White House. “And the reason is the fact that these devices have become so popular. They have become the next target.”
Hackers are taking aim at mobile in part because there’s more valuable data on today’s smartphones and tablets, experts say. And as employees increasingly use their personal mobile devices for work — a trend known as Bring Your Own Device — the lure for hackers is likely to increase.
“Most people don’t think about the security risk on a mobile device like they would on a laptop or a desktop because they haven’t been conditioned that there are risks on these new platforms,” said Schmidt. “We look at the rich, robust capabilities these devices give us, but cyberprotection oftentimes is not in the front of our mind.”
Although cyberthreats are starting to pop up on mobile devices, the sheer number remains small compared with what’s out there targeting computers, experts say.
And in fact, there are fewer holes to exploit in some mobile operating systems. “They don’t rely on third-party software to do a lot of things, and even when they do, they don’t have the same security vulnerability,” said Patrik Runald, director of security research at San Diego’s Websense, which makes security software for large companies. “On mobile, when we are seeing attacks, they are often pure social engineering driven.”
Social engineering ploys, or “spear phishing,” typically use targeted emails and SMS (short message service) messages that attempt to trick people into downloading an infected application.
“Attackers do some reconnaissance,” said Runald. “They might know a person’s interests from looking at a Twitter feed or a Facebook profile. So let’s say they find out a person is a season-ticket holder to the Chargers. They could craft a message that said ‘Click here for an offer on season tickets for next year.’ ”
These social engineering attacks won’t work on some of the more tightly controlled mobile platforms. Apple iPhone owners, for example, can’t download apps from a source other than Apple’s App Store without making some fairly advanced modifications to their phone. Apple also examines apps for sale in its store. So it’s hard for malware to get a foothold.
Google’s Android operating system, which has 65 percent market share for smartphones, is more open. It supports downloading apps from websites outside of Google’s Android Marketplace. There also are several different versions of the Android operating system in the marketplace, making it difficult to deploy a uniform patch to fix any problems.
“The success of Android does mean that criminals are starting to take notice of it and look for ways to take advantage of this new platform,” wrote Aryeh Goretsky, a researcher at security software firm ESET, in a recent report. “(But) at ESET, only a small fraction of the malware we see on a daily basis is for Android.”
Two recent Android malware programs, however, were highlighted by the FBI on Oct. 22. Loozfon is information-stealing malware that uses “spear phishing” to lure victims, sending them a message offering a profitable payday for sending out email. A link leads to a website that pushes Loozfon onto the device. It steals the device’s phone number and contacts list.
FinFisher is spyware that can take over a device so it can be remotely controlled and monitored anywhere. It can be transmitted when a user visits a specific Web link or opens a text message masquerading as a system upgrade.
Another way malware is finding its way onto smartphones is through cracked applications, many of which are games. To encourage hackers, Dancing Penguins, a foreign website, pays them for infecting Android phones.
“You don’t have to figure out how to monetize the hacked phone yourself,” said Stephen Cobb, a security researcher at ESET. “You sell it to somebody who does that. Usually they use it to send premium-rate SMS messages or SMS spam, which we’re seeing a lot more of.”
Cobb said that over the past couple of years, malware has become an industry, with underground online forums that serve as marketplaces for buying and selling the information needed to carry out malware attacks.
“Now we’re starting to see the implications of that,” he said. “If you’re a bad guy who is getting too old for breaking and entering and you have a nephew who is good with computers, you can go out and buy all the bits and pieces you need” for cybercrime.
What cybercriminals are after is data, say experts. Motivated by money, they want to steal identities, credit card credentials and other personal information.
And increasingly, there’s the potential for corporate data to be available via a hacked personal smartphone or tablet that’s used for work.
“Think about how much corporate data we have on these devices,” said Runald, the Websense security researcher. “In your email box, if you’re a VP at a large organization, you probably have a lot of confidential information. If you’re a salesperson, you might have part of your customer list. So there is a lot of confidential data on these devices that needs to be secured.”
Using personal devices for work is a growing quandary for corporate information technology departments. There is a business benefit to the Bring Your Own Device trend. It doesn’t cost the company money to buy devices, while the firm gets the productivity gain from employees working remotely.
But there are also risks. “You have three things going on at the same time: The rapid growth in smartphone usage, the industrialization of malware to exploit these devices and the ‘Bring Your Own Device’ phenomenon,” said Cobb of ESET. “We shouldn’t underestimate the extent to which the smartphone is the keys to the kingdom.”
Many tools already exist to protect corporate data and allow mobile devices to be used safely at work, said John Marinho, vice president of Cyber Security at CTIA, an industry trade group. Malware protection software, source code analysis of applications to make sure there are no vulnerabilities, and encryption of sensitive data are all steps that companies are taking.
CTIA has been working on mobile security issues, including establishing a Cyber Security Working Group to drive awareness of cyberthreats and to lobby for laws giving companies and governments the ability to better share information.
Schmidt, the former White House cybersecurity chief, said best practices standards exist for security and privacy surrounding mobile devices. Strong password protection, the ability to wipe data from a lost device and other steps are available to ease security concerns in a Bring Your Own Device world.
“This is great technology. These devices are really beneficial in so many ways to businesses,” he said. “From a corporate IT standpoint, don’t take the stand that you can’t do this. Take the stand that this is how you do it securely, and we will help you.”
The FBI recommends these safety tips for consumers to guard mobile devices:
-- Turn off features not needed to minimize the “attack surface” of your phone.
-- Check to see if your phone’s operating system supports encryption. This can be used to protect the user’s personal data in case of loss or theft.
-- Review and understand the permissions you are giving when you download applications.
-- Passcode-protect your mobile device. This is the first layer of physical security to protect the contents of the device. Then, set the screen lock to engage after a few minutes of inactivity.
-- Get malware protection for your mobile device.
-- Do not connect your device to unknown wireless networks. These networks could be rogue access points that capture information passed between your device and a legitimate server.
-- If you sell your device or trade it in, make sure you wipe the device (reset it to factory default) to avoid leaving personal data behind.
-- Make sure to update your smartphone’s applications and firmware regularly. If you don’t, you increase the risk of having your phone hacked or compromised.
-- Avoid clicking on links or downloading software from unknown sources.