A quick guide to mobile malware (part 2)

This is the second article in a 3-part series on mobile malware.

Why (should I be worried)?

Worm:iOS/Ikee.A changed the phone's wallpaper

Last week I gave a brief summary of the kinds of threats a user might encounter on the smartphones of today. This week’s article is supposed to cover the reasons why a user would worry about mobile malware, so let me give the short answer now:

Usually, mobile malware attacks are motivated by: Bragging rights; money; stealing personal information that can be sold for money. For the user that gets hit by the malware, it means: Losing control over your phone; losing your money; someone else might be using your personal details for who-knows-what.

So let’s assume your phone’s been infected. Just how much should you be worried? Well, that kind of depends on your luck and what kind of malware you’re dealing with.

“Hey folks! Look what I can do!”

Like PC-based malware, the first threats to appear on the phone are often the product of some technically-minded person finding a loophole in the phone’s operating system, writing a program to exploit it, then releasing it to the general public to, basically, prove that it can be done. A prank for bragging rights, more or less. There may also be more subtle motivations involved, but if your phone is on the receiving end, you probably wouldn’t care.

Sometimes, if you’re lucky, that first malicious program doesn’t do anything worse than changing the phone’s wallpaper (Worm:iOS/Ikee.A is a good example here). So, for the user, the cost for the malware creator’s bragging rights is: time spent dealing with the problem and probably a massive headache.

Not a good loss, but bearable. Unfortunately, the next two potential losses for a user hit by mobile malware – money and/or personal data – are more serious.

“Give me back my phone!”

As other attackers get hold of that pioneer program and modify it to be more malicious, the next few versions (or variants) of it usually get more ‘risky’ to the user. If the malware is really malicious, it can alter the phone’s functionality to the point that the device is basically ‘bricked’ – it can’t be used for anything other than a paperweight.

Some examples we saw on the Symbian platform – which, by virtue of being the first widely used smartphone platform, also suffered the most threats – were Cardtrap, Skulls, Romride and Locknut. At this point, if the damage isn’t recoverable, the user is also out by the price of the phone and loss of the data stored on the phone itself. Ouch.

SMSes = $$$

Still, not everyone has to be concerned about data loss, if they have their contacts backed up elsewhere and they don’t keep financial or confidential details on their phone. What if you do, though? Say, you do mobile bank transactions, or store your PINs or account log-in details on the phone? Can an attacker find a way to pull confidential data off the phone?

‘Early generation’ smartphones – for the sake of this article, let’s say they’re the ones that sent data out by WAP  – didn’t give crooks a lot of options for getting hold of data they could make money from.  On these phones, the ‘traditional’ way for crooks to make money was through what amounts to SMS fraud (an example is the Redoc trojan family).

In this kind of scheme, the attackers has to plant a trojan on the device that forces it to send SMS messages to a premium phone number, which can wrack up a high phone bill for the user. Though effective, these attacks tend not to be very widespread, as they are limited by the geographical location and size of the telecom networks and target-able users. If you’re not in the target group, the threat is almost nonexistent.

Stealing data

Nowadays though, ‘new generation’ smartphones – as in ones with fast data connections back up by unlimited or cheap data packages from telco providers, making it convenient for a user to just leave the data connection open – offer a crook more options. Instead of bothering with SMS fraud, they can create malware that find and retrieve specific information stored on the device, which could potentially give far greater returns. Case in point is the very next Ikee variant, Ikee.B, which stole financially-sensitive information stored on the phone.

In this case, the loss is hard to estimate as fortunately, this type of malware isn’t common and the risk they pose is highly individual, depending on what details you store on your phone. It would probably also depend on how the attacker would be able to convert the details stolen into hard cash – sell it off in bulk together with details stolen from others? Find a way to log into a compromised account and withdraw the money?

There’s no ‘standard scenario’ here, so it’s hard for a user to realistically evaluate the fallout of having data stolen off their phone. All that can be reliably said is that personal and financial details are major targets on a PC and they’re probably no less attractive on mobile devices; it’s just that up until now, attackers didn’t have a way to scam these details out of someone on a mobile device.

Going straight for the money

As with PC threats, the main motivation for mobile threats seems to have transitioned from bragging rights to making money. And in a totally unscientific personal observation, it sure seems like mobile malware made that transition much faster than PC threats did. As a very rough comparison:

  • Brain, the first PC-based malware, came out in 1986; it was only in the early 2000’s that profit-motivated malwares became prevalent (though there doesn’t seem to be any agreement on which was the first).
  • By comparison, the iOS was launched in early 2007; its first trojan (of the bragging rights variety) came out almost exactly a year later; and shortly thereafter came Ikee.B, which was more malicious (but only on jailbroken iPhones).
  • The Android OS was launched in late 2007; its first trojan was also the first to try an SMS fraud scam, and it appeared in August of 2010.

It’s early days yet for mobile threats so we really don’t know how they are going to evolve.

It would probably be a safe bet to say that there are going to be more new threats though, and not all of them are going to be as benign as a plastering on a Rick Astley wallpaper.

Next week, the last in this series – How (can I protect myself)?

More posts from this topic

kids laptop remote working take your kids to work

How about ‘Take Your Work to Kid’ Day?

In the United States, Australia and Canada, April 23 will be Take Our Sons and Daughters to Work Day. But given our changing economy and workplace, is one day enough to improve the bonds between parent and child? Originally created to give girls a chance to "shadow" their parents in the workplaces women have so often been excluded from, Take Your Kid to Work Day, as it's often called, was expanded in 2003 to include boys as a way to help all kids see "the power and possibilities associated with a balanced work and family life." It's a nice ideal, but it isn't much of a reality, at least in many industrial countries. Americans spend an average of 1,788 hours a year at work. Most parents with full-time jobs will spend almost two-thirds of their day working and sleeping, leaving little time for anything else. Hopefully your country is a little better at balancing work/home. Finnish workers, for instance, spent 1,666 hours on average at work in 2013 that's 122 hours or 3 full weeks less than their American counterparts. Don't be jealous: German workers only averaged 1,388 hours at work in 2013. Chances are wherever you live your kids already see you at work. A 2012 survey found that 60 percent of Americans are email accessible for 13.5 hours a weekday with an extra 5 hours on the weekend. Given the extraordinary demands work makes on us, perhaps you can make a demand on your work to be a bit more flexible. Given that we're nearly always accessible, why can't parents plan around their kids' schedules and get some work done? Activities like sports, dance, karate and other arts offer parents a chance to be an active observer of their kids while getting some work done on a mobile PC or device while their children are being supervised by another adult. Given that 70 percent of millennial use their own devices for work, it's likely that younger parents already do this to some degree on their phones and tablets. But they're likely not thinking about potential data leakage that can occur, especially when using public Wi-Fi built on old technology that could expose your identity and possibly even your email. But with security and a virtual personal network -- like our Freedome VPN -- you can be about as secure in the office as you're out in the world seeing how your kids work, as they get another chance to see you. Cheers, Sandra [Image by Wesley Fryer | Flickr]        

April 21, 2015
BYOD

Why Bring your own Device (BYOD)?

Do you ever use your personal phone to make work related calls? Or send work related e-mails? Maybe you even use it to work on Google Docs, or access company files remotely? Doing these things basically means you’re implementing a BYOD policy at your work, whether they know it or not. BYOD – that’s bring your own device – isn’t really a new trend, but it is one that’s becoming more widespread. Statistics from TrackVia suggest that younger generations are embracing BYOD on a massive scale, with nearly 70% of surveyed Millennials admitting that they use their own devices and software, regardless of their employer’s policies on the matter. This is essentially pressuring employers to accept the trend, as the alternative could mean imposing security restrictions that limit how people go about their work. Consequently, Gartner predicts that 38% of businesses will stop providing employees with devices by 2016. It kind of seems like workers are enforcing the trend, and not businesses. But it’s happening because it’s so much easier to work with phones, tablets, and computers that you understand and enjoy. Work becomes easier, productivity goes up, life becomes more satisfying, etc. This might sound like an exaggeration, and maybe it is a little bit. BYOD won’t solve all of life’s problems, but it really takes advantage of the flexibility modern technology offers. And that’s what mobility should be about, and that’s what businesses are missing out on when they anchor people to a specific device. BYOD promotes a more “organic” aspect of technology in that it’s something people have already invested in and want to use, not something that’s being forced upon them. But of course, there are complications. Recent research confirms that many of these same devices have already had security issues. It’s great to enjoy the benefits of using your own phone or tablet for sending company e-mails, but what happens when things go wrong? You might be turning heads at work by getting work done faster and more efficient, but don’t expect this to continue if you happen to download some malicious software that infiltrates your company’s networks. You’re not alone if you want to use your own phone, tablet, or computer for work. And you’re not even alone if you do this without telling your boss. But there’s really no reason not to try and protect yourself first. You can use security software to reduce the risk of data breaches or malicious infections harming your employer. And there’s even a business oriented version of F-Secure's popular Freedome VPN called Freedome for Business that can actually give you additional forms of protection, and can help your company manage an entire fleet of BYOD and company-owned devices. It’s worth bringing these concerns to an employer if you find yourself using your own devices at the office. After all, statistics prove that you’re not alone in your concerns, and your employer will most likely have to address the issue sooner rather than later if they want the company to use technology wisely.  

April 17, 2015
BY