What motivates most of the world’s most advanced mobile malware authors? One word: money.
Mobile Threats Motivated by Profit, 2004-2011
“The most credible threat is coming from hackers who want to profit monetarily with their attacks. And right now we’re seeing more profit-motivated mobile malware than ever before,” F-Secure’s Chief Research Officer Mikko Hypponen said, in the Mobile Threat Report Q4 2011 (Available here).
Since 2009, more than half of mobile malware has been profit-motivated. Do you remember what was happening in the mobile world around 2009? The Android mobile platform emerged and has since replaced Symbian as the mobile OS most often targeted by mobile malware.
From the Mobile Threat Report: “Android malware continues to expand rapidly in the fourth quarter of 2011, with malware originating from Russia forming a significant presence in the scene.”
Mobile Threats by Platform, 2004-2011
You’ll notice that while the iOS platform that powers Apple devices has expanded exponentially but it has not experienced a boom in new malware targeting it. F-Secure Labs has credited the security approvals required for placement in Apple’s AppStore for keeping malicious apps to a minimum. Mobile malware that affects jailbroken iPhones but the Labs does not expect an iOS malware boom.
What does a boom in malware look like?
In Finland, there is this thing called juhannus. A few years ago, our former colleague Hetta described it like this: Well, Midsummer – or juhannus – as it is called in Finnish, is one of the most important public holidays in our calendar. It is celebrated, as you probably guessed, close to the dates of the Summer Solstice, when day is at its longest in the northern hemisphere. Finland being so far up north, the sun doesn’t set on juhannus at all. Considering that in the winter we get the never ending night, it’s no surprise we celebrate the sun not setting. So what do Finns do to celebrate juhannus? I already told you we flock to our summer cottages, but what then? We decorate the cottage with birch branches to celebrate the summer, we stock up on new potatoes which are just now in season and strawberries as well. We fire up the barbecue and eat grilled sausages to our hearts content. We burn bonfires that rival with the unsetting sun. And we get drunk. If that isn't vivid enough, this video may help: [protected-iframe id="f18649f0b62adf8eb1ec638fa5066050-10874323-9129869" info="https://www.facebook.com/plugins/video.php?href=https%3A%2F%2Fwww.facebook.com%2Fsuomifinland100%2Fvideos%2F1278272918868972%2F&show_text=0&width=560" width="560" height="315" frameborder="0" style="border: none; overflow: hidden;" scrolling="no"] And because the celebration is just so... celebratory, it's easy to lose your phone. So here are a few ways to prepare yourself for a party that lasts all night. 1. Don't use 5683 as your passcode. That spells love and it's also one of the first passcodes anyone trying to crack into your phone will try. So use something much more creative -- and use a 6-digit code if you can on your iPhone. You can also encrypt your Android. 2. Write down your IMEI number. If you lose your phone, you're going to need this so make sure you have it written down somewhere safe. 3. Back your content up. This makes your life a lot easier if your party goes too well and it's pretty simple on any iOS device. Just make sure you're using a strong, unique password for your iCloud account. Unfortunately on an Android phone, you'll have to use a third-party app. 4. Maybe just leave it home. Enjoy being with your friends and assume that they'll get the pictures you need to refresh your memory. And while you're out you can give your phone a quick internal "clean" with our free Boost app. [Image by Janne Hellsten | Flickr]
Yet another big vulnerability in the headlines. The Metaphor hack was discovered by Israel-based NorthBit and can be used to take control over almost any Android device. The vulnerability can be exploited from video files that people encounter when surfing the web. It affects all versions of Android except version 6, which is the latest major version also known as Marshmallow. But why is this such a big deal? Severe vulnerabilities are found all the time and we receive updates and patches to fix them. A fast update process is as a matter of fact a cyber security cornerstone. What makes this issue severe is that it affects Android, which to a large extent lack this cornerstone. Android devices are usually not upgraded to new major versions. Google is patching vulnerabilities, but these patches’ path to the devices is long and winding. Different vendors’ practices for patching varies a lot, and many devices will never receive any. This is really a big issue as Android’s smartphone market share is about 85% and growing! How is this possible? This underlines one of the fundamental differences between the Android and iOS ecosystems. Apple’s products are planned more like the computers we are used to. They are investments and will be maintained after purchase. iOS devices receive updates, and even major system upgrades, automatically and free of charge. And most users do install them. Great for the security. Android is a different cup of tea. These devices are mostly aimed at a cheaper market segment. They are built as consumables that will be replaced quite frequently. This is no doubt a reasonable and cost-saving strategy for the vendors. They can focus on making software work on the currently shipping devices and forget about legacy models. It helps keeping the price-point down. This leads to a situation where only 2,3% of the Android users are running Marshmallow, even half a year after release. The contrast against iOS is huge. iOS 9 has been on the market about the same time and already covers 79% of the user base. Apple reported a 50% coverage just five days after release! The Android strategy backfires when bugs like Metaphor are discovered. A swift and compete patch roll-out is the only viable response, but this is not available to all. This leaves many users with two bad options, to replace the phone or to take a risk and keep using the old one. Not good. One could think that this model is disappearing as we all grow more and more aware of the cyber threats. Nope, development actually goes in the opposite direction. Small connected devices, IoT-devices, are slowly creeping into our homes and lives. And the maintenance model for these is pretty much the same as for Android. They are cheap. They are not expected to last long, and the technology is developing so fast that you would be likely to replace them anyway even if they were built to last. And on top of that, their vendors are usually more experienced in developing hardware than software. All that together makes the IoT-revolution pretty scary. Even if IoT-hacking isn’t one of the ordinary citizen’s main concerns yet. So let’s once again repeat the tree fundamental commands for being secure on-line. Use common sense, keep your device patched and use a suitable security product. If you have a system that provides regular patches and updates, keep in mind that it is a valuable service that helps keeping you safe. But it is also worth pointing out that nothing as black and white. There are unfortunately also problematic update scenarios. Safe surfing, Micke Photo by etnyk under CC
Tuesday February 9th is Safer Internet Day this year. An excellent time to sit down and reflect about what kind of Internet we offer to our kids. And what kind of electronic environment they will inherit from us. I have to be blunt here. Our children love their smartphones and the net. They have access to a lot of stuff that interest them. And it’s their new cool way to be in contact with each other. But the net is not designed for them and even younger children are getting connected smartphones. Technology does not support parents properly and they are often left with very poor visibility into what their kids are doing on-line. This manifests itself as a wide range of problems, from addiction to cyber bullying and grooming. The situation is not healthy! There are several factors that contribute to this huge problem: The future’s main connectivity devices, the handhelds, are not suitable for kids. Rudimentary features that help protect children are starting to appear, but the development is too slow. Social media turns a blind eye to children’s and parents’ needs. Most services only offer one single user experience for both children and adults, and do not recognize parent-child relationships. Legislation and controlling authorities are national while Internet is global. We will not achieve much without a globally harmonized framework that both device manufacturers and service providers adhere to. Let’s take a closer look at these three issues. Mobile devices based on iOS and Android have made significant security advances compared to our old-school desktop computers. The sandboxed app model, where applications only have limited permissions in the system, is good at keeping malware at bay. The downside is however that you can’t make traditional anti-malware products for these environments. These products used to carry an overall responsibility for what happens in the system and monitor activity at many levels. The new model helps fight malware, but there’s a wide range of other threats and unsuitable content that can’t be fought efficiently anymore. We at F-Secure have a lot of technology and knowledge that can keep devices safe. It’s frustrating that we can’t deploy that technology efficiently in the devices our kids love to use. We can make things like a safe browser that filters out unwanted content, but we can’t filter what the kids are accessing through other apps. And forcing the kids to use our safe browser exclusively requires tricky configuration. Device manufacturers should recognize the need for parental control at the mobile devices. They should provide functionality that enable us to enforce a managed and safe experience for the kids across all apps. Privacy is an issue of paramount importance in social media. Most platforms have implemented good tools enabling users to manage their privacy. This is great, but it has a downside just like the app model in mobile operating systems. Kids can sign up in social media and enjoy the same privacy protection as adults. Also against their parents. What we need is a special kind of child account that must be tied to one or more adult accounts. The adults would have some level of visibility into what the kid is doing. But full visibility is probably not the right way to implement this. Remember that children also have a certain right to privacy. A good start would be to show whom the kid is communicating with and how often. But without showing the message contents. That would already enable the parents to spot cyberbullying and grooming patterns in an early phase. But what if the kids sign up as adults with a false year of birth? There’s currently no reliable way to stop that without implementing strong identity checks for new users. And that is principally unfeasible. Device control could be the answer. If parents can lock the social media accounts used on the device, then they could at the same time ensure that the kid really is using a child account that is connected to the parents. The ideas presented here are all significant changes. The device manufacturers and social media companies may have limited motivation to drive them as they aren’t linked to their business models. It is therefore very important that there is an external, centralized driving force. The authorities. And that this force is globally harmonized. This is where it becomes really challenging. Many of the problems we face on Internet today are somehow related to the lack of global harmonization. This area is no exception. The tools we are left with today are pretty much talking to the kids, setting clear rules and threatening to take away the smartphone. Some of the problems can no doubt be solved this way. But there is still the risk that destructive on-line scenarios can develop for too long before the parents notice. So status quo is really not an acceptable state. I also really hope that parents don’t get scared and solve the problem by not buying the kids a smartphone at all. This is even worse than the apparent dangers posed by an uncontrolled net. The ability to use smart devices and social media will be a fundamental skill in the future society. They deserve to start practicing for that early. And mobile devices are also becoming tools that tie the group together. A kid without a smartphone is soon an outsider. So the no smartphone strategy is not really an alternative anymore. Yes, this is an epic issue. It’s clear that we can’t solve it overnight. But we must start working towards these goals ASAP. Mobile devices and Internet will be a cornerstone in tomorrow’s society. In our children’s society. We owe them a net that is better suited for the little ones. We will not achieve this during our kids’ childhood. But we must start working now to make this reality for our grandchildren. Micke