From late 2010 to the first few months of 2011, there’s been a fair bit of buzz in the tech media about how mobile malware may be the big IT security issue for 2011. (To be fair, I also said something similar in a previous post.)
Even though PC threats are still hugely more prevalent, mobile threats tend to get more press because they’re like the up-and-coming starlets of tech threats – they’re fresh, new, interesting, and frankly, just a little sexier than plain ol’ Windows malware.
At least – they are to IT security pros. For the average man on the street? Not so much. For many smartphone users, especially those only recently transitioning from ‘dumbphones’ to smartphones, ‘mobile threats’ can still be a pretty nebulous concept.
Since it seems likely that we’ll be talking more and more about mobile threats from now on, I reckoned this would be a good time for a quick tour through the world of mobile malware. And to make things easier, let’s break this guide into 3 articles covering the 3 most important questions for a new (or even not-so-new) smartphone user:
What (should I be worried about)?
Why (should I be worried)?
and How (do I protect myself)?
So let’s get this tour started with…
Mobile malware is nothing more than malicious programs designed to run on operating systems (OS) used by mobile devices. The most common devices affected are mobile phones, though PDAs, tablets and other consumer electronics may be affected if they also use the targeted OS.
Mobile threats aren’t a new phenomenon – the earliest mobile malware we have on record is Cabir (image above), which came out in June 2004. However, until the last 2 years or so, mobile malware hasn’t been a big deal. For most of the last 10 years or so, the number of distinct mobile malware programs created has been in the low hundreds – a drop in the ocean compared to their millions of PC counterparts.
Why? Mostly because PCs are easier to attack, there’s more of them, and there’s enough financial and personal information on them to make it worth the attacker’s efforts. Nowadays though, smartphones are rapidly gaining more allure as targets for malware authors, and for much the same reason PC threats have become so prevalent: exposure to the Internet.
Up until about 3 years ago (the ‘DumbPhone Era’, if you like), mobile threats were most commonly transmitted from user to user as Bluetooth worms, SMS-worms, etc. This limited distribution pattern tended to reduce the impact of mobile malware – the attacker had trouble distributing the malware to huge numbers of people, and an individual user generally couldn’t spread the infection very widely either.
That was before the Internet came to the phone. Nowadays, almost all smartphone users can connect to the Internet via a browsing program on their mobile phone (a mobile browser). Taking advantage of (currently) cheap data plans from telecom companies, smartphone users have been going online via their phones in record numbers in the last couple of years.
Unfortunately, this new-found connectivity comes with an unintended side effect. For PC users, their broadband connection to (and behavior on) the Internet has proved to be the most significant pipeline for malware distribution. For mobile users – ditto.
In the last few months, almost all mobile threats we’ve seen have arrived via the mobile browser or by the user downloading a bad app from the Internet – and it seems safe to say that in future, most of the major mobile threats will be distributed over the Internet.
There are a few distinct threat types favored on the mobile device, though these preferred types can change over time. Even as recently as last year, trojans (malware distributed using fake names, such as Skulls.D at right) and worms (particularly Bluetooth-worms) were the main threats for mobile users. By the end of 2010 and early 2011 though, we started seeing trojanized apps, rogue apps and online attacks targeted at mobile audiences.
Trojanized apps are a more sophisticated take on the ‘classic’ trojan, which was usually just a malicious file distributed under the stolen name of a legitimate one – say, a system update or game. Trojanized applications, on the other hand, are legitimate files that were reverse-engineered and adulterated with malicious code. The ‘Frankenstein’ program that results is usually very similar to the original, and may even be fully functional. Examples of this type of malware are Trojan:WinCE/Terdial and more recently Trojan:Android/BgServ.A and Trojan:Android/DroidDream.B.
Rogue apps are simply fraudulent programs that say they do something, but don’t. This is the mobile equivalent of the rogue, the PC scareware that’s been around for many years. There’s nothing particularly new about this threat on phones either – we posted about possibly fake mobile banking trojans in 2010 and even earlier – but as new smartphone users are still likely to come in contact with these malicious programs, the danger remains present.
On a different front, now that mobile browsing has become a major activity for smartphone users, online attacks that have troubled PC users for years are starting to affect mobile surfers too. Our Labs Weblog reported one phishing website that appeared to have formatted its fake URL to make it harder for mobile viewers to tell it’s a fake site.
An interesting point mentioned in the post was that a phishing attack may even work better on mobile browsers, as the lack of screen real estate works against the user by concealing any tell-tale ‘phishiness’ in a website’s URL. It’s early days yet, but I suspect it won’t be too long before we have to start coming out with a new Web Browsing Do’s and Don’t list specifically for mobile users, as PC-focused lists may not work for a mobile audience.
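To make the screen real estate point concrete, here is an added example (not part of the original post) that checks whether a narrow address bar still shows the part of a URL that identifies the site. It assumes the bar shows only the first `width` characters of the host and approximates the registrable domain as the last two labels; the function name, the TLD sample set and all hostnames are constructed for illustration.

```javascript
// Added example: can a user on a narrow address bar still see the part of
// the URL that identifies the site? All hostnames below are constructed.

// Assumption: tiny sample of labels that make a prefix read like a full domain.
const TLD_LIKE = new Set(['com', 'net', 'org', 'example']);

// Assumption: the bar shows only the first `width` characters of the host.
function analyzeForNarrowBar(rawUrl, width) {
  const host = new URL(rawUrl).hostname;
  const labels = host.split('.');
  // Simplification: the last two labels stand in for the registrable domain;
  // real code should consult the Public Suffix List.
  const domain = labels.slice(-2).join('.');
  const truncated = host.length > width;
  const shown = truncated ? host.slice(0, width) : host;

  let verdict = 'ok';
  if (truncated) {
    // Labels fully visible in the bar (the last piece may be cut mid-label).
    const visible = shown.split('.').slice(0, -1);
    // A TLD-like label after at least one other label makes the visible
    // prefix read like a complete, different domain.
    const looksComplete = visible.slice(1).some((l) => TLD_LIKE.has(l));
    verdict = looksComplete ? 'misleading' : 'truncated';
  }
  return { domain, shown, verdict };
}

// Constructed sample URLs using reserved .example and .test names.
const SAMPLES = [
  'https://www.mybank.example/login',
  'http://www.mybank.example.session-4821.verify.host-a1.test/login',
  'https://mobile-services-portal.customer-area.mybank.example/',
];

for (const url of SAMPLES) {
  const r = analyzeForNarrowBar(url, 24);
  console.log(`${r.verdict.padEnd(10)} shows "${r.shown}"  real domain: ${r.domain}`);
}
```

The third sample is a legitimate host that is simply too long for the bar, which is why a mobile-specific Do’s and Don’ts list cannot rely on users reading the visible URL alone.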
Of course, these are just the three most notable types of mobile malware we’ve seen in the first few months of 2011. Only time will tell how the attackers will refine their strategies and creations to take better advantage of mobile audiences. If the recent trend we’ve seen in the Labs is any indication, with more mobile samples being sent in for analysis, it seems pretty plausible that the next six months will see some new threat types turn up.
In summary though: Now and for the foreseeable future, PC threats will still be much more prevalent, no question about that. We are however starting to see more mobile threats emerging, as the large numbers of mobile phones accessing the Internet present a new, accessible and attractive target for attackers. At the moment, these new threats require the user to either download a malicious app or visit a malicious site.