A quick guide to mobile malware (part 2)

This is the second article in a 3-part series on mobile malware.

Why (should I be worried)?

Worm:iOS/Ikee.A changed the phone's wallpaper

Last week I gave a brief summary of the kinds of threats a user might encounter on the smartphones of today. This week’s article is supposed to cover the reasons why a user would worry about mobile malware, so let me give the short answer now:

Usually, mobile malware attacks are motivated by: Bragging rights; money; stealing personal information that can be sold for money. For the user that gets hit by the malware, it means: Losing control over your phone; losing your money; someone else might be using your personal details for who-knows-what.

So let’s assume your phone’s been infected. Just how much should you be worried? Well, that kind of depends on your luck and what kind of malware you’re dealing with.

“Hey folks! Look what I can do!”

Like PC-based malware, the first threats to appear on the phone are often the product of some technically-minded person finding a loophole in the phone’s operating system, writing a program to exploit it, then releasing it to the general public to, basically, prove that it can be done. A prank for bragging rights, more or less. There may also be more subtle motivations involved, but if your phone is on the receiving end, you probably wouldn’t care.

Sometimes, if you’re lucky, that first malicious program doesn’t do anything worse than changing the phone’s wallpaper (Worm:iOS/Ikee.A is a good example here). So, for the user, the cost for the malware creator’s bragging rights is: time spent dealing with the problem and probably a massive headache.

Not a good loss, but bearable. Unfortunately, the next two potential losses for a user hit by mobile malware – money and/or personal data – are more serious.

“Give me back my phone!”

As other attackers get hold of that pioneer program and modify it to be more malicious, the next few versions (or variants) of it usually get more ‘risky’ to the user. If the malware is really malicious, it can alter the phone’s functionality to the point that the device is basically ‘bricked’ – it can’t be used for anything other than a paperweight.

Some examples we saw on the Symbian platform – which, by virtue of being the first widely used smartphone platform, also suffered the most threats – were Cardtrap, Skulls, Romride and Locknut. At this point, if the damage isn’t recoverable, the user is also out by the price of the phone and loss of the data stored on the phone itself. Ouch.

SMSes = $$$

Still, not everyone has to be concerned about data loss, if they have their contacts backed up elsewhere and they don’t keep financial or confidential details on their phone. What if you do, though? Say, you do mobile bank transactions, or store your PINs or account log-in details on the phone? Can an attacker find a way to pull confidential data off the phone?

‘Early generation’ smartphones – for the sake of this article, let’s say they’re the ones that sent data out by WAP  – didn’t give crooks a lot of options for getting hold of data they could make money from.  On these phones, the ‘traditional’ way for crooks to make money was through what amounts to SMS fraud (an example is the Redoc trojan family).

In this kind of scheme, the attackers has to plant a trojan on the device that forces it to send SMS messages to a premium phone number, which can wrack up a high phone bill for the user. Though effective, these attacks tend not to be very widespread, as they are limited by the geographical location and size of the telecom networks and target-able users. If you’re not in the target group, the threat is almost nonexistent.

Stealing data

Nowadays though, ‘new generation’ smartphones – as in ones with fast data connections back up by unlimited or cheap data packages from telco providers, making it convenient for a user to just leave the data connection open – offer a crook more options. Instead of bothering with SMS fraud, they can create malware that find and retrieve specific information stored on the device, which could potentially give far greater returns. Case in point is the very next Ikee variant, Ikee.B, which stole financially-sensitive information stored on the phone.

In this case, the loss is hard to estimate as fortunately, this type of malware isn’t common and the risk they pose is highly individual, depending on what details you store on your phone. It would probably also depend on how the attacker would be able to convert the details stolen into hard cash – sell it off in bulk together with details stolen from others? Find a way to log into a compromised account and withdraw the money?

There’s no ‘standard scenario’ here, so it’s hard for a user to realistically evaluate the fallout of having data stolen off their phone. All that can be reliably said is that personal and financial details are major targets on a PC and they’re probably no less attractive on mobile devices; it’s just that up until now, attackers didn’t have a way to scam these details out of someone on a mobile device.

Going straight for the money

As with PC threats, the main motivation for mobile threats seems to have transitioned from bragging rights to making money. And in a totally unscientific personal observation, it sure seems like mobile malware made that transition much faster than PC threats did. As a very rough comparison:

  • Brain, the first PC-based malware, came out in 1986; it was only in the early 2000’s that profit-motivated malwares became prevalent (though there doesn’t seem to be any agreement on which was the first).
  • By comparison, the iOS was launched in early 2007; its first trojan (of the bragging rights variety) came out almost exactly a year later; and shortly thereafter came Ikee.B, which was more malicious (but only on jailbroken iPhones).
  • The Android OS was launched in late 2007; its first trojan was also the first to try an SMS fraud scam, and it appeared in August of 2010.

It’s early days yet for mobile threats so we really don’t know how they are going to evolve.

It would probably be a safe bet to say that there are going to be more new threats though, and not all of them are going to be as benign as a plastering on a Rick Astley wallpaper.

Next week, the last in this series – How (can I protect myself)?

More posts from this topic

yahoo

What You Need to Know About the Yahoo Hack

Reports that half a billion Yahoo accounts were hacked in 2014 "by a state-sponsored actor" were confirmed today by the tech giant. This hack of "names, email addresses, telephone numbers, birth dates, encrypted passwords and, in some cases, security questions" is the largest in the company's history and one of the most consequential breaches of all time. Our security advisor Sean Sullivan told CNN what Yahoo users need to know right now: [youtube https://www.youtube.com/watch?v=kO-70yKF4bE] He also gave a longer interview to Data Breach Today about the wider implications of the hack. The most important takeaway from this attack is you should always use an extra layer of protection -- in this case Yahoo's two-factor authentication on all your accounts -- and never reuse any important password. Even though Yahoo's passwords stored your passwords with encryption, it's still possible for criminals to get access to them, especially if they are weak. A former Yahoo employee told Reuters that the answers to security questions were deliberately left unencrypted to help catch fake accounts more easily because fake accounts that used the same answers over and over. Sean always uses nonsense answers for so-called security questions so they aren't guessable by anyone who knows him or follows him on social media. He recommends you do the same. So what should you do now? Sean recommends you "walk, not run" to your Yahoo account to disable your security questions and change your password -- and change them on any other site where you've used them to something unique. Make sure you create non-human passwords -- not patterns like yahoo1985. Make them long and difficult to remember. If they're between 20 and 32 characters, they are nearly uncrackable, as our senior researcher Jarno Niemelä recommends. And to deal with all that complexity, use a password manager like our F-Secure KEY, which is free on one device. You can also store your nonsense answers to your security questions in there. Then turn on two-factor authentication, if you haven't already. If you're wondering who might have carried out such a massive attack, Sean does have a hypothesis. [Image by Christian Barmala | Flickr]

September 23, 2016
BY 
android_wi-fi

How to Create a Portable Hotspot on Android with VPN on

Many Android users (myself included) have long found it annoying that creating a working portable hotspot is not possible while using a VPN on the device that shares the connection.  From the user interface to the lines of code that power the app behind it, a driving principle of designing Freedome has always been to make the kind of VPN that only makes your online experience better, without hindering it in any way. Tethering with VPN is now possible This is why we are extremely happy - both personally and for our users - to announce that our new Android release (out now on Google Play) makes it possible to have Freedome turned on while sharing your connection with other devices. We are also the first (as far as we know) major VPN provider to make this happen. Instructions on setting up a portable hotspot The new update automatically allows you to create a portable hotspot with Freedome VPN, so the instructions are fairly simple. Download Freedome VPN on your Android Turn on the portable hotspot feature from your Android settings Keeping it simple, as usual! A note on privacy It’s worth noting for the sake of your privacy that the tethered device’s traffic will NOT go through the VPN tunnel of the device sharing the connection. According to Freedome Product Development Director Harri Kiljander: “Android does not allow tethered devices access to the VPN tunnel. This is a deliberate choice forced by Android for security reasons. For instance, when using VPN to access your employer’s network, they might not want your friends and family there. Also a VPN tunnel shared with others wouldn’t really be a private network anymore” In other words, remember to use Freedome on laptops and any other devices you connect to your own hotspots with. If you have any questions, drop us a line on Twitter. Enjoy!

September 23, 2016
BY 
webcam

QUICK TIP: Change the Default Passwords on Your Webcams and Baby Monitors

If you don't want to read the manual for the new Wi-Fi-connected device you just installed in your home, do yourself a favor and at least check how to change the default password. A new report finds that more than 100,000 devices in the United Kingdom alone could be possibly be accessed by peeping strangers. How is this possible? "Two words," explains F-Secure security advisor Sean Sullivan. "Default settings." Most consumers don't seem to imagine that their baby monitor, web cam of Wi-Fi router might be targeted by a hacker. "That’s called security through obscurity and it just does not work," Sean explains. "There are 'deep-web' search engines --such as Shodan -- that routinely scan for devices on the Internet. And just about anybody can find interesting things there that shouldn’t be publicly accessible but are." Often all online intruders need to do is type in the password that the manufacture sent the device out with. "You need to change the webcam’s password to something complex and unique," he says. "Don’t worry about having to type it all the time, you’ll probably only need to configure the associated mobile app once. And then the app will remember the password for you." This one simple step will greatly reduce your risk of having your devices hacked. Still many of us won't do it. The time to get rid of this terrible habit of leaving default passwords untouched is now, before our homes become so overrun by Wi-Fi-connected devices that hackers begin to devote serious resources to this sort of intrusion and possibly find some convenient way to monetize it. So don't let your fear of not being able to remember the passwords for all these devices become the weak link in your security. "Once you’ve set your secure password, store it someplace safe for future use," Sean says. He suggests a using a password safe like F-Secure KEY or a piece of paper in a secure location in your home. Just don't store it anywhere in sight of a webcam that still is using its default password. [Image by DAVID BURILLO | Flickr]

September 22, 2016