When a security researcher revealed that the Apple iPhone was tracking its owner’s travel history, the revelation made news around the world.
For the first time, millions of smartphone users woke up to the fact that their mobile devices may be collecting data that has generally been considered private. As billions of users around the globe adopt smartphones as a tool of choice for business and banking, rapid shifts in market share are creating a mobile landscape with unprecedented privacy issues and increasing security risks.
On February 11, 2011, the world’s largest phone manufacturer Nokia announced that it will be transitioning from the Symbian operating system to Windows Phone 7. This historic alliance can be seen as a response to the increasing global popularity of Apple’s iOS and Google’s Android mobile platforms. In early 2011, Google’s Android passed Symbian as the world’s most popular mobile OS.
The diversity of mobile platforms—as compared to the PC world where Windows dominates—along with application approval processes—such as those employed by Symbian and Apple—has limited the impact of mobile attacks thus far.
Yet Android’s growing popularity and open application development process may present some concerns for consumers. Not only have trojanized apps appeared in third-party marketplaces, but in March 2011 more than 50 rogue apps were even removed from Android’s official marketplace.
As Android evolves to 3.0 to support tablets with customized interfaces from various manufacturers, its lack of a centralized process to patch security holes may create the possibility of ongoing exploits. These vulnerabilities will surely be exploited as the number of users using their phones for financial transactions on these platforms grows. Meanwhile, privacy concerns have sparked a federal grand jury investigation in the United States about the kinds of user data mobile app makers are collecting and sharing with advertisers.
Finally, the SpyEye mobile malware, which works in combination with a PC banking Trojan, exemplifies the high-stakes cat-and-mouse game pitting financial institutions and law enforcement agencies against online criminals. This game began on PCs and has now—like most games that start on a PC—gone mobile.
Mobile OS News
In February of 2011, Nokia announced that Windows Phone 7 will be the primary operating system for its future devices. This is a historic switch from the Symbian platform that introduced most of the globe to smartphones. Windows Phone 7 and Xbox are the only Microsoft platforms where applications must be pre-approved by Microsoft before users can run them. As a result, F-Secure does not expect any major mobile malware outbreaks just because of Nokia’s partnership.
Android is now the most popular mobile platform with 39.5% market share. Android’s rise, which was most striking in the United States, went from being the fourth most popular mobile platform to overtaking Apple’s iOS and Blackberry’s OS to become the leading mobile OS in just twelve months. Symbian is currently the world’s second most popular mobile platform, running on 20.9% of mobiles around the globe. As a result of the Nokia/Microsoft deal, IDG predicts that Symbian will be on less than 1% of smartphones by 2015 while Windows Phone 7 will rise to the 20.9% market share now occupied by Symbian.
Android 3.0, also known as Honeycomb, is designed to support tablet computing and compete with Apple’s iPad. Google worked with Motorola and HTC to support the launch of Honeycomb on the Motorola Xoom and the HTC Thunderbolt. These collaborations indicate that Google may be trying to somewhat rein in how developers deploy its OS. However, it also creates uncertainty in how exploits focused on different versions/implementations of the OS will be patched, which could leave some devices vulnerable to zero-day attacks.
iPhone Location Data Controversy
In March of 2011, forensic researcher Alex Levinson announced that he had found a way to map out where an iPhone has been. The information comes from a location cache file found on an iPhone (Library/Caches/locationd/consolidated.db).
Most mobile carriers and smartphone OS makers, including Android and Windows Phone 7, track some form of location data. In addition, a small and growing percentage of mobile users use location-based social networks to track their location. However, few had any idea that their entire travel history could be tracked. For the very first time, millions of device owners had to face the new and uncharted privacy implications of smartphone ownership and use.
Dangerous Apps and More Privacy Problems
Apple has embraced a “walled garden” approach for the development of applications that run on the iPhone iOS. All apps available through its official App Store require Apple’s approval. Apple also holds all developer revenue in escrow for 30 days or so. As a result, most scams are shut down and removed before the scammers can benefit. Of course, the iPhone “jailbreak” has created an underground market of unsanctioned apps that Apple has no control over. But users must actively seek out these alternatives.
In contrast, Android’s approach to application development has created what could be called a “Wild Wild West” atmosphere that has been exploited by rogue developers. Malicious apps are often copies of copyrighted apps that have been trojanized and then sold to consumers as legitimate software. These trojans can lead to information leakage and high data usage, which could leave users with inflated phone bills. Previously, these malicious apps were distributed primarily in third-party marketplaces, mostly in mainland China. However, in 2011, they reached the official Android Market.
In January, a Chinese version of the “Steamy Window” application for Android was found repackaged with a trojan. F-Secure Labs saw this as a clear sign that Android malware was on the rise.
Soon thereafter a new Android trojan named ADRD appeared. ADRD was mostly found included in several applications from a third-party application provider in China, with the applications repackaged to contain the trojan. Most of the infected applications were wallpaper-related.
Then in March, the threat of trojanized apps hit the mainstream. More than fifty apps were removed from the official Android Market. The malicious applications were uploaded using various developer names. According to the androidpolice.com report, one of the malicious applications contained a known exploit (“rageagainstthecage”) for gaining root access.
In response to the breach of security, Google used its “Kill Switch” to remove the trojans from Android handsets. Google also forced an install of a program called Android Market Security Tool to affected phones. This was only the second time Google has used its Kill Switch.
Google also released a security tool to affected users. Ironically, a trojanized version of the tool was found on a mainland Chinese network.
Google’s purchase of Motorola is likely to fuel Android’s growth on smartphones and tablets. Android 4 is scheduled to arrive this October, creating tablet competitors to the iPad. Tablets are more likely to be used to do things traditionally done on PCs, such as online banking, and that could very likely increase attacks on tablets.
Consumers will soon recognize that mobile devices require many of the same security precautions as PCs. Software needs to be updated and applications should be researched before installing them on your smartphones. F-Secure Labs released a list of tips for protecting your mobile device.
Even when applications aren’t malicious, users still need to be aware that phones may be sharing confidential data with app makers without the owners’ knowledge. Federal prosecutors in New Jersey are investigating several smartphone application creators, including Pandora, for allegedly sharing user data—such as GPS location, gender and age—with third parties without notifying users, in violation of the United States’ Computer Fraud and Abuse Act. While no charges have been filed, this can be seen as a serious wake-up call to application developers with regard to how they protect customer data.
Both Twitter and Facebook released https browsing support in early 2011 for PC-based web browsers in response to Firesheep, a tool that makes it possible to see what information is shared over free open Wi-Fi networks. Facebook’s implementation still has some glitches and not all social networking sites secure their data this way. Users need to be aware that information on phones (and laptops) shared over unsecured Wi-Fi is vulnerable to eavesdroppers. Use a VPN when connecting over Wi-Fi whenever possible. At the time of writing, many mobile apps and mobile web browsers do not support https browsing.
The Cat and Mouse Game Hits Mobile
For nearly a decade, financial institutions have been striving to keep ahead of online criminals. They’ve secured their sites, implemented anti-phishing technology and offered to SMS one-time passwords or mTANs to customers to protect their accounts. As banks innovate, criminals make it their business to keep up.
In late 2010, security blogger Brian Krebs discovered that the authors of two popular botnet kits had merged to form what he called a “supertrojan.” In March, a variant of SpyEye was used in a new “man-in-the-mobile” attack on a European bank. This attack combined a trojan that affects a PC’s web browser with a mobile trojan that verifies itself, forming a unique new attack that might have tricked even the savviest of users.
The trojan injects fields into the bank’s webpage to phish the customer’s mobile phone number and the IMEI of the phone. This is done under the guise that the bank needs that information to make SMS transfers MORE secure. The bank customer is then told the information is needed from their mobile. A “certificate” is sent to the phone with a notice to the user that it can take up to three days before the certificate is ready. Using the IMEI of the phone, the criminals can create a “developer certificate” that bypasses security prompts. If the trojan is installed, the one-time password can be stolen, along with all of the customer’s money.
Users should keep in mind that while banks make their best effort to secure digital transactions, actually going into a bank for important transactions or transfers is still a wise idea.
Where Is Mobile Malware Headed?
Recent mobile malware makes it very easy to imagine what data e-criminals are after. In addition to banking and other crucial credentials, photos are an attractive target. This malware targeting Symbian phones can’t steal your photos, yet. But it’s close.
The device we keep in our pocket holds an incomprehensible amount of data and access to our lives. The question is, what are we willing to do to protect it?