Mobile Malware: New Threat Requires New Response
Mobile phones, mobile devices of all kinds, are under increasing threat from malware hidden inside downloaded apps. The threat is increasing rapidly; this year has seen a doubling, or even tripling, of the incident rate over last year. The Wall Street Journal (WSJ) reports the problem as the emerging dark side of the mobile Web.
Some security threats are familiar to desktop and laptop users, but others are novel. Some examples reported in the WSJ:
- A malicious game app, downloaded from the Android Market, that wiped out all text messages and personal notes on the phone.
- An iPhone app, now removed from the App Store, that uploaded users contact lists to the vendors servers.
- Numerous banking apps that could be used to capture and use account numbers and passwords.
- Espionage and hacking attempts. Both the FBI and the U.S. Air Force ban downloading apps onto Blackberries and smart phones provided to employees. (The Air Force noted fewer than a dozen mobile phone based attacks a year ago and over 500 in May of this year.)
The latest attack: apps loaded with malware that sit dormant and then, days later, starts to auto dial overseas numbers to premium services.
When you’re phone bill comes… Ka-Ching!
That’s one of the major differences between PC and mobile attackers. On the mobile side, the device is tied to a monthly bill. And users may not know they’ve even been attacked - until the phone bill gets here.
Some people believe that there is greater likelihood of encountering malicious apps for Android devices because, until the past month or two, no one at those marketplaces was charged with screening and 'vetting' apps. Google, however, argues that their store is not more vulnerable than others, and points out new security features (including the ability to remotely disable malicious apps) added to the Android Market. And it is clear that Blackberrys and iPhones are not immune. Both RIM and Apple have had to remove approved apps after being on sale for some period of time, in response to after-the-fact customer complaints.
Countermeasures for mobile malware are available, including the outright ban on downloaded apps approach taken by the Air Force and the FBI. Apple, RIM, Google, and other app sources are increasing their efforts to detect malicious apps before they can expose users to risk. Verizon has a unit, Verizon Business, has an investigative-response team that studies computer crime and provides customers of their mobile phones and network with warnings and advice. Even trade associations, like the Financial Services Roundtable, have units devoted to detecting and countering financial crimes and misuse. The U.S. government maintains the National Vulnerability Database, under the auspices of the Department of Homeland Security, as a repository of known security threats and countermeasures.
Numerous companies offer security software, akin to the familiar anti-virus software most people have installed on their desktops and notebooks. TopTenRevies rates what they believe are the top ten vendors of mobile security solutions. A company, lookout, announced this month that they had one million registered users of their software product. The fact that they reached this goal in six months suggests that user awareness and response is increasing. Lookout reports that, "four out of five Lookout users are on Android and BlackBerry devices with the remaining users on Windows Mobile." (Those three systems are the only ones supported by Lookout.)