Getting malware onto smartphones has until now involved a PC somewhere along the way, but that's about to change. Next-generation mobile malware is only months away, which will attack the device directly, leading to developments such as mobile botnets, according to Amil Klein, chief technology officer at Trusteer.
Amit Klein (Credit: Munir Kotadia/ZDNet Australia)
When malware goes straight to the device, all of the malware techniques already seen in desktop operating systems will be available to mobile malware developers — which means that the development cycle will be rapid.
"The only thing that they are probably waiting for is a critical mass in online banking moving to mobile devices. Once the money is there, they'll be there within not years this time but months."
So far, we've seen three generations of mobile malware, said Klein.
Generation 0, as Klein called it, was simply about inflating the victim's phone bill by sending high-cost SMS messages and dialling premium-rate international numbers. Examples are Trojan-SMS.AndroidOS.FakePlayer and WinCE Terdial.
Generation 1 used phishing techniques to obtain user log-in credentials. A key example was iPhoneOS/Ikee.B, which changed local host settings to redirect bank customers to a phishing site. It spreads via the network among jailbroken iPhones.
Generation 2 is more sophisticated. It can attack all smartphone communications channels: email, phone and SMS. It can subvert online financial transactions by intercepting and even modifying notification and authorisation messages.
The prime examples of Generation 2 mobile malware are Zeus in the Mobile (ZitMo) and SpyEye. They can attack BlackBerry, Symbian and Win Mobile, and commands are delivered to the hacked phone by SMS. Commands include sending, forwarding or deleting SMS without the user knowing, adding or deleting call blocks and forwarding, blocking and unblocking phone numbers.
The code for Zeus was leaked recently and another security researcher, Tomasz Salacinski, described it as "really good" and an "impressive piece of work".
For example, Zeus takes just six lines of code to intercept and remove the payment confirmation email that's otherwise received when Zeus conducts a fraudulent transaction — provided, at least, that the smartphone's user is accessing their email through one of the major webmail providers. The result is that the user doesn't know funds were stolen until their monthly statement arrives.
Klein says that we've already seen three documented attacks by Generation 2 mobile malware. The first was in September 2010, when Zeus was used to attack multiple Spanish banks. The second, in February 2011, also used Zeus, and was aimed at ING Poland. The third, in April 2011, used SpyEye to attack multiple German banks.
Klein's clear message was that the next-generation malware is imminent, and will develop fast.
The good news in all of this, said Klein, is that the solution landscape is similarly mature. "It, too, can learn a lot from what we have done — what works and what not — in the desktop world," he said. The solutions already ported to the mobile world include anti-virus and secure browsers, as well as solutions for which there's no direct desktop equivalent such as application hardening.