Welcome to the mobile malware mess, we hope you enjoy your stay

Summary: The real mobile malware era is here. Are we really ready for it?


Guest editorial by Roel Schouwenberg

Over the last few weeks, there's been a dramatic surge in activity in the mobile malware arena.

The anti-malware industry has been talking and warning about mobile malware for more than five years now. It seems the time has finally come.

For those who haven't been following mobile too closely: we've been bombarded with a flood of mobile malware samples.

Beyond the mobile variants of Zeus for Windows Mobile, Symbian and BlackBerry, it seems that the open nature of the Android platform is attracting the mobile malware authors.

Things are clearly moving fast for Android. But, up until last week, it too was missing that crucial component that could push mobile malware over that particular threshold: malicious apps in the Android marketplace.

Up until now Android malware had only been found in third party marketplaces and web sites. Now, the malicious apps are living in Google's own garden. This is particularly important because there are quite a few service providers who don't allow their customers to install non-marketplace applications. In addition, people seem to inherently trust applications that reside in a central repository.

Let's not kid ourselves - there's definitely more malware in the official marketplace. We're only now starting to find it.

I fully expect cases where the industry will only detect malicious apps months after they were published in the official marketplace.

What's more worrisome is that these apps jailbreak the phone to gain full root access. The samples use widely available exploit code to achieve this.

This tells us that Google's (code) review process for new apps is rather sub-optimal. Shouldn't they have been able to spot this?

And this is where things get really painful.

Security solutions running on Android - and other mobile operating systems - run in a very restricted manner, because of the security model of the mobile OS. This means the security software must stop an attack before it successfully executes; otherwise the threat may end up running at a deeper level than the security software itself.

The fact that this new attack already involves getting full root access is extremely worrisome. While the intentions of restrictive security models are good, they can easily backfire.

Just think of PatchGuard on 64-bit Windows. PatchGuard was designed to prevent and fight 64-bit rootkits. It also meant that security software is no longer able to do certain very low-level things.

It really did delay the introduction of rootkits on 64-bit systems. That was great, but now that those rootkits are here, it's an extra tough fight for security companies.

That brings us to the next issue. Google was very quick to remove these malicious apps from the marketplace, and from users' devices.

But can Google also undo the jailbreak and all consequent actions remotely? I surely hope that the affected devices at least got a prompt showing that the integrity of the device had been breached.

Last but not least, I couldn't help noticing how the security community was scrambling to get (all) the samples associated with the latest attack. Because Google was so fast to remove the apps, this seemed somewhat of a challenge.

Moving forward, I definitely hope that we can come up with a better mechanism for that. It would be great if Google could start sharing suspicious/malicious apps with the anti-malware community. It will be to the benefit of all involved parties.

All things considered, I can only wonder whether we're starting this new battle with too much of a disadvantage. Restricting all apps to user mode works only if there's absolutely no way for someone to cheat.

Unfortunately, the first truly serious attack on the Android platform immediately involved someone cheating. That does not bode well for the future.

Right now, I see a lot of problems with mobile (malware), some of which I didn't even get a chance to address in this piece. The most pertinent thing right now is that Google really ramps up the scrutiny of new (and existing) apps in the marketplace. It's quite simply incredible that they approved an app with easy-to-find exploit code inside.

The real mobile malware era is here. Are we really ready for it?

* Roel Schouwenberg is a senior researcher for Kaspersky Lab. He is a member of the company's Global Research & Analysis Team and focuses on all aspects of cyber security.

Topics: Mobility, Android, Google, Malware, Security

  • Android is based on Linux

    Linux has a superior security model. Linux cannot get a virus because of that. This article is clearly just FUD. No malware exists for any Linux variant, Android included.

    Ok, sarcasm off. Now the market share argument has been validated, perhaps we can hope for some agreement on what to do about these pests?
    • RE: Welcome to the mobile malware mess, we hope you enjoy your stay

      @honeymonster This is a M$ sponsored conspiracy to malign Linux/Android. --sarcasm
      • Malware can exploit Android in limited ways.

        A fix for current exploits in the market was released with Android 2.2.2.

        The culprits of these infections are not Google, but Handset makers and Cellphone companies and users.

        Users have the right to demand that the original manufacturer as much as the cellphone company provide the updates if a release would have prevented the infection over 60 days prior.

        This will in time bring legal trouble to manufacturers and those who sell the units, and it should. As they are responsible for the quality of the product if a known solution is available.
      • RE: Welcome to the mobile malware mess, we hope you enjoy your stay


        All OS are targets for malicious applications. Period. Especially those which perform transactions that must use personal identifying information (names, address, DOB, etc.) and some financial info.

        Smartphone/tablet apps are just the next big market to attack.
      • RE: Welcome to the mobile malware mess, we hope you enjoy your stay

        With more corporations moving to mobile-enabled applications and exposure to their internal infrastructures (think BES/Blackberry for starters), this is going to get wild and crazy fast. It's the attack-vector most talked about in many security-circles for the past several months.
    • RE: Welcome to the mobile malware mess, we hope you enjoy your stay

      @honeymonster hackers will never cooperate with google and co unless a user su.apk is available. Deny root to the owners of their devices and you'll get no help plugging root holes.
    • easy solution

      use a secure os like ios, blackberry os or wp7 instead. android: open, as in open target.
    • RE: Welcome to the mobile malware mess, we hope you enjoy your stay

      @honeymonster :)nice
  • Mobile malware in the Market Place has happened several times in the past.

    This is the biggest but not, by far, the first event within the Market Place.

    "But, up until last week, it too was missing that crucial component that could push mobile malware over that particular threshold: malicious apps in the Android marketplace."

    Is categorically a false statement. This has been happening as early as Dec 2009 or so and is nothing really new.
    • Exactly, Roid malware has been in Google's garden since day one.

      @Bruizer

      I know you can do better Ryan, I've seen it and read it...

      Google has never done anything for quality control. Just google "android malware" and choose news and filter back to right after Roid was released... SMobile released AV for Roid November 2008.

      http://www.tmcnet.com/usubmit/2008/11/05/3761863.htm

      "Days after the release of Android, the first exploit became public," said Daniel V. Hoffman, chief technology officer, SMobile Systems. "VirusGuard allows users to react quickly to new Malware-related threats and to protect their devices without having to wait days or weeks for an operating system update." (that was before Google went to yearly updates... LOL)

      Those exploits were first found in Google's very own Android App store.

      One of the things I have said all along.. Roid is a festering cesspool of virii and malware. Remember the free screensaver app that stole 7 million identities and sent them to China? That came from Google's Roid store.

      Not sure if you are in denial or what Ryan. But Roid malware is nothing new, and the vast majority of it came from Google's backyard.
      • Ahhhh... Guest editorial by Roel Schouwenberg...

        Guest editorial by Roel Schouwenberg

        I didn't see that at first... (I guess that explains the picture of the bearded lady.. LOL)

        Roel, go fix your facts dude, they are dead wrong and you are giving Ryan a bad name. See my post above.
  • Sub-optimal? Try negligent, Or completely missing. Or we couldn't

    care less until it makes the news. Did you notice that no apps are available for download right now until one by one they've been through the new vetting process? Yeah neither did I... apple does some minimal review. in the ms marketplace every single byte of code in every single app has been inspected prior to making it available. There's no excuse for google doing any less, they're making money hand over fist off the services licenses they're charging for every android phone shipped and every ad spammed to your phone. And yet they do nothing. Take that as a strong sign of what they think of their customers...
    Johnny Vegas
    • RE: Welcome to the mobile malware mess, we hope you enjoy your stay

      @Johnny Vegas

      Google's customers aren't the Android users, they're the firms that buy Google's advertising services. To Google, Android users are actually a resource, in much the same way that sheep are a resource to a sheep farmer. He feeds them and looks after them, but it's ultimately the wool, the milk and the meat that he's after.
      • RE: Welcome to the mobile malware mess, we hope you enjoy your stay

        @WilErz Perfect summary.
      • sheep

        true and great analogy. and yet there are a lot of sheep on these tech-sites. how can you be a fan of the butcher that will slaughter you? unbelievable.
  • So this proves how secure WP7 is over Android

    Because there is no known malware for WP7.
    Will Farrell
    • RE: Welcome to the mobile malware mess, we hope you enjoy your stay

      @Will Farrell

      That's because the software is examined thoroughly first.
    • RE: Welcome to the mobile malware mess, we hope you enjoy your stay

      @Will Farrell : does "no KNOWN malware" mean what I think it means? Or does it mean there haven't been enough WP7 phones sold to make it worth malware engineers' time... yet?
      • RE: Welcome to the mobile malware mess, we hope you enjoy your stay

        I hope so.