Be prepared for the year of mobile malware

Consumer behaviour will determine the extent of the threat to mobile devices, but expect more malicious activity, says Rik Ferguson

The number of types of attack on mobile devices may not be growing, but circumstances are conspiring to create a genuine threat, says Rik Ferguson.

The rise in threats to mobile devices is definitely real, although still a long way from reaching epidemic proportions. The real message for the coming months is about preparedness.

There were a limited number of new threats in 2009, but a significant increase in their complexity and criminal intent. Signs are that consumer acceptance of mobile phone-based financial activity is now mainstream, with handset banking applications even being advertised on primetime television.

Rudimentary botnets
Two distinct handset-based rudimentary botnets emerged last year: one on the Symbian platform, which was aimed at stealing phone identity details and propagated through SMS; and one, more recently, that affected only jailbroken iPhones and was clearly aimed at banking customers in the Netherlands, stealing their details and passing them on to a command-and-control server in Lithuania.

With this change in consumer habits and also the possibility, finally, of some sort of handset monoculture being created at the application layer — with the cross-platform availability of Adobe Flash for mobile — expect to see more mobile-related malicious activity, the extent of which will be dictated by consumer behaviour.

It is true to say that the threat is growing, but it is really more in complexity than in sample size. In fact, some commentators have noted that the raw number of malicious code samples has actually dropped over recent years.

Social engineering
It is important to remember that many of today's threats do not rely on malicious code and are purely web-based social-engineering exercises, such as pushing rogue social network applications, and phishing for bank, email, social networking or other credentials.

These attacks target the end user, irrespective of the device they are using — whether it be a mobile handset, netbook or PC. The problem is sometimes exacerbated on handsets by the way web browsers have been designed to save on screen space. For example, the default browser on my Symbian-based handset does not show the URL of the page I am visiting, yet that feature is often our last line of defence against phishing attacks and scam websites.

It is difficult to say whether one mobile operating system is more or less vulnerable than another, since, again, vulnerability is influenced to a large degree by user behaviour. Most handset operating systems enforce code-signing, meaning no unauthorised code can be run, but the user is free to disable this.

Apple iPhones have a relatively secure architecture that prevents applications from seeing files other than their own. But many users jailbreak theirs and install unapproved, unexamined apps, which opens security holes. The latest iPhone worms exploited holes of this type.

Mobile malware will be driven by consumer behaviour. Online crime is about money, and as more mobile devices are used for web browsing, banking or storing personal information, their attractiveness will increase. The lack of a dominant vendor is also a mitigating factor, but in the world of exploits and malware, most attacks are now aimed at applications rather than operating systems.

Common attack vector
The emergence of Adobe Flash for mobile devices may begin to provide the common attack vector that is currently missing. Certainly, once an operating system attracts determined criminal intentions, you can bet more flaws will become apparent.

The key protection for the enterprise when it comes to handsets is encryption, preferably combined with a remote-wipe capability, which is great against loss or theft of devices. Data leak prevention tools are also beginning to offer some integration with mobile services to prevent sensitive corporate data from being transferred onto vulnerable devices in the first place.

Mobile devices and the protection thereof should be managed in a very similar context to the more familiar computer estate of the enterprise — through central management, central policies and centralised logging. Acceptable use policies should be revisited to ensure they contain guidelines on the use of mobile devices, and training should be more than a one-off event. Of course, that is true of all security training.

I would suggest a tip-of-the-day approach to security training — daily, small message stuff. As more and more user-configured and user-supplied technology creeps into the workplace, enterprises need to invest in building a culture of security.

Rik Ferguson is senior security adviser for Trend Micro. He has over 15 years' experience in the IT industry with companies such as EDS, McAfee and Xerox.