Enisa: Malware for smartphones is a 'serious risk'

The European security agency has released a report highlighting the most dangerous aspects of smartphone usage for business users and consumers
Written by Ben Woods, Contributor

Businesses and consumers are at risk of data breaches through smartphone use, according to the European Network and Information Security Agency.

Data leakage and disclosure, phishing and spyware are among the more common risks, the European Network and Information Security Agency (Enisa) said in a report on Friday.

The report focused on threats posed to the end user, company employees and high-level company officials: people who use smartphones to manage disparate aspects of their lives.

"Smartphones are a goldmine of sensitive and personal information — it's vital to understand how to maintain our control over this data," said Giles Hogben, co-author of the report.

One of the most common risks associated with smartphones is the unwitting transmission of confidential information through applications that use location services, such as geolocation data included with pictures taken using a smartphone camera, Enisa said.

"Many users are unaware or do not recall that the [location] data is being transmitted, let alone know of the existence of the privacy setting to prevent this. Unintentional disclosure may help attackers to track and trace users and so allow stalking, robbery or hijacking," the report said.
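The location leak Enisa describes is concrete enough to show in code. The Python script below is an added example written for this page; it is not from the Enisa report, the article's author, or any handset vendor. It constructs a tiny JPEG skeleton (labelled as constructed; it is not a decodable picture) carrying the Exif GPS block a camera writes when location tagging is on, reads the coordinates back out the way a scraper or a stalker's tool would, and then strips the Exif segment the way a privacy-preserving upload path should. The coordinates, the file layout and all function names are assumptions made for illustration; only the Exif/TIFF field structure it parses is standard.

```python
import struct

# Constructed sample data: a JPEG skeleton (not a decodable picture) carrying the
# Exif GPS block a smartphone camera writes when location tagging is enabled.
JPEG_SOI, JPEG_EOI = b"\xff\xd8", b"\xff\xd9"
EXIF_HEADER = b"Exif\x00\x00"      # APP1 payload prefix that marks Exif data
GPS_IFD_TAG = 0x8825               # IFD0 entry that points at the GPS sub-IFD
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}  # TIFF field types

def build_exif_gps_tiff(lat, lon):
    """Big-endian TIFF block: IFD0 -> GPS IFD -> lat/lon stored as DMS rationals."""
    def to_dms(v):
        v = abs(v)
        deg, minutes = int(v), int((v - int(v)) * 60)
        seconds = (v - deg - minutes / 60) * 3600
        return [(deg, 1), (minutes, 1), (int(round(seconds * 1000)), 1000)]
    def ascii_entry(tag, text):     # a 2-byte ASCII value fits inline in the entry
        return struct.pack(">HHI", tag, 2, 2) + text.encode() + b"\x00\x00\x00"
    def rational_entry(tag, off):   # three RATIONALs (24 bytes) live at an offset
        return struct.pack(">HHII", tag, 5, 3, off)
    gps_ifd_off = 8 + 2 + 12 + 4                 # header, then IFD0 with one entry
    data_off = gps_ifd_off + 2 + 4 * 12 + 4      # GPS IFD with four entries
    tiff = b"MM" + struct.pack(">HI", 42, 8)
    tiff += struct.pack(">H", 1) + struct.pack(">HHII", GPS_IFD_TAG, 4, 1, gps_ifd_off) + b"\x00" * 4
    tiff += struct.pack(">H", 4)
    tiff += ascii_entry(0x0001, "N" if lat >= 0 else "S")    # GPSLatitudeRef
    tiff += rational_entry(0x0002, data_off)                  # GPSLatitude
    tiff += ascii_entry(0x0003, "E" if lon >= 0 else "W")    # GPSLongitudeRef
    tiff += rational_entry(0x0004, data_off + 24)             # GPSLongitude
    tiff += b"\x00" * 4                                       # no further IFD
    for n, d in to_dms(lat) + to_dms(lon):
        tiff += struct.pack(">II", n, d)
    return tiff

SAMPLE_TIFF = build_exif_gps_tiff(51.5074, -0.1278)   # assumed location for the sample
SAMPLE_JPEG = (
    JPEG_SOI
    + b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\xff\xe1" + struct.pack(">H", 2 + len(EXIF_HEADER) + len(SAMPLE_TIFF)) + EXIF_HEADER + SAMPLE_TIFF
    + b"\xff\xda" + struct.pack(">H", 2) + b"\x00\x00"   # stand-in for SOS and scan data
    + JPEG_EOI
)

def jpeg_segments(jpeg):
    """Yield (start, marker, bytes) for each header segment before SOS or EOI."""
    if jpeg[:2] != JPEG_SOI:
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] not in (0xDA, 0xD9):
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]   # counts itself, not the marker
        yield pos, jpeg[pos + 1], jpeg[pos:pos + 2 + length]
        pos += 2 + length

def parse_gps(tiff):
    """Return (lat, lon) in decimal degrees from a TIFF block, or None if absent."""
    endian = ">" if tiff[:2] == b"MM" else "<"
    magic, ifd0_off = struct.unpack(endian + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("bad TIFF header")
    def read_ifd(off):
        count = struct.unpack(endian + "H", tiff[off:off + 2])[0]
        entries = struct.iter_unpack(endian + "HHI4s", tiff[off + 2:off + 2 + 12 * count])
        return {tag: (typ, n, raw) for tag, typ, n, raw in entries}
    def value(typ, n, raw):
        size = TYPE_SIZES[typ] * n
        if size > 4:                                   # large values sit at an offset
            off = struct.unpack(endian + "I", raw)[0]
            raw = tiff[off:off + size]
        if typ == 2:
            return raw[:size].rstrip(b"\x00").decode("ascii")
        if typ == 5:
            return [a / b for a, b in struct.iter_unpack(endian + "II", raw[:size])]
        return struct.unpack(endian + "I", raw[:4])[0]  # LONG (type 4), count 1
    ifd0 = read_ifd(ifd0_off)
    if GPS_IFD_TAG not in ifd0:
        return None
    gps = read_ifd(value(*ifd0[GPS_IFD_TAG]))
    def coordinate(ref_tag, val_tag, negative_ref):
        if ref_tag not in gps or val_tag not in gps:
            return None
        d, m, s = value(*gps[val_tag])
        sign = -1 if value(*gps[ref_tag]) == negative_ref else 1
        return sign * (d + m / 60 + s / 3600)
    lat, lon = coordinate(0x0001, 0x0002, "S"), coordinate(0x0003, 0x0004, "W")
    return None if lat is None or lon is None else (lat, lon)

def extract_gps(jpeg):
    """What a scraper sees: the GPS fix embedded in an uploaded photo, or None."""
    for _, marker, seg in jpeg_segments(jpeg):
        if marker == 0xE1 and seg[4:10] == EXIF_HEADER:
            return parse_gps(seg[10:])
    return None

def strip_exif(jpeg):
    """Drop every Exif APP1 segment; keep all other bytes exactly as they were."""
    out, end = bytearray(JPEG_SOI), 2
    for start, marker, seg in jpeg_segments(jpeg):
        if not (marker == 0xE1 and seg[4:10] == EXIF_HEADER):
            out += seg
        end = start + len(seg)
    return bytes(out) + jpeg[end:]          # SOS, scan data and EOI pass through
```

Calling `extract_gps(SAMPLE_JPEG)` returns the assumed fix to four decimal places, which is street-level accuracy; `strip_exif` removes only the Exif segment, so the image data and the JFIF header survive. Two caveats for anyone adapting this: location can also ride in an XMP packet (a separate APP1 segment with an `http://ns.adobe.com/xap/1.0/` header rather than `Exif\0\0`), so a strict upload filter drops every APPn segment except the JFIF one rather than matching headers; and the Exif block often carries a thumbnail of the original image, which is another reason to remove the whole segment rather than blank the GPS tags in place.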

Enisa also found that 'dialler ware', spyware and financial services malware pose a medium risk to company employees and a high risk to consumers.

Certain services, such as SMS, phone calls and data usage, incur charges for the consumer, so a rogue app can run up unexpectedly high bills for those services. For example, some Windows Mobile apps were found to have been repackaged with malware, known as 'dialler ware', that silently dialled premium-rate phone numbers.

Spyware is designed to harvest user and usage data, and the abundance of information carried on the average smartphone makes such devices a target, said the agency. The smartphone model, which asks users for permission before installing software, provides some protection from spyware. However, Enisa said that "even when it seems there is a legitimate need for an app to send data over a particular channel, the permission model of smartphones is not always granular enough to protect users against abuse".

Financial services malware is software created to harvest or intercept users' online banking details either through key-logger software, SMS interception or by posing as a legitimate banking app.

Smartphone platforms have in the past been less prone to security difficulties than PCs, said the report.

"This may be due to the efforts from platform vendors or simply because traditional PCs still provide an easier and more interesting target for attackers," said the report.

The researchers also point out that mobile devices have many of their features sandboxed, unlike PCs, and are therefore less vulnerable to attack.

The report notes that the 'walled garden' approach — which only allows digitally signed apps from a central distribution channel, such as the iTunes app store — taken by many software vendors also decreases the possibility of accidentally installing malicious software. Apple iPhone users who want to install unsigned apps need to jailbreak their handsets first, while Google's open-source Android OS provides a specific option that allows users to install non-Android Market apps without 'rooting' their device.

Some mobile operating systems also employ 'remote kill' features that allow a handset to be wiped remotely or allow a third party to remove certain apps from users' handsets; however, remote application removal has met with objections.

"The judgement about whether a particular app is malicious may not be clear-cut so there is the potential for 'false positives' that result in the removal of apps that were not acting maliciously," the report says. It also notes that data-protection laws governing access to a user's device could be implicated in the practice.

Enisa also highlights the possibility that the increase in smartphone usage could overwhelm an operator's data network capacity. However, it notes that in the UK and Europe the switch from analogue to digital TV services will free up spectrum that could be used for mobile data.
