Mobile adds to advanced threat concerns

Cybercriminals' preferred vehicle to penetrate an organization via an advanced persistent threat (APT) may one day be a mobile device, particularly a cellular phone, but this scenario will take time to be realized, said Trend Micro executives.

In a phone interview with ZDNet Asia, James Lee, director of business strategy at Trend Micro, noted that APTs targeting mobile computing devices is "not a question of if, but a question of when". Explaining, he said APTs don't necessarily only target industrial equipment such as Scada (supervisory control and data acquisition) systems. Rather, their intent is to destroy critical infrastructure or steal data.

The executive stated that there have already been Android malware that sends out device data such as IMEI (International mobile equipment identity) number and version of operating system (OS) to a command and control server. Such malware, he said, demonstrate similar intent for data theft that APTs were created for.

Lee added: "The leaked information can potentially be used to create malware that can target a specific OS or user group, which can then be used to launch a DDoS (distributed denial-of-service) attack against a certain network infrastructure [or] for online identity theft."

APTs first made headlines last year when security experts uncovered a stealthy operation dubbed Operation Aurora that targeted a number of prominent companies including Google. In July 2010, another APT called Stuxnet appeared to target an Iranian nuclear plant. This category of online attacks was also identified as the cause of the security breach suffered by EMC's security division, RSA, earlier this year.

While APTs gain in prominence, Myla Pilao, Trend Micro's director of core technology marketing, noted that "it will take time" for smartphones and tablets to be the sole entry point for cybercrooks when it comes to highly-targeted attacks.

Currently, mobile devices are "middleman devices" and their growing numbers present a lot of opportunities to criminals for use as entry points for attacks, said Pilao. However, they are not repositories for lucrative data and not yet capable of being the sole channel to extract sensitive information.

Mobile botnets a worry
This has not stopped users from worrying about mobile security, though. Lee pointed out that both the public and private sectors in Singapore, for example, are increasingly concerned about mobile botnets in light of the growing adoption of smartphones and tablets.

The prevalence of these endpoints not only highlights the risk of data leakage, but also the possibility of DDoS attacks, he added.

However, Lee maintained that such concerns were brought up in discussions around the need to rethink enterprise security given the rise in mobile computing devices and uptrend in "IT consumerization or bring-your-own device".

Moreover, mobile botnets are less threatening than PC botnets, noted Macky Cruz, a technical communications specialist at Trend Micro's TrendLabs. An infected laptop, for example, would have "more ability to perform the payload" given its better processing power, she said.

But Cruz admitted that mobile botnets will have a bigger impact going forward as tablets and smartphones get fitted out with more powerful processors.

Paul Ducklin, Asia-Pacific head of technology at Sophos, thought differently. He questioned if a mobile-driven DDoS attack would give crooks any "major advantage over the sort of botnets they already have at their disposal".

This is because the "modern smartphone user world is generally more tightly-managed by the OS vendor and the telephone provider", compared to the combination of PC platforms and broadband Internet service providers (ISPs), he explained.

"Handsets are generally more traceable, too, as more and more countries put increasingly intrusive identity checks into the purchasing process, even for pre-paid data plans," said Ducklin. "In fact, you could argue that the hybrid nature of smartphones--phone, SMS (short message service), voicemail, Internet--actually makes it much easier for mobile phone companies to cut off the Net connectivity of infected users as they could simultaneously alert the user via a different channel."

ISPs, on the other hand, are typically reluctant to cut off any but the most egregious 'known bot offenders' as such terminations mean a raft of possibly expensive support calls to get the customer out of trouble, he noted.

The Sophos expert said what would be more worrying to organizations are the "low-key, low-bandwidth malware that doesn't draw attention to itself by pounding out malicious Web traffic to attack other people", but undermines users' security by stealing passwords, fiddling with banking transactions or engaging in spyware-like behavior.