Welcome to the mobile malware mess, we hope you enjoy your stay
Guest editorial by Roel Schouwenberg
The anti-malware industry has been talking and warning about mobile malware for more than five years now. It seems the time has finally come.
For those who haven't been following mobile too closely, we've been bombarded with a slurry of mobile malware samples.
From mobile variants of Zeus for Windows Mobile, Symbian and Blackberry, it seems that the open nature of the platform is attracting the mobile malware authors.
Things are clearly moving fast for Android. But, up until last week, it too was missing that crucial component that could push mobile malware over that particular threshold: malicious apps in the Android marketplace.
Up until now Android malware had only been found in third party marketplaces and web sites. Now, the malicious apps are living in Google's own garden. This is particularly important because there are quite a few service providers who don't allow their customers to install non-marketplace applications. In addition, people seem to inherently trust applications that reside in a central repository.
Let's not kid ourselves - there's definitely more malware in the official market place. We're only now finding them.
I fully expect cases where the industry will only detect malicious apps months after they were published in the official marketplace.
What's more worrisome is that these apps jailbreak the phone to get full root access to the phone. These samples use widely available code to achieve this.
This tells us that Google's (code) review process for new apps is rather sub-optimal. Shouldn't they have been able to spot this?
And this is were things get really painful.
Security solutions running on Android - and other mobile operating systems - run in a very restricted manner. This is because of the security model of the mobile OS. This means that the security software must stop an attack from successfully executing, otherwise the threat may be able to run at a deeper level than the security software.
The fact that this new attack already involves getting full root access is extremely worrisome. While the intentions of restrictive security models are good, they can easily backfire.
Just think of PatchGuard on Windows 64-bit systems. PatchGuard was designed to prevent/fight 64-bit rootkits. It also meant that security software is no longer able to do certain very low-level things.
It really worked to delay the introduction of rootkits on 64-bit systems . This was great but now that those rootkits are here, it's an extra tough fight for security companies.
That brings us to the next issue. Google was very quick to remove these malicious apps from the marketplace, and from users' devices.
But can Google also undo the jailbreak and all consequent actions remotely? I surely hope that the affected devices at least got a prompt showing that the integrity of the device had been breached.
Last but not least I couldn't help but noticing how the security community was scrambling to get (all) the samples associated with the latest attack. Because Google was so fast to remove the apps this seemed somewhat of a challenge.
Moving forward I definitely hope that we can come up with a better mechanism for that. It would be great if Google could start sharing suspicious/malicious apps with the anti-malware communtity. It will be to the benefit of all involved parties.
All things considered, I can only wonder whether we're starting this new battle with too much of a disadvantage. Restricting all apps to user-mode works only if there's absolutely no way for someone to cheat.
Unfortunately, the first truly serious attack on the Android platform immediately involved someone cheating. That does not bode well for the future.
Right now, I see a lot of problems with mobile (malware). Some of which I didn't even get a chance to addressing in this piece. The most pertinent thing right now is that Google really ramps up the scrutiny for new (and existing) apps in the marketplace. It's quite simply incredible that they approved an app with easy-to-find exploit code inside.
The real mobile malware era is here. Are we really ready for it?
* Roel Schouwenberg is a senior researcher for Kaspersky Lab. He is a member of the company's Global Research & Analysis Team and focuses on all aspects of cyber security.