While mobile malware exists, it remains relatively rare compared to malware on computers. There are several reasons for this, including that mobile users typically do not have administrator privileges, most download apps only from official app stores that monitor for malware, and mobile phones contain less sensitive data than computers. However, as mobile phones take on more functions like mobile payments, they may become more appealing targets for cybercriminals. Companies need to focus more on changing employee security behaviors than worrying only about the technical risks of mobile malware.
Pocket virus threat
1. Difference Engine: The threat in the pocket | The Economist
Babbage
Science and technology
Difference Engine
The threat in the pocket
Oct 18th 2013, 22:30 by N.V. | LOS ANGELES
GIVEN all the talk about mobile malware—Trojans, viruses, keyloggers, phishing expeditions
and other scams infecting the phones in people’s pockets—users might be forgiven for thinking
cybercrooks are cleaning up at their expense. Truth is, surprisingly few bits of malware have
found their way into mobile phones. More by accident than design, smartphones have turned out
to be much tougher to infect than laptops and desktop PCs. At least, that is the case at present.
Makers of security software would like mobile-phone users to think otherwise. Everywhere
Babbage turns these days there is yet another white paper on the threat of mobile malware.
Adverts, too—online and in print—warn increasingly of the dangers of texting and talking,
searching and surfing without some form of protection against malicious software.
Individuals should take note, but the warnings are aimed primarily at IT professionals in
firms where employees are allowed to use their own phones and tablets to connect to
company networks.
Certainly, the BYOD (bring your own device) trend has created security headaches for
network managers. It may be one thing for individuals to discover some malicious app they
have unwittingly downloaded has racked up large telephone bills by spewing out text
messages to pricey pay-to-use services. It is quite another for IT managers to learn that
company secrets—contact lists, passwords, authentication keys, business plans and
confidential memoranda—have been leaking out via employees’ phones to competitors or
criminals. While individuals may be hundreds of dollars out of pocket, companies could be
on the hook for millions.
Mobile malware is still very much in its infancy. Adrian Ludwig, Google’s top security
engineer, reckons only one in 100,000 apps downloaded by Android users from all sources,
legitimate or otherwise, pose any threat. Researchers at Georgia Institute of Technology and
Damballa, a security firm based in Atlanta, agree.
After surveying two networks with some 380m users between them, the Georgia researchers
found fewer than 3,500 phones with signs of having been infected by malware—ie, one in
108,000. Given that there are around 1.5 billion smartphones and tablets in the world (about
the same number as there are desktop and laptop computers), probably fewer than 15,000
mobile devices are harbouring mischievous software of some sort.
That is nowhere near enough to attract the attention of criminals. The black-hat botnets they
rent by the day, week or month to carry out their nefarious bidding comprise hundreds of
thousands of zombie computers that have been infected and hijacked unbeknown to their
owners. Such computers present a far easier target for cybercrooks—whether to corral into
botnets, or exploit directly for criminal purposes.
There are good reasons why smartphones have proved tougher nuts to crack than computers.
First, mobile-phone users are rarely administrators by default—unlike, say, users of
Windows XP computers, where everyone has administrative privileges unless they have
taken the trouble to set up individual user-accounts with separate passwords. The danger, of
course, is that administrators (or super-users in Linux-speak) can tinker with the settings of
a device’s operating system to their heart’s content.
It is possible, of course, to grant such rights to phone users—through jailbreaking an Apple
device or rooting and sideloading an Android. Doing so, however, not only voids the maker’s
warranty, but can also “brick” the device—turning it into an expensive paperweight.
Even so, there are always folk willing to take the risk, to add functions and features to their
phones that are not normally available. But doing so exposes them to vulnerabilities which
can be readily exploited. One of the more common tricks hackers use is to inject a “secure-shell daemon” into a device by embedding it in an e-mail message or a website offering free
downloads. Tools like secure shells allow malware to spread quickly across networks, while
setting up “packet forwarding” routines to establish bridges between company networks and
unauthorised servers elsewhere.
Fortunately, with jailbreakers and rooters occupying such a tiny corner of the mobile-phone
universe, cybercriminals tend not to waste time trying to rip them off. Mainstream computer
users make easier and more lucrative targets.
Another reason why mobile phones have so far remained largely free of malware is because
they lead such sheltered lives. Most users download any apps they want (the average is
around 40) from one or other of the two official locations: Google’s Play Store for Android
devices, and Apple’s App Store for iPhones and iPads. Both are reasonably well policed.
Despite its laissez-faire reputation, Google’s marketplace for apps is curated far better than
third-party sites, though nowhere near as rigorously as Apple’s.
With 1m apps available for the Android operating system and over 750,000 for Apple’s iOS,
users have little need to venture outside their walled gardens. The small minority who visit
dubious download sites have only themselves to blame if their phones become infected.
Third-party app stores, especially for Android devices, tend to be dens of iniquity. Most offer
free apps for downloading pornography or pirate copies of sought-after music, video and
utilities as honeypots for the gullible. As a rule, expect anything downloaded from third-party sites to come with some form of malware embedded in it.
At its least damaging, such downloads may be no more than nuisanceware—software that
causes adverts to pop up, unnecessary toolbars to be added to browsers, and home pages
diverted to inappropriate sites. Other times, it is just scareware—software that offers to scan
the user’s device for viruses and the like, and then requires payment for the full version of
the software needed to fix the problem, which probably did not exist in the first place.
At its most toxic, by contrast, mobile malware can collect personal data and contact lists,
monitor keystrokes, track the phone’s location, even take photographs or video of users and
their surroundings. It will then transmit the proceeds back to servers run by organised crime
for extortion, identity theft, scams or phishing trips.
Because mobile phones, unlike laptops and desktops, are still not widely used for online
banking or credit-card transactions, they tend to be of less interest to the cyberworld’s shady
characters. However, that is changing.
Thanks to improvements in “near-field communication”, phones are beginning to morph
into wallets—with all the necessary links to bank accounts and credit cards—so users can
make incidental payments at stations, convenience stores and elsewhere merely by waving
their phone near a terminal. Cybercrooks are, no doubt, watching such developments with
interest.
Overall, though, it is business that tends to suffer most from follies users have with phones.
And the biggest hazard of all is not mobile malware, but data leakage caused by employees
losing their phones, or selling sensitive corporate information collected on their mobiles.
Gartner, an information-technology consultancy based in Stamford, Connecticut, counsels
clients not to get too worked up about malware penetrating their networks through the
personal devices employees bring to work. It is the users themselves who are the problem,
not their mobile phones.
How, for instance, do companies prevent employees from responding to “spear-phishing
attacks” in the form of highly personalised and legitimate-looking e-mail or text messages
from seemingly reputable sources that seek clarification of various corporate details?
Security measures need to focus more on changing social behaviour, rather than trying to
solve the relatively minor problem of mobile malware.
As for Babbage, he has taken the precaution of activating the Google app on his Android
phone and tablet that enables devices to be located, tracked, rung or wiped clean if lost or
stolen. He also keeps their WiFi and GPS radios switched off until needed. That saves battery
life, and adds an extra layer of protection.
He has also installed a popular security suite on both devices that blocks all known malicious
software. He is aware that it is not the known threats that are the problem, but the unknown
ones (ie, the “zero-day” attacks). Still, he sleeps easier with it there. The only other thing he
does religiously is to steer clear of third-party download sites with offers that seem too good
to be true. Invariably, they are.
http://www.economist.com/blogs/babbage/2013/10/difference-engine-0/print
1392/08/08