Will 2011 be the year of mobile malware?

While the expert predictions may have yet to fully come true, vendors are preparing for the worst

Perhaps one of the most common predictions of the last six years has been that mobile malicious software will suddenly proliferate, driven by widespread adoption of smartphones with advanced OSes.

None of those prognostications have really come to fruition, but it's likely that the coming year will bring a host of new malicious applications. Users -- while generally aware of threats aimed at their desktop computers and laptops -- have a good chance of being caught flat-footed with their mobile phones.

In the third quarter of this year, up to 80 million smartphones were sold around the world, which accounted for about 20 per cent of the total number of mobile phones sold, according to statistics published last month by analyst firm Gartner. Smartphones are Internet- capable and therefore more vulnerable to attack than other mobile devices.

The threats against those devices are going to come in several categories:

Rogue applications: Marketplaces for mobile applications are becoming increasingly popular for platforms ranging from Apple's iOS and Google's Android to Microsoft's Windows Phone 7 and Symbian. Apple maintains tight control over its App Store, which has helped reduced rogue applications from being offered. But bad applications for other platforms have popped up.

In September, researchers from security vendor Fortinet discovered a mobile component for Zeus, a notorious piece of banking malware that steals account credentials. The mobile component, which targeted Symbian Series 60 devices or BlackBerrys, intercepted one-time passcodes used to verify transactions.

The mobile app carried a legitimate signing certificate, which allowed it to be downloaded and installed on devices. The development was particularly disconcerting as many banks are looking at using mobile phones to send one-time passcodes by SMS (Short Message Service) rather than issuing separate devices that can generate the code.

There's little defense from sneaky rogue applications, but users should be generally careful about downloading programs, particularly for platforms where those applications may not be vetted so closely.

Traditional malware: While desktop OSes such as Windows are plagued by malware, there have been far fewer malicious programs aimed at mobile devices as of yet. But researchers have seen applications such as rogue dialers, which will send SMSes to premium-rate numbers owned by the fraudsters. Other threats include worms spread by communication protocols such as Bluetooth.

With the increase in use of tablet computers that use mobile operating system, those devices will also be subject to those same threats. "We do believe that is going to arrive in the next 12 months," said Bradley Anstis, vice president of technical strategy for security vendor M86. Malicious hackers are "lazy people, they will always go after the low-hanging fruit."

Privacy, data collection issues: Mobile applications can also have other privacy-related risks such as collecting, transmitting or storing data. Advertising networks and mobile application developers are often highly interested in metrics around how and where people are using their applications. Data may include information identifying a specific device, with users unaware they are being tracked. Apple, however, allows application developers to collect location information but only as long as users are notified.

Social engineering: Just like on desktops and laptops, fraud doesn't have to involve a technical trick. Phishing -- the practice of using a fake website to trick users into revealing sensitive information -- is as much or more of a threat on mobile devices. People often trust their mobile device more than their computer and are therefore more vulnerable to phishing.

If a person is on a corporate network, phishing sites are usually blocked, Anstis said. But if someone is using a work mobile device over 3G, that connection is not going through a corporate gateway but the operator's network, which may not block those harmful sites. M86 has been developing a browser-based system that would send URLs to its data center for analysis and block malicious ones, Anstis said.

Other companies are also seeing opportunities for new services around mobile devices. Juniper Networks, for example, acquired SMobile Systems in July for US$70 million. SMobile has a laboratory in Columbus, Ohio, that focuses on studying mobile malware, said Amir Khan, business development manager for the U.K. and Ireland.

"The reason we set that up is because we realize the threats in the mobile space are very specific," Khan said. "It's not just that desktop threats have migrated to the mobile world."

Join the CSO newsletter!

Error: Please check your email address.

Tags securitymobile securityYEAR END

More about AppleFortinetGartnerGoogleJuniperJuniperM86MicrosoftSymbian

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jeremy Kirk

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts