If you use it, mobile malware will come

IT people who try to secure mobile devices in a big company face three big conceptual problems.

First, many, if not most, of the smartphones and tablets are from Apple. Both veteran and rookie users tend to believe Apple devices aren't vulnerable to malware and hacks, so users don't need to take any precautions.

Second, even non-Mac users tend to think security is already built into their smartphones or tablets, so they also resist efforts to install anti-virus, firewall or other additional security on what are often their own systems.

Third, the fastest-growing malware segment targets Adobe applications rather than the traditional browser or operating system, doing an end run around the expectations of both users and many IT security people, according to analysts at the security firms McAfee and Commtouch.

The sense of security that Apple users have comes from the Mac. Mac users have been trained to feel safe because Apple averages 6 percent to 8 percent client OS market share, which has encouraged malware writers and botnet builders to aim at Windows machines instead, according to Alex Stamos, a security analyst at iSec Partners.

Android Takes the Malware Lead

The August edition of security firm McAfee Labs's quarterly threat report found that the number of malware threats rose faster during the first six months of this year than ever -- 22 percent faster than last year, which held the previous record.

Among mobile devices, malware aimed at Google's Android OS increased in number 76 percent compared to the year before, taking the lead from Symbian, previously the most-threatened smartphone operating system. Still, though it leads smartphone OSes in the number of malware threats, McAfee found only 44 specifically aimed at Android. But given there are 425,000 iOS apps on the market compared to about 200,000 for Android, the difference in availability of malware is remarkable.

And it is causing some damage. During the first half of 2011 about half a million Android users were infected with some form of malware; the number of infected Android apps skyrocketed from 80 in January to more than 400 by June, the Lookout report found.

By the end of 2012, 5 percent of all Android and iOS phones or tablets will have been infected at least once by viruses or trojans -- most likely versions designed to steal information about users' bank accounts, not just prove it's possible to infect an iPhone, according to a report from security vendor Trusteer and its CEO Mickey Boodaei.

The fantastically successful Zeus malware kit, which is designed to steal banking information, has been found running effectively on every major phone OS except iOS, according to Sophos virus researcher Vanja Svajcer.

iOS Faces Far Fewer Threats

So far, however, McAfee has found not one single credible threat from trojans, viruses or rootkits designed for iPhones, iPads or anything else running Apple's iOS.

Rival security firm Commtouch did find one iPhone virus hosted on a malicious Web site to which users were directed by spam emails that claimed to offer photos of the "iPhone 5G S." Instead it downloaded a trojan called iphones5.gif.exe.

Part of the reason iOS malware is so rare is that it's easier to develop for the open-source-modeled Android than the closed and proscribed requirements of iOS, the report found.

Unlike desktop and laptop machines, which are usually infected by malicious attachments in email or visits to poisoned web sites, the most common infection point for smartphones is an app poisoned by hackers and downloaded by users who assume it is clean, according to a July report from Lookout Mobile Security.

That explains why Android devices are more vulnerable than iOS. It's easier to distribute malicious software through the comparatively uncontrolled Android apps marketplace than through Apple's iTunes App Store because Apple spends more time vetting the apps, Stamos said. So far the most common infection method is poisoned versions of legitimate apps that appear in an Android App Store.

None of the commonly available malware or hacking toolkits include canned exploits or virus frameworks designed for the Mac, so "script kids" without extensive programming skills of their own have a much harder time attacking iPhone than Windows, he said.

Aside from Apple's efforts to filter malware out of iOS distribution points, the operating system also has a more effective sandbox for running third-party applications than even Mac OS X Lion server. All third-party apps get access to the same data, but are controlled more closely and have to ask the OS for information such as location data rather than retrieving it themselves, according to the Lookout report.

The almost non-existence of malware for iOS doesn't mean there are no threats, especially those hidden on malicious web sites that could attack using Java, HTML5 or other code that iPhones support, but which are not exclusive to iOS.

The major risk to iOS devices is jailbreaking them, which enables them to run apps other than those from Apple's iTunes App Store, thus opening the device to more threats. So far, however, even jailbroken iPhones have not been found to be infected, Stamos said, but that won't last long.

Closing the Open Book

All handhelds are vulnerable to total data loss if they're left behind in airports or coffee shops, according to IDC research analyst Ian Song. That's because few handheld users encrypt all their data or require a password to access them every time the screen goes dark, so any lost smartphone is, essentially, an open book.

The best option for that problem is to use only smartphones whose storage can be wiped clean or reformatted remotely, whether by administrators or by the user. Apple, for example, provides wipe and lock services for customers who lose their iPhones.

"Otherwise there's nothing you can do but call it and maybe someone will mail it back to you," Song said.

Don't Rest Easy

Still, hackers have a wide range of doors through which they can slip with smartphones, analysts said -- via Bluetooth, Wi-Fi and 3G connections if they can crack the encryption; even SMS messaging.

Aside from embedding malware that can corrupt the phone while it's running, it's possible to intercept or spoof data signals, especially SMS traffic, which can be used to infect and control an Android phone.

The upshot, for both Android and iOS users?

"A phone is a computer, and it needs the same kind of security as a computer -- firewalls, antivirus, backup," Song said. "If you don't treat it as a potential risk, eventually it's going to bite you."

Stories by Kevin Fogarty

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place