Mobile malware has been around since it first emerged in 2004, but beginning in 2011 security professionals witnessed an explosion of attacks, with a new incident reported every few weeks. Application development on the proprietary iPhone platform is a "walled garden", with app developers subject to a formal review process, while the Android marketplace is more open: any unvetted developer can upload applications to the Android Market, which allows for open innovation but presents security challenges. Application security researchers were startled to find that Android malware accounts for 92 percent of mobile malware today. With total malware up more than 600 percent in the past year, the latest threats to BYOD enterprises are arriving in the form of mobile applications [source: Juniper Networks Mobile Threats Report]. Complicating the problem is consumer ignorance of the security risks that come with mobile computing.
The main kinds of malicious mobile applications, or MMAs for short, which we detailed in our mobile security eBook, include:
Spyware that tracks device user activity such as texts, emails, calls, location, contacts and browsing history.
Trojans that generate unauthorized premium rate calls, texts or purchases – all charged to the victim’s wireless bill.
Phishing apps and pages that mimic the login screen of a known service such as online banking or a social network but are in fact a way to steal user credentials.
The current crop of MMAs is growing more sophisticated, with malware that operates in the background, invisible to the user, downloading and running additional executables or contacting botmasters for new instructions. The next wave of MMAs is expected to be more advanced still, with full botnet behaviour that hijacks and controls infected devices.
An Abridged History of Malicious Mobile Applications
How did we get here? To understand the capabilities of today's malware and how best to detect it, a short history of past attacks shows how malware went airborne:
Cabir (2004) – Believed to be the first worm capable of infecting mobile phones, Cabir targeted devices running Symbian OS and spread over Bluetooth. Relatively harmless, it hijacked the compromised phone's UI and drained the battery as it scanned for new devices to infect, but it served as a hacker proof of concept that caught the world's attention. The tempest was out of the teapot. Within two years the number of viruses targeting smartphones soared from one to 200.
SMS/MMS Attacks (2006) – With names like CommWarrior, RedBrowser and FlexiSpy, these worms, trojans and spyware abused ubiquitous mobile messaging services to do their damage, sending a constant stream of surreptitious messages to premium and international numbers and leaving phone users with the bill – literally.
iKee (2009) – Shortly after the explosion in smartphones, this simple yet effective worm targeted jailbroken iPhones, which exposed an SSH service with a well-known default root password ("alpine"). The worm turned compromised phones into bots that in turn scanned for and infected other phones. As in a PC-based botnet, each infected device was assigned a unique identifier so that the command-and-control server could send it specific instructions and execute commands on it individually. It was a powerful demonstration of how easy it could be for an attacker to build a fairly large, functioning botnet out of compromised mobile devices.
DroidDream (2011) – Malware hit the official Android Market with this virulent trojan. Packaged inside more than 50 seemingly legitimate applications, DroidDream tricked more than 250,000 users into downloading it before Google removed it from the marketplace. Using known root exploits, DroidDream gave attackers root access that could hijack the entire device and its data; it sent private user information to the attacker and, like iKee, laid the groundwork for a mobile botnet. Because it escalated to root rather than relying on declared permissions, it is also a reminder that reading an app's permission list is not a complete defence.
IT professionals are often caught flat-footed when it comes to mobile security. Fully a third of IT respondents to a study by Webroot admitted to some ignorance of the threats posed by MMAs, and a quarter admitted that their current level of mobile security is ineffective. For their part, users aren't helping: 73 percent admit to not notifying IT when their device has been infected.
There are some concrete steps that IT can take to protect users and inform them about the growing threat that MMAs pose:
1. Download apps only from official app stores like Apple's App Store or Google Play. The vast majority of rogue apps are found on unofficial app stores or websites, many based in China or Russia. Official marketplaces are not immune, as DroidDream showed, but staying loyal to them dramatically decreases the amount of mobile application malware users will ever encounter.
2. When evaluating third-party apps for purchase, do some research on the developer and their reputation. Read user ratings, paying special attention to reviews from disgruntled users, and seek out app recommendations from reputable sources. In turn, help other users by leaving feedback, good and bad, on the apps you have used.
3. Rethink "permissions" when installing a new app for the first time. Most users tap through the permission prompt without reading it, and malicious app developers count on that carelessness to sneak malware onto the device. Read the list of permissions the app requests before accepting, and ask whether each one makes sense for what the app claims to do: a flashlight or wallpaper app has no business sending SMS messages, reading contacts or starting itself at boot.
4. Ensure that all of your employees' mobile applications fall within your enterprise's security criteria, either with an automated mobile application testing tool or by referencing a trusted mobile app security database.
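Steps 3 and 4 can be partly automated. The script below is an added example, not code from the original article or from any vendor's testing tool: it screens a decoded AndroidManifest.xml against a hypothetical enterprise permission policy whose groups mirror the MMA categories described above (premium-rate trojans, spyware that can exfiltrate data, background agents that phone home). It assumes the APK has already been decoded to plain-text XML, for example with apktool; the policy sets, the label strings and the sample "flashlight" manifest are all constructed for the example.

```python
"""Screen a decoded AndroidManifest.xml against a permission policy.

Added example, not code from the original article.  It assumes the APK has
already been decoded to plain-text XML (for example with apktool); binary
manifests are not parsed here.  The policy groups and the sample manifest
below are constructed for the example.
"""
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Hypothetical policy, grouped by the MMA categories in the article.
PREMIUM_RATE = {"android.permission.SEND_SMS", "android.permission.CALL_PHONE"}
PRIVATE_DATA = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO",
}
NETWORK = {"android.permission.INTERNET"}
PERSISTENCE = {"android.permission.RECEIVE_BOOT_COMPLETED"}

PREMIUM_LABEL = "premium-rate trojan: can send SMS or place calls"
SPYWARE_LABEL = "spyware: reads private data and can reach the network"
BACKGROUND_LABEL = "background agent: starts at boot and can reach the network"
REVIEW_LABEL = "non-platform permission, review manually"

# Constructed sample: a "flashlight" app whose manifest asks for far more
# than a flashlight needs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="com.example.flashlight.permission.UPDATE"/>
    <application android:label="Flashlight">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""


def parse_manifest(xml_text):
    """Return (package name, set of permissions the app requests)."""
    root = ET.fromstring(xml_text)
    if root.tag != "manifest":
        raise ValueError("not an AndroidManifest.xml")
    perms = {
        el.get(ANDROID + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID + "name")
    }
    return root.get("package", ""), perms


def classify(perms):
    """Map a permission set to the MMA behaviours it could support.

    Returns a list of (label, sorted permissions that triggered it).
    """
    findings = []
    if perms & PREMIUM_RATE:
        findings.append((PREMIUM_LABEL, sorted(perms & PREMIUM_RATE)))
    # Reading private data only matters if it can also leave the device.
    if perms & PRIVATE_DATA and perms & NETWORK:
        findings.append((SPYWARE_LABEL, sorted(perms & (PRIVATE_DATA | NETWORK))))
    if perms & PERSISTENCE and perms & NETWORK:
        findings.append((BACKGROUND_LABEL, sorted(perms & (PERSISTENCE | NETWORK))))
    custom = {p for p in perms if not p.startswith("android.permission.")}
    if custom:
        findings.append((REVIEW_LABEL, sorted(custom)))
    return findings


def verdict(findings):
    """'block' on any behavioural match, 'review' on unknown permissions only."""
    labels = {label for label, _ in findings}
    if labels - {REVIEW_LABEL}:
        return "block"
    return "review" if labels else "allow"


def screen(xml_text):
    """Full pipeline: manifest text in, (package, verdict, findings) out."""
    package, perms = parse_manifest(xml_text)
    findings = classify(perms)
    return package, verdict(findings), findings


if __name__ == "__main__":
    package, decision, findings = screen(SAMPLE_MANIFEST)
    print(f"{package}: {decision}")
    for label, triggered in findings:
        print(f"  - {label}: {', '.join(triggered)}")
```

Run it and the sample app is blocked on three counts plus one custom permission flagged for manual review. A check like this catches the noisy categories (premium SMS, data-stealing spyware, boot-time agents) cheaply, but it only sees what the app declares: malware that escalates to root the way DroidDream did needs no extra permissions and will pass a manifest review, which is why step 4 still calls for a real testing tool or a vetted app database rather than this script alone.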