Security issues around mobile phones are garnering more and more attention in their own right. CBR sat down with David Emm, Principal Security Researcher, Global Research & Analysis Team at Kaspersky, to discuss some of the main threats and what people can do about them.
CBR: Ransomware has been in the news recently. Can you tell me more about it?
DE: Most of the malware we see for mobile phones mirrors what we see on desktops and laptops. It’s been a gradually evolving thing, and I think 2011 was a bit of a turning point there. That’s when we started to see a massive ramping up of numbers. I think we saw six times as much malware in 2011 as we saw in the six years preceding it, and we’ve seen that level of exponential growth since. At the end of 2013 there were about 200,000 code samples; 295,000 new ones were added last year.
I think they’re gradually adding to their repertoire, and ransomware is an obvious one. If you send someone a phishing email or message, they may not click on it, or they may not have a relationship with that financial institution. With ransomware, everyone’s got files on their device, so you’re onto a sure-fire thing.
It works on mobiles as well as laptops. Ransomware tends to take two forms: they’re either blockers, which block access to the device, or they actually encrypt the data. Initially, on mobiles, about a year and a half ago, we saw blockers. More recently we’ve seen ones that will encrypt the data.
They pretend to be from a police agency, varying it depending on location, so it could be the National Crime Agency here, or the FBI. One twist on mobile is that, for the graphic which pretends to be from the police, they will take a picture with the camera and put that image in the background so that it looks more official.
CBR: So there will never be a cure for ransomware?
DE: Mostly, people like us can’t decrypt it. In the early days when the encryption was pretty weak, it was possible. Sometimes after that it’s been possible, if they make a mistake in the implementation. But if they implement it properly there’s no way.
The thing to stress is to back up. If you haven’t got a backup, it can be pretty ugly. As more people use mobile devices maybe they’ll become more of a target, especially since, in the wake of last year’s celebrity iCloud hack, people are a bit more wary about using online storage.
CBR: Are enterprises more at risk from mobile ransomware than consumers?
DE: It’s one of those things where, even within companies, maybe data isn’t backed up. Certainly for SMBs that’s the case. They’re letting people bring their own device, they’re storing data on it, and they’ve got no in-house expertise, so they see the productivity side of it but they’re not necessarily thinking about the security aspects.
From a practical point of view, that’s probably the sweet spot for attackers. Big business will probably have a backup regime, they’re containerising the data on those things, and it’s easy enough to give somebody another device. A small business probably isn’t thinking about that, and individuals on laptops are probably not thinking about it either. That’s probably the major area for exploiting it.
Typically the data doesn’t go anywhere. It stays where it is, it’s just encrypted. The sensitivity side of it is less of an issue; this is a hammer we’re talking about in malware terms.
CBR: What would you advise small businesses to do?
DE: Small businesses should build backups into the routine. Even if you only back up once a week, if you lose all that data it’s not too much of an issue. Whereas if all that data is stored on the mobile, especially with a small business, maybe a sales team which is not coming into the office very much and is spending nearly all of its time on a tablet or phone.
Ideally, obviously, you will have internet security software to block these attacks in the first place. Making sure that software is up to date is important too, although on a mobile it may be that you have very little control over that. I think the confidentiality issue doesn’t apply as regards ransomware, but there are other threats on mobile where it does.
CBR: Can you give an example?
DE: We’ve seen malware used in targeted attacks. Red October was a case in point: a targeted attack campaign aimed at government agencies, diplomatic bodies, energy companies, universities and the energy sector.
Once they’d infiltrated the network, they would then monitor what was going on, so they would try to access mobile devices and the data on them. So they weren’t looking to install malware on the device; they were just looking to get information from it across the network.
Another example might be with legal surveillance tools. These things are commercially available and they’re aimed mainly at police agencies. But there’s no guarantee they’re going to stay in those hands, and they can be quite sophisticated. Increasingly the developers of these have been adding mobile capabilities to them.
Probably about 60 percent of the malware for mobiles integrates the compromised device into a botnet. So they’re using command and control servers to control what’s going on; it’s not a one-off hack. Quite a bit of the malware is traditional spyware designed to leak information.
On the one hand there’s the targeted attack aspect. On the other hand there’s the more mainstream backdoor and spyware type application.
CBR: Are people taking mobile security seriously enough?
DE: Six years ago people were using [mobiles] to make calls and text. All the cool stuff like Facebook, Instagram, Snapchat, Twitter, has been added organically. I think psychologically people still think of it as a phone, not a computer.
Also, on the desktop and laptop, we went through this whole thing in the 90s of the problem getting bigger to the point where there were massive outbreaks or epidemics that impacted the psyche. People would read about them and think about the impact they could have.
There hasn’t been anything similar, so in a way, mobile developers have skipped all of those stages and gone straight to the cybercrime stage where they silently steal stuff. So there’s no give-away to make it obvious. Therefore I think businesses get it, but I don’t think individuals do, so I suspect there are an awful lot of unprotected devices.
It’ll be interesting to see what changes that. It might be that there is some huge ransomware epidemic and people feel it off the back of that. It might be headlines about a big company being hacked because somebody left a mobile in a taxi. Something like that will drive it home.
CBR: Do you think the scope for damage is as high for mobile?
DE: I think it is. Let’s say I have a simple PIN or no PIN at all and I leave it here. Somebody could get access to corporate mail, access to any documents on the phone and a Twitter account, all behind that PIN, which you can’t do on a laptop. It gives somebody quite a bit of capability for gathering information and maybe even being able to access a corporate network. If you’re in the vicinity of the building, the wi-fi key is already saved on it.
The other thing is if you connect to a public wi-fi network. While I’m behind the firewall in the office, out and about I’m not. Therefore, there’s an increased danger of leakage or information-gathering, and again, I don’t think people think about it. We’re beginning to see targeted attacks, which include leaking data through mobile devices.
The one thing I think is lacking in the public psyche is probably money. If you do your online banking on a laptop and click on a phishing email, someone gets your banking details or is able to capture your password. Although there’s been a growing amount of banking malware on mobiles, so far 90 percent of it is based in Russia. It’s only beginning to break out of that now. We’ve seen with other types of malware that they incubate in Russia and start to move southwards and westwards. SMS Trojans did that, and some of the spyware did that.
So we think it’s likely that banking malware will do the same. That’s phishing apps that pretend to be my bank but aren’t; it’s malicious apps that are able to access my email, or malicious apps that are able to access my bank account and transfer funds. I think that will happen over here as well, and as people start to lose real money, they’ll begin to see this. Right now, maybe a company’s at risk, but the individual isn’t.
Even if I move money around, maybe I’m not doing it through a website as you would on a laptop; you’re doing it on a dedicated app. Banks have been through the history of banking on laptops and desktops, and have learned some lessons and factored them in. In fairness, banks talk to people like us about securing apps like this. I’d say right now, banking on a mobile is more secure than on a laptop. This isn’t necessarily by design of the device, but just because at the moment there isn’t that much banking malware facing Europe. It will happen, I think.
CBR: Why does the majority of malware target Android?
DE: There’s a massive difference between Android and iOS. The overwhelming majority of malware we see is on Android. I think that’s because there’s so much flexibility at different levels of Android. Samsung or Vodafone, for example, can customise the operating system. App developers are free to develop apps left, right and centre. We’re not restricted to Google Play.
If you look at iOS, it is what it is. I can get it from Carphone Warehouse or Vodafone or straight from Apple. If I want applications I have to go to the App Store. It’s like operating Wembley Arena with one door in and out. The stuff you see on iOS tends to be on jailbroken devices.