2012 will be the year mobile malware becomes a big issue, according to Websense. The company reckons that the increasing sophistication of malicious apps and poor security standards on Android phones will see it become a major problem sooner rather than later.
Despite plenty of headlines over the last 18 months or so about the severity of mobile threats, some security organisations have suggested the problem is minute compared to the continued threats facing PC users.
However, Carl Leonard, Websense security research manager, told CBR that the threat is growing and losses from malicious apps stretch into millions of dollars. Most of that money is stolen via malware that can sign a mobile user up to expensive SMS services without their knowledge. Malware that targets banking and other sensitive information is the other app of choice for crooks.
Despite saying that malicious apps are getting more sophisticated Leonard added that currently, most apps Websense is seeing are not very advanced. To demonstrate just how easy it is to develop and release a malicious app Leonard gave CBR a demonstration, in the back of a limo idling in the backstreets just off London’s Fleet Street.
Using an Eclipse SDK for Android, Leonard took just a few minutes to set the malicious app up. It was disguised as an antivirus app and called Awesome AV Scanner – he said this is a classic technique for tricking unsuspecting users into downloading the app.
The app certainly looked convincing. A star rating system was offered and in the bottom right corner a "processing" symbol whizzed around, suggesting the app was indeed scanning for viruses. The app then prompted the user to register their app; clicking this caused it to crash.
A second app then replaced the first, but this time it didn’t crash so users were left with the impression that registration was successful. In truth, what really happened was that the user had just given their password to the crook. Chances are, Leonard said, this password would open up other online accounts as people generally repeat the same password on many sites and services.
Content from our partners
It wasn’t just a random choice the demonstrate this on an Android device – Leonard and Spencer Parker, group product manager at Websense, both said that the phones are fundamentally less secure than Apple’s iPhone. Android makes up the vast majority of malware targets, Parker said.
"The Apple system is much better at picking up [malware in apps], although Google is trying to migrate to a similar system," Parker told CBR. "There are many different market places for Android, which create a gray market where unsanctioned apps are freely available."
"The in-built Android MDM (mobile device management) is nowhere near as good as Apple’s," Parker continued. "With Apple there is a deliberate sandboxing, so data doesn’t talk to other apps. So if an attack is launched at Safari, it’ll just attack Safari. With Android it’s different, so a browser-based attack can attack other apps."
He added that games are the most common attack vector, with many malicious apps disguised and legitimate games, such as a newer version of Angry Birds.
What does this mean for businesses? Well, a way onto a user’s mobile is a way into the business, whether it is via the same password being used for certain things or access to work emails that may contain sensitive corporate information.
The answer to this conundrum is co-operation between the user and the business. If employees want to use their personal devices for work then they have to abide by company security policies, says Parker. "The end user and the business have to share responsibility [for security]," he said. "The business has to make the user aware of the policies and keep them up to date."
