Thoughts on Malware for Mobile Devices - SANS Internet Storm Center

Thoughts on Malware for Mobile Devices
One of the reasons that I love going to conferences is that it really makes me think. Being around some of the best minds in information security. talking to people, listening to thier views and re-evaluating my own opinions based on any new information is a big takeaway for me. For those who were not at SANSFire this year and didn't otherwise follow the Handler's annual State of the Internet Panel, one of the questions asked of the panel was (and I'm paraphrasing because I can't remember the exact word for word question) "Every year we hear a prediction that this will be the year that mobile malware becomes wide spread. Do you think that will happen this year?" I remember giving some answer along the lines of "Well, we've already had a few examples" and one of the other Handlers cited the malware infested apps that became available (breifly) from the iTunes Store. The panel concluded and we all went about our business but something was nagging me. Something just didn't feel right. I started talking to a few friends discussing mobile security and then looked at my own devices. How would I really know if there was malware on my smart phone? Malware authors have become increasingly good at hiding the presence of malware on infected systems and I didn't have anti virus on my phone, a problem which has since been corrected. But given the problems with signature based AV protection, do I really have confidence that I'm protected? How do we really know that mobile malware is not widespread right now? Please take a moment and answer the poll that I've posted and if you have some creative ways you're protecting your mobile devices, send them in and I'll post them. Christopher Carboni - Handler On Duty	Chris 140 Posts
Subscribe	Jun 22nd 2010 9 years ago
According to Lookout, a vendor of mobile protection, the problem is already somewhat widespread and growing quickly. http://www.darkreading.com/insiderthreat/security/attacks/showArticle.jhtml?articleID=225402185&cid=RSSfeed	Anonymous
Quote	Jun 22nd 2010 9 years ago
"Keitai saito" is the Japanese words for mobile web sites. I am not talking about smart phones but cellphones that, in most cases, only available and sold in Japan. Almost every mid size companies in Japan have their mobile web sites. What I see here is, users frequently access mobile sites no less that they access web sites in their PCs. But I rarely hear any incidents about mobile sites being used to distribute malware or something like that. One of the reasons is that, mobile browsers support no Javascript or very restricted version. Maybe "no script" playing a decisive role in this matter?!	Anonymous
Quote	Jun 22nd 2010 9 years ago
I'd rather not buy a smartphone until one becomes available that I can erase, and then install an unmodified, signed, official Debian armel image. Then I'd secure it the same way I'd secure a desktop PC or server. The installation or flash process would have to be possible without using software within the phone OS; a minimal read-only BIOS, or a USB or serial interface that can access onboard storage hardware directly (ie. not via a software USB mass storage emulation) ought to suffice. This way it shouldn't be possible to brick the device, either, because it should be possible to re-flash with a working image if something goes wrong. I'm not sure why smartphones tend to be so deliberately resistant to this; it seems that telco's, hardware manufacturers, and quite possibly the phone OS distributors conspire to keep the hardware drivers (particularly the GSM/UTMS/HSDPA hardware) proprietary and OS usually locked-down. The Sharp Zaurus ought to have been great if it had ever evolved into a smartphone. OpenMoko made some progress. I'm hoping the Nokia N900 is a step towards a more mainline Linux distro running on a phone, with hopefully less closed-source code.	Steven C. 171 Posts
Quote	Jun 22nd 2010 9 years ago
Steven, can't see the majority of phone owners doing or even wanting to do this.	Dean 135 Posts
Quote	Jun 22nd 2010 9 years ago
True... until then, people are dependent on having been sold a phone that is reasonably secure, and that it will continue to be secure (via updates) for the working life of the device. Although a security update might not be able to remove an existing infection, or un-do a data disclosure you suffer as a result of spyware infection. My problem is trust; I'd rather have absolute control over my device. It's like I probably wouldn't trust a library/cafe computer with private data, passwords etc.; I'd be much more comfortable using my own device, and using crypto on any shared Internet connection provided to me. An iPhone is therefore like the library/cafe computer where Apple is your (trusted?) sysadmin. And you maybe don't even know how secure the communication is; a lot of private data such as Facebook traffic could be going out plaintext, so you're trusting your telco with that too.	Steven C. 171 Posts
Quote	Jun 22nd 2010 9 years ago
Sadly users of smart phones tend to want 'rich internet experience' on their phones and have a Mac OS-like view that their phone isn't a "PC" so it's safe to browser randomly or download apps without a second thought. Or, to put it another way, the security of their device has nothing to do with their usage and everything to do with their platform. I think that will be the big factor in making smart phones a bigger target assuming they continue to be adopted by non-technical users.	ashcrow 9 Posts
Quote	Jun 22nd 2010 9 years ago
http://blogs.forbes.com/firewall/2010/06/21/researcher-builds-mock-botnet-of-twilight-loving-android-users/	John Hardin 62 Posts
Quote	Jun 22nd 2010 9 years ago
What is being defined as malware in the original statistics? I have seen some definitions in the past that are downright fraudulent themselves (irony). Are we talking cookies or are we talking executable code that is now part of the device's software stack (i.e. app, system extension, widget, etc.)?	BGC 23 Posts
Quote	Jun 22nd 2010 9 years ago

One of the reasons that I love going to conferences is that it really makes me think. Being around some of the best minds in information security. talking to people, listening to thier views and re-evaluating my own opinions based on any new information is a big takeaway for me.

For those who were not at SANSFire this year and didn't otherwise follow the Handler's annual State of the Internet Panel, one of the questions asked of the panel was (and I'm paraphrasing because I can't remember the exact word for word question) "Every year we hear a prediction that this will be the year that mobile malware becomes wide spread. Do you think that will happen this year?"

I remember giving some answer along the lines of "Well, we've already had a few examples" and one of the other Handlers cited the malware infested apps that became available (breifly) from the iTunes Store. The panel concluded and we all went about our business but something was nagging me. Something just didn't feel right.

I started talking to a few friends discussing mobile security and then looked at my own devices.

How would I really know if there was malware on my smart phone?

Malware authors have become increasingly good at hiding the presence of malware on infected systems and I didn't have anti virus on my phone, a problem which has since been corrected. But given the problems with signature based AV protection, do I really have confidence that I'm protected?

How do we really know that mobile malware is not widespread right now?

Please take a moment and answer the poll that I've posted and if you have some creative ways you're protecting your mobile devices, send them in and I'll post them.

Christopher Carboni - Handler On Duty

Chris

140 Posts

According to Lookout, a vendor of mobile protection, the problem is already somewhat widespread and growing quickly.

http://www.darkreading.com/insiderthreat/security/attacks/showArticle.jhtml?articleID=225402185&cid=RSSfeed

Anonymous

"Keitai saito" is the Japanese words for mobile web sites. I am not talking about smart phones but cellphones that, in most cases, only available and sold in Japan.

Almost every mid size companies in Japan have their mobile web sites. What I see here is, users frequently access mobile sites no less that they access web sites in their PCs.

But I rarely hear any incidents about mobile sites being used to distribute malware or something like that.

One of the reasons is that, mobile browsers support no Javascript or very restricted version.

Maybe "no script" playing a decisive role in this matter?!

Anonymous

I'd rather not buy a smartphone until one becomes available that I can erase, and then install an unmodified, signed, official Debian armel image. Then I'd secure it the same way I'd secure a desktop PC or server.

The installation or flash process would have to be possible without using software within the phone OS; a minimal read-only BIOS, or a USB or serial interface that can access onboard storage hardware directly (ie. not via a software USB mass storage emulation) ought to suffice. This way it shouldn't be possible to brick the device, either, because it should be possible to re-flash with a working image if something goes wrong.

I'm not sure why smartphones tend to be so deliberately resistant to this; it seems that telco's, hardware manufacturers, and quite possibly the phone OS distributors conspire to keep the hardware drivers (particularly the GSM/UTMS/HSDPA hardware) proprietary and OS usually locked-down.

The Sharp Zaurus ought to have been great if it had ever evolved into a smartphone. OpenMoko made some progress. I'm hoping the Nokia N900 is a step towards a more mainline Linux distro running on a phone, with hopefully less closed-source code.

Steven C.

171 Posts

Steven, can't see the majority of phone owners doing or even wanting to do this.

Dean

135 Posts

True... until then, people are dependent on having been sold a phone that is reasonably secure, and that it will continue to be secure (via updates) for the working life of the device. Although a security update might not be able to remove an existing infection, or un-do a data disclosure you suffer as a result of spyware infection.

My problem is trust; I'd rather have absolute control over my device. It's like I probably wouldn't trust a library/cafe computer with private data, passwords etc.; I'd be much more comfortable using my own device, and using crypto on any shared Internet connection provided to me.

An iPhone is therefore like the library/cafe computer where Apple is your (trusted?) sysadmin. And you maybe don't even know how secure the communication is; a lot of private data such as Facebook traffic could be going out plaintext, so you're trusting your telco with that too.

Steven C.

171 Posts

Sadly users of smart phones tend to want 'rich internet experience' on their phones and have a Mac OS-like view that their phone isn't a "PC" so it's safe to browser randomly or download apps without a second thought. Or, to put it another way, the security of their device has nothing to do with their usage and everything to do with their platform. I think that will be the big factor in making smart phones a bigger target assuming they continue to be adopted by non-technical users.

ashcrow

9 Posts

http://blogs.forbes.com/firewall/2010/06/21/researcher-builds-mock-botnet-of-twilight-loving-android-users/

John Hardin

62 Posts

What is being defined as malware in the original statistics? I have seen some definitions in the past that are downright fraudulent themselves (irony). Are we talking cookies or are we talking executable code that is now part of the device's software stack (i.e. app, system extension, widget, etc.)?

BGC

23 Posts