
Got a mobile phone? Then you've got a Trojan problem too

This time it’s personal


Something wonderful has happened: phones have got smart, but the bad news is they may open the door to those you don’t want to let in.

Time was when getting software to run properly on your mobile phone was such a challenge that it was nigh on impossible for bad guys to write malware that worked.

Most phones used proprietary platforms and there was little or no access to source code. Apps ran in the nice little sandbox of Java. Or, more typically, failed to run.

Now the increasing sophistication of mobiles has opened the door for bad guys to get a grip.

Your secrets are out

A Trojan on your laptop gives someone access to all your data, and maybe even through your corporate virtual private network to all your company’s secrets.

The same is true of your mobile except that the attack gets personal. As well as opening a route to your work data, a Trojan has access to all your friends, relatives and other contacts.

Why did you call that headhunter three times last week? Who is that woman you keep calling? Then there are all your text messages, telling it where you are and when. Off sick and on the golf course?

Worse, a Trojan has a billing relationship with your mobile. Your laptop can’t send premium-rate reverse-billed SMSs but your phone can.

The value of all the data on your device means it is no longer just a phone. This is what propels companies to provide mobile device management (MDM): the ability to control what is on your mobile, to push new work tools to it and to wipe it if it is lost or stolen.

The same technology can be turned against you – as Android developer LSDroid found with its Cerberus anti-theft software.

This is archetypal MDM software designed to help you find a lost or stolen Android phone. It gives you remote control through a website which will tell you if the SIM card has been changed and sound an alarm, even if the phone is in silent mode.

What matters here is the security which controls who has access. This was done using random numbers and the phone IMEI (international mobile station equipment identity). Unfortunately this wasn’t enough and a blogger called Paul built an exploit that could break the security in a couple of hours. The problem was quickly fixed, but it showed that what you think is protecting your data might be doing the opposite.

The price of popularity

Android, being the type of phone chosen by the majority of users, is the one most under threat. Security expert Jon Sawyer from Applied Cyber Security compares this to the days when people claimed Macs were more secure than Windows.

“It was only because so many more people were targeting Windows that it looked less secure,” he says.

Sawyer has found a number of vulnerabilities in phones, among which perhaps the most spectacular was an LG vulnerability that could be made to look like a service update and so did not request permissions. This in turn could modify any file, opening up the phone to any kind of modification including rooting.

As a “white hat”, he contacted LG and waited six months until the flaw was fixed before publishing, but he bemoans the lack of feedback from the security teams at the handset manufacturers.

He also singles out BlackBerry for hostility to security researchers. According to Sawyer, vulnerabilities in Android are rarely the fault of the operating system but are often the result of what the individual manufacturers have done at system level.

Google’s Android security team is good, he says, although he would recommend upgrading to version 4.3 or later.

James Lyne of Sophos echoes this view. He says that however good Google’s security people are, Android is probably the weakest of the mainstream smartphone platforms.

Runners up

He contends that BlackBerry is the most secure, both in its BB7 and BB10 incarnations – although for security you have to sacrifice the openness of the BB10 system and then you have to wonder what is the point of going to BB10 in the first place.

Lyne would put Apple and Microsoft in joint second place, but from very different perspectives. Apple checks apps before they go into the store and then is very quick to pull any malevolent ones that get through. Lyne cautions, however, that the “trust me” approach could come back and bite Apple.

“The lack of transparency means there is trust where it isn’t deserved,” he says.

He paints a scenario of malware that might jailbreak as it goes, spreading from iPhone to iPhone and putting the devices outside of Apple’s control.

Today’s mobile malware is very 1990s

That hasn’t happened but Lyne still prefers the PC model of security. He says that today’s mobile malware is very 1990s so all you need to do to prevent it is a simple reputation look-up.

But he warns that “mobile opens up old wounds that previously we’d closed on PCs” – smarter polymorphs and the like. Lyne says of all the operating systems Windows Phone is the best architected to cope with the threats we have not seen yet.
