
Got a mobile phone? Then you've got a Trojan problem too

This time it’s personal


Something wonderful has happened: phones have got smart, but the bad news is they may open the door to those you don’t want to let in.

Time was when getting software to run properly on your mobile phone was such a challenge that it was nigh on impossible for bad guys to write malware that worked.

Most phones used proprietary platforms and there was little or no access to source code. Apps ran in the nice little sandbox of Java. Or, more typically, failed to run.

Now the increasing sophistication of mobiles has opened the door for bad guys to get a grip.

Your secrets are out

A Trojan on your laptop gives someone access to all your data, and maybe even through your corporate virtual private network to all your company’s secrets.

The same is true of your mobile except that the attack gets personal. As well as opening a route to your work data, a Trojan has access to all your friends, relatives and other contacts.

Why did you call that headhunter three times last week? Who is that woman you keep calling? Then there are all your text messages, telling it where you are and when. Off sick and on the golf course?

Worse, a Trojan has a billing relationship with your mobile. Your laptop can’t send premium-rate reverse-billed SMSs but your phone can.

The value of all the data on your device means it is no longer just a phone. This is what propels companies to provide mobile device management (MDM): the ability to control what is on your mobile, to push new work tools to it and to wipe it if it is lost or stolen.

The same technology can be turned against you – as Android developer LSDroid found with its Cerberus anti-theft software.

This is archetypal MDM software designed to help you find a lost or stolen Android phone. It gives you remote control through a website which will tell you if the SIM card has been changed and sound an alarm, even if the phone is in silent mode.

What matters here is the security which controls who has access. This was done using random numbers and the phone IMEI (international mobile station equipment identity). Unfortunately this wasn’t enough and a blogger called Paul built an exploit that could break the security in a couple of hours. The problem was quickly fixed, but it showed that what you think is protecting your data might be doing the opposite.

The price of popularity

Android, being the type of phone chosen by the majority of users, is the one most under threat. Security expert Jon Sawyer from Applied Cyber Security compares this to the days when people claimed Macs were more secure than Windows.

“It was only because so many more people were targeting Windows that it looked less secure,” he says.

Sawyer has found a number of vulnerabilities in phones, among which perhaps the most spectacular was an LG vulnerability that could be made to look like a service update and so did not request permissions. This in turn could modify any file, opening up the phone to any kind of modification including rooting.

As a “white hat”, he contacted LG and waited six months until the flaw was fixed before publishing, but he bemoans the lack of feedback from the security teams at the handset manufacturers.

He also singles out BlackBerry for hostility to security researchers. According to Sawyer, vulnerabilities in Android are rarely the fault of the operating system but often what the individual manufacturers have done at system level.

Google’s Android security team is good, he says, although he would recommend upgrading to version 4.3 or later.

James Lyne of Sophos echoes this view. He says that however good Google’s security people are, Android is probably the weakest of the mainstream smartphone platforms.

Runners-up

He contends that BlackBerry is the most secure, both in its BB7 and BB10 incarnations – although for security you have to sacrifice the openness of the BB10 system and then you have to wonder what is the point of going to BB10 in the first place.

Lyne would put Apple and Microsoft in joint second place, but from very different perspectives. Apple checks apps before they go into the store and then is very quick to pull any malevolent ones that get through. Lyne cautions, however, that the “trust me” approach could come back and bite Apple.

“The lack of transparency means there is trust where it isn’t deserved,” he says.

He paints a scenario of malware that might jailbreak as it goes, spreading from iPhone to iPhone and putting the devices outside of Apple’s control.

Today’s mobile malware is very 1990s

That hasn’t happened but Lyne still prefers the PC model of security. He says that today’s mobile malware is very 1990s so all you need to do to prevent it is a simple reputation look-up.

But he warns that “mobile opens up old wounds that previously we’d closed on PCs” – smarter polymorphs and the like. Lyne says of all the operating systems Windows Phone is the best architected to cope with the threats we have not seen yet.
