Original URL: http://www.theregister.co.uk/2013/10/18/feature_mobile_security_malware/

Got a mobile phone? Then you've got a Trojan problem too

This time it’s personal

By Simon Rockman

Posted in Security, 18th October 2013 10:16 GMT

Something wonderful has happened: phones have got smart, but the bad news is they may open the door to those you don’t want to let in.

Time was when getting software to run properly on your mobile phone was such a challenge that it was nigh on impossible for bad guys to write malware that worked.

Most phones used proprietary platforms and there was little or no access to source code. Apps ran in the nice little sandbox of Java. Or, more typically, failed to run.

Now the increasing sophistication of mobiles has opened the door for bad guys to get a grip.

Your secrets are out

A Trojan on your laptop gives someone access to all your data, and maybe even through your corporate virtual private network to all your company’s secrets.

The same is true of your mobile except that the attack gets personal. As well as opening a route to your work data, a Trojan has access to all your friends, relatives and other contacts.

Why did you call that headhunter three times last week? Who is that woman you keep calling? Then there are all your text messages, telling it where you are and when. Off sick and on the golf course?

Worse, a Trojan has a billing relationship with your mobile. Your laptop can’t send premium-rate reverse-billed SMSs but your phone can.

The value of all the data on your device means it is no longer just a phone. This is what propels companies to provide mobile device management (MDM): the ability to control what is on your mobile, to push new work tools to it and to wipe it if it is lost or stolen.

The same technology can be turned against you – as Android developer LSDroid found with its Cerberus anti-theft software.

This is archetypal MDM software designed to help you find a lost or stolen Android phone. It gives you remote control through a website which will tell you if the SIM card has been changed and sound an alarm, even if the phone is in silent mode.

What matters here is the security which controls who has access. This was done using random numbers and the phone IMEI (international mobile station equipment identity). Unfortunately this wasn’t enough and a blogger called Paul built an exploit that could break the security in a couple of hours. The problem was quickly fixed, but it showed that what you think is protecting your data might be doing the opposite.

The price of popularity

Android, being the type of phone chosen by the majority of users, is the one most under threat. Security expert Jon Sawyer from Applied Cyber Security compares this to the days when people claimed Macs were more secure than Windows.

“It was only because so many more people were targeting Windows that it looked less secure,” he says.

Sawyer has found a number of vulnerabilities in phones, among which perhaps the most spectacular was an LG vulnerability that could be made to look like a service update and so did not request permissions. This in turn could modify any file, opening up the phone to any kind of modification including rooting.

As a “white hat”, he contacted LG and waited six months until the flaw was fixed before publishing, but he bemoans the lack of feedback from the security teams at the handset manufacturers.

He also singles out BlackBerry for hostility to security researchers. According to Sawyer, vulnerabilities in Android are rarely the fault of the operating system but often what the individual manufacturers have done at system level.

Google’s Android security team is good, he says, although he would recommend upgrading to version 4.3 or later.

James Lyne of Sophos echoes this view. He says that however good Google’s security people are, Android is probably the weakest of the mainstream smartphone platforms.

Runners up

He contends that BlackBerry is the most secure, both in its BB7 and BB10 incarnations – although for security you have to sacrifice the openness of the BB10 system and then you have to wonder what is the point of going to BB10 in the first place.

Lyne would put Apple and Microsoft in joint second place, but from very different perspectives. Apple checks apps before they go into the store and then is very quick to pull any malevolent ones that get through. Lyne cautions, however, that the “trust me” approach could come back and bite Apple.

“The lack of transparency means there is trust where it isn’t deserved,” he says.

He paints a scenario of malware that might jailbreak as it goes, spreading from iPhone to iPhone and putting the devices outside of Apple’s control.

Today’s mobile malware is very 1990s

That hasn’t happened but Lyne still prefers the PC model of security. He says that today’s mobile malware is very 1990s so all you need to do to prevent it is a simple reputation look-up.

But he warns that “mobile opens up old wounds that previously we’d closed on PCs” – smarter polymorphs and the like. Lyne says of all the operating systems Windows Phone is the best architected to cope with the threats we have not seen yet.

And last comes Android

And last comes Android. Lyne agrees with Sawyer that it is the most under attack, and notes that it is fragmentation that poses the biggest problem.

The scale is shown by research conducted by Lacoon Security, an Israeli consultancy which surveyed the smartphones of half a million users over a number of networks.

Lacoon found that one in 1,000 had some kind of spy phone software installed. Of these 53 per cent were Android and 47 per cent iOS, with 22 per cent of the infections being on Android 4.x.

Given that there is a security threat if you don’t use an MDM, and that using an MDM itself might pose a security threat, what is the best option, particularly for those highly targeted Android devices?

Hard Knox

Perhaps the best combination of MDM and devices is the Samsung Knox system. Like the General Dynamics solution announced at Mobile World Congress, Knox has a customisable boot and uses the NSA-derived SELinux (Security-Enhanced Linux), although Sawyer notes that until the end of August Samsung shipped this in permissive mode rather than enforcing mode.

Samsung does not provide an MDM system for Knox phones directly but builds on its Safe program to provide a basis for other suppliers of MDM systems.

In a world of end-to-end ecosystems from Amazon to iTunes it is surprising that Samsung has elected not to enter the fray. Perhaps it thinks Western companies would prefer not to have a South Korean company own the keys to their commercial secrets.

The secure container is a common approach, adopted by Knox, General Dynamics, Deutsche Telekom’s SimKo3, MobileIron, Airwatch, FiberLink, Zenprise and Good Technology, among others.

The model of using a container for applications cuts the risk of the data leakage associated with BYOD (bring your own device). A secure container is set up for corporate applications such as email, calendar, browser, storage clients and so on.

Data downloaded from the enterprise, such as email attachments and files, cannot be accessed by applications outside that container.

This stops users from being able to email, text or Dropbox any files that should live only within the corporate environment. All the data stored is encrypted using AES-256.

This provides the perfect excuse to leave the work phone behind when you go on holiday as you will be prohibited from taking it anywhere that has UN export restrictions and sanctions in place or where encryption is illegal.

Sophos has a lighter touch, perhaps more tailored to BYOD. It ensures the user has a decent passcode and that the device is properly configured, for example that SSL is turned on for email, and it looks for the signs of Trojans.

There is no easy way to detect whether a phone has been rooted or jailbroken. Instead, the signatures look for tell-tale apps such as Cydia, which takes advantage of the freedom to download third-party applications to a jailbroken iPhone, or Superuser, which manages root privileges on an Android phone.

Daniel Brodie, senior researcher at Lacoon, adds that data is unencrypted once it is in memory and a crafted Trojan could bypass the container.

Choose your cloud

And don’t forget the hosting. Although backing up your corporate data in the cloud might be a good thing to do for all kinds of reasons, you need to make sure that the cloud you are using is secure. If data is covered under the Data Protection Act you are legally obliged to know where it is.

This has led to the advent of companies such as Secura Hosting, a government-approved G-Cloud supplier, which undertakes to keep data within the UK only.

So, has mobile malware suddenly gone from being talked about to actually happening? All those companies that sold solutions for which there was no problem now do have a problem to deal with.

That is why one security expert I spoke to was carrying a Motorola Razr. It might be old and limited but it was built before phones got smart. It is unhackable. ®