Got a mobile phone? Then you’ve got a Trojan problem too
This time it’s personal
Something wonderful has happened: phones have got smart, but the bad news is they may open the door to those you don’t want to let in.
Time was when getting software to run properly on your mobile phone was such a challenge that it was nigh on impossible for bad guys to write malware that worked.
Most phones used proprietary platforms and there was little or no access to source code. Apps ran in the nice little sandbox of Java. Or, more typically, failed to run.
Now the increasing sophistication of mobiles has opened the door for bad guys to get a grip.
Your secrets are out
A Trojan on your laptop gives someone access to all your data, and maybe even through your corporate virtual private network to all your company’s secrets.
The same is true of your mobile except that the attack gets personal. As well as opening a route to your work data, a Trojan has access to all your friends, relatives and other contacts.
Why did you call that headhunter three times last week? Who is that woman you keep calling? Then there are all your text messages, telling it where you are and when. Off sick and on the golf course?
Worse, a Trojan has a billing relationship with your mobile. Your laptop can’t send premium-rate reverse-billed SMSs but your phone can.
The value of all the data on your device means it is no longer just a phone. This is what propels companies to provide mobile device management (MDM): the ability to control what is on your mobile, to push new work tools to it and to wipe it if it is lost or stolen.
The same technology can be turned against you – as Android developer LSDroid found with its Cerberus anti-theft software.
This is archetypal MDM software designed to help you find a lost or stolen Android phone. It gives you remote control through a website which will tell you if the SIM card has been changed and sound an alarm, even if the phone is in silent mode.
What matters here is the security which controls who has access. This was done using random numbers and the phone IMEI (international mobile station equipment identity). Unfortunately this wasn’t enough and a blogger called Paul built an exploit that could break the security in a couple of hours. The problem was quickly fixed, but it showed that what you think is protecting your data might be doing the opposite.
The price of popularity
Android, being the type of phone chosen by the majority of users, is the one most under threat. Security expert Jon Sawyer from Applied Cyber Security compares this to the days when people claimed Macs were more secure than Windows.
“It was only because so many more people were targeting Windows that it looked less secure,” he says.
Sawyer has found a number of vulnerabilities in phones, among which perhaps the most spectacular was an LG vulnerability that could be made to look like a service update and so did not request permissions. This in turn could modify any file, opening up the phone to any kind of modification including rooting.
As a “white hat”, he contacted LG and waited six months until the flaw was fixed before publishing, but he bemoans the lack of feedback from the security teams at the handset manufacturers.
He also singles out BlackBerry for hostility to security researchers. According to Sawyer, vulnerabilities in Android are rarely the fault of the operating system but often the result of what the individual manufacturers have done at system level.
Google’s Android security team is good, he says, although he would recommend upgrading to version 4.3 or later.
James Lyne of Sophos echoes this view. He says that however good Google’s security people are, Android is probably the weakest of the mainstream smartphone platforms.
He contends that BlackBerry is the most secure, both in its BB7 and BB10 incarnations – although for security you have to sacrifice the openness of the BB10 system and then you have to wonder what is the point of going to BB10 in the first place.
Lyne would put Apple and Microsoft in joint second place, but from very different perspectives. Apple checks apps before they go into the store and then is very quick to pull any malevolent ones that get through. Lyne cautions, however, that the “trust me” approach could come back and bite Apple.
“The lack of transparency means there is trust where it isn’t deserved,” he says.
He paints a scenario of malware that might jailbreak as it goes, spreading from iPhone to iPhone and putting the devices outside of Apple’s control.
Today’s mobile malware is very 1990s
That hasn’t happened but Lyne still prefers the PC model of security. He says that today’s mobile malware is very 1990s so all you need to do to prevent it is a simple reputation look-up.
But he warns that “mobile opens up old wounds that previously we’d closed on PCs” – smarter polymorphs and the like. Lyne says that, of all the operating systems, Windows Phone is the best architected to cope with the threats we have not seen yet.