IT-Analysis.com
IT-Analysis.com Logo
Technology Security
Business Issues Channels Enterprise Services SME Technology
Module Header
Craig WentworthMWD Advisors
Craig Wentworth
16th April - Egnyte the blue touchpaper...
Louella FernandesLouella Fernandes
Louella Fernandes
11th April - Managed Print Services: Are SMBs Ready?
Louella FernandesLouella Fernandes
Louella Fernandes
11th April - The Managed Print Services (MPS) Opportunity for SMBs
Simon HollowayThe Holloway Angle
Simon Holloway
11th April - Intellinote - capture anything!
David NorfolkThe Norfolk Punt
David Norfolk
11th April - On the road to Morocco

Analysis

The Smartphone: a real bug in your bed (2)
Nigel Stanley By: Nigel Stanley, Practice Leader - IT Security, Bloor Research
Published: 18th February 2011
Copyright Bloor Research © 2011
Logo for Bloor Research

So will users' smartphones become infected with malware? The simple answer is yes and they are. Of course the Windows PC platform is still the biggest target for virus and malware authors as this produces the biggest “return on malware investment”. Due to poor security measures taken by users such as failing to patch their PCs or not using anti-malware there are now around 4 million PC-based viruses and worms out in the wild. Contrast this with the 400 or so viruses and worms targeting smartphones [1] and you can see the order of magnitude difference. But complacency is an enemy, and criminals are now exploring the smartphone market as a new and untapped source of devices waiting to be infected.

In April 2010 a pirated game was infected with malware, forcing the infected smartphone to dial out to premium international numbers unknown to the user. The first the user knew of the problem was the incoming phone bill at the end of the month. [2]

August 2010 saw an SMS-based Trojan for smartphones running the popular Android operating system. Called Trojan-SMS.AndroidOS.FakePlayer.a the malicious program penetrates smartphones running Android looking like a harmless media player application. Users are prompted to install a 13KB file and once installed on the phone, the Trojan uses the system to begin sending SMSs to premium rate numbers. [3]

Not only does this malware create havoc on the smartphone it can also take advantage of the voice capability of the device. This is where these threats start to raise very sinister security concerns far beyond those of the humble personal computer.

To prove the point about smartphone security last year, Veracode, the code security people, conducted an experiment to see how easy it is to infect a smartphone with malware. The coders at Veracode created a tic-tac-toe game (noughts and crosses) that ran, in this case, on a BlackBerry device. [4] [5] Not that they were picking on BlackBerrys—they could have done this attack on any smartphone as it simply used a bit of social engineering to get a user to download the software on to their phone. Nothing that advanced here; in fact if the user didn’t actively download the app and put in their passwords then the attack would have failed.
Once installed on the device the user happily played a game whilst in the background the malware was siphoning off their email contacts and SMS messages. It would have been trivial, at that stage, to turn the smartphone microphone on and have the device act as a bug.

David Cameron, the UK Prime Minister, carries a BlackBerry device and, in early 2011, he announced that he was following the cricket test match in Australia live on his BlackBerry whilst he was in bed. Consider the implications if this device was compromised and the Prime Minister was bugged in bed?

But no end of security education will prevent users from downloading apps if they really want them. Yes devices can be locked down, as is the case with many company issued BlackBerrys. Many security practitioners would agree that BlackBerry devices can be very well secured and these devices have been tested and approved by the UK security establishment.

But what employee in a “normal” business would agree to their personal device being locked down in such a way that they are prevented from downloading and running the latest game or app?

Is my smartphone based data secure?
Any CISO considering their smartphone security strategy should consider this data from the Get Safe Online website, a crime prevention website based in the UK [6]

Over 1 in 4 (28%) internet users use a smartphone to access the internet, rising to 50% amongst 18–24 year olds. Of these:

  • 71% use their phones to send emails or use messaging applications
  • 56% view and update their social networking profiles
  • 1 in 5 (20%) synchronise their handsets to a personal computer
  • Almost 1 in 5 (19%) use their mobiles to make purchases online
  • Over 1 in 6 (16%) manage their finances, including banking and paying bills
  • 1 in 5 (20%) have had their handsets lost or stolen

The statistics speak for themselves but we are seeing a lot of people using devices for financial transactions, with the issues that can bring. Also 20% have had their devices stolen—and these are their own devices they love and cherish! Would they take greater or lesser care over a company issued phone?

The next article in this series will look at voice data security and smartphone managment tools.

References (All accessed February 2011)
[1] Smartphone Malware Multiplies. [Online] 2010.
[2] Windows Mobile Trojan Poses As “3D Anti-terrorist action” War Game. [Online] 2010.
[3] First SMS Trojan detected for smartphones running Android. [Online] 2010.
[4] Is Your BlackBerry App Spying on You?. [Online] 2010.
[5] Smartphone security put on test. [Online] 2010.
[6] Getsafeonline website 

Advertisement



Published by: IT Analysis Communications Ltd.
T: +44 (0)190 888 0760 | F: +44 (0)190 888 0761
Email: