An ethical hacker's view on mobile malware and how to stop it

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.

As our mobile handsets become more than just a way to make and receive phone calls their appeal to criminals increases. Mobile malware, once theoretical, is now very much a reality and a growing threat.

For the business user that accesses the corporate net for email, compromised devices can give criminals access to data that can prove lucrative in the right hands. For VIPs it could be a little more personal, as the smart devices broadcast their locations via GPS. Even for the man on the street, with the introduction of mobile payments apps, there's more to lose than just contact lists and photos.

DIRTY DOZEN: Most vulnerable smartphones

IN PICTURES: 12 'White Hat' hackers you should know

Malware on smartphones is used by criminals to make money. They steal information (contact details, emails, personal data or even financial information; they hijack browser sessions), interfere with online banking transactions and circumvent one time password (OTP) security procedures, or even send SMS messages to premium-rate numbers.

A worrying trend: Attacks are increasingly targeted at executives due to the valuable data they're carrying on their phones. Using a combination of SMS and social engineering tactics, hackers can spoof the phone number of a friend or a colleague to send an SMS asking the victim to click on a suspicious link, opening up the phone to attack.

To prevent malware spreading the mobile operating systems are pursuing a number of approaches. Apple and BlackBerry, for example, have introduced security protocols in tandem with a meticulous acceptance process for apps offered via their stores.

The picture is less tidy for Android. Perhaps because it currently has the highest market share, Android provides attractive returns for criminals. Another theory is that due to the openness of the platform and the existence of other markets from which to download apps, it's easier to infiltrate. Whatever the reason, the stark reality is that it attracts the most malware.

That said, as market share shifts and rogue programmers perfect their code, it would be foolish to think that any particular operating system will remain infallible indefinitely.

The best way to fight mobile malware is to defend against incursion, and in this everyone has a function to perform. As they're on the front line, phone users themselves must understand the risks, and the criminals' tactics, if they're to practice safe phone use:

* Step one -- are you already infected? It can be difficult for end users to know if they have any malware on their phones, but there are a few factors that can be indicative. Users should regularly check which apps are running. Anything suspicious should be deleted. Indicators that malware is present can also include decreased battery life (because there is something running in the background) or an increase in data use (as the malware transmits data from the phone).

* Step two -- block activity. To prevent premium-rate number scams, it is important to check your bill regularly for anything out of the ordinary or, better still, contact your provider and block this type of number.

* Step three -- prevent infection. There are a number of elements to this that, while not a guarantee, will help minimize malware when used together. Regardless of whether the handset is corporate or personally owned, organizations should encourage their workforce to practice these steps:

• Antivirus software for mobile phones is available to download, however it is argued that it can be ineffective.

• Settings on the phone can be changed to prevent installation of content that isn't from trusted sources.

• Just like spam mail, users have to be careful about following links sent from contacts within the address book.

• Apps should only be downloaded from bona fide marketplaces, such as the Google marketplace. The free ones, while attractive, could offer more than you bargained for.

• Permissions for apps should be checked before they are downloaded to ensure they are restricted from unwanted activity.

BYOD: There is no stopping employees' devices on your network

Businesses issuing staff phones should also consider:

• Installing antivirus software as standard.

• Looking for, and deploying, tools that can manage mobile devices in much the same way as traditional PCs.

• Thinking about device encryption capabilities to avoid data leakages resulting from device loss or left, and perhaps a solution that can remotely locate and destroy AWOL devices.

• Where possible, restricting and controlling what can and can't be done on the phones.

• If you can't stop it then create and communicate security policies that govern what data can, and can't, be accessed and stored. It is also essential that users understand why this is so important

Unlike viral desktop programs, phones aren't spreading infections from one to another or to other devices, so the spread of the threat is reduced. You have to either download a rogue app, or click on a bad link, to inject malware onto the phone. But that could change. If we don't get a grip on malware now, tomorrow we could be facing an epidemic as it's only a matter of time before criminals create malware that can and does jump between devices.

Today, while we still have the power to stop mobile malware, let's work harder and smarter to unmask the secret assassin.

www.alienvault.com

Read more about wide area network in Network World's Wide Area Network section.

This story, "An ethical hacker's view on mobile malware and how to stop it" was originally published by NetworkWorld.

Insider: How the basic tech behind the Internet works
Join the discussion
Be the first to comment on this article. Our Commenting Policies