Over the past few weeks I have been busy presenting and meeting various clients, IBM-ers and partners at our IBM flagship event in Vegas, IBM Interconnect, and one of the hottest topics around mobile was mobile malware.
This has become a key issue for almost every client I have met with over the past six months or so. No longer are the mobility conversations centred on corporate connectivity and data loss prevention; rather, they have evolved and extended to tackle another headache coined ‘mobile threat management’. Here, the questions always revolve around what malware does and how we protect ourselves from devices on the corporate network that may have fallen victim to such exploits.
For one of my sessions at the event last week, I did a little research to dig up some statistics on what enterprises are most concerned about when building their mobile strategy. Shock, horror: mobile malware was up there with around 60 percent of the vote (interestingly followed by concerns around data loss and unauthorised access), which leads me into what mobile malware can do and why you should care.
If you work in the enterprise, and even if you don’t, ‘Mobile Malware’ would make a great title for your next horror novel.
For a while I understood that mobile malware was a thing, and I assumed that Android was the only affected platform (I’m more or less right there: Kaspersky and Forbes say 98 percent of mobile malware is targeted at Android), but I didn’t really understand what it actually did.
Luckily, we have a hardcore security unit at IBM, so one question to them and I was schooled on the dangers of malware on mobile devices. I quickly learned that, other than ripping off end users by messaging premium-rate numbers and spamming their contact lists, malware is also often seen gathering data about users without their knowledge: capturing contact lists, emails, SMS messages, photos, call logs, location and browser history, and uploading the data to some who-knows-what servers.
I then learned that the rabbit hole goes a lot deeper, as we have also seen a rise in more sophisticated malware, such as key-logging (think about how many passwords you type on your device) and malware capable of allowing hackers to remotely activate a device’s microphone and camera, enabling the malware to record conversations and watch your face as you ferociously swipe left in your favourite dating app. This is bad news for everyone, especially businesses that leverage mobile devices in their day-to-day events, where you may be transferring sensitive documents and emails, or storing corporate data on your device (have you ever taken your phone into a meeting? Yeah… there could be a lot more people listening than you realise). If a user’s device has been infected, there is potential for a pretty nasty result.
Now take a second to wipe the sweat from your brow and make sure you're sat comfortably as we jump into some examples of the three most popular malware exploits over the past year. These are usually hidden within seemingly harmless or popular cracked applications, or delivered by drive-by downloads:
NotCompatible - Android
This malware acts as a network proxy or botnet node, allowing attackers to send and receive traffic through the victim’s device for fraudulent purposes.
According to the BBC, phones infected with NotCompatible were enrolled into a network that is now being rented out to any crime group that needs a ready source of Android users.
… Compromised phones had been used in a variety of scams including sending spam, attacking Wordpress blogs and buying tickets for popular events in bulk that would then be resold at a significant profit.
Koler - Android
This is usually seen disguised as a media app that scans a victim’s device for “security issues” before reporting illicit discoveries, locking it, then attempting to convince the user to pay to unlock the phone or face “legal action” by displaying full-screen messages posed as law enforcement (FBI etc.).
Once installed on a device, Koler opens a persistent window that covers the entire screen and displays a fake message from local law enforcement agencies accusing users of viewing and storing child pornography. Victims are asked to pay a “fine” using MoneyPak prepaid cards in order to regain control of their phones.
Spytic – Android, iOS (jailbroken)
Once on the device, this malware intercepts users’ SMS messages and phone calls and uploads them to a remote server; it's also noted that this malware can remotely monitor infected devices, allowing hackers to watch what you’re up to!
Whilst most of the problems sit on the Android side, there have been a couple of big iOS issues in the past year, including WireLurker.
According to the researchers, WireLurker looks for iOS devices connected via USB to an infected Mac (infected via downloading malicious code from the Maiyadi App Store, which is a third-party Mac app store in China), and then installs malicious third-party applications onto the device even without a jailbreak.
Where the heck are users finding this stuff anyway?
In a report published by Arxan Technologies, it’s stated that 97 percent of the top 100 paid-for apps for Android have been cracked and are offered for free on alternative app stores (87 percent for iOS apps) – a major win for consumers, right? Maybe, but I liken it to opening your door to receive a free pizza... from the local drug dealer. You could take it, then eat it, but you’ll agree that you’ll want to be a little reserved about doing so because you can't be sure what's really in it.
The same goes for these cracked apps, because as a consumer you can’t be sure that they've not been injected with some malicious code – so you can take your free pizza and eat it, but the reality is that you're risking your personal and corporate data by doing so.
One of the reasons I believe we see more issues on Android is that an Android device can install applications from anywhere, whereas on iOS you have to jailbreak your device before you can access alternative repositories such as Cydia.
Avoiding malware in your business
For home users, just be wary when downloading and installing applications from unknown sources. Don’t trust free applications that would normally cost you money and, above all, stick to Google Play and the Apple App Store!