Mobile Phone Malware - Should You Be Worried?

We all know how important it is to be secure on our desktop and laptop computers. Malware protection is essential - you could be putting yourself at risk if you browse the web and you don’t have security software, such as AVG Antivirus or Microsoft Security Essentials installed. But what about mobile phone security? We’re all (well, almost all) using Internet-enabled phones nowadays, and the uptake of this technology is certainly not slowing. So do we need to secure our phones, and should we be worried about the threat of mobile-targeted malware?

Can your phone be compromised?

In short - yes. Just the same as your home computer, your smartphone can be attacked and compromised. Although the number of known malware targeting phones is nowhere near that of malware targeting computers, studies show that the volume of threats has been rising sharply over the last few years. Attacks are also becoming more and more sophisticated, as attackers realise the potential financial gains that are possible from infiltrating devices. The amount of personal information we have stored on our smartphones is substantial, and unfortunately, valuable.

Who is most vulnerable?

According to a report by IT security vendors Kaspersky Lab, 98.05% of all device-specific malware detected in 2013 targeted the Android platform. Android malware has increased by 600% in the last 12 months alone. This is due to not only the popularity of the OS, but also its open architecture in terms of app availability and its permissions approach to security. Anyone can submit an Android app to an unofficial, unregulated market, bypassing security checks and apps can ‘sneakily’ ask for all kinds of permissions.

How are mobiles infected?

In the past, mobile threats were largely distributed via Bluetooth and SMS, but as mobile broadband and wifi technology has advanced, security threats to mobile devices primarily derive from Internet-based sources.

Many threats are distributed using established methods that are device ambiguous i.e. non-specific to a home computer or mobile phone for example. This includes through spam, scams and phishing. An issue that can make mobile users more vulnerable is that it may be more difficult to judge the legitimacy of content on mobiles. We are so used to desktop display after many years of use, but mobile display may still be slightly foreign to us, and with less screen space on mobiles, it may be less clear whether a website or email is authentic. For instance, you can’t always see the full URL of a site on a mobile device, and this is something cybercriminals can, and do, exploit - making the visible part of a sites URL seem genuine.

Trojan apps are commonly used to target mobile users. These are applications that appear to be legitimate, but really contain hidden malicious code. The victim is tricked into installing an application laced with malware. Much of the time these are rogue apps, packaged to say they do something, but actually once installed they don’t. Perhaps more dangerously, some (a growing number infact) trojan apps are now fully functionable and ‘do what they say on the tin,’ but with malicious code added. This means that victims may keep the malicious application installed and remain unaware of the threat. Another concern is the availability of legitimate, harmless apps which are installed, but malicious code is later added to an updated version, which the victim is prompted to install.

Users should be particularly wary of trojanized banking apps - apps that are designed to completely mimic legitimate banking apps, but are engineered to pass on your details to an external entity, which can be extremely damaging. This is a trend which is on the rise, as cyber-criminals increasingly look to monetise their efforts, with Russian mobile device users being particularly targeted in 2013.

What are the risks of mobile malware infection?

As we use smartphones more and more, for more and more functions, the risk and repercussions of malware infection becomes more dangerous.

• Data loss: malware can modify or completely delete data such as photos, contacts, notes etc
• Lost functionality: malicious software can delete or edit files to make a device partially or completely unusable
• Communication interception: attackers can use malware to track and monitor SMS messages to a device, record voice communications and access browsing history
• SMS fraud: attackers can rack up huge phone bills by infecting a phone and controlling it to send SMS messages to a premium, expensive number
• Data theft: this risk is dependant on the data stored on a phone - data theft can include sending information such as: contacts, photos, financial information, passwords etc to a c&c (command and control) server
• Remote control: an attacker can use malware to gain complete control of a device, which even includes activating a camera or microphone, installing applications and sending spam

What can you do to stay safe?

• Be cautious when downloading apps - use an official app store or marketplace, check app reviews and, check and scrutinise app permissions during installation
• Keep OS and applications up-to-date (incase of bug and security fixes), uninstall apps you hardly use (which also frees up storage space)
• Be extra vigilant when browsing websites - check full URLs, do not visit dubious sources, install an ad-blocker app (ads are now apparently the biggest mobile malware risk), change browser setting to block pop-ups
• Don’t share personal information over a public (interceptable) wifi
• Backup data stored on your device, incase of infection

By simply being cautious - particularly Android users - you can avoid the risk of mobile malware infection and the potential data and financial losses associated with it. A problem with applying malware detection techniques used for home computers to mobile devices is power consumption: mobile devices have limited battery life and resources. But there are a few mobile security products currently on the market, including Kaspersky Internet Security for Android and McAfee Mobile Security. I think we are likely to see more emphasis put on mobile protection in the field of security in years to come, and mobile adaptive security products will be further developed and advanced.