2012: the year of the mobile threat
Smartphones
will become more dominant in 2012 and beyond, leaving PC shipments in the dust.
That will bring big benefits but also big risks. Taylor Armerding explains
Its benefits for user convenience and
productivity are obvious and irresistible - a smartphone can handle everything
from email to collaboration to video chat. It can serve as your GPS. It
can scan product barcodes. It can find and store your favorite songs, help you
take high-resolution photos and HD video and expand both your social and
professional network.
But it isn't very secure, which puts
users and the enterprises that employ them at risk.
A combination of relative
defenselessness and ubiquity means mobile devices are an increasingly tempting
target for attacks ranging from spyware to rogue applications.
Security experts say the industry is
aware of the risks. IBM's IT security research team, X-Force, predicts 33
software exploits targeting mobile devices in 2012. That may sound small, but
it's double the number released in the previous 12 months.
Many of the attacks will come through
the browser, which Anup Ghosh, co-founder and CEO of Invencea, described as
"a terrific attack vector for any malware writer". While each new
wave of browsers has better security built-in, there's no slowdown in the
number of vulnerabilities. Indeed, there are up to 75,000 variations of malware
per day.
"The whole model of detecting
attacks and then responding to them is fundamentally broken," said Ghosh.
The methods of attack are varied. They
can come with attachments to emails, with third-party apps that promise to
perform a useful service but end up harvesting your personal information, or
simply through opportunistic infections as you surf the web.
Current estimates are that one in 60
Facebook posts and one in 100 Tweets contain malicious attachments.
Who's
in charge here?
Gary McGraw, CTO of Cigital and a
co-founder of BSIMM (the Building Security in Maturity Model), an organization
that helps software developers build security into their products, believes
that the growing awareness of the threats means more effort will ne made to
improve security for mobile devices. But, he noted, "This is a very
complicated space. A lot of different people are responsible for different
parts."
Those involved In the making and using
of mobile devices range from network operators and device makers to chip
manufacturers and those who make mobile OSes.
"They're all thinking very
seriously about this problem," McGraw said. "But the business model
for mobile commerce hasn't been laid out. It's hard to make risk-management
decisions when you're trying to get ahead of your competitors."
McGraw agrees that users are
vulnerable, particularly to threats such as non-vetted third-party apps.
"You can wave your phone around and pay for your petrol - or maybe pay for
everyone's," he said.
Zach Lanier, principle consultant at
Intrepidus Group, agrees that security is sometimes left aside in the rush to
gain a competitive advantage. Developers are making the same mistakes they made
with desktop PCs a decade ago, he said.
"We're forgetting the lessons we
already learned," added Lanier.
Mobile security isn't an issue of
browsers, per se. Lanier believes that mobile devices are vulnerable, but not
inherently more so than desktops and laptops.
It is a matter of scale, he said.
"Let's say there is a bug, and the most current version of Android is
fixed. But everyone runs different versions of Android. So in sheer numbers,
they are more vulnerable"
Ultimately, staying safe online comes
down to people - the end users. If they can be tricked into opening a malicious
PDF file, technology can't block that.
McGraw and Lanier both believe
companies will become more active in mobile-device management in response.
Still, a "lack of savvy is not
going to go away," Lanier said. To which McGraw added: "You can't
protect people from themselves."
Is
Malware a threat to Android users?
Security vendors are playing on your
fears to try to sell you protection software for Android, RIM and IOS,
according to Chris DiBona, Google's open-source programs manager.
"They are charlatans and
scammers. If you work for a company selling virus protection for Android, RIM
or IOS you should be ashamed," said DiBona.
According to DiBona, none of the major
smartphone OSes has a virus problem similar to what the Windows and Mac
ecosystems experience. He dismissed the Android threats reported by the
security industry as little things that didn't get very far because of the
platform's sandbox model and other architectural features.
Security experts disagree with this
assessment and point out that the levels of Android malware have registered a
huge increase this year.
"Malware for Android devices is
one of the biggest issues in the mobile malware area today," said Denis
Maslennikov, a senior malware analyst at Kaspersky Lab. "The growth in
malware for Android over the past 5 months is significant. In June we
discovered 112 modifications of Android malware; in July, 212; August, 161; 559
in September: and 808 In October."
A similar trend was observed by other
antivirus vendors, with Trend Micro reporting a 1,410 percent increase in the
number of Android threats from January to July 2011. "The more important
figure is not the total number of malware, but the rate of increase. That
demonstrates current, active and sustained criminal interest in the mobile
platform," said Rik Ferguson, the company's director of security research
and communication.
The majority of Android malware
threats consist of Trojans, not traditional self-replicating viruses or worms.
However, these can be Just as damaging, if not more so, the security experts
said.
"It depends on your definition of
damaging. Is it recording and uploading voice conversations to a remote server,
stealing email and text message histories, or running up huge bills through
premium-rate text and voice scams? It all depends on the point of view of the
victim and the fallout of the infection," Ferguson said.
However, Android's security issues
aren't limited to malware alone. Like any users who access email and websites,
smartphone owners are vulnerable to platform-independent threats such as
phishing and advance-fee scams.
"What DiBona is missing is that
mobile security tools do much more than just antivirus. Antitheft, remote lock,
backup, parental control, web filter – these features are the main reason why
people buy mobile security products. They get antivirus as a bonus," said
Mikko Hypponen, the chief research officer at antivirus firm F-Secure.
DiBona acknowledged that there are
some cases where security software is beneficial, such as for enforcing certain
corporate policies on business devices. However, he strongly believes that
these should be sold independently. "Marketers that sell such things
sometimes tack on virus protection.“ That part is a lie," he said.
"Well I guess that's one way to
make a platform appear malware- free," replied Trend Micro's Ferguson in a
blog post. "Am I ashamed of myself? Not at all. I'd prefer to offer
protection against a growing threat to personal and business security than to
bury my head. In the sand and defend my stance with wild accusation."
Most malware researchers agree that
the openness of the Android platform, which allows installing non-vetted apps,
and - more importantly - the openness of the Android market, which lacks a
strict application-review process, contribute to its malware problem.
"The most important step that
Google may take in order to make Android more secure Is tighten
application-review policies to prevent malware appearing in the Android
Market," said Maslennikov, He pointed out that Trojans were found in the
Android Market on multiple occasions, and sometimes stayed there for weeks or months
before detection.
"We've learned that relying on
the users to follow best practices doesn't really work," said Ondrej
Vicek, the CTO at Avast Software. "For computer experts, the threat may
not be too high at the moment, but for the majority of people, the threat is
real," he added.
