In the beginning, as a famous book starts, there were PCs with Windows, and management saw them and was pleased. PCs proliferated throughout business and society like rabbits, and the good people of the world used them to play, work and learn. However, the dark side of society also saw a great opportunity to wreak havoc among the good people of the world. Soon after the computer virus, Trojan horse, and malware of all kinds were born. The good people responded with anti-virus and anti-malware software, and yet a new industry was born of the PC. And so, the battle has raged for decades.
Today, the war between good and evil has gained a new battlefield. But this theater of war is not focused on PCs, and common defenses don’t work. At the current time, more malware is written to attack mobile devices than are targeted at PCs. The Android OS is a malware target and a new report suggests that the situation will certainly worsen. According to a new report released by Kaspersky almost all (99.9%) of the new mobile malware detected in 2013 is designed to infect Android phones. The vast majority of the malware will be in the form of Trojan viruses which are often used to target specific groups, and SMS Trojans which are designed to steal money. Kaspersky reported an increase in all mobile malware as well. In the first quarter of 2013 the firm detected half the number of new malware that was detected in the entire year of 2012.
Why Android? It is simple – volume. Just as Windows was the predominant OS for PCs, Android has a majority of the mobile computing device market (or MCD’s as I named them in an article in the December 2012 ITAK). According to two analyst firms, 150 million tablets will be sold globally this year, with an estimated market value of $64 billion. IDC estimates nearly half of all tablets shipped in 2013 will use the Android OS. Any developer will tell you that it is most profitable to write code for the market leader. Malware developers are no different.
Clearly, the movement toward MCDs has drawn the attention of the malware community, cyber-criminals and their ilk. Worse, they are taking advantage of the new propensity for users to do everything (well almost) with their MCDs. To complicate matters, users are under a false sense of security when using their MCDs. After all, it’s not a PC, and only they get malware. (That’s kind of like believing that your phone calls and emails are really confidential.)
“Said the Spider to the Fly”
“But I’m careful,” you say. Unfortunately “careful” doesn’t cut it anymore. Distributors of mobile malware actively lure unsuspecting users into their web, often using established app stores. One recent report noted that cybercriminals are rapidly adopting new distribution methods and building Android-focused malware services. The number of mobile threats increased by nearly 50 percent during the first calendar quarter of 2013 and nearly all of those threats target the Android platform. In the past Android malware writers have tricked mobile users into installing malicious applications on their devices by passing them off as legitimate apps. According to security researchers, the new email-based distribution method now extends the risk of malware infection to Android users who are also regularly checking email from their phones and tablets.
Malware distributors often prey on the users’ basest instincts – getting something for nothing (A.K.A. free apps) and their prurient interests. For instance, Symantec discovered Android-based one-click-fraud apps that tempt victims with porn and then force the user to pay a ransom to avoid embarrassment. Worse, these apps appeared in Google’s app store in late January of 2013. Since then, the number has grown to over 200 published by more than 50 developers. But, the malware isn’t even stealthy. The user actually downloads the app, which is actually a vehicle to reach fraudulent porn sites. (Shame!) When it is launched the app opens the phone’s Web browser and takes the user to a site that claims to have information on the visitors and demands money to keep it private.
However, this is not the only example of how users invite the plague into their MCD. According to McAfee, as end users continually live their digital lives on smartphones and tablets, hackers are using innovative techniques to perform identity theft, commit fraud, and invade users’ privacy by accessing their mobile devices. The cyber-criminals use malicious apps, malicious software toolkits and drive-by downloads. The company also expects that the increasing use of Near Field Communication (NFC) technology will enable hackers to use NFC as a means for spreading malware. The report indicated that cybercriminals are inserting infected apps into legitimate app-sources including Google Play, and the Google app store. McAfee discovered that three quarters of the malware-infected apps were available from the Google Play store. The company estimates that the typical user has slightly less than a 20% chance of downloading a malware app. Nearly a quarter of the malware apps also contained suspicious URLs.
According to another study, the Android operating system is particularly vulnerable to malicious programs due to the combination of a lightly-regulated app store and an OS that allows applications significant access the underlying system of the device. The researchers discovered one malware title that they found to be “a significant development in the evolution of mobile malware.” Running inside multiple applications distributed by Google’s app store, the malware could have been installed in up to nine million Android mobile devices.
But, you say, I don’t use apps. It doesn’t matter. Even your digital camera isn’t safe. As camera makers have built-in Wi-Fi into their products, hackers have exploited the feature. Security researchers discovered that cameras with internet connectivity can be hacked and turned into spy cameras. In one exercise, the researchers were able to take complete control over the test camera. Furthermore, as cameras don’t keep logs, users will not be able to tell when a camera was illegally accessed. Even more disconcerting, the researchers discovered memory cards with WiFi connectivity are vulnerable as well.
If you like to use your personal MCD for business, don’t show your CIO this article. A malware-laden MCD can raise havoc inside an enterprise. For example, in California’s Anaheim Union High School District, the end of summer vacation was the start of malware season. Teachers and administrators, while off for the summer, used their school-issued MCDs to surf the web, read email, but rarely updated the MCD’s software. As they went back to school they brought malware with them. One piece of malware forced a complete re-install and upgrade of the district’s email software. Another infection required the district to shut down subnets to try to locate and isolate the virus. Each malware incident required hundreds of over-time hours, potentially causing other projects to slip.
To discourage staff from sourcing their own apps and bringing all kinds of malware to work, CIOs are moving to establish corporate app stores. According to a study conducted by Forrester study, over half of CIOs perceive shadow IT (the practice of employees buying their own software) as a threat to the enterprise. A separate Forrester study of nearly 10,000 workers found that the proportion of staff independently acquiring apps is about 20% of all employees. Forrester noted that the trend is becoming increasingly common, thus potentially exacerbating the overall risk to the enterprise’s IT infrastructure.
But regular rank and file employees are not the sole source of BYOD security problems. A Verizon report on data breaches noted that executives are most often targeted in “spear phishing,” attacks. Top level managers are targeted because they have access to proprietary information. Cyber-attackers target executives as they are typically the first people to be issued an MCD, and are exempt from company-wide security rules. According to the study they are also more likely than other employees to take a cyber-attacker’s bait, opening email or clicking links that can expose their firms to theft of proprietary data, intellectual property or personal information. Giving the boss a tablet or smartphone could be akin to giving the hackers the key to the front door of the company.
Privacy? What’s That?
There is another aspect of MCD security that doesn’t pose a risk to the device, only to the user’s privacy. This risk doesn’t use malware or viruses, but relies on adware and a “feature” built into the device itself. All too often users will unwittingly download adware onto their MCDs as part of a routine web-search. The adware interacts with the devices location services (GPS) and analyzes and reports the person’s movements. As this data is collected and correlated, the data is sold, allowing advertisers and others (competitors?) to profile the end user’s personal habits. This data can potentially be misused or exploited to the detriment of the individual.
Even worse, many locations passively capture the GPS signal and any other transmitted information (phone number, device identifier) and use it to track an individual’s movements throughout a building or finite location. Once again, this information can be sold and manipulated, all without the user’s knowledge or consent.
What’s a CIO to Do?
Most CIO’s would not take my approach of keeping the device devoid of apps, turned off and stored inside a lead-lined vault when not absolutely needed.
A more practical approach is to license one of the many mobile anti-virus applications that can scan the device for malware. MCD antivirus software proactively protects the device from malware through use of a firewall (monitoring incoming and outgoing data for malware) or through real-time malware scanning. Typically, the software scans the device’s ROM memory, text and email messages and web searches and downloads for malware. The software can also protect the data on the device in real time. It can encrypt email messages, calendars, contacts, files and provide password protection. MCD anti-malware software is available from the usual suspects, including Norton, Kaspersky and Trend Micro.
As is usually the case, education may be the best preventative. Educating employees about the dangers of careless downloads, “too-good-to be true” app offers, email contacts from people who just seem to be familiar and suspicious free apps can prevent a variety of infections. It’s kind of like washing your hands. A little prevention never hurts.