The Coming Wave of Mobile Attacks

The pace of innovation on mobile phones and other smart wireless devices has accelerated greatly in the last few years, adding features, speed and computing power. But now the attackers are beginning to outstrip the good guys on mobile platforms, developing innovative new attacks and methods for stealing data that rival anything seen on the desktop, experts say.

For years there have been dire predictions from industry pundits about the coming wave of mobile malware, viruses and Trojans that would specifically target smartphones and PDAs, wreaking havoc on mobile devices. But that giant tide of mobile malware never materialized. There have been a few mobile viruses here and there, but for the most part attackers have decided to forgo those kinds of attacks and instead have focused on stealthy techniques that give them unlimited–and unnoticed–control of the device.

Banker Trojans targeting platforms such as the iPhone and Windows Mobile have appeared in recent months, and fake mobile banking applications have shown up in the app stores of some mobile platforms, as well. Those malicious applications look exactly like the legitimate banking apps produced by major international banks and are designed to capture users’ online banking credentials.

This particular attack vector–introducing malicious or Trojaned applications into mobile app stores–has the potential to become a very serious problem, researchers say. Tyler Shields, a security researcher at Veracode who developed a proof-of-concept spyware application for the BlackBerry earlier this year, said that the way app stores are set up and their relative lack of safeguards make them soft targets for attackers looking to maximize the effectiveness and reach of their malicious applications.

“App stores have good and bad things about them. Everything is in one place, which is nice. But the negative is that you have one point of distribution for potential threats,” Shields said. “If I can get past a single wall, I can potentially get lots of downloads very rapidly. How do users know the dangerous apps from the safe ones in the app store?”

As part of his research, Shields used the official controlled APIs provided by RIM, the BlackBerry’s maker, to develop his application, called txsBBSPY. He also signed the app using the keys provided by RIM. He didn’t try to get the app into the BlackBerry App World store, simply because BlackBerry users can load apps from anywhere, so it wasn’t necessary.

But it likely wouldn’t have been much trouble for Shields to do so, given the security models employed by these app stores. The companies, such as RIM, Apple and Google, that maintain app stores make no guarantees about the safety or quality of the apps, so users download and install them at their own risk.

“Without fail, no one thinks for a moment about what goes on behind the scenes of these app stores,” Shields said. “The owners of the app stores have a great choke point for enforcing security, but they don’t want to slow down the number of apps being sold. If you read the fine print, it’s download at your own risk.”

Shields and other security researchers and industry executives say that developing malicious mobile apps is likely to be the most popular and lucrative attack vector for cybercriminals in the coming years. The convergence of powerful mobile computing platforms such as the iPhone, Android and BlackBerry with the growing popularity of app stores and phones as mobile payment systems makes these attacks a layup for skilled attackers.

There’s no percentage in devoting valuable resources for several weeks or months to put together a sophisticated phishing scheme or other scam in the hopes of bagging a few hundred victims when you can use that time to develop a malicious mobile banking or shopping app that could attract tens of thousands of downloads in a matter of days.

“There are extremely technical approaches like the OS attacks, but that stuff is much harder to do,” Shields said. “From the attacker’s standpoint, it’s too much effort when you can just drop something into the app store. It comes down to effort versus reward. The spyware Trojan approach will be the future of crime. Why spend time popping boxes when you can get the users to own the boxes themselves? If you couple that with custom Trojans and the research I’ve done, it’s super scary.

“And generally the same personal data that’s on a PC is on a mobile phone. People are dropping 32 GB cards in there and using their phones as media servers. They’re serious computing devices. Non-technical people’s jaws drop when they hear about this stuff. They realize it’s possible on PCs, but they still haven’t come to grips with their phones being attacked,” Shields said.

It’s a new day for mobile threats, and the attackers have a big head start.

Discussion

  • Anonymous on

    "Banker Trojans targeting platforms such as the iPhone (...) have appeared in recent months"

     

    Really?  Because you seem to be the only 'expert' out there making that claim.  Can you point to one single instance of an iPhone App Store trojan or malware?  Nope, didn't think so.

  • Anonymous on

    Good to see the Apple fanboys spreading the gospel where there are seeds of doubt. However: http://www.tomshardware.com/news/iphone-virus-botnet-bank-details,9136.html Still don't think so? Or do you have another scripted comeback?
  • entropy on

    Err, that tomshardware article is about a trojan that only works on jailbroken iPhones, i.e. the trojan specifically did not get on the iTunes app store.

  • entropy on

    Not that it would necessarily be impossible to have some sort of call in an iPhone app, but the odds are it would get caught in the vetting process, using private APIs tends to have Apple look at the app very carefully, and if it got past the vetting process and a problem emerged, Apple could just hit the universal kill switch.

    It is a difficult issue: how paranoid do you have to be? Should iPhone apps ask every time a call is made?  That would get real tedious, almost Vista-like in annoyance.

     

  • ewall on

    I'd prefer to see an item or class-level permissions model similar to those enforced for Facebook apps (ironic, no?)-- before "installing" it, you are asked whether you give permission to read your status, contact info, friends list, etc. Thus, it's pretty easy to see which apps are likely to abuse their power, because they ask for access to data that has nothing to do with the function of the app.

    If this model were more widely-used, it would be easier for people to protect themselves by applying a little common sense. Of course, there are always those who ignore the questions and warnings by default, but that will happen whether you ask them once (Facebook apps) or a thousand times (MS Vista).

  • Anonymous on

    Mobile phones are just micro computers, they contain memory and an OS, therefore they are hackable, no matter who makes them.

    When it actually gets hacked is not a matter of hack difficulty, it's a matter of numbers.  While iPhones and apps are popular they still aren't as mainstream as banking websites.  It's still more economical for malicious hackers to target websites instead of web-enabled mobile phones.

    The simple fact is that as web-enabled mobile phones increase the number and complexity of phone targeted attacks will increase.

  • Anonymous on

    This article fails to mention the basic point of failure for the smartphones.  The end-user is ultimately the reason these attacks will be successful.  The platform makes no difference.  Windows Mobile, Android, IPhoneOS, etc. are all great platforms and when used with the basic configuration without any 3rd party applications installed they will work securely.  Not that anybody I know ever uses them in this manner.  Educating the users will be the best way to mitigate these types of problems but they will never be completely eliminated.  They will be the ones that could download the rogue applications, jailbreak their phones and forget to update their software if it is not done automatically for them.

  • Rikf on

    Apple appears to have the most vigorous app screening program today, but that is no guarantee the Apple screeners will never make a mistake. One poster mentioned that users should be responsible for making decisions about the safety of apps. On Android, there are over 100 capabilities an app can request, and a user is supposed to decide, by examining this list, that an app is safe? Users have not performed well at tasks like this. Symbian OS, used in more smart phones than iPhones and all Android phones combined, has had information stealing trojans that were signed by Symbian. Also, the granularity for capabilities is much simpler than Android, but this means that allowing access to any user database (contacts, email, etc.) provides access to all user databases in the case of Symbian OS. Symbian OS also allows the installation of any app, signed or not, and the user must decide if the list of capabilities is considered safe. Again, not something the average user is any good at doing.

  • EricDP on

    iPhones are definitely hackable. Even ones that aren't jailbroken. Just google for "cansecwest 2010 pwn2own" - lots of news reports about that zero-day hack. No computer is immune. It's just a matter of what the bad guys are targeting.

  • Anonymous on

    What about Trojan Dialers on phones which call international premium rate numbers? Does anyone foresee a mobile version of the circa 2004 global PC dialer epidemic?

