Since at least the time of the iPhone’s introduction in 2007, mobile phones have been moving toward their inevitable evolutionary destiny of becoming full-on handheld computers, complete with complex operating systems, the ability to run multiple applications and store large amounts of data. And for just as long, researchers have said that the attackers would begin focusing on mobile platforms as soon as they could figure out a way to make money on it. That time appears to be now.
The appearance last week of the Android SMS Trojan, which fires off multiple text messages to premium rate numbers controlled by the attackers, is the latest and perhaps most prominent example of efforts by online criminal groups to make money from attacks on mobile devices. But the Android Trojan isn’t the first such attack and it most definitely won’t be the last, experts say.
“I think it’s going to track right along with the market penetration of smartphones. As we see a higher percentage of smartphones, we’re going to see more attacks,” said Tyler Shields, a security researcher at Veracode. “That stuff will continue to increase because we’re seeing a high quality of targets. Everybody and their grandmother is buying a smartphone and it’s because they want the apps. We’ve hit that tipping point. It’s a completely untapped market where nobody is doing security.”
The Android SMS Trojan, which is known as FakePlayer, is a twist on a flavor of fraud that’s fairly common in Eastern Europe and Russia. The scams typically involve a drive-by download attack in which a piece of malware is loaded onto a PC. The malware, called an SMS blocker, then acts like a normal piece of ransomware, producing alerts that tell the user he must send an SMS message to a premium rate number in order to remove the dialog boxes and the ransomware. Other variations show a pornographic photo or a warning that the user’s Windows license has expired. But the demand is the same: an SMS message to a number that can cost $10.
The appearance of the FakePlayer Android Trojan can be seen as the opening of a new front in the war between attackers and defenders. The Trojan isn’t really a piece of traditional malware in the strictest sense of the word. It doesn’t take any malicious actions on the device itself, doesn’t make any changes to the smartphone’s OS or delete any data. Instead, FakePlayer is about one thing and one thing only: straight cash.
The evolution of attacks and malware targeting mobile devices is paralleling the history of attacks on PCs, but the attackers are moving at a much faster pace than the rate at which they developed new tactics for compromising desktop machines. The innovation that’s occurring in mobile attacks is outpacing the state of the art in mobile defenses by a wide margin right now, and much of that can be laid at the feet of the smartphone platform developers–Apple, Google, RIM, et al.–who are making precisely the same mistake that PC software vendors made decades ago: racing to jam more features into the platform and paying little attention to security.
“There are clear paralells between what’s happening on the mobile platform and the PC attacks in the flash worm days. People were testing the various platforms, like IIS and SQL Server, to see what was possible,” said Jon Oberheide, a security researcher and founder of security start-up Scio Security. “The attackers are feeling it out to see how much money it takes to get a return on their investment. They’re trying to see what issues can be exploited.”
One reason that attackers have turned their attention to smartphones recently is that desktop software vendors, most notably Microsoft, have added security mechanisms that have made exploitation more difficult. The addition of memory protections such as ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention) to Internet Explorer have made memory-corruption attacks far more challenging, which has taken away some of low-hanging fruit of browser-based attacks.
On mobile platforms, these kinds of security mechanisms either are non-existent or not fully implemented. And recent attacks have shown that the mobile browser on devices such as the iPhone are becoming prime attack vectors. The most prominent example is the Jailbreakme.com scenario, in which a researcher set up a site that would jailbreak iPhones by chaining together a couple of previously unknown vulnerabilities affecting the iPhone. The payload in this case was benign–simply jailbreaking the iPhone–but an attacker easily could have set up a similar site that delivers a malicious payload.
“The actual chaining of exploits in that case was not trivial. It shows that an increasingly hardened OS is pushing up the level of exploitation to make this harder,” Oberheide said. “All of the hardening mechanisms being applied to desktops aren’t the greatest on mobile. A lot of platforms aren’t taking advantage of this. Maybe we’ll have developers doing this soon. They could tout it as a competitive advantage.”
But even in the Jailbreakme.com case, the return on the attacker’s investment of time and effort may be fairly low, as it would be dependent upon luring iPhone users to the site. The more problematic and easily executed attacks involve simply getting a malicious application into one of the mobile app stores, something that’s already become a problem.
Both Oberheide and Shields have experience executing this attack, albeit with benign proof-of-concept applications. Shields created a spyware app for the BlackBerry called txsBBSPY, that is able to intercept text messages and emails and track a user’s location. He then was able to get the app into the BlackBerry App World application marketplace with little effort. Oberheide performed a simlar trick on the Google Android Market with an app called RootStrap, an app that installs a rootkit on Android devices that periodically downloads native ARM code from a remote server. The app was disguised as a preview of a Twilight movie and more than 200 people downloaded it from the Android Market.
As things stand now, the relative weakness of the smartphone platforms’ security, combined with the app store problem, are making iPhones, BlackBerrys and other mobile devices prime targets for attackers. And experts don’t see a lot of hope on the horizon.
“There’s a choke point there in the app stores. Attackers are going to get their stuff into the app stores,” Shields said. “The vendors really need to do some analysis to ensure that the apps do what they’re supposed to do. But that’s easier said than done. If you look at the difficulty, what I did was the easiest of these attacks, Why spend time on advanced GSM research when you can get a malicious app into the app store so easily?”
“There’s no question it’s easy to slip something into the app store. Why discover a new vulnerability in Webkit to exploit and load up a rootkit when you can do this?” Oberheide said. “We’ve learned a lot about secure platform design in the last few years, but we have the same traditonal problem of getting features out the door instead of focusing on security. We could have started with a very secure platform, a hardened kernel and application stack. We could’ve done it. But in reality, no one cares what we do. It’s depressing.”