As malicious code for mobile devices begins to generate revenue for malware authors, the number of threats targeting smartphones and tablets is set to increase dramatically.
This is the view of Richard Broeke from specialist IT security firm Securicom.
“The vast functionality and connectedness of today’s mobile devices allows consumers to do on their phones pretty much everything that they do on a PC,” Broeke says. “Even sensitive transactions like online banking and shopping on mobile devices have almost become the norm. But, as people increasingly use their mobile devices to connect, browse, communicate, transact and shop, so the opportunities for criminals to steal and generate revenue from mobile users grow.
“Smartphones, small as they may be, are powerful computers in their own right. People store vast amounts of information on their smartphones from personal details, contact information and photos, to business emails and information. Unfortunately, because security software and patches aren’t as routinely applied as they should be, they are easy targets for criminals.
“Mobile devices have the added advantage of having a direct line to a payment system, that being the owner’s phone contract. This offers additional ways for criminals to extract or steal money from them,” he says.
Citing statistics from Symantec, Broeke says there was a 58% increase in mobile malware between 2011 and 2012. This correlates with the increasing numbers of internet-connected mobile devices at play.
In 2012, there was a significant number of vulnerabilities reported that affected mobile devices. Symantec documented 415 vulnerabilities in mobile device operating systems in 2012, compared to 315 in 2011 and 163 in 2010 – an increase of 32%.
However, unlike with PCs, a higher number of listed vulnerabilities doesn’t indicate a higher level of threat because most mobile threats don’t use software vulnerabilities. Instead of exploiting vulnerabilities in mobile operating system software, most malicious code for mobile devices consists of Trojans that pose as legitimate applications or games. These are uploaded to mobile application marketplaces in the hope that users will download and install them.
Interestingly, Apple iOS had the most documented vulnerabilities, but it is Android that is the main target for mobile threats, accounting for 97% of new threats. This is because of its large market share, more open development environment and the multiple distribution methods available to applications that are embedded with malware. Information stealing tops the list of activities carried out by mobile malware, with 32% of all threats recording some sort of information in 2012.
But how do these threats affect the average user?
“Well it all depends on the ‘job’ of the malware that is unknowingly installed on your phone,” he says.
“Some pieces of malware are there to spy on users to gather information such as phone logs, user location and SMSes, while other pieces of code will install annoying adverts in the device’s photo albums and calendar, and sometimes even push messages to the device’s notification bar.
“Banking Trojans monitor devices for banking transactions, gathering sensitive details like passwords and account numbers. Then there is malware which causes a device to send out SMSes to premium-rate numbers. These costs are then charged to the user’s account. This is the quickest way for criminals to make money from mobile malware.
“So aside from a possibly degraded user experience and unusual charges on your phone bill, mobile malware could put you at risk of fraud and even identity theft,” he says.
Broeke says growing mobile threats are not only a concern for individuals, but for companies as well.
“Companies are by will or by default allowing their employees to use mobile devices for work purposes. The problem is that even if the devices are company-owned or employees’ own, they usually lack security features such as antivirus, encryption, access control and application control. When these aren’t managed, and employees are free to use mobile devices to store work emails, company data, and connect to the internet and company network, it puts company networks and information at risk.”
In much the same way that PC users have to be diligent about security, so should mobile users.
“Make sure that you have adequate security software installed on your mobile devices and ensure that you apply all security updates from your device manufacturer or service provider in a timely manner. Also, be aware of the risks of downloading rogue applications. If you are in any doubt as to the legitimacy of an application or game, don’t download it. Rather stick to apps from ‘official’ marketplaces,” he concludes.