Mobile malware hasn't yet grown to the problematic levels that once plagued Windows PCs back in the days before Trustworthy Computing. That doesn't mean mobile vulnerabilities aren't exploitable, though: Today's security researchers are not only creating and discovering proof-of-concept examples with real-world applicability, but they're finding in-the-wild samples, too.
Here's some of the most compelling evidence over the past year that shows mobile malware has bridged the gap from theoretical to practical.
One of the most successful banking Trojans of all time, Zeus, made the jump from PCs to mobile devices through the Zeus-in-the-mobile (Zitmo) spyware application. Prevalent on Android, Zitmo masquerades as a banking activation application and eavesdrops on SMS messages in search of the mobile transaction authentication numbers (mTANs) banks send via text to their users as a second form of authentication. Initially discovered in 2010, researchers last summer saw Zitmo gaining steam in the wild.
2. Mobile Botnets
Since 2009, Perimeter E-Security Research Analyst Grace Zeng has been exploring the possibilities of botnets consisting entirely of mobile devices. Naysayers told her it wasn't feasible, but last month she showed how realistic the possibility is with a presentation at WiSec 2012. Zeng presented her proof-of-concept design, which showed how devices could be infected through code hidden in games or system applications, and how command-and-control (C&C) communications could be passed through SMS made to look like spam. The hackers may well be ahead of her--researchers with NQ Mobile said last month that they discovered an Android bootkit that leverages root privileges and poses one of the first threats of mobile botnets in the wild.
3. CrowdStrike RAT Attack
Industry heavy-hitters George Kurtz and Dmitri Alperovitch made waves for their stealth startup CrowdStrike when they wowed the crowd at the RSA Conference in February by demonstrating how the company's research team reverse-engineered a Chinese remote access tool (RAT) to spy on a user's calls, physical location, apps, and data. The "end-to-end" mobile attack is delivered through a phony SMS message with a URL ostensibly leading to information about the user's need to renew service. The attack goes to show how thoroughly attackers can spy on users through commandeered mobile devices.
At a time when cybercrime has never been more prolific and sophisticated, budgets are being cut. In response, IT is taking a hard look using third-party services--outsourcing--to meet security challenges. Our Making The Security Outsourcing Decision report outlines the various security outsourcing options available. (Free registration required.)