Android users are now 2 1/2 times more likely to encounter malware than a mere six months ago, a report finds.

Kurt Marko, Contributing Editor

August 8, 2011


When it comes to mobile security threats targeting our smartphones and tablets, unlike in biology, evolution isn't a good thing. Instead of "survival of the fittest" think "drug-resistant bacteria," because threats adapt to our ability to block and treat them faster than we can develop new palliatives.

Such threat evolution and the increasing sophistication of mobile device malware was underscored by two events this past week: first, a report from Lookout Mobile Security, a provider of mobile security software, and second, this year's Black Hat security conference. While the threats get more menacing, users seem just as insouciant as ever. According to a survey by online shopping site Retrevo, only a third of smartphone owners even realize their devices can be infected with malware, while another third do nothing to protect data on their phones, and a shocking 51% of Android owners don't even use screen passwords.

The root of this apathy toward security stems from the evolution of the device itself. Unlike PCs, whose origins lie in complex, arcane, build-it-yourself machines only a programmer could love, smartphones trace their roots to one of life's simplest, single-purpose appliances: the telephone, a device even toddlers can operate. Thus, one can track progress in the PC as going in the direction of simplification (at least from the user's perspective; the guts of today's systems are unbelievably complex), while for phones, "improvements" have gone the other way, toward greater complexity. We've turned miniaturized, wireless handsets into handheld computers rivaling the functionality, adaptability, and, yes, hackability of full-fledged PCs. As the capabilities, programmability, and "attack surface" of mobile devices mirror those of PCs, so too do the threats. The findings in Lookout's report, which is based on data from its Mobile Threat Network collected from more than 700,000 apps and 10 million users and is thus quite exhaustive and authoritative, are alarming.

Lookout found that Android users are now 2 1/2 times more likely to encounter malware than a mere six months ago and that Web-based threats affect 30% of them each year. Furthermore, the survey shows the number of malware-infected apps increasing fivefold, to 400, in the first half of this year. While the statistics are striking, the company's analysis of the social engineering and obfuscation techniques used to distribute mobile malware is even more sobering. Since iOS has a strictly curated distribution model, i.e. unless you jailbreak the device you can't install an app on the iPhone or iPad without going through the App Store, Apple devices aren't susceptible to malware-infected apps (although, as the JailbreakMe exploit proved, hackers can still do a lot via the Safari browser). Thus, the scary stuff is happening in the Android ecosystem, where the freewheeling, community-policed Android Market is easily booby trapped.

A common technique is what Lookout calls "repackaging." As the company puts it, "Repackaging is a very common tactic in which a malware writer takes a legitimate application, modifies it to include malicious code, then republishes it to an app market or download site. The repackaging technique is highly effective because it is often difficult for users to tell the difference between a legitimate app and its repackaged doppelganger." This tactic is easier to understand in pictures, so view the flow chart illustrating the process (on p. 13 of the PDF).

More insidiously, malware malefactors will sometimes pirate legitimate, paid applications and offer them for free, albeit with a nasty extra payload. This preys on and exploits users' trust to gain additional system permissions for the malicious code (recall that Android apps must notify users when accessing various system resources, a notification that most users approve with about as much thought as clicking through the license agreement on a software installer), thus increasing its virulence. Update attacks are a variation on this theme in which the malware purveyor releases a free, untainted app to the marketplace as a Trojan horse. Once enough suckers install it, out comes an update that just so happens to include the malicious payload. Like all Trojans, this technique is particularly effective since most users configure their devices to automatically update installed apps. With enough patience, and a sufficiently compelling feature-set facade, hackers using this technique could infect hundreds of thousands of devices overnight.

Although malicious Android apps are the focus of Lookout's report, iOS owners can't be smug. Browser-based exploits, notably the aforementioned JailbreakMe site that can modify the iOS kernel, are an equal-opportunity plague. Malware is easily and efficiently distributed over the Web using what Lookout terms "malvertising," or advertising used to lure people into clicking through to a malicious site with a drive-by download -- namely a specially crafted page that starts downloading an app or document (e.g. a "specially crafted" PDF as per JailbreakMe) immediately, without user intervention.

Despite the sophistication of existing mobile malware exploits and distribution techniques, the people at Lookout believe this is just the beginning. "The mobile malware 'industry' is currently in its startup phase, with attackers experimenting with different distribution and revenue models. As the industry matures, we believe that there will be successful distribution and monetization patterns that emerge." Specifically, they see mobile malware being used to set up botnets, exploit mobile finance and payment systems, and abuse premium-rate text messages (essentially SMS 900-numbers). Being in the security software business and with a vested interest in sounding the alarm bells, Lookout obviously isn't an unbiased observer, but its conclusion that mobile malware is still in the nascent stages of dastardly development seems obvious.

So what's a smartphone user to do? A good start is applying some of that PC-honed skepticism to your mobile device usage. Don't download content, apps, or documents from untrusted sources like that Web link a friend just shared. Scrutinize the URLs of unfamiliar sites, particularly those asking for login information; don't get spoofed. Update your device firmware as soon as possible (unfortunately, for Android owners this is dependent on your carrier, and most are quick to roll them out). Finally, don't ignore odd behavior on your phone, such as strange incoming text messages, unexpected charges on your bill, suddenly sluggish performance, or decreased battery life.

In sum, when using a smartphone or tablet, apply the same watchfulness, vigilance, and skepticism you have when Web browsing or app downloading on your PC.

About the Author(s)

Kurt Marko

Contributing Editor

Kurt Marko is an InformationWeek and Network Computing contributor and IT industry veteran, pursuing his passion for communications after a varied career that has spanned virtually the entire high-tech food chain from chips to systems. Upon graduating from Stanford University with a BS and MS in Electrical Engineering, Kurt spent several years as a semiconductor device physicist, doing process design, modeling and testing. He then joined AT&T Bell Laboratories as a memory chip designer and CAD and simulation developer. Moving to Hewlett-Packard, Kurt started in the laser printer R&D lab doing electrophotography development, for which he earned a patent, but his love of computers eventually led him to join HP’s nascent technical IT group. He spent 15 years as an IT engineer and was a lead architect for several enterprisewide infrastructure projects at HP, including the Windows domain infrastructure, remote access service, Exchange e-mail infrastructure and managed Web services.
