Damballa found that in the first half of this year, the number of compromised Android devices communicating with known criminal command and control (C&C) networks grew significantly, topping out at 20,000 devices on two particularly nasty weeks. This marks a disturbing milestone in the evolution of mobile malware, since until recently, mobile exploits typically didn't involve a persistent takeover of the device and active communication with a C&C botnet. As the report concludes, "two-way Internet communication now makes the mobile market as susceptible to criminal breach activity as desktop devices."
Magnifying the risk is the fact that, as Damballa points out, many of these devices also join corporate Wi-Fi networks, where they largely fly under the radar of existing security controls and are thus ready agents for spreading malware to other internal systems, even PCs.
Just how easy is it to create and control an Android botnet? Georgia Weidman demonstrated it last winter at ShmooCon; she has also given an interview describing the technique, and her presentation is available for download.
Weidman's code inserts itself between the phone's modem and the rest of the telephony stack, so it sees every incoming text message before the messaging app or the user does, and it ingeniously uses SMS itself as the channel for controlling the underlying malware. SMS makes a great C&C channel, according to Weidman, since it's fault-tolerant (the carrier's store-and-forward infrastructure queues messages for later delivery if the device is unreachable), hard for security teams to monitor (it travels over the carrier's network rather than the corporate LAN, so enterprise monitoring never sees it), and, perhaps most importantly, power-efficient. That's critical because IP traffic, over Wi-Fi or 3G, is one of the biggest smartphone battery drains. By using a lightweight protocol like SMS, botnet operators can have a relatively chatty dialog with their slave devices without tipping the owners off that something might be amiss on their phones. The downsides are that a single SMS carries at most 160 characters (140 bytes of payload in the 7-bit GSM alphabet, or only 70 characters if the text needs UCS-2), and users may eventually notice messaging charges on their phone bills.
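To make the "between the modem and the telephony stack" point concrete, here is an added example (not Weidman's code, and not from the page) of what anything sitting at that boundary has to do: decode the raw SMS-DELIVER PDU that a GSM modem reports in an unsolicited +CMT: result code, then decide whether to act on the message silently or pass it up to the phone. The sample PDU is a constructed input (the widely reproduced "hellohello" test vector), the "#bot " command prefix is a placeholder since the page does not give Weidman's command syntax, and sms_budget shows the 160-septet / 70-character limit the paragraph mentions.

```python
"""Decode the SMS-DELIVER PDU that a GSM modem hands up in an unsolicited '+CMT:' result code.

Constructed example (not Weidman's code). Whatever sits between the modem and the
telephony stack sees every incoming message in this form before any app or the user does.
"""

# GSM 03.38 default alphabet, indexed by septet value (0x1B is the escape to the extension table).
GSM7_BASIC = ("@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ !\"#¤%&'()*+,-./0123456789:;<=>?"
              "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿abcdefghijklmnopqrstuvwxyzäöñüà")
assert len(GSM7_BASIC) == 128
# Extension table: each of these costs two septets (ESC + value).
GSM7_EXT = {0x0A: "\f", 0x14: "^", 0x28: "{", 0x29: "}", 0x2F: "\\",
            0x3C: "[", 0x3D: "~", 0x3E: "]", 0x40: "|", 0x65: "€"}

# Sample input (constructed): the widely reproduced 'hellohello' SMS-DELIVER test vector.
SAMPLE_PDU = "07917238010010F5040BC87238880900F10000993092516195800AE8329BFD4697D9EC37"


def sms_budget(text):
    """(encoding, units used, units per message): 140 octets hold 160 septets or 70 UCS-2 chars."""
    ext = set(GSM7_EXT.values())
    if all(c in GSM7_BASIC or c in ext for c in text):
        return "GSM-7", sum(2 if c in ext else 1 for c in text), 160
    return "UCS-2", len(text), 70


def _swap_semi_octets(hexdigits):
    """BCD digits travel low nibble first: '7238880900F1' -> '27838890001' (pad F dropped)."""
    return "".join(hexdigits[i + 1] + hexdigits[i] for i in range(0, len(hexdigits), 2)).rstrip("F")


def _unpack_gsm7(data, septets):
    """Unpack LSB-first packed septets (3GPP TS 23.038) and map them through the alphabet."""
    acc, nbits, i, vals = 0, 0, 0, []
    while len(vals) < septets:
        if nbits < 7:                 # one more octet always yields at least one septet
            acc |= data[i] << nbits
            nbits += 8
            i += 1
        vals.append(acc & 0x7F)
        acc >>= 7
        nbits -= 7
    out, esc = [], False
    for v in vals:
        if esc:
            out.append(GSM7_EXT.get(v, " "))   # undefined escape pairs render as space
            esc = False
        elif v == 0x1B:
            esc = True
        else:
            out.append(GSM7_BASIC[v])
    return "".join(out)


def decode_sms_deliver(pdu_hex):
    """Parse a mobile-terminated SMS-DELIVER PDU. No user-data header (concatenation) support."""
    h, pos = pdu_hex.strip().upper(), 0

    def octets(n):
        nonlocal pos
        pos += 2 * n
        return h[pos - 2 * n:pos]

    def address(n_octets):
        toa = int(octets(1), 16)
        prefix = "+" if ((toa >> 4) & 0x7) == 1 else ""   # type-of-number 001 = international
        return prefix + _swap_semi_octets(octets(n_octets))

    smsc_len = int(octets(1), 16)
    smsc = address(smsc_len - 1) if smsc_len else ""     # length counts the type-of-address octet
    first = int(octets(1), 16)
    if (first & 0x03) != 0 or first & 0x40:
        raise ValueError("only SMS-DELIVER without a user-data header is handled")
    sender = address((int(octets(1), 16) + 1) // 2)      # length field counts digits, not octets
    octets(1)                                            # TP-PID, irrelevant here
    dcs = int(octets(1), 16)
    ts = _swap_semi_octets(octets(6))                    # YYMMDDhhmmss
    tz = int(octets(1), 16)                              # quarter hours, sign in bit 3
    quarters = (tz & 0x07) * 10 + (tz >> 4)
    timestamp = "%s-%s-%s %s:%s:%s %s%02d:%02d" % (
        ts[0:2], ts[2:4], ts[4:6], ts[6:8], ts[8:10], ts[10:12],
        "-" if tz & 0x08 else "+", quarters // 4, (quarters % 4) * 15)
    udl = int(octets(1), 16)
    ud = bytes.fromhex(h[pos:])
    if (dcs & 0x0C) == 0x00:
        text = _unpack_gsm7(ud, udl)                     # udl = septet count
    elif (dcs & 0x0C) == 0x08:
        text = ud[:udl].decode("utf-16-be")              # udl = octet count for UCS-2
    else:
        raise ValueError("8-bit binary user data not handled")
    return {"smsc": smsc, "sender": sender, "timestamp": timestamp, "text": text}


def route_incoming(pdu_hex, command_prefix):
    """The decision a modem-side interceptor makes per message: act on it silently, or pass it up.

    The prefix is a placeholder; the page does not give Weidman's actual command syntax.
    """
    msg = decode_sms_deliver(pdu_hex)
    if msg["text"].startswith(command_prefix):
        msg["command"] = msg["text"][len(command_prefix):].strip()
        return "swallow", msg   # never reaches the Android telephony layer, so the user sees nothing
    return "forward", msg       # handed up unchanged


if __name__ == "__main__":
    print(route_incoming(SAMPLE_PDU, "#bot "))
    print(sms_budget("reboot;exfil contacts"))
```

Two things this makes visible that the paragraph only states: the message, sender, and timestamp are all recoverable from a few dozen bytes with no help from the operating system, so a proxy at this level needs nothing from Android and leaves no trace in its SMS database; and the whole command channel has to fit in 160 septets, which is why a bot operator would favour a terse command syntax over anything verbose.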
Installation follows the typical path of getting someone to install a Trojan app. Weidman sums up the significance of this attack vector: "If attackers can get the bot installed, they can remotely control a user's phone without giving any sign of compromise to the user." The malicious beauty of a smartphone or tablet bot is the very mobility of the host; its nomadic network transience exposes the malware to more victims ... sort of like a traveling salesman with tuberculosis.
With mobile devices the new frontier for cybercrime, some basic security advice bears repeating. Mobile malware is primarily spread through native apps, which largely explains why iPhone and iPad users are less exposed, shielded by Apple's curated App Store. In contrast, IT should educate Android aficionados to curb their download promiscuity, since the Android Market is open to anyone and does not review apps for security before publishing them. Sure, Android forces an app to declare the phone features it needs and shows that list to the user at install time, but the grant is all-or-nothing and nothing stops the app from abusing a permission once it has it. Even seemingly benign capabilities, like being able to send SMS text messages, can be deviously employed, as Weidman's botnet software makes abundantly clear.
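Since the permission list is the only thing an Android user gets to see before installing, the practical check is to read it the way a reviewer would. The following is an added example, not code from the page: it audits an AndroidManifest.xml (as obtained from a decoded APK) for the SMS patterns worth questioning in an app that has no business sending texts, namely two-way SMS permissions, SMS combined with network access, and a high-priority receiver for incoming SMS. Both manifests are constructed samples for a fictitious wallpaper app. Note that a bot which has inserted itself below the telephony stack, as Weidman's does, is not bound by the app permission model at all, so this check catches app-level SMS abuse only.

```python
"""Flag SMS-related permission and receiver patterns in an Android manifest.

Constructed example (not from the page); this is the kind of review to run on a decoded
APK's AndroidManifest.xml before an app is allowed onto a fleet of devices.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS   # ElementTree spells namespaced attributes as {uri}name

# Constructed sample: a 'wallpaper' app that asks for two-way SMS plus network access
# and registers a high-priority receiver for incoming SMS.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpaper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="Wallpapers">
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: the same app asking only for what a wallpaper app plausibly needs.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpaper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Wallpapers"/>
</manifest>"""

SMS_PERMS = {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
             "android.permission.READ_SMS", "android.permission.WRITE_SMS"}


def audit_manifest(xml_text):
    """Return a list of findings (strings); an empty list means nothing SMS-related stood out."""
    root = ET.fromstring(xml_text)
    perms = {e.get(A + "name") for e in root.iter("uses-permission")}
    findings = []
    if {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS"} <= perms:
        findings.append("two-way SMS (SEND_SMS + RECEIVE_SMS): can take commands and report back over SMS")
    if perms & SMS_PERMS and "android.permission.INTERNET" in perms:
        findings.append("SMS plus INTERNET: a second channel for command-and-control or data exfiltration")
    for recv in root.iter("receiver"):
        for filt in recv.iter("intent-filter"):
            actions = {a.get(A + "name") for a in filt.iter("action")}
            if "android.provider.Telephony.SMS_RECEIVED" in actions:
                prio = int(filt.get(A + "priority", "0"))
                findings.append(
                    "receiver %s handles SMS_RECEIVED at priority %d: sees incoming SMS before the "
                    "messaging app and, on Android before 4.4, can abort the broadcast so the user "
                    "never sees the message" % (recv.get(A + "name"), prio))
    return findings


if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, audit_manifest(manifest) or ["no SMS findings"])
```

None of these findings proves an app is malicious; a legitimate messaging client needs exactly these permissions. The point is that a permission request is only meaningful in the context of what the app claims to do, which is the judgement the install-time prompt leaves entirely to the user.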
But iPhone users shouldn't get complacent. Apple's curated App Store is a useful shield against malicious native apps, but as the drive-by JailBreakMe exploit showed, a crafted web page is enough to compromise even iOS.
Aside from being wary of new apps from unknown sources, it's also important to maintain good mobile device security hygiene:
-- Store as little data as possible locally -- it's impossible not to have your contact list and cached email and browser sessions on a smartphone, but avoid storing copies of sensitive business documents.
-- Encrypt data in storage and in transit: use file encryption (or the built-in encrypted file system, as on iOS) for local storage, and a VPN for network connections over untrusted links, namely public Wi-Fi hotspots.
-- Finally, use a mobile device management service, either an enterprise product such as AirWatch, MobileIron, or Zenprise, or a consumer-oriented service like Apple's Find My iPhone or Lookout for Android, that can track and remotely wipe a lost or stolen device.