While researchers acknowledge the threat level is currently only small, they predict that as the use of such devices to connect to company networks and conduct mobile commerce increases, so the criminal gangs responsible for commercially-motivated PC malware will start to increasingly target smartphones and other mobile devices.
“The rise in threats to mobile devices is definitely real, although still a very long way from epidemic proportions,” said Rik Ferguson, senior security advisor at IT security firm Trend Micro. “The real message is about preparedness, 2009 has seen a limited number of new threats, but a significant increase in their complexity and criminal intent.”
Fraser Howard, principal researcher at SophosLabs, agreed: “Security threats will continue to grow and target mobile users. In a recent Sophos poll, 97% of people believe the iPhone will suffer from further virus attacks in the future. We don’t believe that the presence of mobile malware will increase significantly in the coming year. However, the malware will become smarter and evolve into more sophisticated threats.”
So how severe is the problem today? 2009’s headline-grabbing attacks on Symbian smartphones and iPhones were self-propagating. The former spread by SMS , harvesting users’ contact details and automatically sending themselves on.
Some variants tried to scam users into sending premium-rate text messages, others directed them to websites where they were tricked into installing malware or giving away personal information. There have also been variants which harvested users’ IMEI numbers, valuable to those cloning phones for criminal purposes.
The iPhone threat began with a worm dubbed Ikee, which changed the wallpaper of an infected device to a picture of 1980s UK pop sensation Rick Astley. Later variants had more sinister payloads: One stealthily stole users’ personal information, another also directed bank customers in Holland to fake ‘phishing’ sites.
However, all the iPhone malware to date has only been able to infect users who have ‘jailbroken’ their iPhones, bypassing Apple’s fairly rigorous in-built security – and of those, only users who hadn’t changed the default system password were vulnerable. Blackberrys, meanwhile, have so far remained immune to infection and Google’s Android mobile OS has not yet grown big enough to prove an attractive target for hackers.
Nonetheless, researchers maintain that despite current low levels of infection, businesses should take the threat seriously. Ferguson said: “Most handset operating systems prevent unauthorised code from being run, but users can disable this.
iPhones have a relatively secure architecture which prevents applications from seeing files other than their own, but again some users jailbreak their iPhone and install unapproved, unexamined apps, opening security holes. One thing still protecting mobile OSs from exploitation is the fact there is no dominant vendor, so no obvious target to go after. Once an OS attracts criminal intentions, you can bet more flaws will start showing up.”
There is also the ongoing threat that mobile devices could be used to smuggle PC-based malware onto corporate networks. “It is entirely plausible that Bluetooth and TCP/IP could be used to infect PCs from handsets. But the biggest malware threat in the corporate environment is from mobile devices transporting purely PC malware such as ‘autorun infections’. This is malware that spreads by copying itself to any kind of removable drive, including mobile devices.”
So how should you protect yourself? For starters, ensure users switch to Bluetooth ‘hidden’ mode. Mobile anti-virus solutions are also beginning to emerge, but they considerably slow down device performance and current threat levels don’t warrant widespread installation. In addition, many attacks employ more subtle ‘social engineering’ methods to obtain information, such as phishing scams.
Howard said: “Education is key to protecting yourself no matter the OS you use. Users need to know the risks of the device they are using. And, of course, it is important to install security patches when they are made available.”
Ferguson stressed users should always look a gift horse in the mouth: “Never accept or install updates or applications you haven’t requested and don’t require,” he said. Otherwise standard safe computing and corporate security policies should apply equally to handsets as to PCs, he advises.
“Be careful where you click, never respond to requests for personal information and don’t open or execute unsolicited messages unless you’re sure of their authenticity. In addition, don’t disable key security features of your mobile device, and as a minimum install web filtering software and encryption.”