Mobile malware has grown increasingly malicious and financially motivated and you can't let it catch you off guard. In this series, Lisa Phifer explores the history of mobile malware and explains how it can sneak into the back door of your enterprise. Phifer also discusses on-device defenses for mobile malware and how to extend traditional desktop security best practices out to your mobile workforce. In the final section of this series we'll take a look at in-the-cloud mobile malware defenses which include enterprise sync servers, network gateways and wireless services that incorporate mobile malware filtering.
- Mobile malware overview
- On-device defenses for mobile malware
- In-the-cloud defenses for mobile malware
|Mobile malware overview|
More than 400 mobile viruses have been documented to date, resulting in tens of thousands of infections worldwide. These numbers may pale in comparison with Win32, but Patrik Runald, Chief Security Advisor at F-Secure, believes they are a wake-up call. "At some point, the criminals now developing PC malware will start focusing on mobile devices," Runald said. "It's not a question of if, but when and how. I'm keeping a close eye on the iPhone -- it may be the tipping point that sets the mobile malware field afire."
That was then
Skeptics have long scoffed at the prospect of mobile malware. Why? The mobile market was too small to represent a worthwhile target. Mobile devices were too diverse and too limited to facilitate large-scale attacks. And mobile devices lacked the connectivity and infection vectors required to propagate malware rapidly, without depending on user interaction. To appreciate these impediments -- and how they're changing -- it's helpful to consider the history of mobile malware.
Palm Liberty was arguably the first, debuting back in August 2000. This Trojan posed as a patch to register Nintendo Gameboy emulator shareware but actually deleted all applications from the infected Palm PDA. Liberty failed to spread in the wild because it targeted a very small number of naïve users and immediately rendered any victims inoperable. In fact, Liberty was so unsuccessful that most antivirus companies begin their mobile malware signature lists with Cabir.
Symbian Cabir (the predecessor of 15 variants) was released in June 2004. This worm infects Symbian Series 60 smartphones by sending itself over Bluetooth connections. It requires the victim to open a messaging Inbox file and click Yes when prompted by the installer. Cabir then tries to spread by searching for nearby Bluetooth devices in discoverable mode. Although Cabir infections have been reported in more than 20 countries, most antivirus companies consider it low risk. Why? Cabir targeted a very popular device but propagated far too slowly, infecting just one phone per reboot. For most victims, Cabir's only adverse impact was battery drain.
Sibling Mabir had somewhat better reach, propagating over MMS instead of Bluetooth. Mabir listens for incoming MMS or SMS messages sent to the victim's phone, sending a copy of itself in an MMS response. Mabir overcame Cabir's geographic limitations (i.e., Bluetooth's short range), but still depended on social engineering and explicit user acceptance for activation.
In early 2005, Commwarrior (the predecessor of seven variants) improved on these techniques, both by searching for nearby Bluetooth devices and by sending itself via MMS to phone numbers in the victim's local address book. Commwarrior also sends randomly named files to avoid immediate user recognition and tries to cover its tracks afterwards. As a result, even though it still required user acceptance to install, Commwarrior was far more successful in propagating. More importantly, it caused financial damage by racking up MMS transmission fees. One operator reported that malware was responsible for 5% of its MMS traffic.
A pair of Pocket PC malware programs emerged around the same time as Cabir. Duts is a small, innocuous virus that runs on an ARM-based WinCE PDA. The user must invoke Duts and accept a threatening prompt ("Dear user, am I allowed to spread?") before the virus can attempt to append itself to all .EXE files in the current directory. Brador is an ARM-based WinCE trojan that copies itself to the Pocket PC's Startup folder, emails the victim's IP address to the author, then listens for incoming remote control commands. However, neither proof of concept propagated itself to other mobiles, and neither could be installed without active user participation. Mobile virus writers quickly returned their attentions to the OS with the biggest market share: Symbian.
This is now
According to F-Secure's Runald, approximately 98% of mobile malware programs identified to date are designed to run on Symbian. "Series 60 second edition is the primary target," Runald said. "The third edition pretty much kills off malware because of code signing."
Code signing makes it possible for software publishers to digitally sign their work, using credentials issued by a formal certification program like Symbian Signed, Microsoft's Mobile2Market, or RIM's Controlled APIs for BlackBerry. Mobile operating systems have also been upgraded to incorporate access controls that can prevent OS file tampering and sensitive function invocation by unauthorized applications.
Code signing is not a panacea, however. To prevent unsigned application installation, something still needs to check that signature. Often, this task still falls to end users, many of whom willingly accept unsigned software, downloaded from unfamiliar websites. As mobile trojans and worms grew beyond proof of concept, new malware stopped blatantly announcing itself as Cabir and Duts did. Instead, mobile malware has grown increasingly malicious and financially motivated:
- Symbian Skulls is a major family of trojans with 31 variants. Skulls overwrites all of the device's applications with non-functional versions -- except for those required to communicate. Skulls propagates by installing new, improved versions of Cabir. Later variants added Flexispy -- a spyware program called "phones" that locks itself to resist removal and records voice calls and SMS text, relaying that private information to an Internet server.
- Symbian Pbstealer is a trojan that builds upon Cabir's Bluetooth propagation mechanism. To trick users into installing it, Pbstealer poses as a shareware address book compaction utility. Instead, Pbstealer sends a copy of the victim's local address book to the first nearby Bluetooth device that it can find.
- In February 2006, the first J2ME trojan emerged as Redbrowser, a Java applet that masqueraded as a shareware WAP browser that could retrieve Web pages for free. Instead, Redbrowser sent SMS messages to premium numbers in Russia at a cost of $5 apiece.
- In December 2007, the Symbian Beselo worm started to spread itself via Bluetooth and MMS. Beselo is similar to Commwarrior, except that installation files are not identified by the usual .SIS extension. Instead, Beselo files are named with .MP3, .JPG, or .RM extensions, fooling users into opening these phony multimedia files, thereby installing Beselo.
- In February 2008, a new WinCE InfoJack trojan appeared, packed inside legitimate application installer packages like Google Maps, posing as an optional add-on. InfoJack disables Windows Mobile's installation security so that other unsigned applications can be installed without warning. It then sends the victim's serial number, operating system, and other information to a website in China.
- In March 2008, Symbian Series 60 second edition devices were targeted by MultipleDropper, a malicious program that arrives via Bluetooth or MMS, then installs Commwarrior, Beselo, and a new trojan, Kiazha. After sending an SMS to the malware's author, Kiazha attempts to extort $7 (RMB 50) as ransom, to be sent by the user through the Chinese IM network QQ.
Back to the future
These examples demonstrate both roadblocks that have impeded mobile malware to date and several ingredients necessary for mobile malware to flourish in the future.
Symbian in general, and the Symbian Series 60 second edition in particular, remain favorite targets because the target population is large and those older devices harbor exploitable vulnerabilities. Newer Symbian devices, including Series 60 third edition, cannot actually run many of these trojan and worm installers thanks to Symbian OS 9 Platform Security features like Capability Management and Data Caging.
As smartphones grow more sophisticated, however, they are likely to harbor new vulnerabilities that could be exploited by malware. Runald expects the iPhone to draw mobile malware because of its growing popularity and its relatively feature-rich operating system.
"Symbian was a mobile OS from the start," Runald explained. "The iPhone runs a cut-down computer OS. As mobile manufacturers bring out more of these sophisticated devices, they may have vulnerabilities that would let malware be installed without requiring user interaction." The latter is an important distinction, since mobile malware has so far relied on social engineering and user installation.
Runald also noted that there will be an element of prestige involved in hacking the iPhone. To illustrate, consider last summer's rush to "jailbreak" the iPhone -- that is, enabling third-party applications on otherwise operator-locked devices. While "jailbreaking" is NOT malware, unlocked devices will let users install shareware of unknown origin. This creates more opportunities (and thus a far more lucrative market) for malware writers. A similar "jailbreak hack" was recently developed for Symbian Series 60 third edition, which could open the door for a new generation of Symbian trojans.
Symbian has also been a favored target because it is an open platform, with published APIs and readily available SDKs. Clearly, it is important for operating system vendors to harden these open platforms against attack -- and it should be noted that all major mobile OS vendors are moving in that direction. Experience shows, however, that new interfaces are not always fully debugged on first release. Runald believes that early SDK security holes could play a role in future mobile malware -- not just for Symbian but for Windows Mobile, iPhone and (eventually) Android.
Finally, 3G, Wi-Fi, and mobile Web coverage are creating friendlier vectors for malware propagation. Bluetooth is inherently limited because worms need crowds to spread -- for example, the Cabir outbreak reported at a large athletic event in Helsinki in August 2005. Mobile messaging has wider reach, but per-message fees play a role in curbing massive outbreaks over MMS or SMS. On the other hand, Wi-Fi and 3G services can deliver near-continuous and "unlimited" high-speed Internet connectivity. Furthermore, handhelds like the iPhone with GUIs that encourage mobile Web surfing present more opportunities for Web-borne malware to be delivered as Java applets, and so on.
These factors, along with overall growth in smartphone business usage, suggest that mobile malware will eventually morph from background nuisance to noteworthy threat. When will that happen? Only time will tell. Is this your most pressing mobile threat today? No. But given the cost of malware cleanup and mobile workforce dependency on mobile devices, you may want to start thinking about how to protect yourself. In the next section we take a look at past and present mobile malware defenses.
|On-device defenses for mobile malware|
As workforces grow increasingly dependent on smartphones, mobile threats warrant serious consideration. As discussed in the last section, barriers are falling fast, at precisely the time when mobile users are becoming a bigger, juicier target. When the mobile malware "tipping point" is reached, will your organization be ready?
Mobilizing your malware defenses
Conventional Win32 malware defenses are commonly deployed on the assets they protect: PCs. Antivirus scanners, host intrusion detection programs, personal firewalls, and email spam filters are all designed to stop viruses, worms, trojans and spyware that prey upon desktops and laptops. These "on device" defenses are generally accepted security best practices, widely used by both businesses and individuals.
Early mobile malware defenses started down this familiar path. Antivirus scanners emerged for PDAs well before Symbian Cabir grabbed headlines back in 2004. But some of those products were just too early and were discontinued before mobiles were widely used, when "proof of concept" malware lacked the teeth to pose real risk.
Today, mobile antivirus scanners are experiencing a market rebound, stimulated by smartphone sales -- especially to businesses. Mobile antivirus products are now available from popular Win32 antivirus vendors (e.g., F-Secure, McAfee, Symantec, Trend Micro, Sophos) and "mobile specialists" like SMobile and Airscanner. Mobile antivirus scanners are even available for iPhone and BlackBerry handhelds.
Mobile antivirus scanners are not just Win32 programs, ported to mobile operating systems, however. Mobile scanners must employ different signatures and behavioral analysis rules to detect malware written for each mobile OS and (sometimes) device model -- Symbian Series 60 second edition, for example. They must also understand the vulnerabilities inherent in each operating and file system, and adapt to mobile platform limitations.
For example, periodic background scans (as opposed to real-time virus detection) may be used to conserve battery life. Or files may be scanned only upon arrival over Bluetooth, Wi-Fi or 3G wireless. Signature updates must be performed over the different kinds of interfaces available on smartphones, such as SMS, MMS, ActiveSync or OMA DM. These are just a few attributes to consider when choosing a mobile antivirus scanner.
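Scanning files on arrival is only useful if the scanner types a file by its content rather than by the extension it arrives with; the Beselo worm described earlier relied on exactly that gap, shipping installers named .MP3, .JPG or .RM. The following is an added example (not code from the article or from any of the vendors it names) of that content-versus-extension check in Python. The JPEG, MP3 and RealMedia leading bytes are the standard signatures for those formats; the two Symbian installer UIDs are written from memory and are an assumption here, so check them against the platform specification before relying on them. All sample files are constructed inline.

```python
"""Type incoming files by their content, not the extension they arrive with."""
from typing import Dict, List, Optional, Tuple

# Standard leading bytes for the media formats that Beselo-style installers impersonated.
MEDIA_MAGIC: Dict[str, List[bytes]] = {
    ".jpg": [b"\xff\xd8\xff"],
    ".mp3": [b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"],   # ID3v2 tag or raw MPEG sync
    ".rm": [b".RMF"],
}

# Installer signatures. ASSUMPTION (from memory of the Symbian format, not from the
# article): Symbian OS 9 SISX files begin with UID 0x10201A7A, and legacy SIS files
# carry UID2 0x10003A12 in bytes 4..7; both are stored little-endian.
SISX_MAGIC = (0x10201A7A).to_bytes(4, "little")
SIS_UID2 = (0x10003A12).to_bytes(4, "little")
INSTALLER_EXTS = {".sis", ".sisx"}


def extension_of(filename: str) -> str:
    """Lower-cased extension including the dot, or '' if there is none."""
    base = filename.rsplit("/", 1)[-1]
    return "." + base.rsplit(".", 1)[-1].lower() if "." in base else ""


def installer_type(data: bytes) -> Optional[str]:
    """Recognise a Symbian installer by its header, whatever the file is called."""
    if data[:4] == SISX_MAGIC:
        return "sisx"
    if len(data) >= 8 and data[4:8] == SIS_UID2:
        return "sis"
    return None


def classify(filename: str, data: bytes) -> Tuple[str, str]:
    """Return (verdict, reason) for a file arriving over Bluetooth, MMS or Wi-Fi.

    'allow'      - content agrees with the declared media type
    'scan'       - installer or unknown type: hand to the AV engine / install policy
    'quarantine' - declared type and real type disagree
    """
    ext = extension_of(filename)
    kind = installer_type(data)
    if kind and ext not in INSTALLER_EXTS:
        return "quarantine", f"{kind} installer disguised as {ext or 'no extension'}"
    if ext in INSTALLER_EXTS:
        return "scan", "installer: apply AV signatures and the install policy"
    if ext in MEDIA_MAGIC:
        if any(data.startswith(magic) for magic in MEDIA_MAGIC[ext]):
            return "allow", f"content matches declared {ext} type"
        return "quarantine", f"declared {ext} but content carries no {ext} signature"
    return "scan", "unknown type: hand to the AV engine"


# Constructed sample files: the second one is the Beselo trick, a SISX header
# hiding behind an .mp3 name.
SAMPLES: Dict[str, bytes] = {
    "holiday.JPG": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "ringtone.mp3": SISX_MAGIC + b"\x00" * 28,
    "clip.rm": b"not really a RealMedia stream",
    "game.sis": b"\x00\x00\x00\x00" + SIS_UID2 + b"\x00" * 8,
}


def triage_all() -> Dict[str, str]:
    """Verdict per sample file; the reasons are available from classify()."""
    return {name: classify(name, data)[0] for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        verdict, reason = classify(name, data)
        print(f"{name:14} {verdict:10} {reason}")
```

The ordering matters: the installer check runs before the extension is consulted, so a renamed installer is quarantined even when its fake extension would otherwise pass a media-signature test.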
Most desktop antivirus products have now morphed into multi-function endpoint security suites. A similar evolution is under way in the mobile malware world.
For example, the most popular mobile applications are messaging (email, SMS, MMS), and most malware is conveyed by unsolicited messages. Anti-spam and SMS/MMS blocking utilities can therefore go a long way toward thwarting mobile malware.
Similarly, many contemporary mobile malware programs are trojans, downloaded and/or activated by (naïve) users. Application blacklist/whitelist policy enforcement programs can help prevent users from making such mistakes, while checking digital signatures issued to legitimate software vendors by certification programs like Symbian Signed, Microsoft's Mobile2Market, or RIM's Controlled APIs for BlackBerry.
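What such a policy enforcement program decides, and in what order, is easy to get wrong, so here is an added example (not code from the article or from any product it names) of the decision logic in Python. It assumes the platform has already validated the package's signature chain and hands over only the signing certificate's fingerprint; the certificates, installer bytes and blacklist are all constructed stand-ins. The capability names are the Symbian OS 9 ones (ReadUserData, WriteUserData, NetworkServices).

```python
"""Enterprise install policy for mobile packages: blacklist, signer trust, default deny."""
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class Package:
    name: str
    content: bytes                       # installer bytes (constructed samples below)
    signer_fingerprint: Optional[str]    # SHA-256 of the signing cert, None if unsigned
    capabilities: List[str] = field(default_factory=list)

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


@dataclass
class InstallPolicy:
    blocked_hashes: Set[str]      # known-bad installers, matched by hash
    trusted_signers: Set[str]     # cert fingerprints of the certification programs we accept
    sensitive_caps: Set[str]      # capabilities an unsigned app must never receive
    allow_unsigned: bool = False  # True means "let the user decide", the S60 2nd edition model


def evaluate(policy: InstallPolicy, pkg: Package) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'allow', 'deny' or 'prompt'."""
    # 1. Known-bad first: a valid signature does not rehabilitate a blacklisted file.
    if pkg.sha256 in policy.blocked_hashes:
        return "deny", "package hash is on the blacklist"
    # 2. Unsigned packages: never grant sensitive capabilities, and only prompt the
    #    user if the policy explicitly permits unsigned installs at all.
    if pkg.signer_fingerprint is None:
        wanted = sorted(set(pkg.capabilities) & policy.sensitive_caps)
        if wanted:
            return "deny", "unsigned package requests " + ", ".join(wanted)
        if policy.allow_unsigned:
            return "prompt", "unsigned package; user must accept"
        return "deny", "unsigned packages are not permitted"
    # 3. Signed: the signer must be one the enterprise trusts, not merely any signer.
    if pkg.signer_fingerprint not in policy.trusted_signers:
        return "deny", "signed, but not by a trusted certification program"
    return "allow", "signed by a trusted certification program"


def fingerprint(cert_der: bytes) -> str:
    return hashlib.sha256(cert_der).hexdigest()


# Constructed stand-ins; no real certificates or installers are involved.
TRUSTED_CERT = b"constructed stand-in for a Symbian Signed CA certificate"
OTHER_CERT = b"constructed stand-in for a self-signed developer certificate"
KNOWN_BAD = b"constructed bytes of an installer already on the AV blacklist"

CORP_POLICY = InstallPolicy(
    blocked_hashes={hashlib.sha256(KNOWN_BAD).hexdigest()},
    trusted_signers={fingerprint(TRUSTED_CERT)},
    sensitive_caps={"ReadUserData", "WriteUserData", "NetworkServices"},
)
# Same policy, but with the user allowed to accept harmless unsigned software.
LENIENT_POLICY = InstallPolicy(
    blocked_hashes=CORP_POLICY.blocked_hashes,
    trusted_signers=CORP_POLICY.trusted_signers,
    sensitive_caps=CORP_POLICY.sensitive_caps,
    allow_unsigned=True,
)

SAMPLES = [
    Package("maps.sis", b"maps installer", fingerprint(TRUSTED_CERT), ["NetworkServices"]),
    Package("freegame.sis", b"game installer", None, ["NetworkServices"]),
    Package("wallpaper.sis", b"wallpaper installer", None, []),
    Package("phones.sis", KNOWN_BAD, fingerprint(TRUSTED_CERT), ["ReadUserData"]),
    Package("tool.sis", b"tool installer", fingerprint(OTHER_CERT), []),
]


def verdicts(policy: InstallPolicy) -> dict:
    return {pkg.name: evaluate(policy, pkg)[0] for pkg in SAMPLES}


if __name__ == "__main__":
    for pkg in SAMPLES:
        print(f"{pkg.name:14} {evaluate(CORP_POLICY, pkg)}")
```

Note that the only difference between the two policies is what happens to an unsigned package with no sensitive capabilities: the corporate policy denies it outright, while the lenient one falls back to the user prompt that the article identifies as the weak point.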
Although most desktop operating systems include basic personal firewall capabilities, mobile operating systems still do not. But many smartphones are now connected full-time to the Internet over high-speed wireless connections like EV-DO and HSDPA. Mobile firewalls can help block malicious traffic -- inbound and outbound -- to prevent mobile worm propagation (e.g., Beselo) and spyware back-channels (e.g., Flexispy).
Security suites that combine most or all of these defenses are now available for just about every mobile operating system. Examples include SMobile Security Shield, McAfee Mobile Security, Symantec Mobile Security, F-Secure Mobile Security, and Airscanner Mobile Security Bundle (spotting a trend yet?).
Managing mobile security
Individuals and small businesses can deploy mobile malware defenses directly onto their own smartphones and PDAs. Many on-device mobile security products are sold as shrink-wrapped software or downloadable installers that require little or no configuration. They are also supplied by carriers as downloads and along with new smartphones.
Larger enterprises may want to provision and maintain mobile antivirus, anti-spam, intrusion detection, and/or firewall measures as part of a centrally managed mobile security solution. In that case, malware defenses can play a role in a bigger picture that includes mobile device activation, authentication, access control, encryption, activity monitoring, and backup/restore. For example, Sybase iAnywhere includes a security manager that can be used to deploy authentication, encryption, antivirus, and/or firewall defenses to a fleet of corporate mobile devices.
These on-device defenses may be relatively new products, designed for contemporary mobile operating systems, but they really extend traditional desktop security best practices into the mobile workforce. This is not only possible, but absolutely necessary, for certain security measures -- on-device encryption is a perfect example.
Some defenses could also be applied "in the cloud," however, to protect corporate networks, applications and data assets from mobile malware threats. We'll discuss those complementary approaches in the next section of this series.
|In-the-cloud defenses for mobile malware|
Mobile antivirus programs apply laptop best practices to PDAs and smartphones, but there are many other ways to protect corporate assets from mobile malware. Complementary "in the cloud" defenses include enterprise sync servers, network gateways and wireless services that incorporate mobile malware filtering.
Learning from experience
Our decade-long fight against Win32 malware has shown that PC-resident virus/spyware scanners and spam/phishing filters are necessary but inefficient. Keeping those programs and signatures current has become an onerous, time-sensitive chore.
Of course those PC-resident scanners and filters have not gone away. But most enterprises now back them with server-based and network-edge antivirus and antispam solutions. These added measures can stop most malware before it reaches desktops and laptops, increasing IT control, improving user productivity and reducing the risk of infection.
Fortunately, PDAs and smartphones are well-positioned to leverage enterprise server and network defenses. As wireless connectivity grows faster and more ubiquitous, most mobile threats will be delivered "over the air," passing through an enterprise mail server, mobile application gateway or remote access concentrator. Those enterprise-operated platforms provide a golden opportunity to apply centrally administered mobile malware defenses.
- If your business already blocks spam and phishing messages at a Microsoft Exchange, Lotus Notes or SMTP Server, those same measures can be applied to email sent and received by mobile handheld devices. Require mobile workers to check email using this secure path, and discourage or actively block mobile access to personal POP/IMAP mailboxes that bypass these corporate defenses.
- If your company uses a Web proxy, network firewall or unified threat management platform to block high-risk Web activity (e.g., visiting phishing websites, downloading spyware), consider using mobile browser proxy rules or VPN tunnels to redirect all handheld Web traffic through that same control point. Here again, the goal is to stop mobile users from getting themselves into trouble through unprotected Web surfing (including webmail).
From a traffic engineering perspective, such solutions are suboptimal. Back-hauling all mobile email and Web traffic through your corporate network increases bandwidth consumption and latency. Furthermore, today's network and server antivirus scanners may not spot mobile-specific viruses. However, these approaches let you take advantage of existing IT-managed defenses to defeat a big chunk of mobile malware, without requiring handheld software purchase, installation or maintenance.
Looking outside the box
Enterprise server and network security platforms lie beyond the reach of many small businesses. But all users -- even individual consumers -- can tap spam and phishing filters that accompany hosted email services provided by ISPs and wireless network operators. In some cases, those external antimalware services can actually deliver broader protection.
For example, today's smartphone and cell phone users spend more time communicating via text messages than email. Enterprise servers and firewalls can filter mobile email, but only wireless network operators have the vantage point to apply spam and phishing filters to those SMS and MMS messages -- including mobile-to-mobile messages.
According to Cloudmark chief technology officer Jamie De Guerre, over 30% of all mobile email messages processed in North America are now spam. In China, over 50% of SMS messages carried on mobile networks are spam; in Japan, that scourge tops 80%. Using a technology like Cloudmark Authority to block these unwanted messages inside the operator's network (including those from spoofed addresses) can reduce traffic load, intercarrier roaming costs and billing adjustments.
Doing so is clearly in the network operator's best interest, but why should employers care about SMS spam and phishing? Whether malware arrives by email, SMS or Bluetooth, it threatens the integrity of the mobile device and the privacy of any corporate data that resides on it. Mobile attackers have started to exploit SMS as a largely unmonitored and unprotected communication path. Targeted SMS identity thefts have already been launched against consumers with considerable success. Can "smishing" attacks aimed at the corporate executives who carry smartphones 24/7 be far behind?
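The operator-side filtering described in the last two paragraphs combines content signals (a link, a brand name pointing at a foreign domain, urgency language, a request for a PIN) with a signal only the network can see: the same message body arriving for thousands of subscribers. The following is an added example in Python, not code from the article and not Cloudmark's technology, of a simplified scorer of that kind. The brand registry, thresholds, weights and sample messages are all constructed; the domains use the reserved `.example` TLD.

```python
"""Carrier-side SMS filtering: score each message on content and volume signals."""
import hashlib
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed brand registry: a brand keyword and the domain its links should use.
BRAND_DOMAINS: Dict[str, str] = {"examplebank": "examplebank.example"}

URL_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)
URGENCY = ("urgent", "suspended", "immediately", "within 24 hours", "verify")
CREDENTIAL_WORDS = ("pin", "password", "account number", "passcode")
BAIT_WORDS = ("free", "win", "prize", "claim")

BULK_THRESHOLD = 50   # identical bodies seen network-wide before we call it a campaign
BLOCK_AT, FLAG_AT = 5, 3


def has_word(text: str, phrase: str) -> bool:
    """Whole-word match, so 'within' does not count as 'win'."""
    return re.search(r"\b" + re.escape(phrase) + r"\b", text) is not None


class SmsFilter:
    def __init__(self) -> None:
        self.seen: Counter = Counter()   # body fingerprint -> copies seen so far

    def score(self, sender: str, body: str) -> Tuple[int, List[str]]:
        text = body.lower()
        score, reasons = 0, []
        hosts = [h.lower() for h in URL_RE.findall(body)]
        if hosts:
            score += 2
            reasons.append("contains link")
        # Brand named in the text or sender ID, but the link goes somewhere else.
        for brand, domain in BRAND_DOMAINS.items():
            if brand in text or brand in sender.lower():
                spoofed = [h for h in hosts if not (h == domain or h.endswith("." + domain))]
                if spoofed:
                    score += 3
                    reasons.append(f"claims {brand} but links to {spoofed[0]}")
        hits = sum(1 for w in URGENCY if has_word(text, w))
        if hits:
            score += min(hits, 2)
            reasons.append("urgency language")
        if any(has_word(text, w) for w in CREDENTIAL_WORDS):
            score += 2
            reasons.append("asks for credentials")
        if any(has_word(text, w) for w in BAIT_WORDS):
            score += 1
            reasons.append("prize bait")
        # Volume: the operator sees every copy, so a campaign stands out by repetition.
        fp = hashlib.sha256(text.encode()).hexdigest()
        self.seen[fp] += 1
        if self.seen[fp] >= BULK_THRESHOLD:
            score += 2
            reasons.append("bulk campaign")
        return score, reasons

    def verdict(self, sender: str, body: str) -> str:
        total, _ = self.score(sender, body)
        return "block" if total >= BLOCK_AT else "flag" if total >= FLAG_AT else "deliver"


# Constructed sample traffic.
PERSONAL = ("+15550100", "Hello, running late, see you at 7")
SMISH = ("ExampleBank", "URGENT: Your ExampleBank account is suspended. Verify your PIN at "
         "http://examplebank-secure.example.net/login within 24 hours")
GENUINE = ("ExampleBank", "Your ExampleBank statement is ready at "
           "https://www.examplebank.example/statements")
BAIT = ("+15550199", "Win a free phone! Claim your prize at http://prizes.example.org")


def demo() -> Dict[str, str]:
    """Verdicts for the samples, with the bait message replayed as a campaign."""
    f = SmsFilter()
    out = {"personal": f.verdict(*PERSONAL), "smish": f.verdict(*SMISH), "genuine": f.verdict(*GENUINE)}
    campaign = [f.verdict(*BAIT) for _ in range(BULK_THRESHOLD)]
    out["bait_first_copy"], out["bait_50th_copy"] = campaign[0], campaign[-1]
    return out


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:16} {verdict}")
```

The genuine bank message scores for its link but nothing else and is delivered, while the bait message is only flagged until the fiftieth identical copy tips it into a block; that repetition count is the signal an enterprise mail gateway never gets to see for mobile-to-mobile SMS.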
Filtered messaging services can stem the tide of spam and put a damper on social engineering attacks, but they can't address every mobile malware threat all by themselves.
For example, the iPhone is ushering in a new generation of handheld devices that make mobile Web not just possible but palatable. As mobile Web traffic grows, network operators will need to batten down the hatches on this vector too, using in-the-cloud content security gateways to block Web-borne malware on behalf of their subscribers.
Moreover, in-the-cloud security services cannot mitigate threats that bypass corporate and provider networks altogether. Many mobile worms and Trojans to date have been propagated through Bluetooth peer-to-peer communication and removable memory cards. On-device defenses are the only reliable way to stop these "out of band" attacks.
The bottom line: Don't let handheld software budgets and mobile device management barriers stop you from addressing mobile malware threats. Take this opportunity to establish a first line of defense by reusing network and server countermeasures you already own and can easily control. Complement them with wireless network services that incorporate antimalware measures. That way, when the mobile malware tipping point finally arrives, you'll already have two out of three bases covered.
About the author: Lisa Phifer is president and co-owner of Core Competence, a consulting firm focused on business use of emerging network and security technologies. At Core Competence, Lisa draws upon her 27 years of network design, implementation and testing experience to provide a range of services, from vulnerability assessment and product evaluation to user education and white paper development. She has advised companies large and small regarding the use of network technologies and security best practices to manage risk and meet business needs. Lisa teaches and writes extensively about a wide range of technologies, from wireless/mobile security and intrusion prevention to virtual private networking and network access control. She is also a site expert to SearchMobileComputing.com and SearchNetworking.com.
This was first published in September 2008