GovInfoSecurity.com - Information Security News, Regulations, & Education

Are You Ready for the Risk of Mobile Malware?

Security Experts: Mobile Phones, Services are the Next Big Targets
February 9, 2010 - Linda McGlasson, Managing Editor

The recent news that Nexus One smartphone owners were unable to send or receive data is just a precursor to what security experts say is the next big threat to mobile phones and services - mobile malware.

According to Dr. Markus Jakobsson, a noted security expert in the field of phishing and crimeware, mobile phones -- especially smart phones -- pose the next big headache for security professionals. And financial institutions should be particularly concerned about risks to mobile banking.

"Hackers target data that can be turned into cash, and mobile banking services are a prime spot for them to target," says Jakobsson, principal scientist at the Palo Alto Research Center (PARC), a commercial innovation center.

User behavior is part of the challenge. People who won't open a strange attachment to an email on their PC don't take the same precautions with their phones. "People have not connected that phones are computers, and that means they can get infected," Jakobsson says. "Especially since it is a social device, users get things from their friends so much more often on a smart phone."

The other issue is pure security. "Cell phones are a higher risk because they aren't well protected," he says.

How Risky?

At present, the possibility of malware infecting mobile phones is low. "There is no mobile malware to speak of," Jakobsson says. "But once the magnitude of the problem goes up, the traditional measures used to detect malware on Macs and PCs will not be able to handle the load without draining a cell phone's battery."

Worse, he says, the smart phone platform will surpass the regular Windows platform on computers and become the biggest target for hackers within three years. A 2009 projection by Credit Suisse analysts expected the smart phone market to balloon to around 1.5 billion units. By comparison, worldwide unit sales of all mobile phones in 2009 were about 1.2 billion, and worldwide unit sales of all PCs in 2009 were projected to be about 300 million.

These numbers mean that the malware writers will seize the opportunity to target mobile phones, Jakobsson predicts. "Malware writers are just crooked businessmen," he says. "I imagine they are working overtime to create malware for the smart phone platforms."

Hackers are already spreading malicious applications for the Android and iPhone platforms that try to steal banking credentials from unsuspecting users.

Potential Solutions

There are currently two kinds of countermeasures that could be used to detect malware on a smartphone. The first is signature-based. "Think of it as a party, and you have a bouncer looking at everyone's IDs before they can get in the party," Jakobsson says. "If their ID shows that they've behaved poorly at a previous party, they won't let them in."

The second is a behavioral detection model that can be compared to looking at what people are doing while they are standing in line to get into a party. "If they are fighting or throwing up, the behavioral detection model will not allow them in."

The drawback to these countermeasures is that both are extremely taxing on a phone's battery and will drain it if they have to check every attachment coming in, Jakobsson notes.

Software-based attestation has been researched for several years by several teams of computer scientists. Yet all prior software-based attestation methods have proven unsuitable for use on handsets. Solutions designed for embedded devices, for example, do not work on handsets. "The reason is that a malware agent on an embedded device cannot establish a radio connection to an external resource in order to cheat, whereas a malware agent on a handset can do that," he says.

Other solutions require too much computation for handsets, and are only practical on powerful computers. "And most of [the potential solutions] have been found to have some security flaw," Jakobsson says.

Experts: Mobile Security 'Meltdown'

Jakobsson isn't alone in warning of the potential dangers of unsecured smart phones.

Dr. Larry Ponemon, head of the Ponemon Institute, a noted privacy and information security research firm, also sees trouble ahead for entities seeking to secure their mobile phones. "Smart phones are computers with the capacity to capture and store significant amounts of information including network connection credentials," Ponemon says. "Our research shows that end-users of smart phones are more susceptible to surreptitious downloads -- including dangerous data stealing malware and botnets."

Also, organizations are finding it difficult to prevent end-users from downloading strange applications -- especially when the end-user owns the device. "In short, this is a perfect storm for a security meltdown," Ponemon says.



Question: How concerned are you about the risk of mobile malware?

"Since I buy the cheapest phone, I'm not too worried. I don't buy the smart phone or use internet on my phone at all. However I will keep my customers alert