
SECURITY – Special focus (1)


David Emm, senior technology consultant at Kaspersky Lab UK, assesses the real dangers of mobile malware and airborne viruses and outlines what can be done and by whom to check their progress.


These days there's little you can do with a laptop that you can't do with a handheld computer or mobile phone.  Which means that threats from viruses and malware traditionally associated with PCs are becoming of growing relevance to mobile users.

The trouble is, mobile devices are intrinsically less secure than PCs, operating outside the reach of traditional network security. But as they start to carry more and more valuable corporate data, the wireless devices and networks on which the mobiles ‘live' become a more attractive target for the writers of malicious code. The history of software development clearly shows that, time and time again, ease of access is delivered ahead of security…

Bluetooth

So how serious are the threats to mobile users and what forms do they take? Cabir, the first worm for mobile phones, appeared in June 2004 and has since appeared in more than 40 countries. It targets mobile phones running the Symbian OS and spreads using Bluetooth. Cabir set the trend for mobile malware as Bluetooth is the most common method for wireless transmission to other smartphones, PDAs and also laptops. Research from a colleague of mine – Kaspersky Lab's Alexander Gostev – for InfoSecurity 2006 found that 23% of mobile devices running Bluetooth are smartphones, 80% of which support its ‘Object Transfer' function, required for the spread of mobile malware.

The number of Bluetooth-enabled devices left in this ‘discoverable' mode is a real concern, and it is this that has led to the development of other malware following Cabir, like Comwar, Skuller, FlexiSpy, RedBrowser and others.

Trojans

We've also seen Trojans targeted at mobiles. A Trojan is a non-replicating program that appears to be legitimate but is designed to carry out some harmful action on the victim's computer. They can send, receive, execute and delete files, harvest confidential data from the machine, log activity on the machine and more.

Last April we saw the first Trojan spy for Symbian. Flexispy can take control of smartphones and send call information and SMS data to the author. And it soon became clear that the author was selling his creation to would-be phone spies for $50 a time. 

Social Engineering

How fast is mobile malware growing?  At the beginning of last year Kaspersky Lab was seeing between five and seven new threats per week, sometimes up to ten.  This has now actually dropped to between three and five per week. But the threat isn't going away – those that exist are spreading, and we're also seeing major qualitative developments, as malware writers develop their creations.

We are increasingly tracking mobile malware that requires some level of user interaction – you literally have to accept or open the virus for it to take effect, just as with standard email attachments. You'd think this option would hold malware back from spreading but that's not been the case – virus writers will ‘socially engineer' their attachments to look enticing to open, typically with some sort of topical ‘hook'.

The Comwar worm uses MMS to send itself to all contacts in a phone's address book, costing its owner around €0.35 for each message. Comwar uses a variety of enticing subject headers and message texts to entice victims into running the code including:

– ‘3DGame 3DGame from me. It is FREE !'

– ‘CheckDisk *FREE* CheckDisk for SymbianOS released!MobiComm'

– ‘Free SEX! Free *SEX* software for you!'

– ‘Happy Birthday! Happy Birthday! It is present for you!'

– ‘Internet Cracker It is *EASY* to *CRACK* provider accounts!'

We have found that 25% of users with mobile devices in discoverable mode accepted files transmitted to their devices using Bluetooth.  The same research also discovered that this figure rose significantly when the filename contained the word ‘sex'.

Crime

While the malware threat to mobile devices is currently nowhere near that of the PC world, there's a clear potential for disruption to business systems. It's clear from developments during the last four years that the computer underground has realised the potential for making money from malicious code in a world where Internet connectivity has become central to business. Today's threats are largely geared towards making money illegally: through fraud, unwanted advertising (including spam), theft and misuse of harvested personal or corporate data (including for extortion).

As mobile devices now offer users the same capabilities as PCs, they also offer the same ‘rewards' for the criminal underground. The relative lull in numbers of new malicious programs for mobile devices during the last few months is unlikely to mean a decline in mobile malware. On the contrary, the increasing complexity of smartphones, coupled with the widening market for these devices and their use for conducting online transactions, will certainly bring in its wake further mobile malware, particularly ‘crimeware' programs used to make money.

Responsibility

So where does the responsibility for action lie? Work has to be done on all sides. Firstly, network administrators need to be aware of malware threats to the mobile devices on their network and need to adapt their vision of a network to more of an open-space, trans-perimeter environment, one in which threat protection must extend beyond a fixed workplace to reach remote users and an increasingly mobile workforce.

At a policy level, businesses and network administrators need to make sure strict guidelines are in place covering remote working, and that all issues surrounding mobile devices are an integral component of their overall security strategy.

Users need to be aware of the ‘social engineering' tactics virus writers employ and – at the most basic level – not leave their phones in discoverable mode. And mobile manufacturers need to place increased emphasis on protecting their customers, while still enabling them to be always on, always on the move.

At the same time, companies like ours are tracking new malware and charting the spread of existing threats. We can also offer systems to cleanse and protect mobile devices, and in September launched a website optimised for PDAs and smartphones that contains a full encyclopaedia of mobile threats and how to protect against them.

The good news is that – possibly for the first time – technological development is in step with the evolution of the threat. So while mobile malware is not commonplace right now, it is more than likely set to grow as corporate information is increasingly accessed on the move. And systems to combat it will grow at the same time.

The Operator's Role

Imagine if mobile networks were like the Internet is today…we'd have viruses all over the place. "Or would we?" asks Gijs van Kersen.

Mobile networks are becoming more and more like the Internet – sharing both its advantages and disadvantages.

On the upside, the move from circuits (GSM today) to packets (3G and beyond) creates a whole world of exciting new services for the consumer, for businesses and for the operators. These services promise new revenue streams for operators to offset dwindling voice revenues.

But, on the downside, all these value-added services will only be used if they can be offered reliably. Sophisticated devices will only become popular if they can be protected from infections.

It's clear that the role of security in mobile networks is crucial today, and will only become more so. And it's the role of the operators to protect their networks in order to protect handsets and their users.

Operators have a fantastic opportunity to learn from the experience of Internet providers, and build a security system from the ground up. It's in their interest – service take up will improve with reliable access, and they can also avoid a vast increase in helpdesk calls from irate customers.

To achieve this, the network needs to be designed with services and security in mind (not as an afterthought the first time a virus hits the network). Some key examples of best practice include:

Use MPLS VPNs in the backbone network: VPNs are used to separate the different network functions and thus make them less exposed to attacks. Also the impact of a flooding attack on one function can be limited by constraining the bandwidth available to each VPN.

Separate all network functions with firewalls: In-line stateful firewalls should be deployed on all GPRS interfaces: Ga, Gi, Gp, Gn. These firewalls should be able to look inside the GPRS Tunnelling Protocol (GTP). Firewalls should also be deployed between the UMTS core network (Media Gateways and Softswitches) and peripheral servers (billing, OAM, content servers).

Add in-line IPS systems on peering and server interfaces: Traditional GPRS firewalls leave the most vulnerable network part unprotected: the applications. Only stateful IPS (Intrusion Prevention Systems) close this vulnerability. All external interfaces (to the Internet, to other operators, to corporate VPNs) should be protected with advanced IPS, which look at the application protocols and drop offending traffic automatically. Also interfaces to the server farms should be protected with IPS, potentially in combination with application acceleration devices.

Deploy security applications on all smartphones: While most viruses and malware downloaded over-the-air can be detected in the network by IPS devices, some viruses can spread from device to device (e.g. using Bluetooth or infrared connections). All mobile devices that run an open operating system such as Symbian, Windows Mobile or PalmOS should be sold only with a built-in security application that includes firewall and virus detection, just like PCs.
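To make the "look inside GTP" recommendation above concrete, here is a small added example (not code from the article, from Juniper Networks or from any operator) of what a GTP-aware firewall does before forwarding a packet on a GPRS interface: it parses the GTPv1 header (layout per 3GPP TS 29.060), rejects malformed headers whose length field disagrees with the bytes actually received, and applies a per-interface allow-list of message types. The policy table, the interface names used as dictionary keys and all sample packets are constructed assumptions for illustration; a real deployment would derive the policy from the operator's own interface design.

```python
"""GTPv1 header inspection in the spirit of a GTP-aware firewall.

Added example, not code from the article or from any vendor. The header
layout follows GTPv1 (3GPP TS 29.060); the per-interface policy table and
the sample packets are constructed for illustration only.
"""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

GTP_VERSION = 1
MANDATORY_HEADER_LEN = 8          # flags, type, length, TEID
GTP_C_PORT, GTP_U_PORT = 2123, 2152  # UDP ports for signalling / user plane

# Message types from TS 29.060 that this example recognises.
ECHO_REQUEST, ECHO_RESPONSE = 1, 2
CREATE_PDP_REQUEST, CREATE_PDP_RESPONSE = 16, 17
DELETE_PDP_REQUEST, DELETE_PDP_RESPONSE = 20, 21
G_PDU = 255

SIGNALLING = {ECHO_REQUEST, ECHO_RESPONSE, CREATE_PDP_REQUEST,
              CREATE_PDP_RESPONSE, DELETE_PDP_REQUEST, DELETE_PDP_RESPONSE}

# Constructed policy (an assumption, not an operator's real rule set):
# Gn (SGSN-GGSN) and Gp (roaming partner) carry GTP signalling and tunnelled
# user data; Gi faces external IP networks, so no GTP belongs there at all.
INTERFACE_POLICY = {
    "Gn": SIGNALLING | {G_PDU},
    "Gp": SIGNALLING | {G_PDU},
    "Gi": set(),
}


@dataclass
class GtpHeader:
    version: int
    protocol_type: int
    message_type: int
    length: int
    teid: int
    sequence: Optional[int]


def parse_gtpv1(packet: bytes) -> GtpHeader:
    """Decode the GTPv1 header, raising ValueError on anything inconsistent."""
    if len(packet) < MANDATORY_HEADER_LEN:
        raise ValueError("truncated GTP header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", packet[:8])
    version = flags >> 5            # top three bits
    protocol_type = (flags >> 4) & 1  # 1 = GTP, 0 = GTP' (charging)
    if version != GTP_VERSION:
        raise ValueError(f"unsupported GTP version {version}")
    if protocol_type != 1:
        raise ValueError("GTP' charging protocol, not GTP")
    sequence = None
    if flags & 0x07:                # E, S or PN set: 4 optional bytes follow
        if len(packet) < MANDATORY_HEADER_LEN + 4:
            raise ValueError("truncated optional header fields")
        sequence = struct.unpack("!H", packet[8:10])[0]
    # The length field counts every byte after the mandatory 8-byte header.
    payload_len = len(packet) - MANDATORY_HEADER_LEN
    if length != payload_len:
        raise ValueError(f"length field {length} != payload {payload_len}")
    return GtpHeader(version, protocol_type, msg_type, length, teid, sequence)


def filter_gtp(interface: str, packet: bytes) -> Tuple[str, str]:
    """Firewall decision for one packet: ('allow' | 'drop', reason)."""
    allowed = INTERFACE_POLICY.get(interface)
    if allowed is None:
        return "drop", f"unknown interface {interface}"
    try:
        hdr = parse_gtpv1(packet)
    except ValueError as exc:
        return "drop", f"malformed: {exc}"
    if hdr.message_type not in allowed:
        return "drop", f"message type {hdr.message_type} not permitted on {interface}"
    return "allow", f"message type {hdr.message_type} on {interface}"


def build_gtpv1(msg_type: int, teid: int, payload: bytes = b"",
                seq: Optional[int] = None) -> bytes:
    """Construct a well-formed GTPv1 packet (used only to make test input)."""
    flags = (GTP_VERSION << 5) | (1 << 4)
    extra = b""
    if seq is not None:
        flags |= 0x02               # S flag: sequence number present
        extra = struct.pack("!HBB", seq, 0, 0)  # seq, N-PDU, next ext header
    body = extra + payload
    return struct.pack("!BBHI", flags, msg_type, len(body), teid) + body


if __name__ == "__main__":
    # Constructed sample traffic, one packet per interface.
    samples = [
        ("Gn", build_gtpv1(ECHO_REQUEST, 0, seq=1)),
        ("Gp", build_gtpv1(G_PDU, 0x1234, b"\x45\x00\x00\x14")),
        ("Gi", build_gtpv1(G_PDU, 0x1234, b"\x45\x00\x00\x14")),
        ("Gn", build_gtpv1(ECHO_REQUEST, 0)[:2] + b"\x03\xe7" + b"\x00" * 4),
    ]
    for iface, pkt in samples:
        print(iface, *filter_gtp(iface, pkt))
```

The length check matters more than it looks: a stateful GTP firewall that trusts the length field blindly can be made to misparse the tunnelled payload, so the example treats any disagreement between header and wire length as a drop rather than trying to repair it.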

While 100% protection is not possible without completely isolating the network (all car accidents would be avoided only if our vehicles could just do 0 kph!), these measures will significantly reduce the risk of attacks. Taking action now on mobile network and device security will pay huge dividends for all. If nothing is done, it will only be a matter of time before the first "mobile network brought down by attack" headlines are published…

Gijs van Kersen is Mobile Marketing Manager, Juniper Networks EMEA
