Ten years ago this March, the war on the mobile perimeter began – a worm called Cabir, the first instance of mobile malware, appeared in the wild, signalling the laying down of a whole new virtual battleground for cyber criminals. The worm affected phones running the once ubiquitous Symbian mobile operating system, and within a year had spawned whole families of Symbian viruses. By mid-2005, mobile trojans were already getting creative by spreading through mobile games and sending out premium SMS messages to take money from their victims for the first time.
Fast forward a decade, and mobile malware is more prolific than ever and growing in sophistication all the time. As the mobile landscape has broadened the pool of potential victims has expanded as well, and the rise of mobile working together with a lack of control over employees bringing their own devices into the workplace has been the malware writer’s dream come true. Symantec recorded a 69% growth in mobile malware instances between 2012 and 2013, and according to Kaspersky Lab nearly 145,000 new malicious mobile programmes were detected in 2013 alone- more than double that of the previous year.
Crafty new modes of attack, such as preventing a victim from accessing their data and demanding a ransom, are starting to be used to target mobile devices, with the first mobile ransomware trojan recorded in June this year. And we’ve already seen aggressive new breeds of malware able to take over a device’s screen, blocking input by the user.
‘Over the last few years we’ve seen malware, or more specifically its behaviour, change dramatically and I expect that to continue,’ predicts George Anderson, director at endpoint protection firm Webroot. ‘Modern malware is incredibly sophisticated in that it is built to ‘hide’ – it will infect a system and remain there, unnoticed and slowly impacting the business by stealing data, encrypting it or corrupting systems. Once it is spotted and the business acts to protect against that threat, developers then release a new variant of the malware.’
In an arena where attackers always seem to be one step ahead of their prey, IT departments are left to wonder how they can anticipate their next move in the ongoing fight to keep up, and how future generations of mobile malware will evolve. Experts have varying opinions on exactly what form these malware variants will take but they all agree on one thing- the opportunities for attack will grow as our devices become even more integral to our lives and businesses.
‘As mobile apps are rapidly becoming the preferred route to accessing bank accounts and stealing sensitive information, cyber-crime will ‘follow the money’, anticipates Anderson.
And as apps become the desired entry point for criminals, malware is getting far better at going undetected, taking the form of seemingly ‘innocent’ apps that secretly collect excessive amounts of information, or covertly jailbreak and gain control of the device. As consumers are increasingly accessing their social media profiles on the go, the risks of app-based malware look set to soar.
Tomorrow’s tech arms race
What we’ve seen to date is just the beginning- emerging mobile technologies such as identification tokens and mobile payments are opening bold new avenues of exploitation of our personal and financial data.
The whole point of mobile payments is to offer a quick and easy solution to making small payments with little additional authorisation- which can also be convenient for criminals.
‘Unfortunately, it is the ease and lack of additional authorisation which means that small payments can be extracted easily,’ explains Jonathan Jepson, head of mobile security for security specialists BAE Systems Applied Intelligence. ‘And whilst this may be a small amount per transaction it can amount to a lucrative scheme. It’s easier than pick-pocketing.’
It’s easy to see the attraction of this sort of technology for cyber criminals, but Jepson adds that these technologies can also be a tool to defeat cyber crime – ‘it’s about using the sum of the data to provide multi factor authentication to confirm the user is the true user.’
Biometrics is another technology designed to authenticate in a convenient way- but as it’s likely to be commonly used to authenticate payment in future, the need to protect the credential as well as ensure the operating environment is free of malware will be critical. As Brian Tokuyoshi, senior product marketing manager at Palo Alto Networks points out, the more of these technologies we add to our devices, the more information we are potentially giving hackers, and the more potential points of vulnerability we expose.
> See also: The mobile malware epidemic
‘The mobile device is perhaps one of the most environmentally aware computing platforms ever devised,’ says Tokuyoshi, ‘for nearly all of them already have the ability to ascertain location (through GPS or Wi-Fi positioning). It has onboard storage, communications (both over the network and sms), access to the user’s personal & business data, and the ability to record voice & video. The only thing that separates these tools from being used for productivity versus for surveillance & attack is the nature of the apps that run on it, and the motivations of the author.’
Businesses can go some way to protecting their customers’ data by ensuring they’re tackling potential weak points as early in the transaction process as possible.
The new reality
But as recent intelligence from analyst house Gartner asserts, prevention is just one step on the journey to mobile security. Companies need to acknowledge that there will be gaps in their endpoint protection and determined attackers will inevitably get in.
‘Today’s security strategies are dominated by a singular focus on breach prevention,’ says Jason Hart, VP cloud solutions at data protection firm SafeNet. ‘But, if history has taught us anything, it is that walls are eventually breached and made obsolete. With hacking attempts becoming almost a daily occurrence, being breached is definitely no longer a question of ‘if’ but ‘when’, so all companies need to adopt a ‘secure breach’ mind-set to ensure that data remains protected, should the worst occur.’
Therefore organisations need to make continuous detection and monitoring part of their security culture, staying on the ball beyond the all-important first layer of defence.
Signature-based anti-malware solutions are becoming less effective in particular when identifying apps with risky behaviour, ‘which is resulting in increased interest in behavioural analysis,’ explains Jared Carlson, principal researcher of application security company Veracode. ‘This compares an app’s behaviour against that of known malicious apps to identify the level of risk to the user.’
> See also: The advent of ‘insanely dangerous malware’
One thing is certain- today’s mobile security decisions need to be defined in different terms. The context, content and user of any given app across all traffic both web and otherwise have to be looked at, and detection and response has to be continuous.
Defence in depth
The best solutions for the mobile security problems of the next generation and beyond won’t be based on monitoring and detection in a vaccuum, however.
These tools ‘are best used as part of a defence-in-depth strategy and should be used to better identify what data and users are most at risk,’ emphasises Hart. ‘In that way, they can help enterprises identify new data to encrypt and what users need additional authentication measures.’
Defending in depth means taking a layered approach, with threat detection, monitoring and end point protection forming the strata. As Palo Alto Networks’ Tokuyoshi points out, though organisations are familiar with the ‘defend in depth’ tactic, they often struggle with this concept because there’s a fundamental disconnect between network security and endpoint security.
‘The ability to leverage the network to stop malware before it reaches the endpoint is a much better solution,’ he says. ‘The ability to leverage the cloud to gather malware samples and find new pieces of malware dynamically, combined with endpoint protection, is a much more effective approach to addressing security issues.’
One layer that can’t be neglected is the entry point to the mobile devices themselves- the human beings. No matter how sophisticated technology gets, good old fashioned social engineering is likely to be an issue for as long as there are people.
> See also: Old tricks appear in new malware
Mobile devices can make the detection of social engineering harder to spot, because users may not be as obvious of what the underlying URLs are behind a link when they receive a phishing email.
‘As a result, organisations often dismiss social engineering as something they can do nothing about, but getting the basics right, through user education and keeping your malware detection solution up to date, will provide a limited level of protection,’ says Jepson of BAE Systems Applied Intelligence. And as always, knowing about the breach is half the solution. ‘After that, it comes down to being able to identify when employees have been successfully targeted, and having a remedy plan in place that will mitigate the problem.’