Threats to mobile security

As people’s computing habits shift away from desktops and towards mobile devices, so has the attention of nefarious organisations trying to hack into their information. According to new research, smartphones and tablets are increasingly being targeted in spyware attacks, with many of the most popular platforms particularly susceptible.

Spyware has become a serious problem for computer users over the last 15 years, with increasingly advanced bugs designed to subtly attach themselves to users’ systems and glean particularly sensitive information.

The four typical types of spyware – Trojans, adware, system monitors and tracking cookies – are used to collect personal and often highly sensitive information from users – from bank details to emails. The capabilities of mobile-based spyware are equally worrying, with some able to tap into and record phone conversations, read SMS messages, and even record voice and video without the users’ knowledge.

This became a particular concern for companies that had highly sensitive information on their systems, which could be accessed by rivals through ‘cyber espionage’ – resulting in increasingly expensive and robust IT security platforms being implemented.

Going mobile
Now, new research by Israeli-based firm Lacoon Mobile Security has shown a stark increase in the number of mobile-targeted threats, creating greater risks for companies – especially those that allow employees to use their own smartphones to store company information.

Lacoon says there has been a rise in the number of Mobile Remote Access Trojan (mRAT) infections on smartphones, which have been able to bypass typical encryption services. mRATs are new types of spyware that mostly target third party applications users download onto their phones, but can also come in the form of email or SMS message attachments.

Lacoon conducted a series of tests with international mobile network providers that looked at two million users in October last year. It found that one in every 1,000 smartphone was infected: 52 percent of these phones were on Apple’s iOS platform, while 35 percent were found on devices running Google’s Android operating system.

The worry for users is that, although the likes of Apple and Google try to prevent people from having access to parts of their mobile operating systems that allow this sort of access, the latest wave of mRATs are capable of easily bypassing these barriers.

Getting around the guard
Companies use Mobile Device Management (MDM) solutions to manage and monitor the smartphones and tablets of their employees, attempting to ensure security is maintained. However, according to Lacoon, these are proving inadequate.

Ohad Bobrov, Chief Technology Officer at Lacoon Mobile Security, said in the report: “MDM solutions create secure containers that separate business and personal data on the mobile. The concept is to prevent business-critical data from leaking to unauthorised individuals.

…while the software may be installed on a single device, it can be used to target the whole organisation

“However, our research team demonstrated that mRATs do not need to directly attack the encryption mechanism of the secure container, but can grab it at the point where the user pulls up the data to read it. At that stage – when the content is decrypted for the user – the spyware can take control of the content and send it on.”

Lacoon says it tested the security of third-party apps to see if they could avoid the security protocols. Bobrov added: “To prove their point, our researchers adapted a similar method used by mRATs in the wild that intercept third-party applications such as [popular messaging service] WhatsApp.”

Business concerns
While the dangers posed to individual users are obvious, there are far greater concerns for organisations. Bobrov said: “The reason mRATs pose such a danger is that, while the software may be installed on a single device, it can be used to target the whole organisation for espionage purposes.”

Similar research was unveiled at last year’s RSA Conference in San Francisco. At the conference, which focused on IT security issues, two former executives at online security firm McAfee demonstrated how new remote access malware tools were becoming more prevalent and just how easy it was to access users’ smartphones.

George Kurtz and Dmitri Alperovitch, who have launched their own security firm called CrowdStrike, showed how a remote access Trojan was used to attack smartphones merely by sending a SMS message to a user. The hackers were able to record phone conversations, steal personal information, capture video, locate the user and track dialled numbers.

The pair carried out their demonstration on a phone running Google’s Android operating system and exploited a vulnerability in the WebKit-based Chrome internet browser. While this security flaw has since been patched, it shows the potential dangers posed by smartphones. WebKit-based browsers are common on all smartphone operating systems, including Apple’s own Safari.

Trojan war
Mobile Trojans are likely to multiply, as happened with those that spread across personal computers, because people’s computing habits have become ever more mobile, say Kurtz and Alperovitch. Users should become much more wary of the links they click on and what they download onto their smartphones – as well as maintaining the latest software pushed to them by their providers.

Bobrov echoes these thoughts, saying that, in order to ensure they maintain the security of their mobile devices, and therefore the sensitive data within them, companies must constantly be on top of what the latest threats are.

He said: “To mitigate these and other attacks aimed at the mobile devices utilised within the enterprise, organisations need to accurately assess the risk of mobile activity and actively protect against the emerging, targeted and zero-day attacks.”

Third-party software
Spyware became particularly prominent on personal computers as users became more accustomed to downloading software they had found on the web. Windows-based computers in particular were vulnerable to attacks, although a growth in spyware attacking Apple computers has occurred in recent years.

It has proven harder to attack mobile platforms, until now. Apple in particular has favoured a so-called ‘walled garden’ approach to its iOS operating system. All third-party software must pass through a stringent approval process with Apple before it can be downloaded from its App Store.

While this approach has ensured a limit to the number of Trojans and viruses attacking the iOS operating system, some more advanced users have bemoaned the restrictions Apple has placed on its smartphones.

Within days of Apple releasing its iPhone in 2007, software developers had set about creating an application store for users who didn’t want the confines of the official operating system.

The trouble with this newfound freedom was there was no longer the vetting process Apple so strictly employed, allowing potentially harmful applications onto the phone. There is an argument, however, that people willing to bypass Apple’s imposed restrictions should be aware of the risks it entailed.

Google, on the other hand, has taken a much more relaxed approach to vetting third-party applications. Android allows many third-party applications to be easily installed, although some power-users wanting more control have taken to ‘rooting’ the software (i.e. allowing themselves root access to Android’s subsystem).

As mobile computing becomes more advanced, so will the threats developing around it – much as they did during the personal computing boom of the last 15 years. While the likes of Apple, Google and Blackberry should ensure they swiftly plug any security flaws in their operating systems, businesses must be vigilant in how they manage their employees’ devices and what they allow those employees to do with them. Proper training and a robust MDM solution are vital to maintaining the highest levels of mobile security.