Cyber Threats to Mobile Devices

Today’s advanced mobile devices are well integrated with the Internet and have far more functionality than mobile phones of the past. They are increasingly used in the same way as personal computers (PCs), potentially making them susceptible to similar threats affecting PCs connected to the Internet.

Since mobile devices can contain vast amounts of sensitive and personal information, they are attractive targets that provide unique opportunities for criminals intent on exploiting them. Both individuals and society as a whole can suffer serious consequences if these devices are compromised. This paper introduces emerging threats likely to have a significant impact on mobile devices and their users.

As mobile device technology evolves, consumers are using it at unprecedented levels. Mobile cellular technology has been the most rapidly adopted technology in history, with an estimated 4.6 billion mobile cellular subscriptions globally at the end of 2009. Furthermore, technological advances have fueled an unprecedented portable computing capability, increasing user dependence on mobile devices and skyrocketing mobile broadband subscriptions. Mobile broadband connections rose by more than 850% in 2008, exceeding the number of fixed broadband subscribers. Mobile devices have become an integral part of society and, for some, an essential tool. However, the complex design and enhanced functionality of these devices introduce additional vulnerabilities.

These vulnerabilities, coupled with the expanding market share, make mobile technology an attractive, viable, and rewarding target for those interested in exploiting it.

In the past, malicious activity targeting mobile phones was relatively limited compared to that of PCs. The proprietary nature and limited functionality of the hardware and software architectures previously used by individual mobile phone manufacturers made this market a less than ideal target for mass exploitation. Current mobile devices have much greater functionality and more accessible architectures, resulting in an increase in malicious activity affecting them. These smartphones include the Apple iPhone, Google Android, Research in Motion (RIM) Blackberry, Symbian, and Windows Mobile-based devices.

Due to the similar functionality of mobile devices and PCs, the distinction between the two has blurred. Mobile devices have become equally susceptible to malicious cyber activity and will likely be affected by many of the same threats that exist for PCs on the Internet. The variety of sensitive information available from a mobile device is also potentially greater and more enticing than that of a traditional mobile phone or computer. Users are more likely to take advantage of the portability and convenience of mobile devices for activities such as banking, social networking, emailing, and maintaining calendars and contacts. The features of mobile devices also introduce additional types of information not typically available from a PC, such as information related to global positioning system (GPS) functionality and text messaging.

A multitude of threats exist for mobile devices, and the list will continue to grow as new vulnerabilities draw the attention of malicious actors. This paper provides a brief overview of mobile device malware and provides information on the following threats to mobile devices:

  • Social engineering 
  • Exploitation of social networking
  • Mobile botnets
  • Exploitation of mobile applications
  • Exploitation of m-commerce

Mobile Malware

Malicious actors have created and used malware targeted to mobile devices since at least 2000. The total number of malware variants significantly increased in 2004 with the public release of Cabir source code. Cabir is a Bluetooth worm and the first widespread sample of mobile malware. It runs on mobile phones using the Symbian Series 60 platform and spreads among Bluetooth-enabled devices that are in discoverable mode. The worm causes a phone to constantly attempt to make a Bluetooth connection, subsequently draining the battery. While this worm was an inconvenience to device users, today’s mobile malware is more insidious and often has more severe effects on devices and their users.

A recent and more nefarious example of mobile malware is the Ikee.B, the first iPhone worm created with distinct financial motivation. It searches for and forwards financially sensitive information stored on iPhones and attempts to coordinate the infected iPhones via a botnet command and control server. This worm only infects iPhones that have a secure shell (SSH) application installed to allow remote access to the device, have the root password configured as “alpine”—the factory default—and are “jailbroken.” A jailbroken iPhone is one that has been configured to allow users to install applications that are not officially distributed by Apple. Although Ikee.B has limited growth potential, it provides a proof of concept that hackers can migrate the functionality typical to PC-based botnets to mobile devices. For example, a victim iPhone in Australia can be hacked from another iPhone located in Hungary and forced to exfiltrate its user’s private data to a Lithuanian command and control server.

Spy software also exists for mobile devices, including some programs being sold as legitimate consumer products. FlexiSpy is commercial spyware sold for up to $349.00 per year. Versions are available that work on most of the major smartphones, including Blackberry, Windows Mobile, iPhone, and Symbian-based devices. The following are some of the capabilities provided by the software:

  • Listen to actual phone calls as they happen
  • Secretly read Short Message Service (SMS) texts, call logs, and emails
  • Listen to the phone surroundings (use as remote bugging device)
  • View phone GPS location
  • Forward all email events to another inbox
  • Remotely control all phone functions via SMS
  • Accept or reject communication based on predetermined lists; and
  • Evade detection during operation

FlexiSpy claims to help protect children and catch cheating spouses, but the implications of this type of software are far more serious. Imagine a stranger listening to every conversation, viewing every email and text message sent and received, or tracking an individual’s every movement without his or her knowledge. FlexiSpy requires physical access to a target phone for installation; however, these same capabilities could be maliciously exploited by malware unknowingly installed by a mobile user.

Cross-platform mobile malware further complicates the issue. The Cardtrp worm infects mobile devices running the Symbian 60 operating system and spreads via Bluetooth and Multimedia Messaging Service (MMS) messages. If the phone has a memory card, Cardtrp drops the Win32 PC virus known as Wukill onto the card. Two proof-of-concept Trojans, Crossover and Redbrowser, further show how widespread attacks could simultaneously hit desktops and mobile devices. Both Trojans can infect certain mobile devices from PCs.

SMS, MMS, Bluetooth, and the synchronization between computers and mobile devices are all examples of potential attack vectors that extend the capabilities of malicious actors. Inherent vulnerabilities exist in modern mobile device operating systems that are similar to those of PCs and may provide additional exploitation opportunities. For example, the most recent Apple security update for iPhone OS 3.1.3 provided fixes for scenarios where playing a maliciously crafted mp4 audio file, viewing a maliciously crafted Tagged Image File Format (TIFF) image, or accessing a maliciously crafted File Transfer Protocol (FTP) server could result in arbitrary code execution. To help mitigate malicious activity affecting known vulnerabilities, users should install security patches and software updates as they become available.

Social Engineering

One of the more common methods of spreading malware on the Internet is through social engineering. Malicious activity is often successful because users are deceived into believing it is legitimate. Exploitation by social engineering is extremely lucrative and will likely increase significantly in the mobile market.

Phishing is the criminal act of attempting to manipulate a victim into providing sensitive information by masquerading as a trustworthy entity. This technique is a well-established, significant cyber threat, and mobile devices provide unique opportunities for phishing, including variants such as vishing and smishing.

Vishing is the social engineering approach that leverages voice communication. This technique can be combined with other forms of social engineering that entice a victim to call a certain number and divulge sensitive information. Advanced vishing attacks can take place completely over voice communications by exploiting Voice over Internet Protocol (VoIP) solutions and broadcasting services. VoIP easily allows caller identity (ID) to be spoofed, which can take advantage of the public’s misplaced trust in the security of phone services, especially landline services. Landline communication cannot be intercepted without physical access to the line; however, this trait is not beneficial when communicating directly with a malicious actor.

Smishing is a form of social engineering that exploits SMS, or text, messages. Text messages can contain links to such things as webpages, email addresses or phone numbers that when clicked may automatically open a browser window or email message or dial a number. This integration of email, voice, text message, and web browser functionality increases the likelihood that users will fall victim to engineered malicious activity.

Regardless of the communication medium, users must ensure that any exchange of information occurs between their intended parties. Links contained in suspicious or unsolicited emails and text messages should be avoided, and to help prevent disclosing sensitive information to an unintended party via voice communication, users can initiate the phone call to a known, trusted number.

Exploitation of Social Networking

Social networking sites, such as Twitter and Facebook, have become mainstays of electronic information sharing. Information sharing often occurs with an unwarranted, inherent trust among users, as they blindly share and accept data from unauthenticated parties. Uniform Resource Locators (URLs) are constantly being exchanged within social networks as users share items of interest. Since a Twitter user is limited to 140 characters when posting an update, sharing a brief statement accompanied by a traditional URL may be impossible. The capability to significantly shorten a URL is provided by several different websites and is often integrated in social networking applications to happen automatically. Shortened URLs are invaluable in this case because they allow a URL with 137 characters to be shortened to 17 characters. For example:

http://brainstormtech.blogs.fortune.cnn.com/2010/02/12/help-wanted-obamas-twitterer-filibusterers-need-not-apply/?source=cnn_bin&hpt=Sbin

becomes http://u.nu/72q95.

These services provide value, but they also make cyber criminals’ goals much easier to achieve. Since the original URL is completely replaced, a user cannot know the destination of the shortened link without clicking on the link. Legitimate URLs are indistinguishable from those that are malicious, providing phishers with an effective cover. This tactic could lure a victim into unwittingly downloading malware or visiting a fraudulent site. It is highly likely that unsuspecting users would not think twice before clicking on the URLs.
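The check a defender wants here is to expand a shortened link without trusting the click: follow the HTTP redirects one hop at a time, with automatic redirect following switched off, so every hop and the final destination are visible before anyone opens the page. The following is an added example (not code from the original paper); the shortener host list, the flag names and the constructed redirect table that stands in for the network are assumptions, except for the paper's own u.nu example, which is reproduced as the first entry.

```python
"""Expand a shortened URL one redirect hop at a time before anyone opens it.

Added example (not from the original paper). HEAD requests are issued with
urllib's automatic redirect following disabled, so each 3xx hop is reported
back and the chain can be inspected for warning signs.
"""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

SHORTENER_HOSTS = {"u.nu", "bit.ly", "tinyurl.com", "t.co"}  # assumed list
REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_HOPS = 5


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib report a 3xx response instead of silently following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_head(url, timeout=5):
    """Live resolver: one HEAD request. Returns (status, Location header or None)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # with _NoRedirect a 3xx surfaces here
        return err.code, err.headers.get("Location")


def classify(chain):
    """Warning signs derived from the hosts in a resolved chain (nothing is fetched)."""
    flags = []
    hosts = [urlsplit(u).hostname or "" for u in chain]
    if hosts[0] in SHORTENER_HOSTS:
        flags.append("shortened")
    if any(h in SHORTENER_HOSTS for h in hosts[1:-1]):
        flags.append("chained-shorteners")  # a shortener pointing at another shortener
    if hosts[-1].replace(".", "").isdigit():
        flags.append("final-is-raw-ip")
    return flags


def resolve_chain(url, fetch=http_head, max_hops=MAX_HOPS):
    """Follow redirects hop by hop: never more than max_hops, never the same URL twice."""
    chain, seen = [url], {url}
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECT_CODES or not location:
            return {"chain": chain, "final": chain[-1], "flags": classify(chain)}
        nxt = urljoin(chain[-1], location)  # Location may be relative
        if nxt in seen:
            return {"chain": chain, "final": None, "flags": ["redirect-loop"]}
        chain.append(nxt)
        seen.add(nxt)
    return {"chain": chain, "final": None, "flags": ["too-many-hops"]}


# Constructed redirect table standing in for the network so the example runs offline.
# The first entry reproduces the paper's u.nu example; the others are made up.
CONSTRUCTED_REDIRECTS = {
    "http://u.nu/72q95": (301, "http://brainstormtech.blogs.fortune.cnn.com/2010/02/12/"
                               "help-wanted-obamas-twitterer-filibusterers-need-not-apply/"
                               "?source=cnn_bin&hpt=Sbin"),
    "http://u.nu/loop1": (302, "http://u.nu/loop2"),
    "http://u.nu/loop2": (302, "http://u.nu/loop1"),
    "http://u.nu/ip": (302, "http://203.0.113.7/login"),  # TEST-NET address, constructed
}


def fake_head(url):
    """Offline stand-in for http_head backed by the constructed table."""
    return CONSTRUCTED_REDIRECTS.get(url, (200, None))


if __name__ == "__main__":
    for short in ("http://u.nu/72q95", "http://u.nu/loop1", "http://u.nu/ip"):
        print(short, "->", resolve_chain(short, fetch=fake_head))
```

Swap `fake_head` for the default `http_head` to resolve a real link; the hop cap and the loop check matter there, because a hostile chain can redirect indefinitely or bounce between two shorteners.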

Over the course of 2009, Facebook and Twitter experienced a 112% and 347% increase in mobile users, respectively. This growing trend in mobile social networking provides an avenue for the exploitation of mobile devices.

Mobile Botnets 

A botnet is a set of compromised computers, or bot clients, running malicious software that enables a “botherder” or “botmaster” to control these computers remotely. A botherder or botmaster can design a botnet to perform certain actions, such as information stealing or launching a denial of service, and issues commands to the bot clients from a command and control (C2) server. Since mobile networks are now well integrated with the Internet, botnets are beginning to migrate to mobile devices, as seen with Ikee.B.

Due to their ability to support rich content, MMS messages have a body field where Extensible Markup Language (XML) messages can be hidden. Waledac, a web-based Internet botnet, uses XML messages to communicate. Unlike with Internet communication, Internet Protocol (IP) addresses are not used when exchanging SMS or MMS messages. Instead, mobile devices have an International Mobile Subscriber Identity (IMSI) and Mobile Subscriber Integrated Services Digital Network Number (MSISDN). These numbers are used to authenticate, register, and identify mobile network subscriptions by mapping the device to a phone number. The IMSI is embedded in the device hardware or contained on a removable card such as a Removable-User Identity Module (R-UIM) card in Code Division Multiple Access (CDMA) networks or a Subscriber Identity Module (SIM) card in Global System for Mobile Communications (GSM) networks. The MSISDN represents a phone number and is used to route communication to the subscriber. Domain Name System (DNS) also does not exist on mobile networks, making the use of advanced networking techniques such as fast flux and multi-homing impossible in mobile networks. However, since mobile devices can have constant connections to the Internet, they can potentially be utilized like any other computer while maintaining all of their functionality within a mobile network.

Mobile devices using the Internet may be assigned dynamic private IP addresses that are inaccessible from the Internet, preventing a botmaster from communicating directly with a compromised host. Web-based botnets circumvent this obstacle by having bot clients poll web servers for further instructions. Any additional obstacles presented by using SMS or MMS messages to communicate could also be circumvented by adapting a web server to accommodate SMS and MMS functionality by creating a proxy that understands this type of communication and has a connection to the Internet. The capability to run a web server on the iPhone has existed since at least mid-2007.

Compromised text messaging services could have severe consequences. In the aftermath of the recent earthquakes in Haiti, reputable charity organizations experienced a massive surge in text message donations. For example, a mobile device user could donate $10 to the American Red Cross by texting HAITI to 90999. In less than 48 hours, donations reached $5 million and accumulated at a rate of $200,000 per hour. A mobile botnet could be configured to send text messages to a donation number set up for nefarious purposes. The donations could be small enough that a victim may not recognize the extra charge on his or her bill. The same concept could potentially be exploited in voting scenarios that leverage mobile devices or to carry out distributed denial of service attacks.
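
The billing-side counterpart of the scenario above is a detection rule: outbound text messages to premium or donation short codes arriving in bursts that no person would send by hand. The following is an added example (not code from the original paper) that parses a constructed outbound SMS log, as a carrier or device-management system might hold, and flags any short code that receives more than a threshold of messages inside a sliding window. The log format, the five-or-six-digit short-code pattern, the thresholds and the sample traffic are assumptions; 90999 is the donation code quoted in the paper and appears once, as a legitimate send.

```python
"""Flag bursts of outbound text messages to premium or donation short codes.

Added example (not from the original paper). Parses a constructed SMS log and
raises an alert when one short code is messaged more often within a window
than a person plausibly would.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: ISO timestamp, direction, destination number.
LOG_RE = re.compile(r"^(\S+)\s+(IN|OUT)\s+(\+?\d+)$")
# 5- or 6-digit destinations are treated as short codes (assumption, North American style).
SHORT_CODE_RE = re.compile(r"^\d{5,6}$")


def parse_sms_log(lines):
    """Return (timestamp, direction, destination) tuples; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            ts, direction, dest = m.groups()
            events.append((datetime.fromisoformat(ts), direction, dest))
    return events


def find_short_code_bursts(events, window=timedelta(hours=1), threshold=3):
    """Return {short_code: peak count} for codes messaged more than `threshold`
    times inside any span of length `window`. Inbound traffic is ignored."""
    sends = defaultdict(list)
    for ts, direction, dest in events:
        if direction == "OUT" and SHORT_CODE_RE.match(dest):
            sends[dest].append(ts)
    alerts = {}
    for dest, times in sends.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):  # sliding window over the sorted send times
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            alerts[dest] = peak
    return alerts


# Constructed sample log: one ordinary conversation, one legitimate donation to
# 90999, and five messages in five seconds at 3 a.m. to the made-up code 55555.
SAMPLE_LOG = """
2010-02-12T09:15:00 OUT +15555550123
2010-02-12T09:16:30 IN  +15555550123
2010-02-12T12:00:00 OUT 90999
2010-02-12T12:00:20 IN  90999
2010-02-13T03:00:01 OUT 55555
2010-02-13T03:00:02 OUT 55555
2010-02-13T03:00:03 OUT 55555
2010-02-13T03:00:04 OUT 55555
2010-02-13T03:00:05 OUT 55555
malformed line that the parser must ignore
""".strip().splitlines()


def scan(lines=SAMPLE_LOG, **kwargs):
    """Parse a log and return the burst alerts for it."""
    return find_short_code_bursts(parse_sms_log(lines), **kwargs)


if __name__ == "__main__":
    for code, count in scan().items():
        print(f"ALERT: {count} texts to short code {code} within one hour")
```

The rule is deliberately per-destination rather than global, because a burst of ordinary person-to-person texting is normal while repeated sends to one billable code are not; tune `window` and `threshold` to the charge model of the codes in question.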

Exploitation of Mobile Applications 

Mobile applications, commonly called apps, provide enhanced convenience and functionality. Developers have created myriad mobile applications for various uses and activities, which is contributing to the proliferation of modern mobile devices. Anyone can potentially develop and distribute mobile applications with little oversight, making apps a potential attack vector for cyber criminals.

Several major banking institutions provide legitimate mobile applications that allow customers to conveniently check balances, pay bills, transfer funds, or locate automated teller machines (ATMs) and banking centers. However, banks are not the only ones creating banking-related apps. In early 2010, Google found potentially fraudulent banking applications in their Android Market. An anonymous developer known as “09Droid” sold a collection of banking applications that were not authorized by the banks for which they were seemingly developed. It is unclear if the apps were used to gain access to users’ confidential banking information. 09Droid published applications for approximately 40 different banking institutions, all of which Google removed from the Android Market.

A similar incident occurred when Symbian unwittingly distributed the Sexy Space mobile worm as a legitimate, digitally signed application. This malware steals subscriber, device, and network information from victims and has the capability to build a botnet. It propagates via spam text messages that are sent from a compromised device to the victim’s contacts. The messages, exchanged at the expense of the victims, contain a link to a website hosting malicious applications that will infect the phone if executed. Currently, the Sexy Space mobile worm affects only Symbian mobile devices.

Exploitation of M-commerce 

M-commerce, or mobile e-commerce, is another growing trend with mobile devices. Consumers can use mobile devices from any location to research product information, compare prices, make purchases, and communicate with customer support. Retailers can use mobile devices for tasks such as price checks, inventory inquiries, and payment processing. For example, Apple Retail Store employees use modified versions of the iPod Touch that allow them to scan barcode labels and accept credit card payments from customers.

The ability to read credit cards with a mobile device is not limited to retailers alone. A quick search for “credit card” in the Apple App Store reveals a number of different applications for accepting credit card payments. Third-party iPhone attachments for swiping credit cards are also available. “Square” is a small device that plugs into the iPhone’s headphone jack and can transfer credit card swipe information to the supporting application. It also allows users to authorize payments in real-time via text message. The Mophie “marketplace” is another credit card reader for the iPhone that will be available soon.

Smartphones’ credit card reader functionality has the potential to enable criminal activity such as “skimming” and “carding.” Skimming is the theft of credit card information using card readers, or skimmers, to record and store victims’ data. This activity is often accomplished in conjunction with otherwise legitimate transactions. Carding is the process of testing the validity of stolen credit card numbers. It can be done on websites that support real-time transaction processing to determine if the credit information can be successfully processed. The capability of a single compact hand-held device to perform each of these tasks will further enable malicious intentions.

Best practices to help protect mobile devices:

  • Maintain up-to-date software, including operating systems and applications;
  • Install anti-virus software as it becomes available and maintain up-to-date signatures and engines;
  • Enable the personal identification number (PIN) or password to access the mobile device, if available;
  • Encrypt personal and sensitive data, when possible;
  • Disable features not currently in use such as Bluetooth, infrared, or Wi-Fi;
  • Set Bluetooth-enabled devices to non-discoverable to render them invisible to unauthenticated devices;
  • Use caution when opening email and text message attachments and clicking links;
  • Avoid opening files, clicking links, or calling numbers contained in unsolicited email or text messages;
  • Avoid joining unknown Wi-Fi networks;
  • Delete all information stored in a device prior to discarding it; and
  • Maintain situational awareness of threats affecting mobile devices.

Anti-virus software exists for some mobile devices and is one component of a layered defense. However, it can only assist in protecting against known threats. Users need to understand the threats and proactively take steps to avoid them. A high degree of vigilance is necessary to successfully prevent and mitigate future threats to mobile devices.
