The fact that smartphones and tablets don’t need antivirus software or regular software updates is a major reason for their popularity. That could soon change, however, as security companies report evidence that criminals are getting close to finding efficient and profitable ways to compromise many mobile devices at a time.
If that happens, many more people would be exposed to mobile malware, and Apple and Google could be forced to regularly push out security updates for their mobile operating systems just as Microsoft does for Windows.
Smartphones and tablets don’t support the kind of criminal ecosystem associated with desktop and laptop computers. With PCs, people make money by using malicious Web pages and weaknesses in browsers and other software to install malware that steals login details or sends spam.
Criminals haven’t yet figured out a reliable business model for mobile, says Chris Astacio, a researcher at security company Websense. So far, attacks on mobile devices have been limited by the need to distribute malicious apps through mobile app stores, where Apple and Google take measures to screen out malware and quickly remove anything that does slip through.
Astacio believes that attackers will soon deliver mobile malware through Web pages instead, essentially the same approach that drives most infections on conventional computers. In a presentation last week at the RSA security conference in San Francisco, he reported evidence that the software currently causing most infections on laptops and desktops—according to figures from both Websense and another security company, AVG—could soon target mobile devices, too.
That software is Blackhole, which Astacio is investigating. It’s an example of an exploit kit, a package used by criminals to install malware onto people’s computers when they visit a compromised Web page. Blackhole, found on some NBC websites last month, assesses a victim’s computer so as to covertly offer them malware they are vulnerable to. The kit is an efficient way to distribute moneymaking malware at large scale.
While reverse-engineering the latest version of Blackhole, Astacio noticed that the software now specifically looks out for iPhones, iPads, and Android devices. Astacio believes Blackhole’s developers are preparing to target mobile devices with malware that can take control of a phone or tablet through its mobile browser.
“This all comes down to efficient hacking for mobile attackers—you already have the infrastructure set up for exploit kits to profile and target mobile devices,” says Astacio. “Mass mobile compromises seem to be the natural progression.”
Jaime Blasco, who leads the malware research labs at security company AlienVault, agrees with Astacio’s gloomy prediction. “The bad guys haven’t found the right way to get money from the user,” he says, “but probably it will happen.”
Mobile operating systems, particularly Android, are not particularly difficult to make malware for, says Blasco, and there are signs that criminals are working to adapt methods used to target PCs. “We have found samples of Zeus and SpyEye on mobile,” he says. Those are two common malware packages that have infected millions of desktops and laptops and that steal banking credentials. Blasco says that he believes so-called “ransomeware,” software that locks up access to data and demands payment to release it, will appear on mobile devices, too. Personal data on smartphones such as contact books, text messages, and photos could be a lucrative target.
Some malware for mobile devices has already appeared that could have a significant impact if coupled with the large-scale distribution offered by Blackhole. An Android app found recently by security company TrustGo on 100,000 phones in China spends victims’ money by abusing an SMS-based payments system. It was distributed and infected 100,000 phones in China through an alternative to Google’s app store popular in the country. Last fall it was found that some Samsung Android phones could be taken over through their browser, and other researchers have demonstrated similar attacks (see “How a Web Link Can Take Over Your Phone”).
Kevin Mahaffey, chief technology officer and cofounder of mobile security company Lookout, believes that new, profitable malware will eventually force Apple and Google into copying Microsoft’s approach to protecting its Windows operating system. In 2005, the company released a reinvented update tool for its operating system, which at the time was troubled by frequent new security problems. “Microsoft stopped everything to build Microsoft Update,” now a core part of Windows, says Mahaffey, and created a sophisticated workflow able to act quickly to patch new problems.
Apple and Google currently issue patches for their mobile operating systems only a handful of times each year, so many people can remain exposed to a vulnerability even long after a fix has been developed. Updates to Android devices are particularly rare because mobile carriers choose when to pass along Google’s latest upgrades to their users and many often choose not to.
“To constantly have to update those devices is a business decision they don’t want to have to make,” says Astacio.
When designing an embedded system choosing which tools to use often comes down to building a custom solution or buying off-the-shelf tools.