Stoking worries that smartphones and tablets represent the next frontier for malware, security researchers have discovered a vast botnet on over a million devices in China. The Chinese news agency Xinhua and the BBC report that the botnet makes it so that smartphones can be hijacked remotely, potentially for denial-of-service attacks or other malevolent purposes.
Android devices are reportedly more vulnerable than Apple’s devices, due to the openness of the Android Marketplace. Malware typically finds its way onto an unsuspecting user’s phone or tablet via an app download. Android dominates the Chinese market, which is showing explosive growth; China has almost half a billion mobile users (420 million, more precisely) per the China Internet Network Information Center.
Mobile malware is not anything new, but the scope of the threat reported here appears to be unprecedented in mobile. As recently as September of 2011, it was big news to find 20,000 Android devices communicating with known criminal command and control networks on a given week, per InformationWeek’s Kurt Marko. One of the worst Android botnets to date was called Rootstrap; it was reported to have reached 100,000 compromised devices about a year ago. Back in 2009, it wasn’t uncommon to find headlines–in this publication, say–like “Mobile Malware Isn’t So Bad, For Now.”
White hat hackers have shown how easy it is to create Android malware. Hacker Georgia Weidman, for instance, illustrated how malware can worm its way into a phone’s modem driver. Oftentimes, the SMS messaging protocol can be used to control the malware, explains IW’s Marko, since SMS is operated by carriers (and therefore harder for security teams to monitor) and because it’s power-efficient: “botnet operators can have a relatively chatty dialog with their slave devices without tipping the owners off that something might be amiss on their phones,” he writes.
One of the most thorough–and frightening–reports on mobile malware came from Damballa Labs back in 2011. Even then, said Damballa, the mobile market had become “as susceptible to criminal breach activity as desktop devices.” This should almost go without saying, but phones’ and tablets’ very mobility can make them doubly scary as potential malware vectors; consider, too, the implications of the “bring your own” trend, where workers prefer to use their personal devices in office settings.
What can you do to protect yourself against this mobile malware scourge? Chinese authorities have said it’s a good idea to look at your data and call logs to see if anything unusual has cropped up. Marko further recommends that you minimize the amount of data you store locally (particularly sensitive documents), encrypt data when you can, and that you use a mobile device management service like AirWatch or Zenprise.
Naturally, be cautious before downloading any app. If you find yourself completely unable to check your app-downloading impulses, then it’s worth noting that the iOS ecosystem has maintained a pretty strong firewall against these problems, due to its “walled garden” approach to its network. That’s not to say that Apple’s track record is spotless here, though; remember the JailbreakMe exploit?
When designing an embedded system choosing which tools to use often comes down to building a custom solution or buying off-the-shelf tools.