
mobile security

news, reviews and goings-on in the world of mobile security

Goodbye 2006, Hello 2007. What’s in store for us in the coming year?

Filed under: Identity Security,lost+found — webmaster at 11:22 am on Thursday, December 14, 2006

I took the time to read McAfee Avert Labs’ top ten security threats for 2007. The section on mobile security caught my eye:

More mobile attacks

Mobile threats will continue to grow as platform convergence continues. The use of smartphone technology has played a pivotal role in the threat’s transition from multifunction, semi-stationary PCs to palm-sized “wearable” devices. With increased connectivity through BlueTooth, SMS, instant messaging, email, WiFi, USB, audio, video and Web, there are more possibilities for cross device contamination.

2006 saw efforts by mobile malware authors to achieve PC-to-phone and phone-to-PC infection vectors. The PC-to-phone vector was achieved with the creation of MSIL/Xrove.A, a .NET malware that can infect a smartphone via ActiveSync. Existing phone-to-PC vectors remain primitive in nature at this time, such as infecting via removable memory cards. However, McAfee expects that this next stage will be achieved in 2007.

SMiShing, which involves taking the techniques of phishing by email and porting them to SMS (SMiShing instead of phishing), is also expected to increase in prevalence. In August 2006, McAfee Avert Labs received its first sample of a SMiShing attack with VBS/Eliles, a mass mailing worm that also sends short message service (SMS) messages to mobile phones. By the end of September 2006, four variants of the worm had been discovered.

In addition, for-profit mobile malware is expected to increase in 2007. While most of the malware Avert Labs has run across includes relatively simple Trojan horses, the outlook has changed with the J2ME/Redbrowser Trojan. J2ME/Redbrowser is a Trojan horse program that pretends to access Wireless Access Protocol (WAP) web pages via SMS messages. In reality, instead of retrieving WAP pages, it sends SMS messages to Premium Rate numbers, thus costing the user more than intended. A second J2ME, Wesber, appearing in late 2006, also sends out messages to a premium SMS number.

Late 2006 saw a flurry of spy-ware offerings in the mobile world. Most are designed to monitor phone-numbers and SMS call-logs, or to steal SMS messages by forwarding copies to another phone. One spyware in particular, SymbOS/Flexispy.B, is able to remotely activate the microphone of the victim’s device, allowing someone to eavesdrop upon that person. Other spyware can activate the camera. McAfee expects the offerings of commercial spyware targeting mobile devices to grow in 2007.

It is easy for such reports to over-simplify and tar all mobile devices with the same brush. The same statement written for the PC world wouldn’t fly.

In the PC world we have Linux, Windows, BSD or OS X * just as in the mobile world we have various S60 incarnations, Windows Mobile/Pocket PC and a whole host of other proprietary mobile OS’s – all of which are very different beasts.

Analysts in other leading companies said this exact same thing last year, perhaps with the exception of IBM who pointed out:

However, other much-hyped security trends are unlikely to break out in 2006, including attacks on VOIP (voice-over-IP) systems and on mobile devices

Whilst I agree with some of what is written, I would like to emphasise that some mobile OS’s are more vulnerable than others. And layer 8 will probably continue to be the most effective attack vector – as is the case on the PC side.

* Well, sort of


Like Father Like Son? Windows 2000/XP and Windows Mobile/CE

Filed under: Vendor Specific — webmaster at 10:18 am on Thursday, December 14, 2006

Whilst analysts in Gartner and McAfee are busy looking into their crystal balls to find where attacks will focus in the following year, I noticed two very interesting articles (here and here) on the Symi Weblog. In my opinion they raise some very interesting questions that have not been commented on, and are ones which I think are highly valid.

Ollie Whitehouse has pointed out on a number of occasions that Microsoft’s sharing of code between traditional desktop Windows and its mobile counterparts is a risky business, and one that could set the software giant up for a continuation of its Patch Tuesdays and Zero Day Wednesdays.

His argument is based around the fact that whilst Microsoft are continuously patching the desktop incarnations of Windows, the mobile side, which is using a lot of the same code, is going un-patched.

This leaves open a lot of unanswered questions.

Whilst Windows Mobile is not the most popular smartphone OS, it is increasing in popularity. And as smartphones proliferate, so will the attention that hackers and malicious code writers pay to a given OS.

So is Windows Mobile/CE/Pocket PC edition following in the footsteps of its predecessors? With regard to mobile threats, are we at the stage today with mobile devices that we were at in the early nineties with Windows 3.0/3.1? Is this code reuse and lack of patching going to cause problems further down the line?

Could this be a case of “those who do not learn from history are doomed to repeat it”?

And whilst in recent years Microsoft has started to take security a lot more seriously, is there enough focus on the mobile side?


Mobispy/A Multidropper – would that be Flexispy?

Filed under: Mobile Device Security — webmaster at 8:28 am on Monday, December 11, 2006

I read on McAfee’s Mobile Security Blog about a new so-called ‘multidropper’ spyware package which appears to be the first of its kind. A multidropper is essentially a wrapper in which other packages are placed. It uses the embedded SIS command from the Symbian Packaging Standard which, when executed, tells the wrapper to install embedded package a, b, c and so on.

From reading between the lines (for legal reasons I believe), the creator of this malicious package has signed up for an account with Flexispy and embedded their package within a .SIS file.

However, as our friends at McAfee rightly point out, Flexispy accounts are by default tied to one IMEI unless the account holder purchases a multi user license:

Can I install on several phones simultaneously?
Yes. If you have a multi user licence, you can install FlexiSPY on multiple devices, and have all the call activity recorded into your account. Please contact support for details. As a convenience for our Customers, we allow two separate devices to report to one account for the first 30 days following purchase. After this period, accounts using multiple phones to one account must purchase a multi user licence, or their service is temporarily suspended.

So when McAfee state that it is unlikely that the author of the spyware is the original account holder, I assume this implies that s/he also has access to a multi user account? Judging by the above FAQ statement I would say multi user accounts have a higher cost associated with them, that they are not high in number and are approved on a case-by-case basis. This means the attack vector has one huge flaw and can be cut dead at any time. Together with McAfee, I am also of the opinion that the current incarnation of Mobispy/A will not be going very far anytime soon.
