In one of our recent posts, we talked a little bit about the history of malware and the increasing problem of malware reaching smartphones and other devices that we embed ever more deeply into our day-to-day lives. Now, let's have a look at the current threats and some practical advice for protecting your mobile devices.
To recap, the term malware refers to a whole host of software that does bad things to computers—viruses, worms, spyware, ransomware, etc. It's all nasty stuff that the bad guys want to get on your devices for reasons that increasingly tend towards real, financially motivated crimes rather than the pranks and technical one-upmanship common in the past. Operating systems vendors, antivirus companies, IT departments, and ultimately you put a lot of time and money into keeping malware off of your computer and devices.
Traditionally, malware has been limited to our desktops and laptops, but that's not the case any more. Nowadays, our phones, TVs, cars and even refrigerators are really full-blown computers with Internet connections, and they're all, to varying degrees, susceptible to malware. Malware on smartphones is a particularly large threat right now and that is the subject of this article—mobile malware.
We'll be focusing specifically on the two most common phone platforms, Google's Android and the Apple’s iOS.
Mobile Malware History
We've been using smartphones for quite a while, so one obvious question is: Why hasn't mobile malware already been a big problem like PC malware? It actually has been a problem, but the outbreaks that we have seen so far haven’t been anywhere near as prolific as PC-based malware outbreaks of the past.
There have been several incidents of mobile malware outbreaks, but for the most part they've been limited to jailbroken devices, where users have intentionally bypassed limitations and security features built into the phone’s factory operating system, and within overseas markets like China. So far, we haven't seen anything as widespread and dangerous as the PC-based CryptoLocker ransomware hit Android or IOS, but it's probably not very far away. Android has in fact already had a ransomware app that would take over a user’s device until they paid up $500, though its release was quite limited.
One of the primary reasons that malware has had such a slow start on mobile platforms is that both Apple and Google were able to start from scratch, with modern security principles in mind, when developing their Android and IOS operating systems. PC operating systems, Microsoft Windows most particularly, have historically been encumbered by the need to maintain backwards compatibility with older hardware and software that may not play nicely with modern security features that new operating systems would ideally enforce. Smartphone developers, on the other hand, were able to start from scratch relatively recently with all of the lessons learned from PC operating systems to guide them.
This allowed them to very quickly integrate security features such as App Store walled gardens, sand boxing, automatic updates, ALSR and PIE executables very quickly in the operating systems, giving them a significant advantage over their PC counterparts. That advantage is starting to wear thin now though, with hackers developing increasingly sophisticated attacks to subvert the various protections.
App Store Screening
All modern mobile device platforms take a walled garden approach to software installation—specifically, most software for these devices is delivered through vendor-controlled stores like the App Store on iPhone or the Google Play Store on Android. By default, Android and iOS restrict any software from being loaded on the device, except via the App and Play Stores. Providing these stores makes the process of finding apps easier for users and it also gives the upstream companies a chance to enhance security. Contrast this with the traditional approach for loading PC-based software—double-clicking any executable file without much regard for source or safety—and the increased security of this approach is obvious.
Both the Google and Apple screen apps for malicious code before allowing the apps to be mass distributed through their respective stores. This type of screening is technically challenging and imperfect, though it’s certainly helpful for keeping obviously misleading or malicious apps out of these official distribution channels.
While App Stores do a decent job of filtering out the worst apps, you should still try to be careful about the apps that you load onto your phone. It can be pretty hard to do, but try to make sure that you only install apps from companies you trust. If a website you rarely visit demands that you install their app, you're probably better off skipping it. While iOS and Android try to inform you of the permissions that you grant to any given app after install, any app actually installed on your device will generally have a lot more access to your phone and its data (think: your private data as well as other data tracked by your phone like your location and habits) than just browsing to a web page.
Also, be on the lookout for fakes when you do go to install an app. For example, if you're trying to install Twitter on your phone and the first result you get is some app that's got the Twitter icon but only 1,000 downloads and is made by a company other than Twitter, Inc., you definitely don't want to tap Install.
Permissions that apps are granted should be considered as well. Both Android and Apple users will be familiar with the permissions popups that new apps often flash upon being run for the first time—things like asking for permission to access contacts, the camera, and your phone’s location. While these popups are good and helpful, many users simply don’t understand or don’t bother reading them, opening the the door to a whole host of vulnerabilities. This phenomenon is especially true on Android, which was mildly famous for having simple flashlight apps that would flash a screen asking for a broad range of unnecessary permissions when run.
Fortunately, Google is adopting a more user-friendly way of requesting permissions in the next version of Android that should help make unreasonably pushy apps more obvious and easier to reject on a case-by-case basis. They've also added a built-in flashlight toggle, which, bizarrely, may actually make an appreciable dent in the amount of spyware that gets loaded on phones.
Just like on PCs, it's important to keep a phone's operating system and installed apps up-to-date with the latest security fixes. The good news there is that phone vendors have made this process relatively easy and mostly automated. As you're probably aware, all phone platforms check for updates periodically and are configured by default and prompt you before installing intrusive updates. You should be OK, just approving those updates as they come, but it's also a good idea to occasionally manually check for them.
Of note, Google's Android recently got some bad press for not releasing security updates in a timely fashion for many phones, and rightly so. One of the outcomes from that whole debacle is that several Android vendors have pledged to begin releasing monthly updates, which is something long overdue.
Google is also attacking this problem from another angle by releasing more and more functionality through the Play Store rather than as a part of the core operating system. That way, those features can be updated for security as well as feature enhancements through the normal app update process rather than needing a full phone OS update—while OS updates can be slowed down by phone vendors and carriers, app updates through the Play Store happen automatically for everyone.
All but a few models of smartphones have built in restrictions that lock down low level system settings and key apps so that even the phone's owner can't change them. For example, your iPhone isn't going to let you uninstall Safari and your Android might not let you shut off that annoying startup sound. Via a process called rooting or jailbreaking though, the phone's owner can subvert those restrictions and get access to make all types of changes.
The problem with jailbreaking is that doing so disables or greatly weakens many of the phone's built in security features. That copy of Angry Birds that could only annoy you with advertisements before? Well, now that your phone is jailbroken, it can steal all of your email, text messages and passwords and upload them to some random server in halfway around the world. No kidding. Some of the programs that can be used to perform the jailbreaking process are disreputable themselves and will load unremovable malware directly on the phone during the process.
So, while it may be a fun exercise for the very technically inclined, we strongly recommend that you do not load any rooting or jailbreaking software on your devices. It’s unfortunate that phone vendors don't give users more control over their devices out of the box, but the potential costs of jailbreaking are far too high for any device that you use day-to-day in your real life.
If you're not sure that your business is doing everything it should to protect itself from mobile malware, contact us and see how we can help.
For similar posts check out our master list of Cyber Security blogs.