June 15, 2010
There is no silver bullet when it comes to security and there is no mobile platform that is immune to security risks. As we wrote in a TechCrunch update to the recent iPad breach, more personal data was potentially at risk than initially reported. This incident is just a reminder that no mobile platform is immune to security risks. Your mobile device has a tremendous amount of personal information and, in the increasingly networked world of mobile, both carriers and third-party web services have access to this data and often more.
As mobile devices become more sophisticated and access even more personal data, there’s an increasing incentive for cybercriminals to attack. The mobile device is much more exposed than the traditional PC. Threats can come from all directions, targeting the device directly over SMS, Bluetooth, Wi-Fi, web browsers, apps, and e-mail.
We expect to see a lot more attention paid to this in the near future – our data shows that there was a doubling of threats to smartphones between December and April of this year alone. With the increase of smartphones and our ongoing dependency on them in our daily life, it’s no surprise that there will be a stronger focus to protect them.
June 4, 2010
In the first few months of 2010, we at Lookout saw a noteworthy shift occurring. Mobile malware and spyware are becoming increasingly prevalent, as a Wall Street Journal article, “Dark Side of Phone Apps” reported today.
At the same time, an article in Slate referred to the “End of Malware.” While new operating systems like Android, Chrome and iPhone may be an improvement over the Windows desktop of the past, our data tells us that malware is alive and well on the smartphone. It could be the end of malware on the desktop, but it it is just the beginning for malware on the smartphone.
Across our installed base, we’ve gone from seeing 4 pieces of malware and spyware per 100 phones per year in December 2009 to 9 per 100 phones per year in May 2010. That’s more than double the prevalence of malware and spyware on smartphones in less than 6 months.
With the rate at which smartphones are growing, and with the number of apps being downloaded projecting to reach 50 billion, it is no wonder that malware is also increasing. Hackers are also waking up to the fact that people are doing more with their smartphone: downloading apps, using their phone for mobile banking and payments, and storing more personal data on their phones than ever before. Smartphones are now a lucrative target for hackers.
As always, we recommend keeping your smartphone protected by downloading a mobile security app like Lookout. If you love your smartphone, set it free… from malware that is.
Click to enlarge image
June 3, 2010
The Wall Street Journal featured an article that highlights the growing risks to smartphone users. Read the “Dark Side of Phone Apps” here, or see excerpt below.
Dark Side Arises for Phone Apps
Security Concerns Prompt Warnings
By SPENCER E. ANTE
As smartphones and the applications that run on them take off, businesses and consumers are beginning to confront a budding dark side of the wireless Web.
Online stores run by Apple Inc., Google Inc. and others now offer more than 250,000 applications such as games and financial tools. The apps have been a key selling point for devices like Apple’s iPhone. But concerns are growing among security researchers and government officials that efforts to keep out malicious software aren’t keeping up with the apps craze.
In one incident, Google pulled dozens of unauthorized mobile-banking apps from its Android Market in December. The apps, priced at $1.50, were made by a developer named “09Droid” and claimed to offer access to accounts at many of the world’s banks. Google said it pulled the apps because they violated its trademark policy.
The apps were more useless than malicious, but could have been updated to capture customers’ banking credentials, said John Hering, chief executive of Lookout, a mobile security provider. “It is becoming easier for the bad guys to use the app stores,” Mr. Hering said.
Unlike Apple or BlackBerry maker Research In Motion Ltd., Google doesn’t have employees dedicated to vetting applications submitted to its Android store. Google said it removes apps that violate its policies, but largely relies on users to alert it to bad software. “We check reactively,” said a Google spokesman. “There is no manual bottleneck.”
As more companies, governments and consumers use wireless gadgets to conduct commerce and share private information, computer bad guys are beginning to target them, according to government officials and security researchers.
“Mobile phones are a huge source of vulnerability,” said Gordon Snow, assistant director of the Federal Bureau of Investigation’s Cyber Division. “We are definitely seeing an increase in criminal activity.”
The FBI’s Cyber Division recently began working on a number of cases based on tips about malicious programs in app stores, Mr. Snow said. The cases involve apps designed to compromise banking on cellphones, as well as mobile “malware” used for espionage by foreign nations, said a person familiar with the matter. To protect its own operations, the FBI bars its employees from downloading apps on FBI-issued smartphones.
The vulnerability of mobile computing is also a concern for the U.S. Air Force, which worries about theft of military information or the use of personal details to scam or extort airmen and women.
In March, the Air Force barred users of all service-issued BlackBerrys from downloading apps. Research In Motion said its technology allows customers to enforce such group-wide security measures.
The move followed a sharp rise in questionable activity aimed at Air Force smartphones, including attacks that tried to exploit mobile Web browsers, said a military official who helps oversee the defense of the Air Force’s networks.
About a year ago, the Air Force saw fewer than a dozen attacks targeting its phones each month. In May, the Air Force saw more than 500, the official said, though none of the probes was successful.
“We all see this tipping point coming,” said Peter Tippett, who oversees an investigative-response team that studies computer crime at Verizon Business, a unit of Verizon Communications Inc. that serves corporations. “There is a lot of activity to figure out how to make it less likely that a financial transaction would be exploited” on a mobile phone, he said.
The financial services industry says it is working with app-store operators to ensure mobile-banking apps are authentic. “Customers should be able to know who they are dealing with,” said Leigh Williams, president of BITS, an arm of the Financial Services Roundtable, a banking industry advocacy group
Some security experts believe Google’s Android Market is more vulnerable than other app stores since Google doesn’t examine all apps before they are available for users to download.
A Google spokesman said the company has put in place security measures, such as remotely disabling apps found to be malicious and requiring developers to register with its Checkout payment service, and argued there’s no evidence for claims that its store poses a greater risk than others.
.Apple vets applications before they appear in its App Store, but risks still exist. In July 2008, Apple pulled a popular game called Aurora Feint from its store after it was discovered to be uploading users’ contact lists to the game maker’s servers. More recently, it yanked hundreds of apps it said violated its policies, some out of security concerns.
“Consumers should be aware that iPhone security is far from perfect and that a piece of software downloaded from the App Store may still be harmful,” wrote software engineer Nicolas Seriot in a research paper detailing iPhone security holes that he presented at a computer security conference in February.
Apple CEO Steve Jobs, speaking at the All Things D conference this week, said his company’s employees carefully curate the store. “We have a few rules: has to do what it’s advertised to do, it has to not crash, it can’t use private APIs,” or application programming interfaces, he said, adding that 95% of submissions are approved.
“Apple takes security very seriously,” a spokeswoman said. “We have a very thorough approval process and review every app. We also check the identities of every developer.”
Apple’s iPhone itself isn’t immune to mobile threats, either. Since 2008, security experts have identified at least 36 security holes in the phone’s software, according to a review of the National Vulnerability Database maintained by the Department of Homeland Security. One, identified in September 2009, could have allowed hackers to learn someone’s username and password from messages sent to servers when browsing the Web.
Some victims are now more cautious. Sara Dellabella, a car saleswoman in Cuba City, Wisc., said she doesn’t download as many apps on her MotorolaInc. Droid phone, which uses Google’s Android software, after a malicious game her son downloaded from the Android Market wiped out all of her text messages and personal notes. “It just rips your heart out,” she said. “I am being more vigilant now.”
June 3, 2010
A number of Samsung S8500 Wave phones have shipped with a memory card containing malware that will automatically run when connected to a computer running certain versions of Windows. The Wave, which is the first phone running Samsung’s new Bada operating system, shipped with a 1GB memory card containing an infected file called “slmvsrv.exe” that uses the Windows autorun mechanism to attempt to start automatically whenever it is connected to a computer. Thankfully, the newest versions of Windows do not automatically execute code from removable memory cards, limiting the damage mostly to older computers.
After early reports of the malware, Samsung has confirmed that only a single production run of phones for the German market was infected.
The Wave is the second phone this year to come preloaded from the factory with malware. We previously reported about an Android device from Vodaphone shipped with PC malware with a similar autorun mechanism. With such incidents seemingly not isolated to a single carrier or manufacturer, it’s likely that there will be future occurrences of pre-pwned phones to come. While all incidents so far have included PC malware that is configured to automatically run when a phone is connected to certain versions of Windows, it’s not hard to imagine a situation where the pre-loaded malware affects the mobile device.
Lookout currently checks memory cards for files that will cause them to autorun and gives you the option to remove the autorun functionality on a suspicious memory card, preventing it from infecting PCs automatically.
If you notice anything suspicious on your phone, remember to email security /at/ lookout /dot/ com and we’ll be happy to help you out.