Getting your personal data is easier than you think
Date: 5/19/2010 11:00 am
The Coming Wave of Mobile Attacks
The pace of innovation on mobile phones and other smart wireless devices
has accelerated greatly in the last few years, adding features, speed
and computing power. But now the attackers are beginning to outstrip the
good guys on mobile platforms, developing innovative new attacks and
methods for stealing data that rival anything seen on the desktop,
experts say.
For years there have been dire predictions from
industry pundits about the coming wave of mobile malware, viruses and
Trojans that would specifically target smartphones and PDAs, wreaking
havoc on mobile devices. But that giant tide of mobile malware never
materialized. There have been a few mobile viruses here and there, but
for the most part attackers have decided to forgo those kinds of
attacks and instead have focused on stealthy techniques that give them
unlimited--and unnoticed--control of the device.
Banker Trojans
targeting platforms such as the iPhone and Windows Mobile have appeared
in recent months, and fake mobile
banking applications have shown up in the app stores of some mobile
platforms, as well. Those malicious applications look exactly like the
legitimate banking apps produced by major international banks and are
designed to capture users' online banking credentials.
This
particular attack vector--introducing malicious or Trojaned applications
into mobile app stores--has the potential to become a very serious
problem, researchers say. Tyler Shields, a security researcher at
Veracode who developed a proof-of-concept spyware
application for the BlackBerry earlier this year, said that the way
app stores are set up and their relative lack of safeguards makes them
soft targets for attackers looking to maximize the effectiveness and
reach of their malicious applications.
"App stores have good and bad things about them. Everything is in one
place, which is nice. But the negative is that you have one point of
distribution for potential threats," Shields said. "If I can get past a
single wall, I can potentially get lots of downloads very rapidly. How
do users know the dangerous apps from the safe ones in the app store?"
As
part of his research, Shields used the official controlled APIs
provided by RIM, the BlackBerry's maker, to develop his application,
called txsBBSPY. He also signed the app using the keys provided by RIM.
He didn't try to get the app into the BlackBerry App World store,
simply because BlackBerry users can load apps from anywhere, so it
wasn't necessary.
But it likely wouldn't have been much trouble
for Shields to do so, given the security models employed by these app
stores. The companies, such as RIM, Apple and Google, that maintain app
stores make no guarantees about the safety or quality of the apps, so
users download and install them at their own risk.
"Without
fail, no one thinks for a moment about what goes on behind the scenes of
these app stores," Shields said. "The owners of the app stores have a
great choke point for enforcing security, but they don't want to slow
down the number of apps being sold. If you read the fine print, it's
download at your own risk."
Shields and other security
researchers and industry executives say that developing malicious mobile
apps is likely to be the most popular and lucrative attack vector for
cybercriminals in the coming years. The convergence of powerful mobile
computing platforms such as the iPhone, Android and BlackBerry with the
growing popularity of app stores and phones as mobile payment systems
makes these attacks a layup for skilled attackers.
Why devote
valuable resources for several weeks or months to
putting together a sophisticated phishing scheme or other scam in the hope
of bagging a few hundred victims when you can use that time to develop a
malicious mobile banking or shopping app that could attract tens of
thousands of downloads in a matter of days?
"There are extremely
technical approaches like the OS attacks, but that stuff is much harder
to do," Shields said. "From the attacker's standpoint, it's too much
effort when you can just drop something into the app store. It comes
down to effort versus reward. The spyware Trojan approach will be the
future of crime. Why spend time popping boxes when you can get the users
to own the boxes themselves? If you couple that with custom Trojans and
the research I've done, it's super scary.
"And generally the
same personal data that's on a PC is on a mobile phone. People are
dropping 32 GB cards in there and using their phones as media servers.
They're serious computing devices. Non-technical people's jaws drop when
they hear about this stuff. They realize it's possible on PCs, but they
still haven't come to grips with their phones being attacked," Shields
said.
It's a new day for mobile threats, and the attackers have a big head start.