A while back a malicious program called DroidDream was found on the Google Marketplace. The thing about DroidDream is that it exploited a vulnerability that gave it root access. Now contrast how Google treats security software. Security applications are not allowed to have root access. The truth is that the most popular mobile platforms (and Windows Mobile 7 also) will not allow security software to run at the same system level that exploitable bugs in their operating systems will allow malicious software to run in. This means that security vendors don’t get a second chance. If the malware gets by the first time, and for some users it will no matter whose product you use, it has virtually perfect cloaking. On a PC you can book there are remediation techniques to get past rootkits, but on most mobile platforms if you boot in safe mode you may not have booted clean and won’t run security software at a system level.
The problem is even more difficult when you consider the ease in which malware and phishing attacks can occur on mobile devices due to the information that mobile devices hide from users. A recent article at Techworld talks about a study done by researchers at the University of California in which they discussed 15 techniques that cybercriminals can use to trick you into giving them your username and password to a variety of sites. There’s the old saying “fooled me once shame on you, fooled me twice shame on me”. I’m not sure what it is for fooled me 15 times!
Quite simply, virtually none of the visual indicators that help even a moderately savvy novice computer user make informed decision are present on mobile devices. The only reason banks and other financial institutions offer mobile banking applications is for marketing and they know they can recoup the fraud losses through ATM and other fees. Mobile devices remain far too insecure a platform to be conducting commerce on if you are installing applications from unknown developers. Downloading apps from official channels, such as Android Market, only means that the odds of installing a malware-laden app are reduced, not eliminated.
The situation with mobile devices is a bit bleak right now and the only saving grace is that cybercriminals are still ramping up their attacks against mobile devices. If the criminal element focused on mobile devices with the same resources they have attacked the Windows platform then it is probable that mobile malware and phishing would be at epidemic levels.
So, here are some tips to stay a bit safer using your mobile device.
First, set you phone to lock and require a password when you are not using it. If you don’t lock your phone and lose it, then any accounts you automatically log into are compromised and that usually puts your friends at risk from criminals impersonating you.
If you are going to provide log in credentials only do so for applications provided by the site vendor. This means you download the Facebook app written by Facebook, the twitter app written by Twitter, the Yahoo messenger app written by Yahoo.
Do not install apps from unknown developers. Since you probably are going to do this, then don’t do any online banking from your mobile device. I have a variety of apps on my Android that I think are probably perfectly fine, but since I don’t really know the developer I won’t access financial data from the device. There is a risk with using Facebook, etc., but that is where I draw the line.
If you click on a link in an email, then don’t provide log in credentials. It is a calculated risk to click on links in any email, but when doing so on a mobile device the odds are far more heavily stacked against you. Even with a computer, you should never provide a username and password when you arrive at a web page from a link in an email. Always open the browser and type in the name of the trusted website and then provide the credentials.
Mobile devices are still fairly primitive from a security standpoint and vendor driven policies heavily stack the odds in the cybercriminals favor. Be cautious about what you are doing on that phancy phone!
Randy Abrams
Director of Technical Education
Cyber Threat Analysis Center
ESET North America