The Risk of Mobile Malware Is Growing

By Samuel Greengard

As the post-PC era takes shape, and smartphones and tablets go mainstream, these devices are rapidly becoming a target for malware and spambots that have in the past infected personal computers. In October, the FBI issued a warning that mobile users should be on alert for attacks directed at their devices, which are susceptible to malware delivered through links in e-mails and text messages.

Loozfon and FinFisher are two of the biggest threats. The former program steals data, and the latter is used for spying and can take over a phone.

In fact, the risk of mobile malware is growing. Andrew Conway, a researcher at security services firm Cloudmark, recently offered a blog post describing a new Trojan that is used to create a simple SMS spam botnet.

Conway noted that the software—the first of its kind—infects handsets “to spread spam and invitations for other users to download the infected apps.” Once infected, he says, “a phone will be used to silently send out thousands of spam SMS messages without your permission to lists of victim phone numbers that the malware automatically downloads from a command and control server.”

The Trojan apps were downloaded from Hong Kong-based sites offering free games, including The Need for Speed, Most Wanted, Angry Birds and Star Wars. Those who install the “spamvertised” application add their device to the growing botnet.

An infected phone can send out thousands of spam SMS messages without the permission or knowledge of the device owner. The zombie device then remains connected to the command and control server via HTTP.

So far, Cloudmark has recorded a peak rate of approximately a half million SMS spam messages per day. While this sounds ominous, Conway says that it represents a fairly limited threat.

“Compared to PC botnets, this was an unsophisticated attack,” he writes. “However, this sort of attack changes the economics of SMS spam, as the spammer no longer has to pay for the messages that are sent if he can use a botnet to cover his costs. Now that we know it can be done, we can expect to see more complex attacks that are harder to take down.”

Meanwhile, security and anti-malware firm Trend Micro indicated in its third-quarter 2012 report that mobile malware on the Android OS had swelled approximately sixfold from April to September, when the number of attacks rose from 11,000 to more than 175,000. These include spambots and spyware; tollware that surreptitiously sends text messages to services that charge a fee; and apps that secretly record phone calls and intercept texts used to authenticate financial transactions.

For IT executives coping with a BYOD environment, it’s imperative to take these threats seriously and ensure that devices are protected.

“Mobility delivers huge gains, but also makes life a lot more difficult,” states Chenxi Wang, vice president and principal analyst at Forrester Research. “Many organizations don’t have even basic security such as encryption and DLP [data loss prevention] in place. They also don’t spend adequate time educating employees about risks.”