Traditional malware is relatively easy to spot. Well, OK, I am sure most security vendors would disagree, but it is: relative to mobile malware. I did say “relatively”, didn’t I?
Why is mobile malware so different from regular “desktop” malware? Well, for a start, there’s the environment. Even on our most lightweight laptops, we’re willing to leave an antivirus running 100% of the time. Sure, we’ll bitch and moan about it slowing the whole show down from time to time (usually poor software, or underwhelming tin, but still...), but in the end, it stays. On our phones, however, small is king (don’t get me started on “phablets”; if I wanted to walk around with a plasma telly in my pocket I’d shoplift at Dixons). Small devices mean small batteries, and we generally can’t afford to keep CPU chewers around “unnecessarily”. This means that anti-malware often takes a back seat: most users won’t run it.
Second, there’s the homogeneity of the devices. Android often gets slated for being a “fragmented platform”, but if you want the same fundamental attack vectors across a huge install base, mobile is a great place to be. The same criticism was levelled at the Microsoft environment five years ago, but while Windows is still hugely popular, the software stack on top of it is now much more varied: Outlook is no longer the de facto mail client, and nor is IE the de facto browser. iOS gives you an even more predictable basis for attack, since every device runs the same OS with the same bundled apps. Our user has less control of the OS too, coming behind the vendor and the network in the pecking order. That is often a good thing (less rope to hang oneself with), but it also means any AV has less of a foothold in the OS: on an unrooted or un-jailbroken device it runs as just another sandboxed app, with no more right to inspect other apps’ processes and files than they have to inspect its. It also makes it hard for the user to spot “interesting” issues, because the diagnostic tools simply aren’t there.
Finally, we come to the killer feature: the ability to make calls. If I “own” (or pwn, if you’re 17) your PC, you’re going to make me work to turn a profit. I can sell it, but for peanuts; I need thousands of them. You probably don’t have your bank details in a text file on the desktop (do you? If so, please send your IP address on a postcard...), or at least I can’t rely on it. Your phone, however, can spend money on your behalf right out of the box, by placing calls to premium-rate numbers or signing up to premium-rate text services, and the charges go straight onto your bill. Even the app store is a more likely place for me to slyly spend your coin than anything I can find on your PC.
So, before this post becomes “TL;DR”, I’ll leave you with a few tips on how to avoid getting your phone hacked (Russian-mafia-style hacked, rather than lazy-journalist-style hacked)...
Rule Zero: the fundamental rule of safety. If it looks too good to be true, that’s because it is. If an app is normally 70p and there’s a free copy on offer: pony up, you tightwad. Best case, the free one is ad-supported; worst case, it’s considerably worse. If an app offers you something for nothing that you know normally costs money, well, you’re paying somewhere. See also: free lunch, existence or otherwise thereof.
Rule One: check the permissions. Android lists the permissions an app requests before you install it, and iOS asks you the first time an app tries to use a protected capability such as your location or your contacts. Either way, be especially cautious with anything that could cost you money: sending SMS and placing calls. Sadly, almost everything needs network access for something or other, so that on its own isn’t a useful red flag, but think: does this app need this permission? A wallpaper app has no business sending texts. Why does it want to?
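To show what “does this app need this permission?” looks like when you do it by hand, here’s a small Python script I’ve added for this post (it isn’t code from the original, and it isn’t any vendor’s tool). It reads a decoded, plain-text AndroidManifest.xml, the kind you get from `apktool d app.apk`, pulls out every permission the app asks for, and sorts them into “can spend your money” (SEND_SMS, CALL_PHONE), “worth asking why” and “everything else”. The sample manifest, its package name and the two permission lists are mine, constructed for the example; the permission names themselves are the real Android ones.

```python
"""Triage the permissions an Android app requests, from its decoded AndroidManifest.xml.

Added example for this post, not the original's code. Input is a decoded, plain-text
manifest (e.g. the output of `apktool d app.apk`); the sample manifest below and the
two permission groupings are constructed for the example.
"""
import xml.etree.ElementTree as ET

# The android: attribute namespace used throughout every manifest.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Permissions that let an app spend the user's money directly (premium SMS, calls).
# Grouping is mine; the names are real Android permissions.
COSTS_MONEY = {
    "android.permission.SEND_SMS",
    "android.permission.CALL_PHONE",
}

# Permissions that don't cost money by themselves but deserve a "why?" from a simple
# app: they let it read what arrives on the phone, who you know, or where you are.
WORTH_A_QUESTION = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO",
}


def requested_permissions(manifest_xml: str) -> list[str]:
    """Return the names declared in <uses-permission> elements, in manifest order."""
    root = ET.fromstring(manifest_xml)
    # <uses-permission> itself is un-namespaced; only its android:name attribute is.
    return [el.get(NAME_ATTR, "") for el in root.iter("uses-permission")]


def triage(manifest_xml: str) -> dict[str, list[str]]:
    """Bucket the requested permissions so the money-spending ones stand out."""
    perms = requested_permissions(manifest_xml)
    return {
        "costs_money": [p for p in perms if p in COSTS_MONEY],
        "worth_a_question": [p for p in perms if p in WORTH_A_QUESTION],
        "other": [p for p in perms if p not in COSTS_MONEY | WORTH_A_QUESTION],
    }


# Constructed sample: a "free wallpapers" app that, for some reason, wants to send
# texts and see incoming ones. Package name is made up for the example.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.freewallpapers">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <application android:label="Free Wallpapers"/>
</manifest>
"""

if __name__ == "__main__":
    for bucket, names in triage(SAMPLE_MANIFEST).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

Point `triage()` at a real decoded manifest by reading the file into a string. Anything that lands in the first bucket for an app that has no reason to text or dial is your Rule One answer: INTERNET on its own tells you nothing, SEND_SMS on a wallpaper app tells you plenty.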
Rule Two: follow the crowd. Wildebeest know there’s safety in numbers, and you should too. If an app has many users it is more likely to be kosher; if an app is brand new to the store and has very few downloads, tread carefully, especially if it looks like a mature, polished app. A finished-looking app with a dozen downloads may well be a copy of a popular one, repackaged with something extra inside. Check the reviews while you’re at it.