Monday, March 25, 2013

Mobile Malware: 3 Key Differences and 3 Top Tips

Traditional malware is relatively easy to spot. Well, OK, I'm sure most security vendors would disagree, but it is, at least compared to mobile malware. I did say "relatively", didn't I?

Why is mobile malware so different from regular "desktop" malware? Well, for a start, there's the environment. Even on our most lightweight laptops, we're willing to leave an antivirus running 100% of the time. Sure, we'll bitch and moan about it slowing the whole show down from time to time (usually poor software, or underwhelming tin, but still), but in the end, it stays. On our phones, however, small is king (don't get me started on "phablets"; if I wanted to walk around with a plasma telly in my pocket I'd shoplift at Dixons). Small devices mean small batteries, and we generally can't afford to keep CPU chewers around "unnecessarily". This means that anti-malware takes a back seat: most users won't run it at all, and the ones that do run it tend to pick whatever drains the battery least rather than whatever catches the most.

Second up, there's the homogeneity of the devices. Android often gets slated for being a "fragmented platform", but if you want the same fundamental attack vectors across a huge install base, mobile is a great place to be. The same criticism was levelled at the Microsoft environment five years ago, but while Windows is still hugely popular, the software stack on top of it is far more varied: Outlook is no longer the de facto mail client, and nor is IE the de facto browser. iOS gives you an even more predictable basis for attack (one vendor, one browser engine, one mail client), so as a malware author it's a great place to be. Our user has less control of the OS too, coming behind the vendor and the network operator in the pecking order. That's often a good thing, less rope to hang oneself with, but it means any AV has less of a foothold in the OS, and it makes it hard for the user to spot "interesting" issues: the diagnostic tools aren't readily available.

Finally, we come to the killer feature: the ability to spend your money. If I "own" (or pwn, if you're 17) your PC, you're going to make me work to turn a profit. I can sell access to it, but for peanuts; I need thousands of them to make it worthwhile. You probably don't keep your bank details in a text file on the desktop (do you? If so, please send your IP address on a postcard...), or at least I can't rely on it. Your phone, however, can spend money on your behalf right out of the box by placing calls to premium-rate numbers or signing you up to premium-rate text services, and the charge lands on your bill, not on a card you can cancel. Even the app store is a far easier place for me to slyly spend your coin than anything I can find on your PC.

So, before this post becomes "TL;DR", I'll leave you with a few tips on how to avoid getting your phone hacked (Russian-mafia-style hacked, rather than lazy-journalist-style hacked)...

Rule Zero: The fundamental rule of safety: if it looks too good to be true, that's because it is. If an app is normally 70p and there's a free copy on offer, pony up, you tightwad. Best case, the free one is ad-supported; worst case, it's something far worse. If an app offers you something for nothing that you know normally costs money, you're paying somewhere. See also: free lunch, existence or otherwise thereof.

Rule One: Check the permissions. Android lists what an app is allowed to do before you install it, and iOS asks you when an app first wants access to things like your location or contacts. Be especially cautious with anything that could cost you money: sending texts, placing calls, in-app purchases. Sadly, almost everything needs network access for something or other, so that on its own isn't a useful red flag. Instead, think about the app's job: does a torch need to send SMS? If you can't answer "why does it need this?", don't install it.
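To make that "why does it need this?" question mechanical, here is an added example (mine, not from the original post) that reads an Android manifest and flags the permissions that can spend the user's money. The list of cost-bearing permissions is this example's own assumption, drawn from well-known Android permission names; the "flashlight" manifest is constructed inline so the script runs offline.

```python
"""
Flag Android manifest permissions that can cost the user money.

Added example, not part of the original post. Reads a text-form
AndroidManifest.xml (as produced by apktool; the sample below is
constructed inline) and reports permissions that let an app place calls,
send SMS or bill the user, so a reviewer can ask "does this app need this?"
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# ElementTree exposes namespaced attributes as "{namespace}local-name".
NAME_ATTR = "{%s}name" % ANDROID_NS

# Permissions that can directly cost money. This set is an assumption made
# for the example, not an official Android grouping; extend it as needed.
COST_MONEY = {
    "android.permission.SEND_SMS": "send premium-rate SMS",
    "android.permission.CALL_PHONE": "dial numbers without the dialer UI",
    "android.permission.CALL_PRIVILEGED": "dial any number, including emergency numbers",
    "android.permission.PROCESS_OUTGOING_CALLS": "see or redirect outgoing calls",
    "android.permission.USE_SIP": "place SIP calls",
    "android.permission.RECEIVE_SMS": "read incoming SMS (e.g. subscription confirmations)",
    "com.android.vending.BILLING": "charge in-app purchases through the app store",
}

# Permissions almost every app asks for; on their own they are not a red flag.
COMMON = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
}


def declared_permissions(manifest_xml):
    """Return the android:name of every <uses-permission> element, in order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)]


def flag_costly(permissions):
    """Return (permission, what it lets the app do) for cost-bearing permissions."""
    return [(p, COST_MONEY[p]) for p in permissions if p in COST_MONEY]


def review(manifest_xml):
    """Summarise a manifest: costly permissions, other notable ones, and the total."""
    perms = declared_permissions(manifest_xml)
    return {
        "total": len(perms),
        "costly": flag_costly(perms),
        # Everything that is neither money-related nor boringly common still
        # deserves the "why?" question, so surface it separately.
        "other": [p for p in perms if p not in COST_MONEY and p not in COMMON],
    }


# Constructed sample: a "flashlight" app that, oddly, wants to send and read SMS.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <application android:label="Flashlight"/>
</manifest>
"""

if __name__ == "__main__":
    result = review(SAMPLE_MANIFEST)
    print("%d permissions declared" % result["total"])
    for perm, reason in result["costly"]:
        print("COSTS MONEY: %s (%s)" % (perm, reason))
    for perm in result["other"]:
        print("ask why:     %s" % perm)
```

On a real APK the manifest is stored as binary XML, so first decode it with apktool (which writes a text AndroidManifest.xml) or simply run `aapt dump permissions app.apk` and feed the names it prints to `flag_costly`. A torch that asks for SEND_SMS and RECEIVE_SMS is exactly the pattern Rule One is about: it can sign you up to a premium text service and swallow the confirmation message.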

Rule Two: Follow the crowd. Wildebeest know there's safety in numbers, and you should too. If an app has many users it is more likely to be kosher; if it is brand new to the app store and has very few downloads, tread carefully, especially if it looks like a copy of a mature, well-known app (a "free" clone of a popular paid app is a classic way to get a trojan onto your phone). Check the reviews and the developer's name while you're at it.
