So let’s talk mobile security. Everybody has a mobile phone, some people have more than one, and mobile phones are a major risk when it comes to security, so it’s important to be aware of how to protect yourself and how to incorporate mobile devices into your organisation’s mobile security policy.
These days most people have a smartphone, and these phones allow you to do pretty much anything on them, from email to IM and from Web browsing to WAP. These mobile devices effectively form an extension to your corporate network. Now before we move on, I know I covered a lot of this in my previous post, but I will go into some more detail here.
Protecting your Smartphone
Like any device that stores data or connects to the internet, you need to take data security seriously. To get started:
- Password protect your device and change this password every 60 days.
- Delete your browsing history.
- Delete your system cache.
- Delete your picture cache.
- Delete your network cache.
- Delete your installation log.
- Delete your viewed SMS.
- Delete viewed email from your phone.
- Verify the applications you download before you install them.
- Scan the operating system for trojans, malware, etc.
- Turn off Bluetooth when not in use.
- Use anti-virus software and keep the definition file up-to-date.
- Use a firewall.
- Encrypt your data!
Common mobile Antivirus (AV) products
Most AV companies now have a mobile version of their AV and/or firewall for your mobile devices; Trend, McAfee and Kaspersky, to name a few. There are also free versions out there, like NetQin Anti-Virus and NetQin Mobile Guard.
Antivirus should be the first part of your mobile security policy.
OK, so let’s get into the nitty-gritty of it all.
Over the past few years there has been much speculation about when mobile malware will start to proliferate. Well, in the second quarter of 2012, McAfee found the biggest increase in malware samples detected in any of the last 4 years. Over the past 12 months there have been some interesting developments concerning mobile malware.
Let’s look at some of the trends. First off, we look at the mobile malware lifecycle.
The mobile malware lifecycle
A few years ago mobile malware spread by Bluetooth, MMS and SMS, infecting files, modifying or replacing icons, locking memory cards, and installing fake fonts. Now new technology has been adopted by cybercriminals.
This includes DDoS (damaging user data); disabling an operating system; silently downloading files from the internet; silently calling PRS/international numbers; infecting USB sticks; and stealing mobile banking user login and password credentials.
Mobile attack vectors
Mobile malware writers have a hard task delivering their malicious payloads, considering the multitude of mobile operating systems on the market. In the PC world the main player is Microsoft; in the mobile world you have Symbian, Apple, BlackBerry, Android, Microsoft Windows Phone 7 and Bada (Samsung), to name a few. See below for the mobile threats by operating system. One would expect this to change, i.e. Windows Phone 7 (Microsoft) partnered with Nokia a little while back, so this platform along with Android will continue to see major advances in malware propagation over the next few years.
According to a report by McAfee, the amount of mobile malware in 2012 increased by 1.5 million since Q1 2012. This shows us that attackers are making major shifts towards mobile devices and attack vectors.
Source: McAfee Threats Report Q2 2012
Here are some recent cell phone malware attacks, as reported by darkreading.com:
Title: FakeInst SMS Trojan and its variants
Attack vector: Malicious app with hidden spyware
FakeInst disguises itself as popular apps like Instagram, Opera Browser, [and] Skype, and sends SMS messages to premium-rate numbers.
It was selected because it has infected devices so widely. There are many variants in the FakeInst family, such as RuWapFraud, Depositmobi, Opfake, and JiFake.
Sixty percent of the total Android malware that security firm TrustGo found belongs to the FakeInst family. Geographically, it mainly exists in Russia, although samples have also been found all over the world.
Attack vector: Mobile apps/SMS
SMS Zombie had, as of August this year, already infected 500,000 devices in China.
The malware works by sending SMS messages to China Mobile’s online payment system to “top up” designated accounts.
The good news for Android users outside China is that people who don’t live in that country have little to worry about from the zombie scourge. The vector of attack for the malware is to exploit a vulnerability in the mobile payment system used by China Mobile.
Attack Vector: Websites
Discovered by Lookout Mobile Security in April, NotCompatible is the first piece of mobile malware that used websites as a targeted distribution method.
NotCompatible is automatically downloaded when an Android browser visits an infected website. The downloaded application is disguised as a security update in an attempt to convince the user to install it.
If it is successfully installed, NotCompatible can potentially be used to gain access to private networks by turning an infected Android device into a network proxy, and can be used to gain access to protected information or systems.
Attack Vector: Mobile Apps/SMS
Bundled in with legitimate applications, Android.Bmaster was spotted on a third-party Android app market earlier this year. The majority of the infected victims were Chinese users. Once on the device, the malware swiped sensitive data from the phone, including the Cell ID, location area code, and IMEI (International Mobile Equipment Identity) number, and caused users to send SMS messages to premium numbers.
LuckyCat was the name given to a campaign of targeted attacks that struck the aerospace and energy industries in Japan as well as Tibetan activists and others. To broaden their attack, the perpetrators have brought the attack to the Android platform.
Once installed, the application displays a black icon with the text “testService,” and opens a backdoor on the device to steal information.
Worth noting, all these malware/spyware instances required user action to permit the application to install and run.
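As an added example (not from the original post or from any vendor named in it), the Python sketch below triages an app inventory for the pattern described for FakeInst above: a well-known app name on a non-official package that can also send SMS. The record format, the `signals` and `triage` helpers and the sample inventory are assumptions constructed for illustration.

```python
import re

SEND_SMS = "android.permission.SEND_SMS"
PLAY_STORE = "com.android.vending"  # installer package of the official store

# Official packages for the apps the post says FakeInst imitates.
# Illustrative and incomplete: extend it with the apps your users rely on.
OFFICIAL = {
    "instagram": "com.instagram.android",
    "opera": "com.opera.browser",
    "skype": "com.skype.raider",
}

def signals(app):
    """Return the risk signals for one app record (hypothetical dict format)."""
    words = set(re.findall(r"[a-z0-9]+", app["label"].lower()))
    found = []
    for brand, package in OFFICIAL.items():
        # Brand name in the display label, but not the vendor's package.
        if brand in words and app["package"] != package:
            found.append("impersonates:" + brand)
    if SEND_SMS in app.get("permissions", ()):
        found.append("can-send-sms")
    if app.get("installer") != PLAY_STORE:
        found.append("sideloaded")
    return found

def triage(inventory):
    """Return {package: signals} for apps that imitate a brand AND can send SMS."""
    report = {}
    for app in inventory:
        found = signals(app)
        imitates = any(s.startswith("impersonates:") for s in found)
        if imitates and "can-send-sms" in found:
            report[app["package"]] = found
    return report

# Constructed sample inventory, e.g. as exported by an MDM or a device audit.
SAMPLE = [
    {"label": "Instagram", "package": "com.instagram.android",
     "installer": PLAY_STORE, "permissions": ["android.permission.CAMERA"]},
    {"label": "Opera Browser", "package": "com.example.installer.opera",
     "installer": None, "permissions": [SEND_SMS, "android.permission.INTERNET"]},
    {"label": "Messaging", "package": "com.example.sms",
     "installer": PLAY_STORE, "permissions": [SEND_SMS]},
    {"label": "Skype", "package": "com.example.skype.free",
     "installer": None, "permissions": ["android.permission.INTERNET"]},
]

if __name__ == "__main__":
    for package, found in triage(SAMPLE).items():
        print(package, ", ".join(found))
```

Only the fake "Opera Browser" entry is reported; the look-alike "Skype" entry has no SMS permission and the legitimate messaging app imitates no brand, so each shows a single signal and stays below the reporting threshold.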
Source: McAfee Quarterly Threat Report Q2, 2012
I think I have got the message through: mobile AV is extremely important. Also ensure that you have a separate data card in your device for saving / installing apps, to mitigate any potential outbreak affecting your phone OS partition.
OK, so we talked about encryption in post 1, but I thought I would cover a few of the products out there. A lot of the mobile operating systems now come with this function built in, but there are a few third-party products as well.
For Android, WhisperCore is a great and FREE (for personal use) product, available at http://www.whispersys.com/whispercore.html
Windows Mobile 7 and Mobile 6 have free inbuilt encryption. A great post on WinMo 7 encryption by Microsoft’s Rob Tiffany can be found here: http://robtiffany.com/windows-phone-7/dont-forget-to-encrypt-your-windows-phone-7-data?utm_source=twitterfeed&utm_medium=twitter
Secubox is another application available for Windows mobile devices, but it is not free: http://www.aikosolutions.com/
iPhones have a built-in encryption method in the OS that you can utilise, but see the App Store for additional encryption and firewall/AV apps.
Having your device encrypted mitigates the possible threats of data loss and should always be turned on.
As part of a company’s mobile security policy, you should look to standardise on mobile devices. Not only does this make purchasing easier, but from a sysadmin, support and security point of view it reduces costs dramatically. I’ll admit I am biased and I prefer Windows mobile based devices overall, and why the heck not? I can control these devices through group policy, most of the phone’s functionality is fully controlled, and I can remotely wipe the device. Food for thought?
Another option, if you are going to allow all employees to have any device they want, is to implement something like AirWatch MDM to centrally manage and control them.
Just remember: the more diverse the devices, the more money, time and effort it will take to secure them.
If not in use, turn it off! Not much more to say here… see this post for comprehensive information on Bluetooth security.
I am not going to go into too much detail here, but a firewall is a must when it comes to mobile devices. Some operating systems have it built in; a lot don’t.
CA, Sophos, and a whole range of other AV / security vendors provide firewall versions for mobile devices. Some are free, some are not. The bottom line… firewall and AV are a must for any mobile device and should be in your mobile security policy.