Mobile malware still small, but 'malnets' to rise up
No room for complacency
By Taylor Armerding | CSO | Published: 10:56, 13 February 2013
Mobile device operating systems are still more secure than those of desktop or laptop computers. But today's mobile spam and phishing attacks will increasingly be delivered via mobile malware networks.
Blue Coat Systems' 2013 Mobile Malware Report, released earlier this week, which analysed requests from 75 million users worldwide, found that mobile threats are still a relatively small percentage of overall traffic, and mobile malware that breaks into the operating system of the phone is "still in its infancy."
But Sasi Murthy, Blue Coat's senior director of product marketing, said that as cybercriminals adapt to the behavior of mobile users, those threats will increase and become more varied.
With 70% of employees surveyed using a personal smartphone or tablet on the corporate network, according to an IDG Global Mobility Study, this is an attack surface much too big to ignore.
In particular, the report said that malnets, which are well established in the desktop world, are jumping to mobile. A malnet is built by first infecting a user's computer with a Trojan. That compromised computer then becomes part of a botnet that lures new victims by various means, such as spam email, and the resulting infrastructure of compromised hosts and malicious domains is used to launch wider attacks.
The report said that before 2012, "malnets primarily served malicious Java apps and made little effort to expand." But in February 2012, malnets targeting mobile users showed noticeable activity.
"In 2012, mobile traffic to malnets increased to 2% of overall malnet traffic. This growth is further evidence that mobile malware is poised to make an impact in 2013," the report said.
It said the growth was driven by eight unique malnets in 2012. Three - Narid, Devox and Criban - targeted mobile devices exclusively while the others expanded to include mobile devices. "Narid and Devox are no longer active malnets. Criban continues to show a low level of activity with 83 new hosts over the past year. The maximum number of hosts used in a given day was three," the report said.
The report cited one attack in which the malicious download was recognised by only 10 of the 41 antivirus engines in VirusTotal. "During the same week that this attack occurred, one of the mobile malware malnets used 38 domain names and another used 14 domain names for a variety of sites that were involved in attacks," it said.
The vulnerability to malware, at least according to some experts, is not due to major holes in mobile operating systems. David Rogers, a mobile security expert and owner of Copper Horse Solutions, said mobile OSs and their underlying hardware "are getting very advanced in terms of security."
Dirk Sigurdson, director of engineering for Mobilisafe at Rapid7, said that doesn't mean they are safe. "Devices are typically required to be updated by employees, since patches can't be pushed by organisations. Because of this, a high percentage of devices are running out-of-date firmware with OS-level vulnerabilities," he said.
But Rogers said the major problem is that developers need to be better trained in how to develop secure software. "In most cases the tools and libraries they use are not designed to help them make the right security decisions, resulting in very basic flaws which have serious security consequences," he said.
The result is that users have a tougher time spotting classic mobile threats. The Blue Coat report notes that, on mobile devices, URLs are not fully displayed, that users are taught to expect mobile websites to look different from their desktop versions, and that mobile versions of websites are often developed and hosted by third parties. Given this, users are conditioned to visiting unfamiliar URLs, which is exactly the habit phishing relies on.
The report noted the problem is worse on Android devices because of "the unregulated apps market and diversity of Android-based devices."
Eric Maiwald, research vice president, security and risk management at Gartner, called it an "ecosystem problem," noting that Apple's iOS devices are deployed "within an ecosystem that includes a single, central, app store."
The user is not always helpless, however. Some of the problem is because convenience trumps security. "If logging into a VPN is cumbersome or provides poor performance, a user will find another way to send out documents. That method won't always be secure or even compliant with regulations," the report said.
Changing that behavior is difficult to impossible, Maiwald said. "You can provide incentives and disincentives, but without some drastic actions, users can still behave in ways that circumvent security controls in many cases."
Rogers said some of the responsibility for that lies with developers, who he said "should not just consider the technical security of an application but make security as friendly and seamless as possible from the user's perspective."
Murthy said the key is to deploy security software that blocks threats at the source. She said mobile users should expect attacks to increase, particularly with the use of malnets.
"We're not seeing a lot of mobile exploit kits yet, but when they put them together, the infrastructure is in place," she said, adding that malnets can become active and then shut down to escape notice, "almost like sleeper cells."