杏吧原创

Phone invaders: The rise of mobile malware

Your most intimate companion may be betraying you. Smartphones are lucrative targets for cybercriminals and keeping them true might not be as easy as we hoped
Phone invaders: The rise of mobile malware

(Image: Raymond Beisinger)

Your most intimate companion may be betraying you. Smartphones are lucrative targets for cybercriminals and keeping them true might not be as easy as we hoped

IT鈥橲 2 am. Do you know what your smartphone is up to? It may not be sleeping faithfully beside you. Seduced by a server far away, it springs to life and betrays your trust, giving away your secrets and running up quite a tab.

For many, the nightmare is a reality. In 2011, for example, a cybercriminal in China gained control of hundreds of thousands of phones, remotely directing them to send premium-rate text messages, call premium toll numbers and play pay-per-view videos while their owners slept on obliviously.

Other phones develop late-night gambling habits. In 2012, journalist wrote about her friend, Mike, who caught his phone playing online poker. It then used his credit card to order wrinkle-removal cream, which arrived on his doorstep a few days later.

Our phones have become intimate companions. We interact with them on average 150 times a day, according to last year鈥檚 , an annual report by internet analyst Mary Meeker. They know who our friends and colleagues are. They know our passwords and banking details. They hold the keys to our digital lives. But our intimacy fools us into a false sense of security. 鈥淵ou think 鈥極h, this is just a phone鈥,鈥 says , a mobile security researcher at Royal Holloway, University of London. 鈥淪o you鈥檙e less inclined to think about security and privacy issues.鈥

Legions of cybercriminals, however, most certainly are thinking about these things. That little phone is a computer, just as hackable as a PC. As with computer viruses a decade ago, many security experts think that malware for mobile devices is set to explode. But this time round there鈥檚 no easy fix 鈥 especially when we are a big part of the problem.

Easy money

With nearly 2 billion smartphones in use today, malicious software is rapidly becoming an easy way to make money for thousands of cyber attackers around the world. Producing malware is a fully fledged industry, with attacks more likely to be written by office drones than basement dwellers. 鈥淚n many countries, involvement in cybercrime pays well, while the risks are very low,鈥 says Igor Muttik, a researcher with security software company McAfee. 鈥淵oung people may do it if they are unable to find a good job.鈥

What are they after? 鈥淢ost mobile malware is looking for your money,鈥 says Roman Unuchek, a malware analyst at Kaspersky Lab in Moscow, Russia. From nuisance ads that pop up unbidden on your screen to credit card theft and even ransom, criminals have many ways to extract money from a phone. Take the hijacked network of phones in China. At that scale, says Eric Chien at antivirus company Symantec, whoever was behind it was raking in millions of dollars a year. And they may still be at it. 鈥淗e hasn鈥檛 been caught as far as we know,鈥 says Chien.

Identity theft is another big concern. Phones carry our most personal digital possessions: logins, passwords, contact lists, photos. Then there鈥檚 the mass of sensors, from GPS to accelerometers, which can be used to tell where we are and what we are doing. 鈥淲e have a lot of data on our phones,鈥 says Chris Hadnagy, CEO of security firm in Brooklyn, Pennsylvania. 鈥淚t鈥檚 a very attractive target for an attacker.鈥

Phones running Google鈥檚 Android are by far the worst hit, with 98 per cent of mobile malware targeting the operating system. That鈥檚 partly because Android has the largest share of the market, running on 80 per cent of phones by some estimates. But mostly it鈥檚 down to the different philosophies at Google and Apple. Both companies police their official app stores. Unlike Apple, though, Google is happy for you to install apps from other sources, too. Android phones give a lot more freedom, but pass on a lot more risk.

There are many ways bad code can break in. Wi-Fi and Bluetooth connections, weblinks, emails, text messages and app downloads are all unlocked windows and unlatched doors. Another ploy is to copy an existing app, hide malware inside, then present this evil twin on an app store as a free clone of the original.

The malware menagerie is full of exotic beasts (see 鈥Attack of the phones鈥). Some rack up bills via premium-rate services, others lock you out of your phone until you pay a fee for a 鈥渇ix鈥. Then there are versions of classic PC attacks like banking Trojans, now the fastest-growing mobile threat. These trick you into entering your bank details into fake login screens. Compromised phones can also be yoked into botnets, where they might be used to mine bitcoins, for example. These have all been spotted in the wild. Even sneakier attacks have been demonstrated in the lab. at City University London warns about the danger of two or more malware apps 鈥渃olluding鈥. Harmless on their own, they avoid detection. Together, though, they can work as a covert team to steal data.

The problem is made worse by the easy availability of 鈥渆xploit kits鈥 鈥 collections of ready-made apps that take advantage of known vulnerabilities. They can be bought online and customised with minimal know-how.

So what can we do? It turns out that protecting a phone is a trickier technical problem than protecting a desktop machine. Solving it might even require a rewrite of the way phones are designed.

On the plus side, mobile systems have built-in safeguards. Smartphone apps don鈥檛 have the same kind of access to the core operating system as most computers do. Apps are 鈥渟andboxed鈥 so that they can access a shared pool of data, like contacts or saved text messages, but they cannot look at data that belongs to another app. This makes it harder for a piece of malware that hitchhikes along with, say, a flashlight app to access the passwords saved in your banking app.

The trouble is that the same design that hobbles apps also hobbles antivirus programs. Typical antivirus software relies on unique 鈥渟ignatures鈥 found in the code of malicious programs. When you download or install a program, the software scans the code and flags up if it contains a malicious signature. This works for known threats, but attackers often use tricks such as polymorphic code, which changes after each install, to fool signature-based approaches.

This is where sandboxing turns out to be a hindrance as much as a help. On a desktop machine, antivirus programs can monitor what other programs do and identify suspicious behaviours, such as when a program tries to install additional code without the user鈥檚 knowledge. But because smartphone antivirus apps are sandboxed, they can鈥檛 look at what other apps are doing, so can鈥檛 catch malicious programs in the act.

Catching the culprit

One way to spot mobile malware without needing a signature is to look for other telltale signs that something鈥檚 not right. at the University of Helsinki in Finland, for example, found that infected phones had shorter battery lives than clean phones by more than an hour on average.

That might alert you to a general problem, but it doesn鈥檛 finger the culprit. To do that, Cavallaro and his colleagues have had to take a step back. To get round the sandboxing limitation, the team uses emulators 鈥 virtual recreations in software of a smartphone鈥檚 hardware and operating system. Running emulators on a PC gives them a view of the whole system and lets them reconstruct an app鈥檚 behaviour from low-level activity such as which registers in the processor it accesses or which files it opens and writes to. They then match this basic behaviour to higher-level activity such as sending a text message. It鈥檚 like trying to recognise a face in a digital picture just by looking at the pixels. The idea is that future antivirus software could detect malware from its low-level activity alone, without having to open up one app to another.

This kind of analysis is hard, though. Fully characterising the behaviour of arbitrary programs is theoretically impossible. Alan Turing pointed this out in 1936 when he showed that you cannot write a computer program that tells you whether any other program will eventually stop running. In practice, this means that there are too many possible ways a program might play out, and it can be hard to know where to look for threats.

Again, Cavallaro and his team think they have a workaround. To find the most relevant parts of an app鈥檚 activity to analyse, they are assembling a collection of 鈥渢races鈥 鈥 sequences of actions like swipes and button taps 鈥 made by people as they use an app. This method can鈥檛 cover all the possible ways a program might behave, but it captures the most common. 鈥淵ou explore the main, most significant pathways,鈥 says Cavallaro. 鈥淭hose are the most attractive for an attacker to use.鈥

The upshot of all this work will be a system called CopperDroid, which automatically analyses Android malware. The hope is that, backed by CopperDroid, antivirus software for smartphones will be a lot more effective. Even so, without better access to the core resources of the phone, the software will never match its desktop counterparts, says Cavallaro.

But getting that access means rewriting the basic design of most smartphone operating systems. Android, at least, is open-source, meaning anyone can contribute changes to the system. Cavallaro hopes that his changes might eventually be incorporated into an official Android release.

That still leaves us with a problem, though. We are the ones who install most malware on our phones. Every time we download a new app, we are the weakest link in the chain.

It doesn鈥檛 help that software designers offload so much of the security burden onto users, says Lorrie Cranor, director of the CyLab Usable Privacy and Security Laboratory at Carnegie Mellon University in Pittsburgh, Pennsylvania. She points to Android鈥檚 permission system, which asks people to decide whether or not to grant an app permission to send text messages or view their contacts. With around 150 different permissions possible, she says, people often don鈥檛 understand what they are agreeing to.

That鈥檚 assuming we even care. A 2012 study of Android phone users showed that only 17 per cent paid attention to permission requests when installing apps and only 3 per cent could correctly answer questions about what the permissions meant. Results like these give rise to a classic joke among security experts: given the choice between dancing pigs and security, people will choose dancing pigs every time.

鈥淕iven the choice between dancing pigs and security, people choose the pigs鈥

There is hope, however. 鈥淭he user is not the enemy,鈥 says Devdatta Akhawe at the University of California, Berkeley. It鈥檚 just that we often don鈥檛 have enough information to make safe decisions by ourselves. Can we be nudged in the right direction? A team of Google researchers recently found that presenting warnings in red and using aggressive language such as 鈥淭his will hurt your computer鈥 was much better at making people think about what they were doing than calmly worded messages.

But warnings, however well-designed, will never be an ideal solution. 鈥淚f you have a hazard, the best thing to do is to remove the hazard,鈥 says Cranor. Warnings should be a last resort. For a start, too many alerts can lead to 鈥渨arning fatigue鈥. Akhawe has found that people tend to click through warnings more quickly the more frequently they are shown, but spend more time on warnings that are shown rarely. 鈥淎fter a while the user just gets tired and stops caring,鈥 says Akhawe.

Smartphones, smarter users

Serge Egelman at the University of California, Berkeley, thinks we should get rid of many warnings and permission requests altogether. Instead, people should be allowed to see which apps are responsible when their phone starts behaving badly. Even telling people which apps are draining the most juice from their battery 鈥 a feature in the new version of Apple鈥檚 iOS 鈥 could give them a better idea of what鈥檚 going on under the hood.

Fewer security decisions would mean fewer chances to shoot ourselves in the foot, but that doesn鈥檛 mean we can download with reckless abandon. We still need to be smarter about what we install on our phones, says Hadnagy. 鈥淧hones are small and they feel like they鈥檙e not computers, so we鈥檙e more prone to click things and try things.鈥

Hadnagy urges us to think critically about what apps are asking from us: 鈥淲hy does Sudoku need access to all of my contacts?鈥 There鈥檚 a reason free apps are free: if we don鈥檛 pay upfront, app makers might make us pay another way. And if we can鈥檛 resist that Flappy Bird clone, Hadnagy recommends not keeping passwords or other sensitive information on our phones, and to keep our operating systems and apps up to date.

鈥淎sk yourself: Why does Sudoku need access to all my contacts?鈥

There is no perfect solution, says Hadnagy. 鈥淚 have every possible protocol to keep my phone secure,鈥 he says. 鈥淒oes that mean I鈥檓 100 per cent protected? No. But I鈥檓 not the low-hanging fruit.鈥

App and operating system designers may help us to make better security decisions, and smarter antivirus software can backstop the occasional evening of wanton downloading. But when the party鈥檚 over, and we wake up next to a phone we hardly recognise, we will only have ourselves to blame. It only takes one bad app to spoil the whole damn bunch.

Attack of the phones: A malware menagerie

Skulls

Malware for Symbian phones that stops other apps working and replaces all icons with a skull. It then spreads the damage to your contacts via text message.

DroidDream

A Trojan found hiding inside more than 50 apps on Google鈥檚 official app store in 2011. Once installed, it was set up to run in the middle of the night and download other malware in secret. Google had to remove the infected apps and use a kill switch to wipe infected Android devices remotely.

Ikee

Infects 鈥渏ailbroken鈥 Apple devices and spreads to others via Wi-Fi. Replaces your phone鈥檚 wallpaper with a picture of the singer Rick Astley.

0bad

Super stealthy and multi-tasking, it exploits a subtle error in Android code. Capable of an array of attacks, from using premium-rate services to installing other malware, it has been described as the 鈥淪wiss Army knife鈥 of Trojans.

Svpeng

A new kind of banking Trojan emerging in Russia that tricks users into entering bank details, which it sends to cybercriminals. It prevents antivirus programs from deleting it, and even stops users from resetting their phone to factory settings.

Topics: Computer crime / Crime / Forensics