Mobile security: a growing concern
After attending some conferences at MWC12 about the future of smartphones and other mobile devices connected to the Internet, we’ve realized that security is becoming one of the challenges that developers and users will have to deal with in the future. Although not many cases of malware or massive attacks on mobile devices have been reported, the issue is breaking into the agenda at the same time that NFC mobile payment systems are offering reliable and user-friendly platforms.
Actually, since the technology already allows it, the first barrier to the spread of NFC mobile payment systems is, precisely, security. In other words, the ability of the developers of those payment platforms to ensure users’ data privacy and security, as well as their ability to explain it to their potential users.
However, security doesn’t concern just payment platforms, even though that’s the issue which is putting it on the agenda. We wanted to learn what the state of the topic is. For this reason we attended the Kaspersky Labs Press Conference “The Mobile Environment as a Paradise for Cyber Criminals”. Eugene Kaspersky, CEO and Co-Founder of Kaspersky Labs, started the conference with a simple question: “Malware in smartphones, is it real or a hype?” The question itself reveals that there’s some susceptibility around this topic. Mr. Kaspersky stated that they’ve been keeping track of the evolution of threats and attacks on mobile devices, as they did in the 90s with PCs. It seems that there’s a shared pattern: a series of steps that makes an explosion of malware attacks predictable in the short term. Actually, he said that explosion has already started, as this graph shows:
Source: Kaspersky Labs Presentation at MWC 2012
What’s more, Mr. Kaspersky explained that there are no substantial differences between traditional desktop threats and mobile threats: DDoS, spam (especially via SMS), bank account theft, identity fakes or phishing (which becomes smishing on mobile devices), among others. Actually, Denis Maslennikov and Vicente Díaz, Senior Malware Analysts from Kaspersky Labs, tried to demonstrate to the audience with their analysis results that mobile malware is becoming a real problem, not an occultism issue, and, by the way, to prove that they aren’t “charlatans”, as some critics have asserted.
In summary, they keep showing evidence of the imminent explosion of malware and attacks on mobile devices. What’s more, they explained that the most common attacks they’ve registered on smartphones so far have been Trojan-SMS, Backdoor and Trojan-Spy. A Trojan is basically “malicious code into a legitimate app code”, which is more difficult for the security systems of the app markets to detect. That’s precisely what happened in February 2011: some malware yanked the Android market. Some other, less well-known attacks have been reported since then.
Putting all this evidence together, Mr. Kaspersky considers that there’s (already) a real threat to our mobile devices. He believes that the same tools used for fighting viruses and malware on desktop devices should be used to protect our mobile devices: anti-virus, firewalls, parental control, anti-spam… Obviously, after introducing the facts, Kaspersky Labs presented their new apps for battling malware:
A set of tools to prohibit children from visiting unsuitable or potentially harmful websites. The solution allows specific categories of websites to be restricted. Potentially malicious resources such as phishing websites or those distributing harmful to devices are blocked automatically (Web Filtering). KPC permits either allowing or restricting the usage of certain apps installed on a device (App Control).
Kaspersky Tablet Security (KTS) gives protection against all kinds of cybercriminal activity and is specifically designed for Android-based tablets. It includes anti-virus and real-time protection from malicious and fraudulent software, with cloud protection, that is, immediate reaction against new and emerging threats. What’s more, it detects and blocks dangerous URLs and websites, including phishing websites. There’s a web management platform for remote control of a device. Finally, it includes anti-theft security features: find, block, data wipe and mugshot the thief.
My opinion on the subject
Well, I’m not going to discuss the reliability of the graphs and data collected by Kaspersky Labs. They’re professionals and, at least, they deserve that respectful treatment from all of us. What’s more, they’re trying to prove something that we all (to different degrees) agree on: malware and attacks on mobile devices are meant to increase in the next months/years.
I only cast doubt on some points of that hypothesis: we cannot equate PC and mobile threats 100%. There are different parameters involved. First off, most of the attacks on PCs were on commercial non-open-source OSes like Windows and their products. In most cases their purpose was to break its security system and free harm. We have to bear in mind that Android is an open-source Linux-based OS. Even though the Android code is fully accessible to the “bad guys”, there’s also a whole community of “good guys” who can voluntarily fix any irregularity. What’s more, open-source OS users are more security conscious (as another Kaspersky Lab Analyst stated once). However, on mobile devices Android is the OS which sees the most infections, despite being an open-source system. What’s more, the nature of the attacks on mobile devices is less gratuitous. In other words, it’s not just to break security systems and free harm: it’s more about attacking the wallet. Mobile devices, especially smartphones, give cyber criminals an economic reason for developing malware and trying to place it in the Android Market. The following graph shows the percentage of infections by platform:
Source: Kaspersky Labs Presentation at MWC 2012
In short, from my point of view, we aren’t in such a state of emergency, despite the graphs. From my point of view, malware and attacks on Android will increase, although due to the open-source nature of the OS, the attacks will be especially oriented to Bank Account Theft, SMiShing or any other type of “attack to the wallet”. Besides the malicious code, we will see a growth in other soft-attacks like more confusing pay per built-in credits in kids-like apps with no re-funding policy. Finally, the permissions will play a main role in the evolution of the attacks on mobile devices (as we explained in this post and this other), since they’re a legitimate breach in our devices’ security.
Emmanuel Lund, writer at AndroidZoom.com and sightseer at MWC12