The general vector of cyber attacks has started to change. The world is seeing a move from money to information, and smartphones cannot be left out of the equation, as they store huge amounts of data.
Speaking at the Kaspersky Lab Virus Analyst Summit, in Malaga, Spain, this week, senior malware analyst Denis Maslennikov said targeted attacks on these devices can be defined as those that aim to steal corporate data stored on a smartphone.
He said although there is no public information available about these attacks, there are several possible scenarios. “Gartner's report on mobile sales to end-users revealed that smartphone sales are growing. They are powerful instruments and a tool for a variety of purposes. 'Consumerisation' is happening at a rapid rate. Personal devices are used to check work e-mails and suchlike.
“Your device contains a lot of interesting things - calendar meetings, contacts, e-mails, SMS messages, GPS co-ordinates, photographs. In a nutshell, your device is you.”
Maslennikov said 2010 saw 65% more mobile malware than 2009, and the first six months of 2011 are already equal to the whole of last year. “Most malware is targeting Android, due to its growing popularity. This is even though the first malware for Android was only discovered in 2010. Criminals target the most popular platforms.”
Victim selection
He said there are several possible scenarios, in terms of targeted attacks. “The first step would be profiling the target. They need to find someone vulnerable, from a physical point of view too. They use social networks for social engineering, because a lot of information about individuals is stored there.”
Next, added Maslennikov, is retrieving a phone number of the potential victim, something that is incredibly easy, often easier than an e-mail address. “Following this, they would need to retrieve a device model, which is also very simple to do. Think of signatures in e-mails, tweets - 'Sent from my iPhone, or BlackBerry'.”
Once the attacker has retrieved this basic information, there are several possible scenarios. “A cyber criminal could physically follow the target to say a coffee shop after work. They can see if you're using the wireless or online, and can 'sniff' your information. The lesson here is don't use public WiFi on corporate devices.”
Maslennikov said should fraudsters have no success in this endeavour, they could try to get physical access to the device, by pick-pocketing, or as people are generally quite careless, stealing devices that are left unattended.
“Devices left unattended are soft targets. If you leave your device somewhere, you cannot see or control it; an attacker can download malware, steal data and suchlike.”
He cited a recent example of this, whereby the UN nuclear agency investigated reports from its experts that their cellphones and laptops were possible victims of a hack by Iranian officials, who were reportedly looking for confidential information while the devices were left unattended during inspection tours in the country.
Another factor making attacks fairly easy is that many people use weak passwords that can be brute-forced. Swipe locks, too, can be easily circumvented.
In terms of attacking devices remotely, he said there are several elements to make malware of this nature successful. “The malware would have to be able to mask itself really well and have the ability to read data stored on a smartphone. Thirdly, it must be able to retrieve GPS co-ordinates, where the user has been, and where are they now.”
Lastly, it must be able to communicate with a drop-zone, where stolen data is sent.
“Has it been done?” he asked. “Yes. Data was read by a threat called Monitor.AndroidOS.Flesp. GPS co-ordinates were hacked through another dubbed Monitor.AndroidOS.Tapsnake. Disguise was accomplished through a Trojan-Spy.AndroidOS.Geinimi, and communication with a drop-zone through Backdoor.AndroidOS.Rooter or DroidDream.
“In order to successfully deliver the malware, criminals will use social engineering tricks to get the victim to click on a link, via an SMS spam message, e-mail spam message, or for example, an IM spam message.”
Even those only using trusted sources should not be fooled, he explained. “There have been several cases of malware in the Android Market, for example. Some were available for a couple of months before it was discovered.”
Blackmail alert
The result can be really harmful if information was stolen or accessed. Data can be sold to competitors or third parties, or a ransom can be demanded for the information. “The cyber criminal could also publicly disclose the information to harm the victim's reputation, or in my mind the most dangerous scenario, they could erase or modify the information.”
In conclusion, Maslennikov said there are several ways to suppress targeted attacks on smartphones. “Firstly, don't use public or untrusted WiFi networks if they don't have WPA2 encryption; 3G or 4G is more secure. Secondly, always keep an eye on your device, and use a strong screen lock password or a tricky swipe lock.”
He stressed that remote wipe software should be mandatory for all corporate devices. “Make life harder for a remote attacker by updating the OS and third-party software regularly, and read all permissions carefully. Be logical; for example, SMS sending for a 'media player' is not necessary. Be aware of disguised malware.
“Ignore all SMS and e-mail spam messages, especially those containing URLs, and use encryption for all critical data. Most importantly, avoid jailbreaking or 'rooting'.”