The rise in popularity of the smartphone means that it is fast becoming an attractive platform for sophisticated malware exploitation, with real potential for criminal gain through the use of SMS shortcodes and premium rate calls. When combined with the lack of public awareness of threats, and the implicit trust that mobile users have in mobile messages, smartphones are the growing medium of choice for abuse.
In 2010, the number of new handset viruses increased by a third; however, there are wide variations within this figure.
- New platforms like Android have seen large increases, caused both by the newness of the OS and by its greater potential in functionality and lower signing restrictions.
- Other platforms such as Symbian are seeing a decline in new malware targeted exclusively at them, despite no change in their security model.
This indicates that attackers are reacting to changes in the smartphone market and looking to target the handsets that offer the greatest user base with the lowest commercial and technical barriers to exploitation.
Through 2010, the key change has been the emergence of the Compound Threat, where mobile malware takes advantage of the full capabilities of a mobile operating system and network. Examples include:
- April 2010: Windows Mobile: First instances of a legitimate game that was subsequently hacked to include a premium rate dialler that would place calls through to international numbers including Antarctica and the Dominican Republic, running up unexpected costs for the subscriber.
- July 2010: Talking TomCat, a freeware app for iPhone that pops up adverts containing hidden links that generate a call without the user realising.
- September 2010: Adult Media Player app for Android that is promoted via website links and, once downloaded and installed, will download and play movie clips, but in the background will generate SMS messages to shortcode numbers without the user's knowledge, at up to $6 per message.
However, it is not just the new smartphones that are at risk. Java-enabled handsets have been the dominant platform for mobile viruses in 2010. This means that not only are all smartphone handsets susceptible to these viruses (in addition to platform-specific attacks), but so are the more commonly available feature phones.
Even the cheapest handsets, available from £10, come with the capability to receive SMS, and thus even at this price point bring the social challenge of ensuring their users are kept safe from unsolicited and fraudulent communication.