
(Image: Raymond Beisinger)
Your most intimate companion may be betraying you. Smartphones are lucrative targets for cybercriminals and keeping them true might not be as easy as we hoped
IT’S 2 am. Do you know what your smartphone is up to? It may not be sleeping faithfully beside you. Seduced by a server far away, it springs to life and betrays your trust, giving away your secrets and running up quite a tab.
Advertisement
For many, the nightmare is a reality. In 2011, for example, a cybercriminal in China gained control of hundreds of thousands of phones, remotely directing them to send premium-rate text messages, call premium toll numbers and play pay-per-view videos while their owners slept on obliviously.
Other phones develop late-night gambling habits. In 2012, journalist wrote about her friend, Mike, who caught his phone playing online poker. It then used his credit card to order wrinkle-removal cream, which arrived on his doorstep a few days later.
Our phones have become intimate companions. We interact with them on average 150 times a day, according to last year’s , an annual report by internet analyst Mary Meeker. They know who our friends and colleagues are. They know our passwords and banking details. They hold the keys to our digital lives. But our intimacy fools us into a false sense of security. “You think ‘Oh, this is just a phone’,” says , a mobile security researcher at Royal Holloway, University of London. “So you’re less inclined to think about security and privacy issues.”
Legions of cybercriminals, however, most certainly are thinking about these things. That little phone is a computer, just as hackable as a PC. As with computer viruses a decade ago, many security experts think that malware for mobile devices is set to explode. But this time round there’s no easy fix – especially when we are a big part of the problem.
Easy money
With nearly 2 billion smartphones in use today, malicious software is rapidly becoming an easy way to make money for thousands of cyber attackers around the world. Producing malware is a fully fledged industry, with attacks more likely to be written by office drones than basement dwellers. “In many countries, involvement in cybercrime pays well, while the risks are very low,” says Igor Muttik, a researcher with security software company McAfee. “Young people may do it if they are unable to find a good job.”
What are they after? “Most mobile malware is looking for your money,” says Roman Unuchek, a malware analyst at Kaspersky Lab in Moscow, Russia. From nuisance ads that pop up unbidden on your screen to credit card theft and even ransom, criminals have many ways to extract money from a phone. Take the hijacked network of phones in China. At that scale, says Eric Chien at antivirus company Symantec, whoever was behind it was raking in millions of dollars a year. And they may still be at it. “He hasn’t been caught as far as we know,” says Chien.
Identity theft is another big concern. Phones carry our most personal digital possessions: logins, passwords, contact lists, photos. Then there’s the mass of sensors, from GPS to accelerometers, which can be used to tell where we are and what we are doing. “We have a lot of data on our phones,” says Chris Hadnagy, CEO of security firm in Brooklyn, Pennsylvania. “It’s a very attractive target for an attacker.”
Phones running Google’s Android are by far the worst hit, with 98 per cent of mobile malware targeting the operating system. That’s partly because Android has the largest share of the market, running on 80 per cent of phones by some estimates. But mostly it’s down to the different philosophies at Google and Apple. Both companies police their official app stores. Unlike Apple, though, Google is happy for you to install apps from other sources, too. Android phones give a lot more freedom, but pass on a lot more risk.
There are many ways bad code can break in. Wi-Fi and Bluetooth connections, weblinks, emails, text messages and app downloads are all unlocked windows and unlatched doors. Another ploy is to copy an existing app, hide malware inside, then present this evil twin on an app store as a free clone of the original.
The malware menagerie is full of exotic beasts (see “Attack of the phones“). Some rack up bills via premium-rate services, others lock you out of your phone until you pay a fee for a “fix”. Then there are versions of classic PC attacks like banking Trojans, now the fastest-growing mobile threat. These trick you into entering your bank details into fake login screens. Compromised phones can also be yoked into botnets, where they might be used to mine bitcoins, for example. These have all been spotted in the wild. Even sneakier attacks have been demonstrated in the lab. at City University London warns about the danger of two or more malware apps “colluding”. Harmless on their own, they avoid detection. Together, though, they can work as a covert team to steal data.
The problem is made worse by the easy availability of “exploit kits” – collections of ready-made apps that take advantage of known vulnerabilities. They can be bought online and customised with minimal know-how.
So what can we do? It turns out that protecting a phone is a trickier technical problem than protecting a desktop machine. Solving it might even require a rewrite of the way phones are designed.
On the plus side, mobile systems have built-in safeguards. Smartphone apps don’t have the same kind of access to the core operating system as most computers do. Apps are “sandboxed” so that they can access a shared pool of data, like contacts or saved text messages, but they cannot look at data that belongs to another app. This makes it harder for a piece of malware that hitchhikes along with, say, a flashlight app to access the passwords saved in your banking app.
The trouble is that the same design that hobbles apps also hobbles antivirus programs. Typical antivirus software relies on unique “signatures” found in the code of malicious programs. When you download or install a program, the software scans the code and flags up if it contains a malicious signature. This works for known threats, but attackers often use tricks such as polymorphic code, which changes after each install, to fool signature-based approaches.
This is where sandboxing turns out to be a hindrance as much as a help. On a desktop machine, antivirus programs can monitor what other programs do and identify suspicious behaviours, such as when a program tries to install additional code without the user’s knowledge. But because smartphone antivirus apps are sandboxed, they can’t look at what other apps are doing, so can’t catch malicious programs in the act.
Catching the culprit
One way to spot mobile malware without needing a signature is to look for other telltale signs that something’s not right. at the University of Helsinki in Finland, for example, found that infected phones had shorter battery lives than clean phones by more than an hour on average.
That might alert you to a general problem, but it doesn’t finger the culprit. To do that, Cavallaro and his colleagues have had to take a step back. To get round the sandboxing limitation, the team uses emulators – virtual recreations in software of a smartphone’s hardware and operating system. Running emulators on a PC gives them a view of the whole system and lets them reconstruct an app’s behaviour from low-level activity such as which registers in the processor it accesses or which files it opens and writes to. They then match this basic behaviour to higher-level activity such as sending a text message. It’s like trying to recognise a face in a digital picture just by looking at the pixels. The idea is that future antivirus software could detect malware from its low-level activity alone, without having to open up one app to another.
This kind of analysis is hard, though. Fully characterising the behaviour of arbitrary programs is theoretically impossible. Alan Turing pointed this out in 1936 when he showed that you cannot write a computer program that tells you whether any other program will eventually stop running. In practice, this means that there are too many possible ways a program might play out, and it can be hard to know where to look for threats.
Again, Cavallaro and his team think they have a workaround. To find the most relevant parts of an app’s activity to analyse, they are assembling a collection of “traces” – sequences of actions like swipes and button taps – made by people as they use an app. This method can’t cover all the possible ways a program might behave, but it captures the most common. “You explore the main, most significant pathways,” says Cavallaro. “Those are the most attractive for an attacker to use.”
The upshot of all this work will be a system called CopperDroid, which automatically analyses Android malware. The hope is that, backed by CopperDroid, antivirus software for smartphones will be a lot more effective. Even so, without better access to the core resources of the phone, the software will never match its desktop counterparts, says Cavallaro.
But getting that access means rewriting the basic design of most smartphone operating systems. Android, at least, is open-source, meaning anyone can contribute changes to the system. Cavallaro hopes that his changes might eventually be incorporated into an official Android release.
That still leaves us with a problem, though. We are the ones who install most malware on our phones. Every time we download a new app, we are the weakest link in the chain.
It doesn’t help that software designers offload so much of the security burden onto users, says Lorrie Cranor, director of the CyLab Usable Privacy and Security Laboratory at Carnegie Mellon University in Pittsburgh, Pennsylvania. She points to Android’s permission system, which asks people to decide whether or not to grant an app permission to send text messages or view their contacts. With around 150 different permissions possible, she says, people often don’t understand what they are agreeing to.
That’s assuming we even care. A 2012 study of Android phone users showed that only 17 per cent paid attention to permission requests when installing apps and only 3 per cent could correctly answer questions about what the permissions meant. Results like these give rise to a classic joke among security experts: given the choice between dancing pigs and security, people will choose dancing pigs every time.
“Given the choice between dancing pigs and security, people choose the pigs”
There is hope, however. “The user is not the enemy,” says Devdatta Akhawe at the University of California, Berkeley. It’s just that we often don’t have enough information to make safe decisions by ourselves. Can we be nudged in the right direction? A team of Google researchers recently found that presenting warnings in red and using aggressive language such as “This will hurt your computer” was much better at making people think about what they were doing than calmly worded messages.
But warnings, however well-designed, will never be an ideal solution. “If you have a hazard, the best thing to do is to remove the hazard,” says Cranor. Warnings should be a last resort. For a start, too many alerts can lead to “warning fatigue”. Akhawe has found that people tend to click through warnings more quickly the more frequently they are shown, but spend more time on warnings that are shown rarely. “After a while the user just gets tired and stops caring,” says Akhawe.
Smartphones, smarter users
Serge Egelman at the University of California, Berkeley, thinks we should get rid of many warnings and permission requests altogether. Instead, people should be allowed to see which apps are responsible when their phone starts behaving badly. Even telling people which apps are draining the most juice from their battery – a feature in the new version of Apple’s iOS – could give them a better idea of what’s going on under the hood.
Fewer security decisions would mean fewer chances to shoot ourselves in the foot, but that doesn’t mean we can download with reckless abandon. We still need to be smarter about what we install on our phones, says Hadnagy. “Phones are small and they feel like they’re not computers, so we’re more prone to click things and try things.”
Hadnagy urges us to think critically about what apps are asking from us: “Why does Sudoku need access to all of my contacts?” There’s a reason free apps are free: if we don’t pay upfront, app makers might make us pay another way. And if we can’t resist that Flappy Bird clone, Hadnagy recommends not keeping passwords or other sensitive information on our phones, and to keep our operating systems and apps up to date.
“Ask yourself: Why does Sudoku need access to all my contacts?”
There is no perfect solution, says Hadnagy. “I have every possible protocol to keep my phone secure,” he says. “Does that mean I’m 100 per cent protected? No. But I’m not the low-hanging fruit.”
App and operating system designers may help us to make better security decisions, and smarter antivirus software can backstop the occasional evening of wanton downloading. But when the party’s over, and we wake up next to a phone we hardly recognise, we will only have ourselves to blame. It only takes one bad app to spoil the whole damn bunch.
Attack of the phones: A malware menagerie
Skulls
Malware for Symbian phones that stops other apps working and replaces all icons with a skull. It then spreads the damage to your contacts via text message.
DroidDream
A Trojan found hiding inside more than 50 apps on Google’s official app store in 2011. Once installed, it was set up to run in the middle of the night and download other malware in secret. Google had to remove the infected apps and use a kill switch to wipe infected Android devices remotely.
Ikee
Infects “jailbroken” Apple devices and spreads to others via Wi-Fi. Replaces your phone’s wallpaper with a picture of the singer Rick Astley.
0bad
Super stealthy and multi-tasking, it exploits a subtle error in Android code. Capable of an array of attacks, from using premium-rate services to installing other malware, it has been described as the “Swiss Army knife” of Trojans.
Svpeng
A new kind of banking Trojan emerging in Russia that tricks users into entering bank details, which it sends to cybercriminals. It prevents antivirus programs from deleting it, and even stops users from resetting their phone to factory settings.
This article appeared in print under the headline “Phone invaders”