Will 2012 Be the Year of the Cellphone Virus?

I know I'm not the first blogger in the antivirus arena to go on record as saying that I think cell phones and tablet PCs are ripe for the pickin' by the virus and malware writers.

What's clear though is that more folks like us (i.e. people who are *not* employees of the top antivirus manufacturers) are beginning to start beating this drum, too.

PCWorld's Dan Tynan wrote a piece back in November 2011 called "Mobile Malware Epidemic Looms." Now there's a piece in the NYTimes, "Build Up Your Phone’s Defenses Against Hackers."

No disrespect to mainstream media, especially the NY Times, which I love, but c'mon... by the time this kind of thing hits The Times, it's arguably already old news. Certainly, it's well beyond the point of being "theory."

The opening sentence of Dan's piece in PCWorld says it all:

"I know it’s a tad early for new year predictions but I’m going to beat the rush and make mine now: 2012 will be the year of mobile malware."

At the risk of offending the sensibilities of some of my readers who think they're immune, let me ask a few questions about what you do with your phone.

(N.B. For brevity, I'm lumping smart phones and tablet PCs into one category "phones".) With your phone do you...
  1. Use bluetooth?
  2. Browse the web?
  3. Send or receive email?
  4. Send or receive text messages?
  5. Charge via a USB connection?
  6. Charge at public charging kiosks?
  7. Use QR / "Scan Me" codes?[1]
If you answered "Yes" to any (and I mean any) of these questions, congratulations, you're at risk.

Now, shift gears for a second and think about not just the ubiquity of the cell phone but the utility. Not only are cell phones everywhere, they're *really* useful, which makes them all the more ubiquitous, which makes them even more useful, and so on.

And, now for the deathblow in the argument against cell phone antivirus software.

Phones are computers. Period.

If there's a microprocessor in it, it's a computer. And, I don't care how much time, money, energy, blood, sweat, and tears a manufacturer has put into their phone. It only takes one oh-so-subtle mistake by a well-intentioned programmer to make the code vulnerable to traditional malware attacks.

Consider this. Just to create the homepage of our site (and just the homepage) takes over three thousand lines.[2] And that doesn't even count the code your web browser had to have to understand how to display our site properly for you.

My point: even if you have no clue how many lines of programming it takes to make a cell phone, rest assured it takes millions. Many, many millions. We ourselves are always finding and fixing little errors and typos throughout our site. If we have a hard time finding them in our own back yard, imagine how hard it is for a programmer to think about what problems they're going to encounter when millions of customers start using phones in millions of different ways.

Every mistake, no matter how subtle, is a possible virus entry point. Maybe it'll never be discovered. Maybe it will. But in millions of lines of code, there are lots of opportunities for mistakes.

Next is the issue of "social engineering," where you're just out-and-out tricked into running malicious code. Maybe you click "Yes" accidentally. Maybe you didn't understand what was going on and clicked "Yes." Regardless, you clicked "Yes" and installed something evil onto your phone.

What's it going to do?

Who knows? For starters it is a PC. The problem is, it's a whole lot more, too. It's a phone. It's a camera. It's an MP3 player.

Common behaviors (so far) for cell phone malware include secretly calling 900 numbers, listening for credit card numbers, stealing contact information, logging keystrokes at your bank, brokerage, and credit card accounts... and the list goes on.

No matter how you look at it, cellphone viruses are here and cellphone antivirus software is a must. Android. iPhone. Blackberry. Windows. Palm. It doesn't matter what platform your phone (or tablet PC) runs, rest assured, it's vulnerable to viruses. Today.

How convinced are we? We're putting our own R & D money on the line: fitting right in line with our regular PC antivirus reviews, we're working on our own cellphone antivirus review site. No launch date just yet, but if what we've already seen in terms of mobile malware is any indication, it had better be soon.
[1] QR / "Scan Me" codes are those funny square scan code things that are popping up everywhere offering everything from discount coupons to manufacturer direct purchasing.
[2] For some more perspective, we estimate, conservatively, that since 2006 our site has produced well over 1,000,000 lines of code. And that's just the site itself.


Android Malware, Adobe Exploits, Spam Volume & More in the McAfee Quarterly Threat Report

In their most recent McAfee Threats Report, antivirus & security software vendor McAfee covers a lot of ground in the malware arena.

Here are the highlights:
  1. Android is now the most highly targeted platform for mobile / smartphone malware.
  2. More successful legal actions are being taken against cybercriminals
  3. 22% increase in malware samples over 2010
  4. On pace for 75 million malware samples by the end of 2011
  5. Fake antivirus software continuing to grow
  6. 38% increase in rootkits (stealth malware) over 2010
  7. Adobe outpaced Microsoft for security exploits in their software (Acrobat, Acrobat Reader, etc.)
  8. After a brief up-tick, spam is again declining
  9. Over 7,000 new malicious websites per day
  10. Over 2,700 new phishing websites per day
What are the takeaways from it?

  1. Smartphone viruses are here, they're real, and they're growing.
  2. It isn't just a matter of keeping your OS updated. You've got to update all the software on your system regularly. Adobe Acrobat/Reader is proving that.
  3. Antivirus software is a must.


Charge Your Cell Phone, Get Malware?


Most of us have been in an airport or other similar public place and seen the free charging kiosks.

And, I'll venture to bet that most of us have used 'em, too.

Looks like the bad guys aren't running out of ideas on ways to get at you and your data. Now it looks like the free ride at the charging kiosk is over, too, since the bad guys can start moving in there as well.

That's what Brian Markus (president of Aires Security) and his colleagues (researchers Joseph Mlodzianowski and Robert Rowley) showed when they built a charging kiosk at the 2011 DefCon hackers convention in Las Vegas.

As crazy as it sounds, charging your smart phone at a free charging kiosk can leave it exposed to data theft or even malware installation.

Brian Krebs' always-fantastic security blog, Krebs on Security, has a piece called "Beware of Juice Jacking" that goes into detail about how even some phones with settings to disable USB transfer don't do so reliably enough to be trusted.

'One attendee claimed his phone had USB transfer off and he would be fine. When he plugged in, it instantly went into USB transfer mode,' Markus recalls. 'He then sheepishly said, "Guess that setting doesn’t work."'

Given that we haven't had any opportunities to test smart phone antivirus software against these types of threats, we can't say if the current batch of antivirus software for phones would be enough to prevent these types of attacks. Given what we've seen from VIPRE Mobile (the version of VIPRE Antivirus for Android Mobile phones), we expect it would.

Regardless, it's clearly safest to avoid these kiosks for charging your phone, and as the piece says,

"If you must use a random charging kiosk, the safest option may be to completely power off the device before plugging it in."

'One thing we discovered: On certain devices, if you power them completely off, then charge them, they don’t expose the data,' Markus said.


More Android Smartphone Malware Found, Removed from Marketplace

Kaspersky, makers of Kaspersky Antivirus, just posted a lengthy piece on new Android malware called the "Plankton Trojan".

Originally discovered by Xuxian Jiang (Assistant Professor in the Department of Computer Science, NC State University) and his research team, the report on this Android malware disconcertingly begins,

"This spyware does not attempt to root Android phones but instead is designed to be stealthy by running the payload under the radar.

"In fact, Plankton is the first one that we are aware of that exploits Dalvik class loading capability to stay stealthy and dynamically extend its own functionality.

"Our investigation indicates that there are at least 10 infected Android apps in the Official Android Market from three different developers.

"Its stealthy design also explains why some earlier variants have been there for more than 2 months...."

What does this mean?

For starters, it means that the bad guys have found a way to get onto your Android without requiring "root" access, which means it can evade detection and avoid tripping the warning screens and whatnot that you'd expect to see.

The report details how this application silently hooks into the phone, downloads more components it needs to run in the background, and uploads information about your account to computers the bad guys control.

Kaspersky's analysis revealed,

"...the virus does not provide root exploits, but supports a number of bot-related commands.

"One interesting function is that the virus can be used to collect information on users’ accounts."

What exactly the bad guys are doing with the botnet either isn't yet clear or isn't yet being revealed by Professor Jiang or Kaspersky. For that matter, what they're doing with the users' data isn't clear or revealed either.

This may be a case where they're just trying to test the waters and see what kind of flags they raise and what kind of information they can glean from users.

Regardless, it's definitely cause for some concern amongst users and antivirus researchers alike, as it will require the AV companies to rethink some of their strategies in protecting phones.
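The two behaviours singled out above (dynamic Dalvik class loading, and collecting account information) are also what a defender can look for statically. The following is an added triage example of my own, not code from Kaspersky's or Professor Jiang's analyses and not Plankton's code: it flags an APK that references a Dalvik class loader in its classes.dex and also declares the INTERNET and GET_ACCOUNTS permissions. The sample "APK" is a constructed zip, and the manifest is treated as plain text as a simplification (a real AndroidManifest.xml is binary XML and would be decoded first, e.g. with aapt).

```python
import io
import re
import zipfile

# Indicators: the Dalvik class loaders an app uses to pull in code at runtime
# (the capability the report says Plankton exploits), plus the permissions it
# would need to fetch that code and read account data.
DYNAMIC_LOADERS = (b"Ldalvik/system/DexClassLoader;", b"Ldalvik/system/PathClassLoader;")
SUSPECT_PERMISSIONS = ("android.permission.INTERNET", "android.permission.GET_ACCOUNTS")


def triage_apk(apk_bytes: bytes) -> dict:
    """Static triage of an APK (a zip). Returns indicators found and a verdict.
    Simplification (assumption): the manifest is plain text, not binary XML."""
    findings = {"dynamic_loading": [], "permissions": [], "verdict": "clean"}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        names = apk.namelist()
        if "classes.dex" in names:
            dex = apk.read("classes.dex")
            findings["dynamic_loading"] = [d.decode() for d in DYNAMIC_LOADERS if d in dex]
        if "AndroidManifest.xml" in names:
            manifest = apk.read("AndroidManifest.xml").decode(errors="replace")
            declared = set(re.findall(r'uses-permission[^>]*android:name="([^"]+)"', manifest))
            findings["permissions"] = [p for p in SUSPECT_PERMISSIONS if p in declared]
    if findings["dynamic_loading"] and len(findings["permissions"]) == len(SUSPECT_PERMISSIONS):
        findings["verdict"] = "suspicious"  # loads code at runtime AND can reach net + accounts
    elif findings["dynamic_loading"]:
        findings["verdict"] = "review"  # dynamic loading alone is common in legitimate apps
    return findings


def build_sample_apk(dex_strings, permissions) -> bytes:
    """Build a constructed, minimal APK-shaped zip for testing (not a real app)."""
    manifest = "<manifest>" + "".join(
        f'<uses-permission android:name="{p}"/>' for p in permissions) + "</manifest>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", manifest)
        z.writestr("classes.dex", b"dex\n035\0" + b"\0".join(dex_strings))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample with the Plankton-like combination of indicators.
    sample = build_sample_apk(
        [b"Ldalvik/system/DexClassLoader;", b"Landroid/accounts/AccountManager;"],
        ["android.permission.INTERNET", "android.permission.GET_ACCOUNTS"])
    print(triage_apk(sample))
```

A "review" verdict is deliberately weak: plenty of legitimate apps load code dynamically, so the combination with network and account access is what raises it to "suspicious".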

What's Google Doing about it?

According to the piece by Kaspersky,
"Google has historically taken a hands-off approach to policing the Android Marketplace.

"It will suspend and remove suspicious or malicious applications when they're reported, but does not vet applications prior to posting them, as Apple does with its AppStore.

"A growing population of Android users and burgeoning Android Marketplace, however, may challenge that approach."