Saturday, January 8, 2011

The Building Cyber Threat Of Mobile Phones

As the number of mobile phone users continues to grow exponentially every year, the threat of malicious activity involving smart phones increases as well. With Google's Android OS appearing on phones from multiple vendors, it's only a matter of time before there's a major breach involving a major smart phone distributor.

Over the past year there have been multiple instances of malicious apps being downloaded from the Android Market onto a user's phone. They rely on simple social engineering lures (e.g., new Angry Birds levels, a Twilight app) and are designed for information stealing, service theft or botnet creation. Some of these apps have the potential to steal information such as contacts, send out SMS texts, make phone calls and determine your location via the built-in GPS. These apps could theoretically be installed from any vendor store, but it's more likely to happen on Android OS, since Google doesn't vet apps as thoroughly, if at all, before they are placed on its "Market". http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=228200946

Most major vendors like Apple and Google have something called a "Kill Switch" that allows an app to be removed globally from all phones that have it installed. Once an app has been determined to have breached the vendor's policy, they'll push the button and have it killed. It's unclear whether users will be reimbursed for the purchase of the app after it's been killed. http://www.informationweek.com/news/internet/google/showArticle.jhtml?articleID=211200988

Certain banking apps have also been compromised with "Man-in-the-browser"-like attacks that steal banking credentials, giving attackers access to your account information. http://threatpost.com/en_us/blogs/zeus-variant-targets-mobile-online-banking-apps-092710

Right now there are a few vendors that are creating anti-virus for phones, but I don't think this is the road we should take considering that anti-virus isn't working now for PCs. http://usa.kaspersky.com/products-services/home-computer-security/mobile-security

All mobile phone users should not only password protect their phones, but also encrypt the data that's stored on them. Both of these are simple settings that can be enabled on the majority of phones. These steps, along with using caution when downloading applications, will prevent malicious activity on your phone for now.
