Sidewinder on the menace of mobile phone malware

Stay one step ahead of the crowd. Don’t dismiss the notion of mobile phone viruses - protect your network now, says Davey Winder.
Would it surprise you to learn that a 28-year-old man was recently arrested in Spain on suspicion of creating and distributing more than 20 variants of worms (a type of virus)? Probably not. But what if I said that they were designed to specifically target mobile phones?
In order to gauge the scale of the mobile threat, and arrive at some best practice suggestions, I have been talking to the real experts in the field.
Reality check
There is a mobile phone virus threat, even if it is small compared to the desktop one. Graham Cluley, senior technology consultant at anti-virus specialists Sophos, says: “There are about 200 malware threats for mobile phones and more than 250,000 viruses for Windows. In other words, the mobile malware threat is a raindrop in a thunderstorm.”
This can be attributed to many factors, but mainly it boils down to money - at the moment there is little to be stolen from a mobile phone that can translate into a cash profit. The trouble is that this will change - is changing, in fact - as more data is stored on ever more powerful smartphone devices. Devices that are brought into the workplace and can provide a route for hackers right into your otherwise well defended network.
BEST PRACTICE TIP: More mobiles will get lost/stolen than infected by a virus. Think 360 degree protection, think data encryption and access control.
The threat landscape explored
Most mobile phone exploits have - so far - been unsophisticated file-based threats, requiring the user to be hoodwinked into doing most of the dirty work themselves. The payloads vary from simple infection routines, which will quickly drain the battery as the Bluetooth transmitter hunts for handsets, through to changing icons and deleting contacts data.
Kris Lamb, director of X-Force at IBM Internet Security Systems is quick to warn against thinking of these as harmless pranks. “In the case of some mobile malware, like Cardtrap and Crossover, there have been attempts to jump from infected mobile phones to PCs via synching.
“Don't confuse unsophisticated exploitation techniques with diminished severity, as we expect both the sophistication and types of mobile malware to increase and the mobile phone to become increasingly valuable as malware targeted computing real estate.”
BEST PRACTICE TIP: Don’t dismiss the present danger based on the past. Ensure your networks are protected in the present to guard against future developments.
Mitigating risk
So what can you do to mitigate the risk and protect your network and users? The principles of data integrity, isolation, strong authentication, trust management and layered defence hold true in the mobile environment, just as they do on standard networks.
“IT managers should pay a lot of attention to the flow of data,” says Nick Billington from BitDefender UK. “For the NHS, maintaining confidentiality is crucial, so a lot of thought should be put into how much of that data is accessible from mobile devices and under what terms.”
Treating all mobile devices that users bring into the workspace as part of the network is vital. They should be secured and controlled centrally by IT management, with updates and security policies rolled out to them automatically.
Matt Bancroft, vice president of Mformation, says: “IT managers need to start to treat mobile phones like any other device that connects into their networks. They wouldn't dream of letting people use a laptop and connect into an NHS network without the proper security measures in place. They need to apply the same principles to mobile phones.”
Handsets do come with some security measures, if they are ever used (how often have you ever actually used the keypad password function?). But, as Mr Cluley reminds us, “there is a danger that some mobile phone security applications have been designed with the consumer market in mind, and do not properly size-up to the corporate environment which has different requirements.”
BEST PRACTICE TIP: The mobile threat must be addressed at the network level - don’t fall into the trap of trying to secure every single mobile device individually.
Summing up
I will leave the last word to Leslie Forbes, technical manager at F-Secure, the company which has been a pioneer in the field of mobile anti-virus. “With mobile menaces steadily on the rise, we can only anticipate how virulently worms can multiply, especially with the explosion of Bluetooth and the increase in workforce mobility in organisations like the NHS.
“Back in the 80s, computer experts were quick to dismiss PC viruses as harmless. We need to learn from this mistake and start taking the mobile malware threat seriously. Only by taking pre-emptive measures can we equip ourselves against this pernicious and escalating menace.”
BEST PRACTICE TIP: Expand Acceptable Use Policies to include mobile devices - whether Bluetooth is on, whether it is discoverable, and how to report suspected breaches of security involving mobile phones.
Statistically speaking:
A Sophos survey reveals that 64 percent of IT administrators admit to having no mobile security solution in place to protect smartphones and PDAs, even though 81 percent agree that mobile malware will become a significant threat.
About the author: Author, journalist and consultant, Davey Winder has been writing about security issues for 16 years and was IT Security Journalist of the Year 2006, an award from BT.