
Back in August, my colleague Tim Donaworth posted about security threats in Android. Smartphone malware and smartphone botnets are buzz phrases right now, but when speaking about my research in the field I am often asked, “Will this sort of attack actually happen outside of a lab?” The answer is not only will it, it already has, and it is going on as we speak.

Earlier this week Symantec blogged about a malicious Android application found carrying out the exact sort of attack Tim warned about in his post. In short, there was a legitimate application called Steamy Windows that fogged up your screen and asked for reasonable permissions when installed. There was also a malicious version of Steamy Windows that still made the screen steamy, but also infected the phone with botnet software. The only noticeable difference in the two applications was the permissions asked for upon install. The malicious version asked for rights to SMS and personal data. What business does an application that basically gives you a cool, interactive wallpaper have sending text messages?
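The permission difference described above can be checked mechanically. The following is an added example, not code from the original post or from Symantec: it diffs the `uses-permission` entries of two manifests and flags newly requested SMS and personal-data permissions. The two manifests are constructed samples (hypothetical package `com.example.wallpaper`, not the real application's manifest) and are assumed to be already decoded from the APK's binary XML to text.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Android permissions covering SMS and personal data.
SENSITIVE = {
    "android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS", "android.permission.READ_CONTACTS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.ACCESS_FINE_LOCATION",
}

# Constructed sample: manifest of the known-good build.
TRUSTED = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpaper">
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>"""

# Constructed sample: same package, repackaged build asking for more.
CANDIDATE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpaper">
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""

def requested_permissions(manifest_xml):
    """Return the set of permission names a decoded manifest requests."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name")
            if name:
                names.add(name.strip())
    return names

def permission_drift(trusted_xml, candidate_xml):
    """Compare a candidate build against a trusted build of the same app."""
    trusted = requested_permissions(trusted_xml)
    candidate = requested_permissions(candidate_xml)
    added = candidate - trusted
    return {
        "added": sorted(added),
        "sensitive_added": sorted(added & SENSITIVE),
        "removed": sorted(trusted - candidate),
    }

if __name__ == "__main__":
    for key, value in permission_drift(TRUSTED, CANDIDATE).items():
        print(f"{key}: {value}")
```

A non-empty `sensitive_added` list for an application whose function does not need those capabilities is the signal to hold the build for review.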

The security research community has been active in addressing this threat, showing proof-of-concept malware and recommending security improvements for smartphone platforms. Some examples are TippingPoint’s WeatherFist application, which showed a seemingly innocuous application performing botnet functionality; Jon Oberheide’s Twilight botnet, which showed a proof of concept of how to abuse the trust model on the Android platform to load potentially malicious code after application install; and my SMS command and control smartphone botnet proof of concept released at Shmoocon 2011, which resides at the base operating system level and thus avoids having to ask permission from the user to access functionality such as SMS.

Smartphone malware is a real threat to security in the wild. While security measures such as Android’s user-accepted permissions for API calls and iPhone’s review process are a step in the right direction, additional measures are needed as smartphone malware evolves. Smartphones can be thought of the same way as computers; in fact, they run on very much the same operating systems your desktop computers do. They are vulnerable to the same sorts of attacks. For example, recently a Linux kernel local privilege escalation worked on Android as well, allowing applications to exploit the vulnerability and gain root privileges on the phone. The update systems for smartphones need attention as these sorts of vulnerabilities are found. Additionally, security functions such as integrity checks should be put in place in the base operating system where possible.

My biggest concern in smartphone security is user awareness. We have made great progress in educating end users about computer security in recent years, but I do not see the same understanding in the smartphone realm. You would never encourage your employees to trust and install every seemingly useful computer application they could find on the internet to their desktops. Instead, there is security awareness training about the threat of downloaded malware. However, in the smartphone realm it’s all about downloading applications. Buy our phones because we have better apps than anyone else! Buy the app I wrote so I can retire on a private island! Users need to be made aware that everything downloaded to a smartphone can be harmful, and that a link in a text message can hurt you the same as a link in an email you are warned against clicking on. Until the security and user awareness postures of smartphones get up to speed, we will continue to see the same sorts of successful attacks in the wild.