Trying to keep malware off your computer is standard practice at this point, but not many people know that malware also poses a threat to their phones. The Cipher Brief asked Ravi Devireddy, CTO and co-founder of E8-Security, about mobile phone malware. According to Devireddy, the problem is not as bad as the media would have you believe, but there are still some steps you can take to make sure you are protected.
The Cipher Brief: How has malware targeting mobile phones changed over the last few years? How do you anticipate that it will change in the future?
Ravi Devireddy: Mobile malware has been on the increase but not at the pace that one would infer from media coverage. Some media coverage is generated due to mobile security vendors trying to draw attention to the risks. The mobile situation is actually in a better place than the desktop ever was due to the increased focus on security when the platforms were established (e.g. code integrity mechanisms).
The Android platform will continue to have more challenges than Apple due to its more open platform and its cooperative relationship with vendors in managing the update process.
TCB: Who are the primary targets of mobile phone malware (individuals, businesses, etc) and why? How do you see this targeting behavior changing, if at all?
RD: Individuals continue to be the primary target for mobile malware, with most of the reported activity being financially motivated. Many of the stories are around credential theft, with an expected increase in sophistication in both breadth, such as the use of new social engineering tactics, and depth, such as the identification of loaded apps to better target the user and employing better methods to intercept credentials. Fraud-based attacks, though old, are also still present.
Ransomware is now present on mobile, though arguably this phenomenon is more of a reflection on the rise in ransomware in general rather than a comment on mobile specifically.
Current media coverage has not provided much indication of the extent to which mobile malware may be being used for more significant types of attacks (e.g. APT, targeted attacks, intellectual property theft, espionage, etc).
TCB: Why are mobile phones attractive targets for the bad actors creating this malware? Is there anything that can be done to mitigate this?
RD: The situation is similar to the quote ascribed to Willie Sutton. When asked why he robs banks, he answered, "because that's where the money is." For malware, the primary target is usually the person, and increasingly smart mobile is more where the people are. You can try to protect the platform, but you are not going to be able to change the incentive.
To a large degree, mobile malware relies on social engineering to be effective, which is likely a result of the more-protected application distribution infrastructure. From this perspective, user education efforts may have an increased return on investment.
TCB: What can people do to help keep their phones secure?
RD: There are a number of top strategies. First, avoid bypassing the software integrity mechanisms of the phone platform (sideloading, allowing 3rd party apps, etc). The most recent report on Android security estimates that there is a 10 times increase in likelihood of encountering malware when you go outside the Google Play store infrastructure.
Second, if possible, choose a vendor who is likely to keep the phone consistently updated. Also make sure that your hardware is new enough to take advantage of the latest software.
Third, select apps conservatively, taking advantage of the information available about the vendor and other users' feedback (user feedback is not perfect, since Trojanized apps are possible, but poor feedback should be heeded).
And fourth, use the existing protection mechanisms provided by the phone (lockscreen, encryption). Upgrade to a phone with a fingerprint scanner if possible.
