Cybercrime-fest targets mobile devices

Attacks are on the rise from old and new sources, GAO report finds

The lineup of depressing security stats in a recent report by the Government Accountability Office on the mobile devices is growing.

Let's see:

  • The number of variants of malicious software aimed at mobile devices has reportedly risen from about 14,000 to 40,000 or about 185% in less than a year.
  • New mobile vulnerabilities have been increasing, from 163 in 2010 to 315 in 2011, an increase of over 93%;
  • An estimated half million to one million people had malware on their Android devices in the first half of 2011;
  • Three out of 10 Android owners are likely to encounter a threat on their device each year as of 2011;
  • According to Juniper Networks, malware aimed at mobile devices is increasing. For example, the number of variants of malicious software, known as "malware," aimed at mobile devices has reportedly risen from about 14,000 to 40,000, a 185 percent increase in less than a year.

"Threats to the security of mobile devices and the information they store and process have been increasing significantly. Cyber criminals may use a variety of attack methods, including intercepting data as they are transmitted to and from mobile devices and inserting malicious code into software applications to gain access to users' sensitive information. These threats and attacks are facilitated by vulnerabilities in the design and configuration of mobile devices, as well as the ways consumers use them. Common vulnerabilities include a failure to enable password protection and operating systems that are not kept up to date with the latest security patches," the GAO stated. 

MORE: The 10 most common mobile security problems and how you can fight them

The GAO said federal agencies and private companies have promoted secure technologies and practices through standards and public private partnership but that despite these efforts, safeguards have not been consistently implemented.

The GAO report went on to define some of the attacks that are facing mobile device users.  Some are old hat and have been a problem for large computer users for years, but some are unique to the mobile world.  Take a look, from the GAO report:

  • Browser exploits: These exploits are designed to take advantage of vulnerabilities in software used to access websites. Visiting certain web pages and/or clicking on certain hyperlinks can trigger browser exploits that install malware or perform other adverse actions on a mobile device.
  • Data interception: Data interception can occur when an attacker is eavesdropping on communications originating from or being sent to a mobile device. Electronic eavesdropping is possible through various techniques, such as (1) man-in-the-middle attacks, which occur when a mobile device connects to an unsecured WiFi network and an attacker intercepts and alters the communication; and (2) WiFi sniffing, which occurs when data are sent to or from a device over an unsecured (i.e., not encrypted) network connection, allowing an eavesdropper to "listen to" and record the information that is exchanged.
  • Keystroke logging: This is a type of malware that records keystrokes on mobile devices in order to capture sensitive information, such as credit card numbers. Generally keystroke loggers transmit the information they capture to a cyber criminal's website or e-mail address.
  • Malware: Malware is often disguised as a game, patch, utility, or other useful third-party software application. Malware can include spyware (software that is secretly installed to gather information on individuals or organizations without their knowledge), viruses (a program that can copy itself and infect the mobile system without permission or knowledge of the user), and Trojans (a type of malware that disguises itself as or hides itself within a legitimate file). Once installed, malware can initiate a wide range of attacks and spread itself onto other devices. The malicious application can perform a variety of functions, including accessing location information and other sensitive information, gaining read/write access to the user's browsing history, as well as initiating telephone calls, activating the device's microphone or camera to surreptitiously record information, and downloading other malicious applications. Repackaging-the process of modifying a legitimate application to insert malicious code-is one technique that an attacker can use.
  • Unauthorized location tracking: Location tracking allows the whereabouts of registered mobile devices to be known and monitored. While it can be done openly for legitimate purposes, it may also take place surreptitiously. Location data may be obtained through legitimate software applications as well as malware loaded on the user's mobile device.
  • Network exploits: Network exploits take advantage of software flaws in the system that operates on local (e.g., Bluetooth, WiFi) or cellular networks. Network exploits often can succeed without any user interaction, making them especially dangerous when used to automatically propagate malware. With special tools, attackers can find users on a WiFi network, hijack the users' credentials, and use those credentials to impersonate a user online. Another possible attack, known as bluesnarfing, enables attackers to gain access to contact data by exploiting a software flaw in a Bluetooth-enabled device.
  • Phishing: Phishing is a scam that frequently uses e-mail or pop-up messages to deceive people into disclosing sensitive information. Internet scammers use e-mail bait to "phish" for passwords and financial information from mobile users and other Internet users.
  • Spamming: Spam is unsolicited commercial e-mail advertising for products, services, and websites. Spam can also be used as a delivery mechanism for malicious software. Spam can appear in text messages as well as electronic mail. Besides the inconvenience of deleting spam, users may face charges for unwanted text messages. Spam can also be used for phishing attempts.
  • Spoofing: Attackers may create fraudulent websites to mimic or "spoof" legitimate sites and in some cases may use the fraudulent sites to distribute malware to mobile devices. E-mail spoofing occurs when the sender address and other parts of an e-mail header are altered to appear as though the e-mail originated from a different source. Spoofing hides the origin of an e-mail message. Spoofed e-mails may contain malware.
  • Theft/loss: Because of their small size and use outside the office, mobile devices can be easier to misplace or steal than a laptop or notebook computer. If mobile devices are lost or stolen, it may be relatively easy to gain access to the information they store.
  • Zero-day exploit: A zero-day exploit takes advantage of security vulnerability before an update for the vulnerability is available. By writing an exploit for an unknown vulnerability, the attacker creates a potential threat because mobile devices generally will not have software patches to prevent the exploit from succeeding.

Attacks against mobile devices generally occur through four different channels of activities:

  • Software downloads. Malicious applications may be disguised as a game, device patch, or utility, which is available for download by unsuspecting users and provides the means for unauthorized users to gain unauthorized use of mobile devices and access to private information or system resources on mobile devices.
  • Visiting a malicious website. Malicious websites may automatically download malware to a mobile device when a user visits. In some cases, the user must take action (such as clicking on a hyperlink) to download the application, while in other cases the application may download automatically.
  • Direct attack through the communication network. Rather than targeting the mobile device itself, some attacks try to intercept communications to and from the device in order to gain unauthorized use of mobile devices and access to sensitive information.
  • Physical attacks. Unauthorized individuals may gain possession of lost or stolen devices and have unauthorized use of mobile devices and access sensitive information stored on the device.

Follow Michael Cooney on Twitter: nwwlayer8 and on Facebook

Check out these other hot stories:

Watchdogs say tons of issues remain before unmanned aircraft can fly free in US

Europe sets sights on asteroid tracking radars

NASA "dry ice " snowfall lands on Mars - no word on school closings

9/11 attack as viewed from space

Air Force fights aircraft bird strikes with falcons

Insider security threat gets a serious look by US security agencies

Banking execs won't find prison nearly as easy to scam as their ATM racket

Fiber optic "magic carpet" network could help predict falling injuries

How to catch a tumbling, aging satellite

FAA to reevaluate inflight portable electronic device use - no cell phones though

Copyright © 2012 IDG Communications, Inc.

The 10 most powerful companies in enterprise networking 2022