Editor’s Note: RCR Wireless News asked wireless industry analysts and executives to provide their predictions for what they expect to see in 2012 across their areas of expertise.
Over the last two years we have seen a steady increase in attacks on smartphones and other mobile devices, including rootkits, botnets and other malware. Attackers have moved on from simple destructive malware to spyware and to malware that makes them money, and they have exploited vulnerabilities to bypass system protections and gain greater control over the device. In 2012 we expect attackers to continue along these lines and to refine their attacks. We also predict a move toward attacks on mobile banking.
Botnets + rootkits = low-level trouble
On PCs, rootkits and botnets deliver ads and make money off their victims, and on mobiles we have seen the same types of malware used in the same manner. A rootkit hides and preserves the attacker's foothold so that additional software or spyware can be installed; a botnet turns the infected phone into a source of fraudulent ad clicks or of premium-rate text messages that are billed to the victim.
We have seen mobile variants of malware families including Android/DrdDream, Android/DrdDreamLite and Android/Geinimi, as well as Android/Toplank and Android/DroidKungFu. Several of these used root exploits, originally published so that owners could root their own phones, to escape the application sandbox and take over victims' devices. In the coming year, as developers and researchers publish new rooting methods, we expect malware authors to adapt the lessons of PC malware development and mount attacks that reach further into the mobile hardware layer. PC malware keeps moving "down" the stack, below the operating system, to take greater advantage of the hardware; we expect mobile malware to follow the same direction.
Bootkits, malware that replaces or subverts the system start-up sequence, also threaten mobile devices. Rooting one's own phone or e-book reader opens it to extra features or to replacing the OS outright, but the same capability lets an attacker load a modified OS of their own. Whereas a mobile rootkit merely modifies the running OS to evade detection, a bootkit controls what boots and so gives an attacker much greater control over the device. For example, the "Weapon of Mass Destruction" (WMD) mobile penetration-testing toolkit runs on old Windows Mobile phones: it installs itself using the tools developed to load Linux on those phones and lets the user reboot back into the original OS. Attackers have already used old root exploits to hide themselves; as new exploits appear, they will eventually install their own custom firmware.
Mobile banking attacks
PC users have already faced criminals using the Zeus and SpyEye crimeware kits to steal money from online-banking accounts. Both kits have begun to use mobile apps as helpers to bypass SMS-based two-factor authentication, in which the bank sends a one-time code by text message, and so gain access to victims' money.
Zitmo (Zeus-in-the-mobile) and Spitmo (SpyEye-in-the-mobile) are two families of mobile spyware that forward the victim's SMS messages, one-time codes included, to the attackers. Even with this spyware, the attackers still had to log in manually to steal the money.
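Forwarding SMS needs only a few concrete things from the Android platform: permission to receive text messages, a broadcast receiver for incoming SMS, and some way to get the text off the phone (network access or outbound SMS). The triage script below is an added example, not code from this article or from any of the malware families named, and the two manifests it scans are constructed for illustration rather than taken from real samples; the priority threshold and the scoring are assumptions. It reads a decoded AndroidManifest.xml and flags that combination, which is a useful first pass when sorting through suspicious apps.

```python
import xml.etree.ElementTree as ET

# Android resource namespace, used for android:name, android:priority, ...
A = "{http://schemas.android.com/apk/res/android}"

SMS_RECEIVED = "android.permission.RECEIVE_SMS" and "android.provider.Telephony.SMS_RECEIVED"
RECEIVE_SMS = "android.permission.RECEIVE_SMS"
# Ways an intercepted text can leave the phone.
EXFIL_PERMS = {"android.permission.INTERNET", "android.permission.SEND_SMS"}
# Heuristic threshold (assumption): priorities this high are unusual outside
# apps that want to see an SMS before the stock messaging app does.
HIGH_PRIORITY = 500

# Constructed sample (not a real sample's manifest): the minimum an
# SMS-forwarding app needs.
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.certupdate">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Security Certificate">
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed benign sample: network access but no interest in SMS.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.newsreader">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="News">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""


def sms_receivers(root):
    """(receiver name, priority) for every receiver listening for SMS_RECEIVED."""
    found = []
    for rcv in root.iter("receiver"):
        for flt in rcv.findall("intent-filter"):
            actions = {a.get(A + "name") for a in flt.findall("action")}
            if SMS_RECEIVED in actions:
                found.append((rcv.get(A + "name"), int(flt.get(A + "priority", "0"))))
    return found


def triage_manifest(xml_text):
    """Score a decoded AndroidManifest.xml for SMS-forwarding capability."""
    root = ET.fromstring(xml_text)
    perms = {e.get(A + "name") for e in root.iter("uses-permission")}
    receivers = sms_receivers(root)
    findings = []
    if RECEIVE_SMS in perms and receivers:
        findings.append("registers a receiver for incoming SMS")
    for name, prio in receivers:
        # SMS_RECEIVED was an ordered broadcast on Android of this era (before
        # 4.4): the highest-priority receiver sees the message first and can
        # abort it so the user's inbox never shows the one-time code.
        if prio >= HIGH_PRIORITY:
            findings.append("%s has priority %d: can see SMS before the inbox" % (name, prio))
    exfil = perms & EXFIL_PERMS
    if receivers and exfil:
        findings.append("exfiltration path available: " + ", ".join(sorted(exfil)))
    return {"package": root.get("package"), "score": len(findings), "findings": findings}


if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        result = triage_manifest(manifest)
        print(result["package"], "score", result["score"])
        for finding in result["findings"]:
            print("  -", finding)
```

A score alone is not a verdict: a legitimate messaging app also registers an SMS receiver and talks to the network, so the findings are a reason to pull the APK apart, not a reason to block it.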
Last July, security researcher Ryan Sherstobitoff discussed how the transactions performed by criminals using Zeus and SpyEye could be spotted, because they looked nothing like those of legitimate users. More recently he showed how the criminals had adapted: they can now steal from victims programmatically while the victim is still logged on, so the fraudulent transactions appear to come from the legitimate user's session, and by adding delays between actions they make the activity look like a real human's. Attackers have adapted quickly to every change intended to secure banking on PCs. As we use our mobile devices ever more for banking, we expect attackers to bypass the PC and go straight after mobile-banking apps, and we expect attacks using this kind of programmatic technique to grow in frequency as more and more users handle their finances on mobile devices.
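As an added illustration of the detection arms race described above (constructed example code, not Sherstobitoff's method or any bank's fraud engine; the three sessions are made up and the thresholds are assumptions), the following scores a banking session on three simple behavioural rules: how quickly a transfer follows login, how much browsing precedes it, and how regular the timing between actions is. A naive script trips the first two rules; a script that adds fake page views and a fixed delay passes both, but its perfectly regular cadence still gives it away.

```python
import statistics

# Constructed sessions as (seconds since login, action). Not real bank logs.
HUMAN = [
    (0.0, "login"), (7.4, "view_accounts"), (21.9, "view_statement"),
    (38.2, "view_payees"), (55.0, "new_payee"), (83.6, "transfer"), (90.1, "logout"),
]
# Original crimeware behaviour: log in, add a payee, transfer, leave.
NAIVE_BOT = [(0.0, "login"), (0.4, "new_payee"), (0.5, "transfer"), (1.2, "logout")]
# Adapted behaviour: the same steps padded with page views and a fixed 5 s sleep.
DELAYED_BOT = [
    (0.0, "login"), (5.0, "view_accounts"), (10.0, "view_payees"),
    (15.0, "new_payee"), (20.0, "transfer"), (25.0, "logout"),
]


def inter_event_gaps(events):
    """Seconds between consecutive actions in a session."""
    return [later - earlier for (earlier, _), (later, _) in zip(events, events[1:])]


def score_session(events, min_seconds_to_transfer=10.0,
                  min_views_before_transfer=2, min_gap_cv=0.25):
    """Return the list of rules a session violates (empty means it looks human).

    The thresholds are assumptions for this illustration, not tuned values.
    """
    flags = []
    idx = next((i for i, (_, action) in enumerate(events) if action == "transfer"), None)
    if idx is None:
        return flags
    t_transfer = events[idx][0]
    # Rule 1: a transfer a few seconds after login is not how people bank.
    if t_transfer < min_seconds_to_transfer:
        flags.append("transfer_too_fast")
    # Rule 2: people look at balances and payees before moving money.
    views = sum(1 for _, action in events[:idx] if action.startswith("view_"))
    if views < min_views_before_transfer:
        flags.append("no_browsing_before_transfer")
    # Rule 3: humans are irregular; a script with a fixed sleep() between
    # requests has an almost constant gap, i.e. a tiny coefficient of variation.
    gaps = inter_event_gaps(events)
    if len(gaps) >= 3:
        mean_gap = statistics.mean(gaps)
        if mean_gap > 0 and statistics.pstdev(gaps) / mean_gap < min_gap_cv:
            flags.append("machine_like_cadence")
    return flags


if __name__ == "__main__":
    for name, session in (("human", HUMAN), ("naive bot", NAIVE_BOT), ("delayed bot", DELAYED_BOT)):
        print("%-12s %s" % (name, ", ".join(score_session(session)) or "clean"))
```

The attacker's obvious next move is to randomise the delays, at which point the cadence rule fails too and the bank has to lean on device, network and payee-destination signals instead; that cycle of adaptation is exactly what the column expects to see repeated on mobile.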