
Reality Check: Learning from security analytics

Editor’s Note: Welcome to our weekly Reality Check column. We’ve gathered a group of visionaries and veterans in the mobile industry to give their insights into the marketplace.

Within a couple of years, the exploitation of various infection techniques will make malware as problematic on mobile devices as it is on PCs – and because mobile operators are also subject to Windows-based malware coming from PCs tethered to smartphones or connected via mobile Internet (3G/LTE) sticks, malware presents a significant risk that cannot be ignored.

To develop effective, proactive policies for addressing malware, mobile operators must first measure the problem to be able to answer questions such as:

– How many subscribers are infected?
– What are the most serious infections?
– Which devices are most/least infected?
– How do these infections impact the subscriber and the network?

What’s really happening in mobile networks

A security analytics platform provides these answers. It analyzes mobile Internet traffic for malware, generates aggregated statistics and allows mobile operators to drill down to specific subscribers, pinpoint infections and discover why a particular device could be behaving in a suspicious manner.

The data displayed on an analytics dashboard can provide the mobile operator with insights into what is happening in the mobile network in real-time, such as the number of infected devices; malware types observed; historical trends, frequency and recency of specific malware; malware behavior summaries; periodic infection reports and outbreak incidents.
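As an added illustration (not Kindsight's code and not part of the original column), the Python below shows how the dashboard figures listed above fall out of matching traffic against a C&C indicator list: infected subscriber count, the most serious malware family, per-device infection rates, frequency and recency, and the per-subscriber drill-down. The flow records, host names, subscriber ids, malware families and the 1..5 severity scale are all constructed for the example.

```python
from collections import defaultdict
# Constructed flow records: (timestamp, subscriber, device model, destination host).
FLOWS = [
    ("2013-03-01T08:00", "sub-001", "ModelA", "cdn.example.net"),
    ("2013-03-01T08:05", "sub-001", "ModelA", "c2-one.invalid"),
    ("2013-03-01T09:10", "sub-002", "ModelB", "c2-two.invalid"),
    ("2013-03-02T11:00", "sub-003", "ModelA", "news.example.org"),
    ("2013-03-02T12:30", "sub-002", "ModelB", "c2-two.invalid"),
    ("2013-03-03T07:45", "sub-004", "ModelC", "c2-one.invalid"),
    ("2013-03-03T07:50", "sub-005", "ModelC", "mail.example.com"),
]
# Constructed indicator feed: known C&C host -> (malware family, severity 1..5).
INDICATORS = {
    "c2-one.invalid": ("SmsStealer.Toy", 4),
    "c2-two.invalid": ("BankTrojan.Toy", 5),
}

def detect(flows, indicators):
    """Flag every flow whose destination is a known C&C host."""
    return [
        {"ts": ts, "subscriber": sub, "device": dev,
         "family": indicators[host][0], "severity": indicators[host][1]}
        for ts, sub, dev, host in flows if host in indicators
    ]

def dashboard(flows, indicators):
    """Roll detections up into the numbers the article's dashboard shows."""
    hits = detect(flows, indicators)
    infected = {h["subscriber"] for h in hits}
    # Per malware family: severity, distinct victims, event count, last sighting.
    fam = defaultdict(lambda: {"severity": 0, "victims": set(), "events": 0, "last_seen": ""})
    for h in hits:
        f = fam[h["family"]]
        f["severity"] = h["severity"]
        f["victims"].add(h["subscriber"])
        f["events"] += 1
        f["last_seen"] = max(f["last_seen"], h["ts"])  # ISO timestamps sort as text
    # "Most serious" = highest severity, ties broken by number of victims.
    ranked = sorted(fam, key=lambda k: (-fam[k]["severity"], -len(fam[k]["victims"])))
    # Device view: share of each model's subscribers that produced a detection.
    per_model = defaultdict(set)
    for _, sub, dev, _ in flows:
        per_model[dev].add(sub)
    return {
        "infected_subscribers": len(infected),
        "most_serious": ranked[0] if ranked else None,
        "family_stats": {k: {**v, "victims": len(v["victims"])} for k, v in fam.items()},
        "device_infection_rate": {m: len(s & infected) / len(s) for m, s in per_model.items()},
        "drilldown": sorted({(h["subscriber"], h["family"]) for h in hits}),
    }
```

In a real deployment the indicator feed and flow source would be the operator's own, and matching would extend beyond destination hosts to the behavioural signatures the article mentions.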

With these insights, the mobile operator can take action in a variety of ways. However, they must first understand the impact that malware is having on both their network and their subscribers.

Impact to mobile operators

When a Trojan infects a mobile device, it often creates an outbound connection to a command and control server on the Internet. The Trojan connection itself does not consume significant amounts of network resources; however, it uses the connection to upload personal information about the owner of the infected device. The connection can also be used to instruct the device to join a botnet and send spam e-mails or text messages, or target a DNS server for a DDoS attack – these actions can place considerable strain on network resources.

But malware doesn’t just consume network resources; of greater concern is the time and money it costs to deal with malware infections. For example, mobile operators may have to deal with an increased number of calls to their customer care departments as subscribers report sub-par device performance due to infections consuming battery power, CPU or bandwidth. The number of calls to billing departments may also increase as subscribers notice unexpected data and messaging charges.

To protect their networks and their subscribers, mobile operators may attempt to block communication to known C&C sites, but the technologies used to block traffic are typically deployed at the Internet gateway, so network resources upstream of it (e.g., radio access network, backhaul bandwidth, routing and AAA infrastructure) may still carry the traffic generated by malware on infected devices. Criminals have also developed a number of ways to counter these efforts.

Impact to subscribers

Because today’s mobile malware is not quite as sophisticated as PC-based malware, it tends to focus on stealing contact lists and address books from mobile devices in order to send unsolicited text messages and e-mail messages under the guise of the device owner. Not only is this an inconvenience to the people receiving these spam messages, it can also cost device owners money by racking up fees for data usage or the sending and receiving of premium text messages.

This approach may represent the beginning of a text spam market that could eventually rival traditional e-mail spam. Kindsight has also seen malware that intercepts text messages and forwards the content to C&C servers – a development that has significant implications if combined with banking Trojans to steal one-time banking credentials transmitted via text message.

From analytics to action

With this potential impact to both the mobile network and subscribers, mobile operators can’t simply react to incidents as they occur but instead need proactive processes in place to address malware. A mobile operator’s response to malware may fall into two main categories:

– Network actions including blocking and quarantining the subscriber.
– Subscriber notification including manual and automatic notifications.

Network actions

Through the use of web-filtering platforms or by changing firewall rules, mobile operators can respond to malware by blocking all or a portion of traffic from or to a specific IP address, domain or URL. Blocking is considered to be a non-real-time response to malware: operations staff assess the recommended blocking action and typically implement it manually.

Using a slightly different approach, severely infected subscribers are placed in a “walled garden,” which effectively disables their access to the network. The only webpage a quarantined subscriber can access is a captive portal – a page internal to the operator’s network that informs the subscriber of his/her suspended service status and provides instructions on how to remove the infection.

Quarantining the subscriber in a walled garden is an excellent way to remove malware traffic from the network and to protect the subscriber from identity theft attacks. Despite the benefit of protection, a walled garden can lead to a negative subscriber response due to the inconvenience.

Subscriber notification

The strategy for notification depends on the operator’s processes and services for remediation. Some mobile operators will choose to manually contact a small number of subscribers with the most serious infections. Forms of notification may include phone calls, e-mails, text messages or interstitials.

When a new infection has been identified, the mobile operator’s security service could also be configured to automatically notify the subscriber of the issue via e-mail, text message or mobile app. This is an effective option when the operator already has well-defined remediation services to follow the notification.

Mobile security as a value-added service

Automatic notifications with tools for remediation can be offered as a fee-based mobile security service, which eliminates the impact of malware on the mobile network and has significant value for the consumer – not to mention that leveraging this opportunity makes perfect sense for mobile operators.

Some operators may even consider mobile security to be a substantial differentiator over their competitors, choosing to forego the opportunity to generate fee-based revenue in exchange for market differentiation and leadership.

Kevin McNamee is security architect and director of Kindsight Security Labs. With over 30 years of security and networking experience, Kevin was director of security research at Bell Labs and also held security development and design roles at TimeStep, Milkyway Networks, Newbridge Networks and Alcatel-Lucent.
