Does my cell phone have a virus?

Many users aren’t worried about viruses or malware on their cell phones.  However, most companies are.

To date, there isn’t any exploit based malware for the major smartphone OSs (Andriod, Symbian, iPhone, Windows Mobile, Blackberry and… oh yeah.. Palm).  What this means is that, unlike the Windows operating system, there isn’t piece of malware that has been written that takes advantage of a weakness in the code or device which would allow for an exploit to occur (at least not yet).

This means that all attacks on your cell phone require an action by the end user for them to work.  I think alot of people are still hung up on this point, so I’m going to restate it.  I can take advantage of a web server exploit and place malware in an iframe.  When, from your PC, you simply browse to that site, you can become infected assuming you don’t have an AV scanner or content filtering service that would protect you from the redirect and download.  In browsing the website, you have “done” something.

GREAT! Make sure everyone knows not to do anything to allow themselves to be compromised (or pwned)!

Rickrolled iPhone

Rickrolled iPhone

If only it were that easy, right?

What we have is a combination of a social engineering problem and end user education/awareness.

In many aspects, all malware delivered via email, web, sms, etc. has some context of social engineering to it.  One would either used a compromised account from a friends device and delivered messages to the contact lists, therefore making it seem like a trusted source or falsify the origination of the email to make it appear that it’s coming from a large trusted source (e.g. Microsoft.com).  Either way, they are trying to not raise any red flags and get you to open the email, the attachment, or follow the url.

We try to mitigate this with device control policies and the above mentioned user education/awareness.  By providing our users with examples and scenarios we try to make sure they are as informed as possible so they don’t fall prey to these attacks.

I have written a list of best practices for cell phone use to help protect you and your information.  If you are interested in those recommendations, please check out my post on Cell Phone Security Best Practices – keeping your personal information personal.

Droid

Droid

But wait, there’s another big hole here!  These are smartphones.  It’s not about email, text, and phone anymore.  These things can have applications installed on them!

Yep.

And so we have the app stores.  Each major manufacture has them for their respective OS (see list above).  What we have now is a channel by which a malicious person could deliver their application (aka malware) to your device.  What makes this more interesting is that you are willingly downloading and installing this application (aka malware).

These are supposed to be trusted channels.  Each manufacture has a process by which they test and verify some aspects of the application before they sign the app and publish it to their respective store.  This may range from, does the app start?  Does it crash my phone OS?  Or is it secure?  We can’t really assume they are checking for the security of it’s actions.

And why is that you ask?

Let me give you an example of a published application, that you would very likely not want.  Let’s just call this app “Flex(insert a vowel here)spy” and the vowel rhymes with the word try.  This company writes this application.  Submits it to an app store and says “This is a personal backup app.  It backs up your files, emails, contacts, etc to a website for you”.  Sounds good.  App store tests it and approves for sale.  It was posted in the app store and sold for a period of time.  Until our good friends at F-Secure notified them “um, you guys are selling an app that allows someone to spy on another users phone use”.  What????

What may have been presented to the app store as one thing, was in practice quite something else.  The app could be deployed directly to the phone or just put onto a memory card and slipped inside a phone to be activated.  So if you wanted to track someones usage and get their info, all you needed was 30 seconds of access to their phone.  What’s even more interesting is this is what the company’s website indicated you could do with the product.  If only the app testers had read it…

While not perfect, the app stores do provide a level of protection that should help keep users from putting malicious applications on their phones.  That is, until the users decide they need to “assert their freedoms” and jailbreak their devices so they can do things like install application not reviewed by the manufacturer.  Are you jailbreakers still sure your in the right here?

Even the new and highly touted Droid has seen issues with developers posting “apps” to help you connect to your online banking site.  Seriously though, when I want to connect to Citibank, do I need an app from 09driod that costs $.99 to do so?

Mobile Device Management

Mobile Device Management

Where does that leave us?

  1. Have policies for your device
  2. Use management applications for the device to enforce those policy settings
  3. Educate your users

This should look remarkably like any policy for managing a PC.  Well it is.  Lets take the approach that, as smartphones continue to mature and gain functionality, they will be under attack as much (if not more) than our PCs.  Since we have the perspective of having dealt with PC security issues, let’s try and stay in front of the smartphone security issues.

Advertisements

11 thoughts on “Does my cell phone have a virus?

  1. Pingback: Does my cell phone have a virus? « Noodle On This – Security … | High technology information

  2. Pingback: Why Tiger Woods Would Have Benefited From A Mobile Corporate Security Policy « Noodle On This – Security, Technology, and a smattering of the unrelated

  3. Mobile phone is a great invention of modern science. The consumers of mobile phone are increasing day by day. People are getting benefits.

    Reply
  4. I just had a virus cause havoc on my computer and I wanted to warn everyone to seriously think about getting some drive backup software to copy your hard drive – I wish I had!It’s taken me 2 days to get it fixed and I’ve lost almost everything.

    Reply
  5. You know, we really are not safe, and yes cell phones can get a virus at least the average user that logs on say to check bank funds, or even check email, and i will tell you why, but first, i have been called one to many times by my uncle, sister, friends and family to fix their PC or cell phones because of popus, slowdowns and virus alerts. to my surprise, their PC’s are in such unstable health, it shocks me and actually makes me realize why so many people all over the world get hacked from their email accounts to  their bank accounts and even say paypal and ebay accounts. These computers i check and fix do not have firewalls, some have virus apps but outdated and the most important thing i see is their browsers out dated, if they use firefox, the version is so old, its only a matter of time someone gets in via an open port. so the answer is, NO, we are not safe online. I run an online spyware and virus information website http://www.softe.org trying to educate people online safety and how to clean virus and spyware but most of the time it comes down to how much the end user understand how the world wide web really works.
    I my self have all the ingredients for safe surfing, but still take precautions when surfing, e.g cleaning cookies after ever session, using a proxy server to surf, and of course keeping my browsers updated.
    anyhow, i hope everyone reads this article to really understand te dangers of online  surfing. and if anyone has any questions, im always free to help 🙂

    Reply
    • I agree, it is necessary to keep your device updated and utilize the correct pieces of software. Maybe I’ll take the point I have listed under management policies and expand on that idea more.

      Reply
  6. Pingback: Cell phone security best practices – keeping your personal information personal. « Noodle On This…

  7. You may have not intended to do so, but I think you have managed to express the state of mind that a lot of people are in. The sense of wanting to help is something a lot of us are going through.

    Reply
  8. hi.You should pay attention of all those threats which comes from the internet by using a strong antivirus.My favorite is Kasperky antivirus.

    I am using it from a long time and did not disapointed me never
    have a good day

    Reply
  9. I just wanted to say that I found your site via Goolge and I am glad I did. Keep up the good work and I will make sure to bookmark you for when I have more free time away from the books. Thanks again!

    Reply

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s