Malware May Be Headed to Mobile Devices

September 16th, 2016

The fact that smartphones and tablets don’t need antivirus software or regular software updates is a major reason for their popularity. That could soon change, however, as security companies report evidence that criminals are getting close to finding efficient and profitable ways to compromise many mobile devices at a time, says Tom Simonite for MIT Technology Review.

If that happens, many more people would be exposed to mobile malware, and Apple and Google could be forced to regularly push out security updates for their mobile operating systems just as Microsoft does for Windows.

Smartphones and tablets don’t support the kind of criminal ecosystem associated with desktop and laptop computers. With PCs, people make money by using malicious Web pages and weaknesses in browsers and other software to install malware that steals login details or sends spam.

Criminals haven’t yet figured out a reliable business model for mobile, says Chris Astacio, a researcher at security company Websense. So far, attacks on mobile devices have been limited by the need to distribute malicious apps through mobile app stores, where Apple and Google take measures to screen out malware and quickly remove anything that does slip through.

Astacio believes that attackers will soon deliver mobile malware through Web pages instead, essentially the same approach that drives most infections on conventional computers. In a presentation last week at the RSA security conference in San Francisco, he reported evidence that the software currently causing most infections on laptops and desktops—according to figures from both Websense and another security company, AVG—could soon target mobile devices, too.

That software is Blackhole, which Astacio is investigating. It’s an example of an exploit kit, a package used by criminals to install malware onto people’s computers when they visit a compromised Web page. Blackhole, found on some NBC websites last month, assesses a victim’s computer so that it can covertly serve malware the machine is vulnerable to. The kit is an efficient way to distribute moneymaking malware at large scale.

While reverse-engineering the latest version of Blackhole, Astacio noticed that the software now specifically looks out for iPhones, iPads, and Android devices. Astacio believes Blackhole’s developers are preparing to target mobile devices with malware that can take control of a phone or tablet through its mobile browser.

“This all comes down to efficient hacking for mobile attackers—you already have the infrastructure set up for exploit kits to profile and target mobile devices,” says Astacio. “Mass mobile compromises seem to be the natural progression.”

Some malware for mobile devices has already appeared that could have a significant impact if coupled with the large-scale distribution offered by Blackhole. An Android app found recently by security company TrustGo spends victims’ money by abusing an SMS-based payments system. It infected 100,000 phones in China after being distributed through an alternative to Google’s app store that is popular in the country. Last fall it was found that some Samsung Android phones could be taken over through their browser.

Apple and Google currently issue patches for their mobile operating systems only a handful of times each year, so many people can remain exposed to a vulnerability long after a fix has been developed. Updates to Android devices are particularly rare because mobile carriers choose when to pass along Google’s latest upgrades to their users, and many often choose not to.

“To constantly have to update those devices is a business decision they don’t want to have to make,” says Astacio.

Source: MIT Technology Review