
ICG Risk Blog - [ Threats to PDAs and smart phones will rival, even dwarf, PC infections ]

Threats to PDAs and smart phones will rival, even dwarf, PC infections


While there are some 150 viruses targeting cell phones today, most target smart phones in Europe and South East Asia using the Symbian operating system. That will soon change:

  • Cusp of rampant growth of smart phones and PDAs
  • Ascendance of keylogging, possibly rivaling phishing in volume
  • Multiple infection paths via multiple PDA functions of which the phone is one
  • PDAs displacing PCs for many tasks, more so in the developing world
  • Social engineering works as long as people are in the loop

Five simple rules apply for today's Bluetooth enabled smart phones (those most prone to infection):

  1. Do not answer 'yes' to an attempted message send, especially from an unknown user (just walk out of Bluetooth range)
  2. Do not swap memory cards (no matter how much you want that song)
  3. Do not download things (no matter how alluring that ring tone or game appears)
  4. Do not accept Multimedia Message Service (MMS) transmissions (even a known white list respondent could have violated rules 1, 2, or 3)
  5. Disable Bluetooth or at least switch off the feature that lets your phone be detected by other Bluetooth devices

Unfortunately, users cannot disable themselves and so violations of rules 1, 2, 3, and 4 will certainly thrive amongst a growing user base. That conclusion tilts my support to Gartner's belief that the criteria for a pandemic scale worm or virus attack against mobile phones "will converge by the end of 2007" on the following:

  • Wide adoption of smart phones
  • Ubiquitous wireless messaging
  • Dominant operating system

Any mobile device that can receive, store and transmit pictures, music, games and videos can receive and transmit viruses and Trojans. One of the more insidious attacks against both PDAs and PCs will be silent keylogging:

In most cases, a keylogger or similar program, once installed, will simply wait for certain Web sites to be visited — a banking site, for instance, or a credit card account online — or for certain keywords to be entered — "SSN," for example — and then spring to life. Keystrokes are saved to a file, Web forms are copied — even snapshots of a user's screen can be silently recorded. The information is then sent back to a Web site or some waiting server where a thief, or a different piece of software, sifts through the data for useful nuggets…

keylogging programs exploit security flaws and monitor the path that carries data from the keyboard to other parts of the computer. This is a more invasive approach than phishing, which relies on deception rather than infection, tricking people into giving their information to a fake Web site...

"These Trojans are very selective [monitoring] the Web access the victims make, and start recording information only when the user enters the sites of interest to the fraudster."

The potential for serious attacks is already cascading down from smart phones to less capable phones. A proof-of-concept Trojan now circulating in Russia, posing as an app offering the ability to use text messages to visit mobile Internet sites in lieu of a Net connection, can "infect any cell phone capable of running Java applications," not just smart phones. (Social engineering kicks in here: seeking to gain something too good to be true, users are lured into downloading and launching it.) Another proof-of-concept virus has bridged the gap between PCs and mobile devices. Replicating each time the PC is booted, the virus waits for an ActiveSync session used to synchronize data between a PC and mobile device. The virus then copies itself to the device, deleting files.

What I find interesting in such an environment is that, unlike European cellular providers, US cellular firms are resisting antivirus agents on phones in their network:

Cell phone operators have typically focused on their network, rather than phones, as the place to try to thwart mobile virus threats. In moves invisible to users, they scan messages moving from one device to another to filter out malicious programs.

Gartner supports centralized scanning but I disagree with their contention that "installing antivirus software on cell phones would be a mistake" and that on PCs "antivirus tools became largely ineffective... when e-mail surpassed floppies as the dominant transmission mechanism for viruses." Our work takes us to grey area sites for which we depend on antiviral protection, firewalls and current patches - along with stripped down, isolated probe PCs.

"The mobile world should not repeat the mistakes of the PC world. Malware protection services should be built into the network first, and device-side protection should be the last resort."

I believe that Gartner's "last resort" case is much closer to hand, primarily because of what Bruce Schneier calls proxies (persons or organizations acting on your behalf):

Proxies are a natural outgrowth of society, an inevitable byproduct of specialization. But our proxies are not us and they have different motivations -- they simply won't make the same security decisions as we would...

Sometimes proxies act in our behalf simply because we can't do everything. But more often we have these proxies because we don't have the expertise to do the work ourselves. Most security works through proxies. We just don't have the expertise to make decisions about airline security, police coverage and military readiness, so we rely on others. We all hope our proxies make the same decisions we would have, but our only choice is to trust -- to rely on, really -- our proxies.

Here's the paradox: Even though we are forced to rely on them, we may or may not trust them. When we trust our proxies, we come to that trust in a variety of ways -- sometimes through experience, sometimes through recommendations from a source we trust. Sometimes it's third-party audit, affiliations in professional societies or a gut feeling. But when it comes to government, trust is based on transparency. The more our government is based on secrecy, the more we are forced to "just trust" it and the less we actually trust it.

I do not trust that cellular proxies will protect me, that they will understand every flaw in the hardware variations they put on their networks, that they will be capable of frequent zero-day exploit protection, that they will anticipate the applications and uses to which users will increasingly put these "digital do-it-all" smart phones. I categorically do not expect them to think like a criminal or an attacker, but rather like a defender, and thereby to remain a step behind.

When the incentive for organized crime to accelerate its interest in mobile devices occurs "once people start online banking using their mobile devices or using mobile devices as debit cards or the authentication method of choice," I want access to a slimmer version of the Trusted Platform Module (TPM) security chip designed for PCs, the ability to install my specific point/perimeter protection yet not compromise the non-phone functions of the PDA.

New virus can pass from PCs to mobile devices
By Jeremy Kirk
IDG News Service
February 28, 2006

Russian phone Trojan tries to ring up charges
By Joris Evers
Staff Writer, CNET
February 28, 2006, 1:21 PM PST

Cyberthieves Silently Copy Your Passwords as You Type
By Tom Zeller Jr.
New York Times
February 27, 2006

Protecting Yourself From Keylogging Thieves
By Tom Zeller Jr.
New York Times
February 27, 2006

Is your cell phone due for an antivirus shot?
By Joris Evers
Story last modified Fri Feb 24 11:25:22 PST 2006

U.S. Ports Raise Proxy Problem
Commentary by Bruce Schneier
02:00 AM Feb, 23, 2006 EST

Invasion of the Computer Snatchers
By Brian Krebs
Washington Post
February 19, 2006

Your smart phone has a dumb virus
By Robert Vamosi
CNET Reviews
February 17, 2006

Cisco CEO to use 'holistic' security
United Press International
Feb. 17 2006

Brazilian police bust hacker gang
AP/The Age
February 15, 2006 - 4:37PM

More worries about Google Desktop 3
By Elinor Mills, CNET
ZDNet News: February 15, 2006, 1:52 PM PT

Microsoft Would Put Poor Online by Cellphone
New York Times
January 30, 2006

New security proposed for do-it-all phones
By Joris Evers
September 27, 2005, 4:00 AM PDT

It rings, it plays, it has TV
First there were TVs. Then came PCs. Now, mobile phones are becoming the 'third screen' for viewing video.
By Gregory M. Lamb
Christian Science Monitor
July 21, 2005

Battling for the palm of your hand
From The Economist print edition
Apr 29th 2004

The Disappearing Computer by Bill Gates
Reprinted from "The World in 2003," The Economist Group

How Real Is the Internet Market in Developing Nations?
By Madanmohan Rao
E-OTI (On the Internet)
March/April 2001

Gordon Housworth
