Why people are taking mobile security less seriously and what it might take to change their minds.
Security issues around mobile phones are garnering more and more attention in their own right. CBR sat down with David Emm, Principal Security Researcher, Global Research & Analysis Team at Kaspersky, to discuss some of the main threats and what people can do about them.
CBR: Ransomware has been in the news recently. Can you tell me more about it?
DE: Most of the malware we see for mobile phones mirrors what we see on desktops and laptops. It’s been a gradually evolving thing, and I think 2011 was a bit of a turning point there. That’s when we started to see a massive ramping up of numbers. I think we saw 6 times the amount of malware in 2011 than we saw in the six years preceding and we’ve seen that level of exponential growth since. At the end of 2013 there were about 200,000 code samples; 295,000 new ones were added last year.
I think they’re gradually adding to their repertoire, and ransomware is an obvious one. If you pitch a fishy email or message someone, they may not click on it or may not be related to that financial institution. With ransomware, everyone’s got files on their device, so you’re onto a sure-fire thing.
It works on mobiles as well as laptops. Ransomware tends to take two forms: they’re either blockers, which block access to the device, or they actually encrypt the data. Initially on mobiles about a year and a half ago we saw blockers. More recently we’ve seen ones that will encrypt the data.
They pretend to be from a police agency, varying it depending on location, so it could be National Crime Agency here, FBI. One twist on mobile is that the graphic which pretends to be from the police, they will take a picture with the camera and put the image within that background so that it looks more official.
CBR: So there will never be a cure for ransomware?
DE: Mostly, people like us can’t decrypt it. In the early days when the encryption was pretty weak, it was possible. Sometimes after that it’s been possible, if they make a mistake in the implementation. But if they implement it properly there’s no way.
The thing to stress is to back up. If you haven’t got a backup, it can be pretty ugly. As more people use mobile devices maybe they’ll be more of a target, especially since, in the wake of last year’s celebrity iCloud hack, people are a bit more wary about using online storage.
CBR: Are enterprises more at risk from mobile ransomware than consumers?
DE: It’s one of those things where even within companies, maybe data isn’t backed up. Certainly for SMBs that’s the case. They’re letting people bring their own device, they’re storing data on it, they’ve got no in-house expertise, so they see the productivity side of it but they’re not necessarily thinking about the security aspects.
From a practical point of view, that’s probably the sweet spot for attackers. Big business will probably have a backup regime, they’re containerising the data on those things, and it’s easy enough to give somebody another device. A small business probably isn’t thinking about that, and individuals on laptops are probably not thinking about it either. That’s probably the major area for exploiting it.
Typically the data doesn’t go anywhere. It stays where it is, it’s just encrypted. The sensitivity side of it is less of an issue; this is a hammer we’re talking about in malware terms.
CBR: What would you advise small businesses to do?
DE: Small businesses should build backups into the routine. Even if you only back up once a week, if you lose all that data, it’s not too much of an issue. Whereas if all that data is stored on the mobile, especially with a small business maybe a sales team which is not coming into the office very much and is spending nearly all of its time on a tablet or phone.
Ideally obviously you will have internet software to block these attacks in the first place. Making sure that software is up to date is important too, although on a mobile it may be that you have very little control over that. I think the confidentiality issue doesn’t affect as regards ransomware but there are other threats on mobile where it does.
CBR: Can you give an example?
DE: We’ve seen malware used in targeted attacks. Red October was a case in point; a targeted attack campaign at government agencies, diplomatic bodies, energy companies, universities, energy sector.
Once they’d infiltrated the network they would then monitor what was going on, so they would try to access mobile devices and the data on them. So they weren’t looking to install malware on the device they were just looking to get information from it across the network.
Another example might be with legal surveillance tools. These things are commercially available and they’re aimed mainly at police agencies. But there’s no guarantee they’re going to stay in those hands, and they can be quite sophisticated. Increasingly the developers of these have been adding mobile capabilities to them.
Probably about 60 percent of the malware for mobiles integrates the compromised device into a botnet. So they’re using control and command servers to control what’s going on; it’s not a one-off hack. Quite a bit of the malware is traditional spyware designed to leak information.
On the one hand there’s the targeted attack aspect. On the other hand there’s the more mainstream backdoor and spyware type application.