iPhones particularly vulnerable to malicious applications | Bangkok Post: tech

MOBILE MALWARE

Mobile malware remains for the most part an unknown phenomenon to the general public. Many people are unaware that it exists, and those who are aware mostly consider it a minor issue. However, mobile malware is becoming a real phenomenon, which requires caution.

While it is true that there are currently only a handful of different malware families for iPhones, the real question is not about their number, but how far they can spread and what damage they can do. On this matter, experience on other mobile platforms has taught us that a single sample in the wild may be equal to thousands of infections. For example, on the Symbian platform, the CommWarrior and Yxes worms have propagated to hundreds of thousands of mobile devices: not that trivial!

Caution is also required because we are far from knowing everything about mobile malware and cyber criminals' intentions. Actually, it is quite possible that we are only seeing the tip of the iceberg as there could be much more mobile malware "hidden under water". In fact, Fortinet occasionally discovers malware which have been out for a while, but remained unnoticed by all anti-virus companies. Finding mobile malware samples is particularly difficult because they evolve on networks, which are not based on the IP protocol and are controlled by telecommunications operators. Also, they are seldom reported by mobile users to telco operators or security companies.

Don't trust statistics to evaluate the reality of mobile malware. Figures are too are difficult to ascertain for many reasons: they are split among several operators; they vary a lot from one country to another, depending on which mobile applications are used; and they differ according to how one defines malicious applications.

So, even if it has not been affected yet, do not underestimate the potential vulnerability of your iPhone.

Why attack Apple?

Why would malware target iPhones in particular? From a cyber criminal's perspective, the answer is short and simple: because it is a real consumer success, which can covert into a gold mine. Apple's App Store generates millions of dollars, so one can confidently confirm that it will one day be abused and will unintentionally offer malware to the unsuspecting iPhone community. It has already happened to the Symbian and Android platforms, for which a few malicious applications were unintentionally signed. The damage this time is likely to be even greater than on other platforms, because of the iPhone's popularity and the general belief that the Apple/Mac environment is safe.

iPhone's connectivity is another important factor attracting new malware. iPhones are particularly easy to use to access the Internet. According to AdMob, one of the world's largest mobile advertising networks, 40 percent of all online advertising requests come from iPhones, as of May 2010. This opens up the iPhone to a wider variety of Internet vulnerabilities, as malware can be downloaded from infected or malicious websites. And once an attack infiltrates your iPhone, the consequences can be unpleasant, costly or even more!

Fortinet's FortiGuard Threat Response team suspects the next malware for iPhones will most likely be spyware. Why? Because it primarily targets the users' privacy, which is unfortunately often disregarded by both end-users and security companies, and because the classification of the various spyware programs is not clear. Spyware is typically hidden from the user and is used to monitor computer activities and collect various types of personal information, such as contact phone numbers, geographical location, documents, pictures, etc. The potential risk they represent is far from philosophical when it's your credit card information that is targeted!

Up close and personal

Imagine that your trusty personal assistant betrays you. Indeed, this is comparable to what mobile malware can make your iPhone do. Your iPhone has your closely guarded personal information, including photographs, contact database, possibly your credit card details, banking information, email exchanges, personal addresses, and so on. It also connects you to tens if not hundreds of Internet applications that make your life easier. Now, imagine all this information falling into unscrupulous hands, a psychotic stalker, or becoming public information overnight! Consider the scenario in which the evening tabloid team barges into your living room and exposes your life publicly overnight. This is exactly what a mobile spyware can do once it has entrenched itself in your iPhone. This insidious, crafty malware can secretly tap your phone calls, record and transfer SMS/MMS/email messages, locate you geographically, listen to your surroundings, take pictures, downloads contacts, log activity or steal your online banking credentials.

The potential damage is endless and apart from organisations, such as the EFF (Electronic Frontier Foundation), only few people really take this matter seriously.

The battle has just begun

Recently, Fortinet has observed a strong increase in new mobile phone spyware. This growth affects all platforms including iPhones, Symbian or Windows Mobile. Since March 2009, the FortiGuard team has added detection for nine new mobile malware families. Of course, there are probably more to come, in particular with the development and marketing of software suites dedicated to creating mobile phone spyware, with end products being sold for tens to over thousands of dollars. They even advertise publicly, with touted claims they can help with issues such as parental control, employee monitoring or video surveillance. As long as end-users keep thinking that spying is fine or that they have nothing to hide, spyware will continue to spread.

Even if you have the feeling your life can be 100 percent transparent and that you have nothing to hide, spyware is still an invasion of human privacy.

Maybe we should remember that even our ancestors felt that privacy was an important thing to protect. The Universal Declaration of Human Rights, article 12 states: "No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks."

So, how to behave with your iPhone?

At this stage, iPhones' and other mobile phones' security is only in its infancy, and like with children, perhaps one of its highest needs is education. Yes, your iPhone must be educated - by mobile operators, phone vendors, security companies and yourself.

Here are some guidelines on how to teach it caution and how to behave:

- Would you let your child talk to a stranger? No. So, do not open unknown SMSs or MMSs.

- Before buying your child a new game, wouldn't you check if it's suitable for his/her age or if other parents consider it an interesting game? You probably try to. The same applies to your phone.

- Do you inoculate your child against polio? Then, you might consider installing anti-virus software on your mobile phone, or at least check anti-virus reports regularly.