European cybersecurity agency Enisa has called on mobile app store owners to use a five-line defence against malware following reports that software attacks on mobile phones almost trebled in a year.
Enisa, which published a list of threats to mobile phones late last year (see below), said cyber criminals were now using app stores, which deliver billions of downloads a year, to distribute malware.
Enisa executive director Udo Helmbrecht called for an industry-wide approach to killing insecure and malicious apps. “The number of malware attacks directed at smartphones still pales in comparison to PCs,” he said, “but this paper is a blueprint for how to maintain this head-start and address security across app stores.”
Security researchers at G Data found one new mobile malware strain every 12 seconds, with most viruses designed to enable spamming or other criminal activities. As a result, the number of hacked mobile phones rose 273% in a year, it said.
“The perpetrators mainly use backdoors, spy programs and expensive SMS services to harm their victims,” said G Data security spokesman Eddy Willems.
Enisa report authors Marnix Dekker and Giles Hogben said attackers could easily use their malware to tap into private data processed and held on smartphones.
This included confidential business emails, location data, phone calls, SMS messages and so on. “Consumers are hardly aware of this,” they said.
App store owners had to do five things to ensure consumers were protected. These were:
- app technical reviews,
- user- and expert-driven app and developer reputation scorecards,
- revocation or kill-switches that restore phones to pre-install status once an app is removed,
- sandbox-based device security that grants apps only minimal privileges, and
- jails or walled gardens that limit access to other programs and data.
Further advice on how to implement the defences is contained in a 20-page paper from Enisa.
Ten threats to your mobile phone
- Data leakage. A stolen or lost phone with unprotected memory allows an attacker to read the data on it.
- Improper decommissioning. A used phone is disposed of or transferred to another user without removing sensitive data, which allows an attacker to read it.
- Unintentional data disclosure. Most apps have privacy settings, but many users are unaware (or do not remember) that their data is being transmitted, and don’t know how to change the settings to stop it.
- Phishing. An attacker collects user credentials (e.g. passwords, credit card numbers) using fake apps or messages (SMS, email) that seem genuine.
- Spyware. The user unknowingly installs spyware that allows an attacker to read or guess personal data. This includes software that asks for and then abuses access privilege on the smartphone.
- Network spoofing attacks. An attacker sets up a rogue network access point and users connect to it. The attacker subsequently intercepts the user communication to carry out further attacks such as phishing.
- Surveillance. An attacker uses a targeted individual’s smartphone to spy on them.
- Diallerware. Attackers steal money from the user by installing hidden software to dial premium SMS services or numbers that they own.
- Financial malware. Some malware hidden inside seemingly innocent apps steals credit card numbers, online banking credentials or subverts online banking or ecommerce transactions.
- Network congestion. Some apps will overdo signalling to the network, overloading it and pushing up your data traffic unnecessarily.