Slashdot Mirror
Will 2011 Be the Year of Mobile Malware?
alphadogg writes "Perhaps one of the most common predictions of the last six years has been that mobile malicious software will suddenly proliferate, driven by widespread adoption of smartphones with advanced OSes. None of those prognostications has really come to fruition, but it's likely that the coming year will bring a host of new malicious applications. Users — while generally aware of threats aimed at their desktop computers and laptops — have a good chance of being caught flat-footed with their mobile phones. In the third quarter of this year, up to 80 million smartphones were sold around the world, which accounted for about 20 percent of the total number of mobile phones sold, according to statistics published last month by analyst firm Gartner. Experts say the threats against those devices are going to come in several categories, including rogue applications. In September, researchers from security vendor Fortinet discovered a mobile component for Zeus, a notorious piece of banking malware that steals account credentials. The mobile component, which targeted Symbian Series 60 devices or BlackBerrys, intercepted one-time passcodes used to verify transactions."
No, it won't.
Oh I can think of a couple
Albeit, Jailbroken iPhones are less Secure than... umm... whats the term for that? Non-jailbroken? Jailfixed? StillJailed? Anyways.
Point is that some people have started writing malicious software for phones, its becoming glaringly obvious.
What we don't have is people focused on finding, removing, and spouting a product yet like Norton/McAffee/AVG/whatever.
Who is to say a lot of phones are infected but no one yet knows. I bet most users, if their email was compromised, would assume they were hacked via a computer, not tracked via their phone, which could easily be the case.
It is possible that 2011 might be a year in which there could be some unspecified increase in what could loosely be termed malware that might be targeted in whole or in part to infect certain devices that might be considered mobile devices under certain definitions of mobile or device.
If you feel you have to lead off with a statement that your prediction is essentially the same one you've been making for the past six years and it has yet come true, maybe you should leave off setting a deadline for the thing.
"Sacrifice for the good of The State" - The State
I doubt this is going to be a repeat of Windows, where a combination of massive marketshare and blatant negligence on the part of Microsoft led to an epidemic of worms.
But, there's also a very real threat, even on systems like iOS where users and even Apple assume that they have control of the platform, hackers prove them wrong constantly.
For instance a month or 2 back, jailbreakers were able to just visit a website through mobile safari and execute one exploit after another to compromise the entire system and install unapproved software like Cydia. That's a rare alignment of exploits, but who can really say it won't happen again via a malicious attacker?
I seem to recall a similar prognoses at the end of last year. Seems not to have happened. I suspect the trend will continue.
To much money on phone bills. .
5 minutes for it to start.
Random crashes for no reason (particularly media player).
The actual telephone part of it had so many quirks it was only semi usable as a phone.
Internet was dodgy at best and I live next (2 miles) to a new tower
I got a new phone like my old one from 4-5 years ago couldn't be happier but now I have a BB Storm that's basically an mp3 player and did I mention media player crashes a lot requiring a 5 min reboot
Comment removed based on user account deletion
Uh, could you elaborate? Was it malware, or just so good that you don't think you can quit playing?
the Windows Mobile aka WinPhone will really take off in 2011
I went to battle M.C. Escher, but drew a blank.
Nokia 2115i. It makes calls and sends texts. That's it. Not even internet access or a camera. (Though it does have a flashlight.) No need to fear viruses or spyware.
My AC stalker: " I personally agree with your posts most of the time, but that won't keep me from modding you troll"
... rampant blogosphere speculation about everything. Just like the year before it.
year of...
Year Of...
YEAR OF!!!!
Holy crap, get over it! Stuff will happen next year. Some of that stuff will be expected. Of that expected stuff, some will live live up to expectations while the other will not. And there will be surprises!
"The mobile component, which targeted Symbian Series 60 devices or BlackBerrys, intercepted one-time passcodes used to verify transactions."
So that thing can be used for banking too? Huh, I'll tell my wife....
"All great things are simple & expressed in a single word: freedom, justice, honor, duty, mercy, hope." --Churchill
It's been on MY desktop since 199x!
and as smart phones become more powerful more people use them for actual work. I have worked on many mobile apps that are used for on site surveys, audits, and other data collection. My own opinion of the value of that data isn't really very high, but i know my clients would freak out if their iphones crashed and the data was lost. In that event, i would say, "well I tell you to upload the data on a regular basis and it should be in your most recent backup, you do back up your phone, right?"
I know sales people who's contact list IS their life. I've become reliant on the iphone app 1Password to store my passwords. I have a number of drawings in audodesk sketchbook i wouldn't want to lose. Now, i back my shit up. Anything that brings down my phone is likely only a minor inconvenience, but there are plenty of people who could be seriously affected. The real question should be is 2011 the year when smart phones become so important that malware is a real threat?
do you know how hard I worked on my Angry Birds scores?
My brief foray in android led me to believe those non-marketplace apps often had memory leaks and slowed my phone down considerably.
if you don't know your banking password or have it stored on your phone, you're doing it wrong. google docs auto-saves frequently and is "cloud" based so you'll lose very little. online store passwords are easily recoverable. you haven't really negated the original post's points.
It doesn't really matter since passwords are already the weakest link in online security.
2011 is the year of Linux on netbooks. Or was that desktops. Anyway, I'm sure its a year of something linux related...
tylenol's new pill for textually transmitted diseases.
"...and passwords for your bank, online stores, Google (Docs (where you're writing your half-finished novel))..."
That sort of fuckup could be regarded as "LARTing by events". I don't leave passwords or important work on my phone. Ever.
"This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
I regret the install and uninstalled the app, but I'm sure they mined for data I gave up.
Our apps are already watching us beyond what we've authorized. How is that not malware?
Stop the brainwash
How can I install a firewall and AV software on my iPhone 3gs ?
I've unlocked and jailbroken it so I can customize it MY way and use it on the carrier of MY choice but I really want more than just a wink and a promise from Apple that I'm safe.
2011 will be the year of viruses on linux!
http://blogs.mcafee.com/mcafee-labs/windows-mobile-trojan-sends-unauthorized-information-and-leaves-device-vulnerable
it is possible but it is not like the market of Windows PCs has shrunken significantly so there's plenty to continue feeding on there as opposed to trying to attack low resource embedded devices like phones.
LoB
"Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
Malware is profitable when it can infect a huge number of systems. Without a monoculture of mobile operating systems malware isn't profitable enough to develop.
didn't they ask us this last year? This question feels awfully familiar...
It doesn't really matter since passwords are already the weakest link in online security.
It's not that type of password. You are already logged in to your banking site using username and password. Then you decide to send money to someone, and one of the ways of doing 2-factor authentication available to you is to have the bank send you a 1-time password by SMS, which you then type into the computer. The one-time password is bound to the specific transaction you were requesting, and the sms contains some information about the transaction (like the destination account number and amount), so if the account number or amount is not what you wanted you know something is wrong.
So unless the bad guys have malware on your phone AND on your pc, they can't steal your money.
Of course, this is in europe. In the US two-factor authentication means password+"what is your mother's maiden name". And no, this is not a random anti-american rant. Most US banks still do not have 2-factor authentication, while all that I know of in europe do, in some form or another. Also, a security guy from a US bank I spoke to at a conference told me they don't do two factor authentication because users don't want to remember more passwords (thus proving he does not understand what is 2-factor authentication). Also, he said that when you want to do something "suspicious" like sending money to a new destination, they start to ask you security questions (like "what is your mother's maiden name").
I just installed Hero of Sparta, non-market place game for free. I swear, that's the last non-market place app I'll install on my phone.
Why, did it change your restaurant finding apps to only show "Hell" as an option for dining? ;)
Comment removed based on user account deletion
But not for the reasons given. If you go to light in a box and browse all the android 2.1 pads for sale, all of them warn you not to attempt to re-install or change the OS. this warning is not given for some propriatary reason but simply because there is no assure path to a perfectly safe re-install of the android software and drivers.
Thus there are going to ba a gazillion android pads walking around that cannot be patched. It's a safe bet there are security holes to be discovered in this. Once that happens it's going to be like windows has been with the sea of mobile zombies.
The iphones are different. You are constantly offered updates. (which brings up the problem with jailbreaking-- you can't update easily for fear of busting the jailbreak.)
Now phones may be a different matter. If the phone companies are able to push updates it may be a lot safer.
Some drink at the fountain of knowledge. Others just gargle.
I thought 2011 was going to be the year of the Linux Desktop
Slowed your phone down? Likely. Memory leaks, probably not. For anyone that has programmed in the Java-esque Android environment, they know that dealing with memory is simple and leaks don't ever happen!
I feel confused. Hey, if you're at it make it the year of reading too.
Users — while generally aware of threats aimed at their desktop computers and laptops — have a good chance of being caught flat-footed with their mobile phones
BWAHAHAHAHAHAHAHA! I stopped reading after this sentance.
Thought slowdown and increased battery consumption were the cost of using non-market applications.
Its not about losing work to a systems crash or phone splash down in the toilet bowl.
Its about content being stolen by malware.
Sig Battery depleted. Reverting to safe mode.
Advanced operating systems are maintained in such a way that they don't run malware, for example, they are updated automatically so regularly that there is a disincentive to create malware, same as you get rid of graffiti with a regimen of immediately painting it over. Mac OS and iOS, for example. It's the not-advanced operating systems which are easy targets, graffiti magnets.
I don't leave passwords or important work on my phone. Ever.
Well you will. So get used to it.
Probably they will be in an encrypted password vault, dozens of which are available for Android or iPhone.
Your credit cards will be moving to the phone. Tap to pay terminals are springing up everywhere. Near Field Communication chips are being introduced into cell phones. They are already HUGE in Japan.
You will still need to password enable payment, but you won't be carrying a wallet full of risky credit cards in the future.
And those digital car keys? The rush to push button ignition is just to prep you for that being triggered by the presence of your phone as well.
Its all going into the phone, my friend, so get use to it.
The Amish won't use Electricity. Don't be that guy.
Sig Battery depleted. Reverting to safe mode.
"Well you will. So get used to it."
Asserted conclusions /= proof.
"Probably they will be in an encrypted password vault, dozens of which are available for Android or iPhone."
Mine will be unused.
"Your credit cards will be moving to the phone. Tap to pay terminals are springing up everywhere. Near Field Communication chips are being introduced into cell phones. They are already HUGE in Japan."
I give a shit what is HUGE in Japan?
"You will still need to password enable payment, but you won't be carrying a wallet full of risky credit cards in the future."
I don't carry a wallet full of risky credit cards NOW. One card, that's it. No debit cards, which I will not have.
"And those digital car keys? The rush to push button ignition is just to prep you for that being triggered by the presence of your phone as well."
I'm a mechanic. If my old PATS system annoys me the PCM will be flashed with a "PATS delete", No problem
"Its all going into the phone, my friend, so get use to it."
I welcome other folks getting used to it. I spent my life learning how to make most of the tech I use serve me and see no reason to stop.
"The Amish won't use Electricity. Don't be that guy."
Blind technophilia /= "Amish".
One may choose from a wide variety of tech in ones personal life, Amish tech or computing tech any anything in-between.
It's all about "serving me". MY convenience, MY wants, not the wants of marketroids. OTHER people exist for them to fuck, which is fine with me.
"This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
"iPhoneOS/Android/RIM/W7 so malware writers can hardly target all platforms at once" - by Artem Tashkinov (764309) on Wednesday December 22, @10:45AM (#34641654)
As long as the phones in question run a BSD based IP stack, then, , they already have a defense built in. That defense is a HOSTS file (all the user has to do is fill it with data for blocking out known bad sites/servers/hosts-domain names etc.).
HOSTS work on the "blacklist" principal here: You block out the bad sites, you can't enter them. You can't enter them, you cannot be infected/infested - simple.
Not only that, but you can block out adbanners that eat up bandwidth (and have been known to infect you more than a few times over the years now).
You can also speed up access to your fav. sites using HOSTS also, hosts work on the "whitelist" principle here
(In doing the latter, you also avoid DNS request tracking logs too (in avoiding using DNS altogether for those said favs of yours), you also avoid downed/crashed DNS servers & you still reach your fav. sites, PLUS you additionally/lastly avoid DNS redirected/poisoned (or otherwise hijacked) DNS servers also).
APK
P.S.=> I've already done this on an ANDROID phone, it works excellently for better online SPEED, SECURITY, & even a "touch of added extra 'anonymity'" too (via the ADB (android debugging bridge) & it's PUSH/PULL commands (after mounting the system mountpoint with READ + WRITE priveleges), loading a 24.5mb size HOSTS file, & seeing it work well for the purposes I noted above) & pre-built HOSTS files are out there, & they're regularly updated, such as this one -> http://www.mvps.org/winhelp2002/hosts.htm ... apk
I've used Nokias exclusively for the last 6 years. S60 2nd edition allowed you to install any apps from anywhere, and there were quite a few trojans and other apps written for it, around 2004-05. .SIS file) and then install it.
S60 3rd edition made it harder to do so by requiring all apps to be signed by Symbian, and earlier they only gave out certificates to companies rather than individuals. Nevertheless, there were (are) ways to self sign an install package (a
Even then - the phone warns you that the application is not signed, so there's no way anything can silently install itself without user intervention.
The second most common vector for exploits is the browser. No matter what short sighted US tech blogs may say - Symbian is the world's most widely used OS, with over 2 billion devices sold to date. How come we haven't yet seen a browser based exploit for the internal Webkit browser?
A google search for 'Symbian 3rd edition malware' shows up hardly one or two examples - and reading the descriptions, they rely on social engineering to fool the user into getting installed.
The same rules apply as on desktop OSes - namely not to open/install unknown applications etc. What would be worrisome would be a browser exploit, where just visiting a link can compromise your phone, or some sort of silently installed malware. The former has yet to be proved and the latter can only happen through (all too common) user stupidity, so this leads me to conclude that Symbian at least is safe for the present.
Also bear in mind that Nokia pushes out firmware updates much more regularly than other phone manufacturers; even upto 2 years after launch (the 5800 Xpressmusic is a case in point), so you can expect security fixes, if found, to be available faster. Sucks to be in the US with a carrier subsidized handset though.
"..One hosts to look them up, one DNS to find them, and in the darkness BIND them."
With PC sales on decline they are looking for new markets. They crying wolf for several years already. That kind of FUD provoked Nokia to introduce digital signing for Symbian OS apps, which effectively killed developers community. That caused Symbian OS becoming increasingly irrelevant and eventually caused its death(or at least zombification). Which in turn destabilized Nokia position and could be cause of the death of Nokia itself.
according to statistics published last month by analyst firm Gartner
That line right there shows this is total bullshit paid for by someone trying to sell AV for phones. Anytime I read a line like above with the word "Gartner" in it I don't believe a word of it.
...had malware years ago, but they introduced measures to stamp them out. This was the move from Symbian 7 to Symbian 8. IINM, this was the reason for the introduction of capabilities.
Max.