Best Practices - Mobile Phone Security

Version 1


    I recently bought a Google Android based smartphone, so was interested to learn that SK Telecom in Korea is now offering McAfee VirusScan Mobile for Android free to its customers. The application can be downloaded at no cost from the SK Telecom TStore and provides real-time scanning, data protection services, and automatic updates (http://newsroom.mcafee.com/article_display.cfm?article_id=3639). Hopefully this application will become available in other counties in the future to protect customers that may be susceptible to mobile malware.

     

    Fortunately there hasn't been much malware targeted at smartphones, but as these type of devices become more prevalent, and become more widely used for financial transactions and to store financial information and other valuable data, it is likely that malware authors will target these platforms more frequently, and discover exploits and vulnerabilities that allow malware to spread. Examples of attacks against mobile phone users include a recent SMS vulnerability for the Apple iPhone that allowed a malicious remote attacker to send a specially crafted SMS text message to crash the phone and allow full access to the phone (http://www.wired.com/gadgetlab/2009/07/apple-patch-sms/). Another example of a vector for mobile malware distribution is the Cabir Symbian virus which attempts to spead via Bluetooth (http://vil.nai.com/vil/content/v_130678.htm). This malware depends on the recipient of the virus accepting and running an unsigned application via Bluetooth, so it is very unlikely that this type of malware would become prevalent in the wild. An example of a mobile virus being used for financial gain is the Viver trojan (http://www.realtime-websecurity.com/articles_and_analysis/2007/05/viver_trojan_t arget_symbian_sm.html) which attempts to send premium rate SMS messages to phone numbers in Russia.

     

    Allowing root access to the smartphone makes it much easier for malware to run, as demonstrated by a trojan recently seen in Australia that changes the background of root enabled iPhones to a picture of 80's pop star Rick Astley! (http://www.wired.com/threatlevel/2009/11/iphone-worm/).

     

    Mobile phone Operating Systems have been developed with security in mind, but the above examples show that hackers and malware authors will look for exploits and weaknesses in phone security to access and steal data.

     

    Best Practices and some tips for Mobile Phone Security include:

     

    • Install a mobile based AV software package if you think you are likely to encounter malware via your smartphone.
    • Treat your phone as you would your desktop PC, and be cautious of  opening files, SMS messages, IM's and applications sent via Bluetooth,  especially if they are recieved from unknown sources.
    • Disable BlueTooth, or set the Bluetooth status to hidden, until you want to share something.
    • Only download and install applications from reliable sources such as the Apple iTunes store, Google Android Market or Nokia OVI Store.
    • Dont run or install unsigned applications from unknown sources.
    • Disable Wi-Fi access by default (this will also save a lot of battery power) and only connect to known Wi-Fi hotspots.
    • Use caution when recieving SMS messages or emails from unknown sources.
    • Avoid enabling root access to the phone as this will significantly increase the likelyhood of malware running or causing damage to files on your phone. If root access is enabled, change the password to a more secure one.
    • Periodically back up your important data to anther device such as a desktop PC so that it can easily be recovered and restored.
    • Install an app that can be used to remotely lock, wipe the data, or disable your phone if it becomes lost, stolen or compromised.
    • Lock your phone to your sim card and enable a PIN to prevent access to the phone in the event that it is lost or stolen.
    • Appreciate that your phone is a vector for malware distribution,  connecting to multiple PCs may allow malware to spead via USB,  especially if Autorun is enabled on the host OS.

     

    Hopefully mobile based malware will not become more prevalent, but as malware authors have followed technology trends in the past, and as smartphones become more common, it would be expected that malware authors would at least try to target these devices as they become more popular.