Malicious software (malware)
As smartphones are a permanent point of access to the internet (mostly always on), they can be compromised as easily as computers with malware. Malware is a computer program that aims to harm the system in which it resides. Mobile malware variants increased by 54% in the year 2017. Trojans, worms and viruses are all considered malware. A Trojan is a program that resides on the smartphone and allows external users to connect discreetly. A worm is a program that reproduces itself on multiple computers across a network. A virus is malicious software designed to spread to other computers by inserting itself into legitimate programs and running alongside them. However, it must be said that malware is far less numerous and far less significant on smartphones than on computers.
Nonetheless, recent studies show that the evolution of malware on smartphones has rocketed in the last few years, posing a challenge to analysis and detection.
The three phases of malware attacks
Typically an attack on a smartphone by malware takes place in three phases: the infection of a host, the accomplishment of its goal, and the spread of the malware to other systems. Malware often uses the resources offered by the infected smartphone. It will use output devices such as Bluetooth or infrared, but it may also use the address book or email address of the owner to infect the user's acquaintances. The malware exploits the trust that is given to data sent by an acquaintance.
Infection is the means used by the malware to get into the smartphone; it can either use one of the faults previously presented or exploit the gullibility of the user. Infections are classified into four classes according to their degree of user interaction:
- Explicit permission: The most benign interaction is to ask the user whether it is allowed to infect the machine, clearly indicating its potential malicious behavior. This is typical behavior of proof-of-concept malware.
- Implied permission: This infection is based on the fact that the user has a habit of installing software. Most Trojans try to seduce the user into installing attractive applications (games, useful applications, etc.) that actually contain malware.
- Common interaction: This infection is related to a common behavior, such as opening an MMS or email.
- No interaction: The last class of infection is the most dangerous. Indeed, a worm that could infect a smartphone and then infect other smartphones without any interaction would be catastrophic.
Accomplishment of its goal
Once the malware has infected a phone, it will seek to accomplish its goal, which is usually one of the following: monetary damage, damage to data and/or the device, and concealed damage:
- Monetary damage: The attacker can steal user data and either sell it back to the same user or sell it to a third party.
- Damage to data and/or the device: Malware can partially damage the device, or delete or modify data on the device.
- Concealed damage: The two aforementioned types of damage are detectable, but the malware can also leave a backdoor for future attacks or even conduct wiretaps.
Spread to other systems
Once the malware has infected a smartphone, it always aims to spread one way or another:
- It can spread through proximate devices using Wi-Fi, Bluetooth and infrared;
- It can also spread using remote networks such as telephone calls or SMS or emails.
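The spread phase described above leaves a trace a defender can look for: one application sending messages to many distinct recipients in a short time. The following detection heuristic is an added example, not part of the original article. It assumes a simple device-side log of outbound messages (timestamp, sending application, recipient); the log lines and the field layout are constructed for the example and do not correspond to any real OS log format.

```python
"""Detection heuristic for worm-style spread over SMS/MMS (added example).

Assumes a device-side log of outbound messages: one record per send with a
timestamp, the sending application and the recipient. The records below are
constructed; the field layout is an assumption, not a real OS log format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: normal messaging traffic plus one app that sends to
# many distinct contacts within seconds (the mass-MMS pattern described above).
SAMPLE_LOG = [
    ("2024-01-01T10:00:00", "com.example.messenger", "+15550001"),
    ("2024-01-01T10:05:00", "com.example.messenger", "+15550002"),
    ("2024-01-01T11:30:00", "com.example.messenger", "+15550001"),
] + [
    (f"2024-01-01T12:00:{i:02d}", "com.example.game", f"+1555{i:04d}")
    for i in range(12)
]


def find_burst_senders(log, window=timedelta(seconds=60), min_recipients=10):
    """Return {app: max distinct recipients within one `window`} for every app
    that messaged at least `min_recipients` distinct recipients inside a window."""
    per_app = defaultdict(list)
    for ts, app, recipient in log:
        per_app[app].append((datetime.fromisoformat(ts), recipient))

    flagged = {}
    for app, events in per_app.items():
        events.sort()  # order by timestamp
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits in `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {r for _, r in events[start:end + 1]}
            if len(distinct) >= min_recipients:
                flagged[app] = max(flagged.get(app, 0), len(distinct))
    return flagged


if __name__ == "__main__":
    print(find_burst_senders(SAMPLE_LOG))  # -> {'com.example.game': 12}
```

The thresholds are deliberately parameters: a legitimate group-messaging app will also fan out to many contacts, so in practice the window and recipient count should be tuned per application category, and a hit should trigger review rather than automatic blocking.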
Examples of malware
Here are various malware that exist in the world of smartphones with a short description of each.
Viruses and trojans
- Cabir (also known as Caribe, SymbOS/Cabir, Symbian/Cabir and EPOC.cabir) is the name of a computer worm developed in 2004, designed to infect mobile phones running Symbian OS. It is believed to have been the first computer worm that could infect mobile phones.
- Commwarrior, found March 7, 2005, was the first worm that could infect many machines via MMS. It is sent as COMMWARRIOR.ZIP containing the file COMMWARRIOR.SIS. When this file is executed, Commwarrior attempts to connect to nearby devices by Bluetooth or infrared under a random name. It then attempts to send MMS messages to the contacts in the smartphone with a different header message for each person, who receive the MMS and often open it without further verification.
- Phage is the first Palm OS virus discovered. It transfers to the Palm from a PC via synchronization. It infects all applications in the smartphone and embeds its own code to function without the user and the system detecting it. All that the system will detect is that its usual applications are functioning.
- RedBrowser is a Trojan based on Java. The Trojan masquerades as a program called "RedBrowser" which allows the user to visit WAP sites without a WAP connection. During application installation, the user sees a request on their phone that the application needs permission to send messages. If the user accepts, RedBrowser can send SMS to paid call centers. This program uses the smartphone's connection to social networks (Facebook, etc.) to get the contact information of the user's acquaintances (provided the required permissions have been given) and will send them messages.
- WinCE.PmCryptic.A is malicious software on Windows Mobile which aims to earn money for its authors. It uses the infestation of memory cards that are inserted in the smartphone to spread more effectively.
- CardTrap is a virus that is available on different types of smartphone, which aims to deactivate the system and third party applications. It works by replacing the files used to start the smartphone and applications to prevent them from executing. There are different variants of this virus such as Cardtrap.A for SymbOS devices. It also infects the memory card with malware capable of infecting Windows.
- Ghost Push is malicious software on Android OS which automatically roots the Android device, installs malicious applications directly to the system partition, and then unroots the device to prevent users from removing the threat by master reset (the threat can be removed only by reflashing). It cripples the system resources, executes quickly, and is hard to detect.
- Mobile ransomware is a type of malware that locks users out of their mobile devices in a pay-to-unlock-your-device ploy; it has grown by leaps and bounds as a threat category since 2014. Specific to mobile computing platforms, users are often less security-conscious, particularly as it pertains to scrutinizing applications and web links, trusting the native protection capability of the mobile device operating system. Mobile ransomware poses a significant threat to businesses reliant on instant access to and availability of their proprietary information and contacts. The likelihood of a traveling businessman paying a ransom to unlock their device is significantly higher, since they are at a disadvantage given inconveniences such as time pressure and less likely direct access to IT staff. Recent ransomware attacks have caused a stir worldwide, rendering many internet-connected devices unusable and costing companies large sums to recover.
- Flexispy is an application that can be considered as a trojan, based on Symbian. The program sends all information received and sent from the smartphone to a Flexispy server. It was originally created to protect children and spy on adulterous spouses.
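Several of the examples above (RedBrowser in particular) rely on the "implied permission" route: a useful-looking application declares permissions that its stated purpose does not need, such as sending SMS and reading contacts. One static check a defender can run before installation is to parse the application's manifest and match the declared permissions against rules describing those behaviours. The script below is an added example, not code from the original article or from any named project. It parses the standard Android `<uses-permission>` elements; the two manifests and the rule names are constructed for the example.

```python
"""Static triage of an Android manifest for risky permission combinations
(added example). Parses <uses-permission> entries and matches them against
rules for the behaviours described above: sending SMS to premium numbers and
harvesting contacts in order to message them. Both manifests are constructed
for the example; the rule names are this example's own."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest of a "browser" that also asks for SMS and contacts.
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wapbrowser">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>
"""

# Constructed manifest of a browser that requests only network access.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.plainbrowser">
    <uses-permission android:name="android.permission.INTERNET"/>
</manifest>
"""

# A rule fires when every permission in its set is declared.
RULES = {
    "premium-sms": {"android.permission.SEND_SMS"},
    "contact-harvest-and-spread": {"android.permission.SEND_SMS",
                                   "android.permission.READ_CONTACTS"},
}


def declared_permissions(manifest_xml):
    """Return the set of permission names declared in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")}


def triage(manifest_xml):
    """Return the sorted names of all rules whose permission sets are fully declared."""
    perms = declared_permissions(manifest_xml)
    return sorted(name for name, needed in RULES.items() if needed <= perms)


if __name__ == "__main__":
    print(triage(SUSPICIOUS_MANIFEST))  # -> ['contact-harvest-and-spread', 'premium-sms']
    print(triage(BENIGN_MANIFEST))      # -> []
```

A declared permission is not proof of abuse, so the output is a review queue, not a verdict: the point of the check is to surface the mismatch between what an app claims to do and what it asks to be allowed to do, which is exactly the gap the implied-permission infection class exploits.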
Number of malware
Below is a diagram which shows the different behaviors of smartphone malware in terms of their effects on smartphones:
We can see from the graph that at least 50 malware varieties exhibit no negative behavior, except their ability to spread.
Portability of malware across platforms
There is a multitude of malware. This is partly due to the variety of operating systems on smartphones. However, attackers can also choose to make their malware target multiple platforms, and malware can be found which attacks one OS but is able to spread to different systems.
To begin with, malware can use runtime environments like Java virtual machine or the .NET Framework. They can also use other libraries present in many operating systems. Other malware carry several executable files in order to run in multiple environments and they utilize these during the propagation process. In practice, this type of malware requires a connection between the two operating systems to use as an attack vector. Memory cards can be used for this purpose, or synchronization software can be used to propagate the virus.