Drive-by downloads are coming to your smartphone, and they're harder to detect than traditional PC-based versions. Here's how you can protect yourself, your users and your enterprise from mobile drive-by downloads.

While Jeff Schmidt, the CEO of JAS Global Advisors, was surfing the Web on his new Android smartphone (his first Android phone) earlier this year, what appeared to be an ad popped up on his screen. The “ad” looked like the prompt that appears when his phone rings. He clicked the button on the ad to pick up the putative call, and the ad began downloading a binary file–malware–onto his Android phone.

Schmidt had been hit by a drive-by download, a program that automatically installs malicious software on end-users’ computers—and increasingly, smartphones—without them knowing.

“I’m a pretty paranoid and sophisticated user,” says Schmidt, whose firm provides information security and risk management services. “I didn’t think I’d be vulnerable to this sort of thing, but because I wasn’t familiar with the user interface, I clicked on the ad. It really surprised me.”

Fortunately, Schmidt halted the download when he realized what was going on and caught it before anything bad happened to his phone. He’s not sure what the malware would have installed on his phone, but he suspects it could have been some kind of spyware, such as a keystroke logger, or some other application that would turn his computer into a spam-mailing bot or otherwise compromise his security and privacy.

Schmidt’s experience with mobile malware—specifically, with a mobile drive-by download—illustrates the challenges users face detecting and preventing mobile malware from infecting their smartphones. It also demonstrates the sophistication and ever-changing nature of security threats targeting mobile devices.

The Mobile Malware Phenomenon: Why It’s Hard to Detect

Mobile malware is proliferating at an astonishing rate. Security threats targeting mobile devices increased more than 600 percent between 2010 and 2011, according to research from Kaspersky Lab. In December 2011 alone, Kaspersky identified more new mobile malware apps than it identified between 2004 and 2010.

“Mobile devices are scary because people generally have no idea what the software they download will do, whether they get it from an app store or it comes with the phone,” says Schmidt. “The apps on mobile devices are not at all transparent. A lot of software gets installed on them that users don’t understand.”

Smartphones have become an effective way for criminals to distribute malware because it’s harder to recognize on a smartphone than it is on a PC. “Screen real estate is very limited on these devices,” he says. “The visual cues we’re used to on PCs [when we download a virus] are not available in a mobile environment. Even to sophisticated users, it’s not entirely clear what’s happening behind the scenes.”

Faster connectivity and more powerful devices further complicate security. Schmidt says both factors make it easier to download malware more quickly, without the user knowing. “That makes a compromised device more valuable to a bad guy,” he adds. It also makes smartphones more susceptible to drive-by downloads.

How Drive-By Downloads Work on Your Smartphone

Attackers are adapting the popular and effective drive-by download method, popularized on PCs, for mobile devices, says Kevin Johnson, founder of information security consultancy Secure Ideas and author of Security 542: Web Application Penetration Testing and Ethical Hacking. Drive-by downloads work by exploiting vulnerabilities in Web browsers, plug-ins or other components that work within browsers.
Through a browser vulnerability, drive-by downloads dump an application onto the user’s computer, such as fake anti-virus software—malware that’s masked as anti-virus software.

On a smartphone, drive-by downloads work differently, says Johnson, who is also a senior instructor with the SANS Technology Institute. “With an iPhone, I can’t browse to a Website and have it install an app on my iPhone. The iPhone is not capable of doing that, which is good,” he says. “The problem is that the drive-by download model has changed to take that into account.”

So instead of dumping an app onto your smartphone’s OS, the infected Website exploits a vulnerability in, say, the Safari browser and runs commands or packages within the phone’s operating system to change the way it works, says Johnson. “It’s not installing the software, but it’s still doing bad stuff to the phone,” he adds. “It’s considered jail-breaking or rooting the device.”

How to Protect Your Smartphone

IT departments can lock down corporate-owned smartphones so that employees can’t install anything on them or browse to random Websites. Securing employee-owned smartphones is obviously a lot more difficult. Johnson says companies need to emphasize awareness and make employees understand security risks. He also recommends mobile device management systems that restrict certain user activity.

One such mobile device management solution for “Bring Your Own Device” environments comes from Good Technology. Good Technology offers an application that smartphone owners can install on their devices, says Johnson. The software serves as a container for work-related activity on the phone. It basically separates the corporate work from the rest of the phone, says Johnson. When an employee is ready to get onto the corporate network to check email or product inventory, for example, he simply launches the Good application, which prompts him to authenticate.

“Everything that happens inside that app is segmented from the rest of the phone,” says Johnson. “As the app is running, everything is there in memory. When you close the app, it saves everything else to a file that is encrypted. Attackers can’t get to it. So if a drive-by download attacks a phone, it can’t access any of the corporate stuff. It doesn’t protect the device; it protects a company from an infected device.”

The drawback to the Good Technology application, says Johnson, is that the user interface is different from the rest of the phone. “If you’re used to the way Android does mail, the Good mail client works differently. It doesn’t have the same feature set. A lot of users complain about that,” he adds. “But if it’s the difference between complaints from users and safety from drive-by downloads, then Good wins.”

Meridith Levinson covers Careers, Security and Cloud Computing for CIO.com. Follow Meridith on Twitter @meridith. Follow everything from CIO.com on Twitter @CIOonline and on Facebook. Email Meridith at mlevinson@cio.com.