The smartphone invulnerability syndrome.
In December 2010 Tunisian fruit vendor Mohamed Bouazizi set himself ablaze in an ultimate act of protest against harassment by government officials. No one could have predicted the cataclysmic changes that followed. Regimes toppled and dictators were overthrown as Bouazizi's death sparked the Arab Spring across North Africa and the Middle East. Mobile phones and social media were among the most influential media tools used to coordinate the protests.
On the first-year anniversary of the Arab Spring, security vendor Symantec discovered something else that followed Bouazizi's death - something that involved mobile phones and social media. In what appeared to be the first hacktivist (politically motivated hacking) attack targeted only in the Middle East, new Android malware was distributed through regional forums.
The malware - dubbed Android.Arspam by Symantec - was embedded into the pirated version of a popular Islamic compass app. Once downloaded, it went to work as a service called al Arabiyyah.
Every contact in the address book of the infected phone got a text message with a link to an online tribute to Mohamed Bouazizi. Whether the phone user sympathised or not with the hacktivists' cause, they had to pay for the text messages that spread the political propaganda. Bulent Teksoz, chief security strategist, Emerging Markets, Symantec says attacks like Android.Arspam represent test runs by hacktivists and cybercriminals targeting the Middle East, giving them an opportunity to test and develop their methods. "Cybercriminals are looking for easy money and the Middle East - because of the economy, mobile phone penetration and the number of people getting online every day - is a sweet spot right now. Coupled with the lack of protection and the number of mobile applications that exist, it creates the perfect condition for cybercriminals to come and play."
Symantec's 2012 State of Mobility Survey that polled over 6,000 organisations across 43 countries, discovered that mobile computing is the biggest IT security concern. And getting your phone hacked is no longer a headache just for British celebrities. Teksoz says a staggering one-tenth of mobile users in the Middle East who were surveyed by Symantec have had their phones compromised. "In 2011-2012, we discovered around 162 vulnerabilities on mobile platforms. It all points to an indisputable fact: we know the bad guys out there are looking for more ways to get into the mobile applications, mobile devices and mobile security."
The rise in popularity in mobile and cloud computing means that mobile devices are now a prime target for hackers. People generally have a false sense of security when using their phones, which can be foolish considering mobile phones are being used to do online shopping, access corporate emails and for banking. James Lyne, director of technology strategy at software developer Sophos, has a name for the haphazard attitude towards mobile phone use: 'smartphone invulnerability syndrome'.
"In effect people are forgetting about practice and threats they've understood on their PC for years. Attacks can take a wide variety of forms, but the most common at the moment are basic, but effective, phishing scams like fake websites or emails. Users tend to be more likely to be duped on their phones, even by attacks they would delete immediately on their computer. Malicious applications are also growing in number, such as those that steal your banking details or credit card information."
Smartphones on the Android operating system appear most vulnerable to being hacked because any developer can upload an app for free distribution. Unlike Apple, you can download applications from any app store on the internet, making it easier for the bad guys to distribute bad code. However, Lyne adds that the Apple model isn't perfect either. Security researchers have recently found that it's possible to get malicious apps published by Apple.
The increasing bring-your-own-device trend (BYOD) in business means it's not just individuals, but companies that stand to lose millions in the years to come if this carelessness continues. As employees use their personal phone for business transactions, it makes companies even more vulnerable to their entire networks being brought down by one employee who may lose their phone or download malware. "In a corporate setup where executives are using their own device, it can be a security nightmare. Companies are turning to Mobile Device Management (MDM) software to manage these risks," says Teksoz. This has lead to the popularity of mobile security software that can remotely wipe data on a phone that has been lost or hacked.
Lyne agrees that mobile operating system vendors are starting to develop more capabilities to prevent such attacks, essentially re-learning the lessons of the PC, but there is a great deal more work to be done. "Today's mobile threat is quite basic, but if the bad guys escalate their tactics, mobile vendors at present aren't in a good position to respond."
So how can you tell if your phone has been hacked? Typical symptoms include unusual behaviour from the phone, inexplicable battery drains, device running more slowly than before and inflated bills. "Generally prevention is the best strategy as malware is not often obvious and visible - it does most of its work in silence in the background," advises Lyne.
Prevention, coupled with awareness - yes, your phone can be hacked, and quite easily at that - is the key to being smart about your smartphone.
In 2010 over one million mobile phone users in China were affected by the 'Zombie virus' in which phones sent hundreds of text messages without the owners' knowledge.
Dumb things to avoid on your smartphone
1. The 'smartphone invulnerability syndrome'.
Marilyn Monroe, born Norma Jeane Mortenson but baptized and raised as Norma Jeane Baker; June 1, 1926 – August 5, 1962, was an American actress, singer, model and showgirl who became a major sex symbol, starring in a number of commercially successful motion pictures during the 1950s.
| Photo: |
"People need to be aware that these devices can be attacked and that they need to keep up to date with the latest security developments - mobile devices are changing at a very fast pace. We can expect significant development in this market over the next 24 months," says Lyne.
2. Not checking that the website and application you are dealing with is the correct one.
Malware often looks very similar but is spelt slightly differently. "Ensure that encryption (SSL transport represented often by a padlock symbol in your browser) is enabled," advises Lyne. "Do not download any apps from unauthorised resources, be it someone sending you a file, a text message, a suspicious web page or unauthorised websites. Check that the permission being requested by the app match its features," says Teksoz.
3. Not treating your phone as you would your computer.
Follow the same best-practice protocol used to protect data on the computer. Don't put phone pin codes and banking passwords where they can be discovered by someone else if the phone is lost. "Use strong passwords and always make use of whatever security measures - like pin code or pass codes - are provided by the mobile phone," says Teksoz.
4. Not running security software on your mobile device or remembering to update it.
Download the free mobile security awareness toolkit from Sophos.
5. Keeping connectivity enabled when it is not required and not being used.
"Keeping your Bluetooth on makes you vulnerable to attacks. Don't put your Bluetooth in a discoverable mode, use it when you need it but let it stay hidden," Teksoz says.