PhoneRPT spoke to Kaspersky Lab’s Senior Malware Analyst Vicente Diaz, following several mobile threat reports being published by major anti-virus makers, ahead of this year’s Mobile World Congress 2012 in Barcelona.
We have seen several Android threat reports in these recent weeks, from Symantec, AVG and even some press releases from Kaspersky. Are other platforms not so susceptible to viruses and malware?
Right now, Android is the most targeted platform by far. It has a similar market share to iOS; however, it is an easier attack vector for the attacker, as there are vulnerabilities available and these have not been patched for months (at least for the user given the distribution model with no clear responsibility for security updates) and application marketplaces are not being correctly monitored for malware.
This is the low-hanging-fruit theory, where the weakest gets the biggest percentage of attacks. This percentage is not directly related to the security level, but rather to these and other factors. Still, this is a very rapidly changing and dynamic scenario that we are keeping our eye on to see how it will evolve in the next few months.
Are open-source platforms, such as Android, more at risk than closed ones, such as iOS?
Open-source platforms are not less secure per se. Apple is doing a great job in securing its operating system and updating its users’ devices as soon as a new vulnerability is found, making it “frustrating” for an attacker spending time and money on the research of vulnerabilities and exploitation of them. On the other hand, Android has a completely different distribution model, where the manufacturers and telecom operators are responsible for updating the operating systems for their customer base. In this case, the responsibility is not clear, the market is more fragmented and it is much more complicated to patch vulnerabilities.
Therefore, it is much easier for an attacker to have a vulnerability working for years, even when patches are available. That’s one of the main reasons Android is a much more appealing platform to attack – there is a similar market share to iOS, but vulnerabilities are easy to exploit, meaning much bigger ROI for the attacker.
Should Google begin to manually review every app that enters the Android Market, or is it possible to undertake this regulation by software (automating it)?
Given the amount of apps added every day to any marketplace, it is impossible to do a manual review. In this case, Google will be running some kind of “anti-virus” for detection, probably using a mixture of signatures, heuristics and reputation. This is the same that antivirus companies do, and this involves a large amount of automatic analysis as well as a percentage of manual analysis for special samples or fine-tuning the system.
When it comes to mobile threats, what do hackers win out of their work?
This depends on the kind of fraud they try to perform; however, in the end there is always the money factor. There are different kinds of attacks. Some of them only try to get quick money by low-technical fraud, such as asking for credentials. Others use the phone communication capabilities for sending SMSs (transparent for the user) to premium numbers. However, in general data stealing and gaining access to the infected device is always the best “business” for a hacker, as it allows any kind of fraud: impersonation, blackmail, targeted attacks or selling stolen data.
Is mobile banking at risk from these threats?
It is indeed. In the past, banking apps started using 2-factor authentication for avoiding the risk of a computer being infected, using the mobile as the second channel. We have found malware targeting mobile for stealing this TAN number in order to make this 2-factor authentication useless. Yet, the real problem is that as we move from using PCs to using ONLY the smartphone for banking, we are back in the first scenario, where we do not have 2-factor authentication. With this, and as using a mobile device to access our banks increases, we will start to see malware for getting such credentials become more popular, as happened with the use of PCs.
Given that NFC operates at touch-level, could hackers personally steal important data, such as login details, by simply brushing against another person?
For this to be possible there should be a remotely exploitable vulnerability in the NFC protocol that allows this data stealing. This could be possible, but it is quite unlikely. In my opinion this would be more a curiosity than a real threat. We should always take into account what the method for the attackers is to reach more victims faster, and NFC is not the protocol.
In terms of numbers, how do you see the future, for all smartphone platforms?
Smartphones and other gadgets such as tablets are the present and the future. On one hand, these devices have opened the door to the digital world for a large part of the population (the ones who didn’t want to approach a PC for being complicated); on the other, even old PC users are eventually spending more time with the new gadgets and less with the old ones. So they are the future.
From the security point of view, this means they are the new objective for cybercriminals, so we should be aware of anything new that comes into the smartphone security world.
Viruses and malware aside, in your opinion, which smartphone operating systems will rise, and which will fall?
There are three major players now that I believe will stay for a long time: Android, iOS and Windows. None of them are likely to disappear in the next few years, as it is not likely that any new major operating system will appear. As such, if we take a look at the computer world, we have a similar scenario, and we have had it for years: Windows, Linux/Unix flavors and MacOS. Both worlds are related, all the big manufacturers are signing contracts with either of the big players, and Google, Microsoft and Apple are probably the three biggest technological companies in the world.
Therefore, apart from my personal preferences, I believe these three operating systems are here to stay for a few years – no new players are expected.