Accessing the Internet via a PC is quickly becoming passé and according to Gartner Research, the number of users accessing the Net via mobile phones will surpass those on PC’s by 2013. As more and more people use their mobiles as portable computers, it is only logical that hackers and malware will follow in an effort to capitalize on the criminal opportunities. Although mobile phone viruses and trojans have been around since at least 2004, as mobile phones evolve into powerful hand-held computers, the threat posed by mobile malware is vastly increasing in severity.
Since early 2006, it has been possible to remotely activate a mobile phone’s microphone, transforming the phone into an omnipresent eavesdropping device. As mobile phones add more features, including cameras, Bluetooth connectivity and GPS functions, they will become even more powerful tools for criminals to reach out and discover unsuspecting victims. For example, a stalker could remotely activate the camera and use the phone’s GPS coordinates to track an ex-girlfriend or celebrity.
An even greater threat might be the installation of a rootkit on the mobile phone’s operating system which could affect all parts of the phone, including its touch screen and even the number pad. Thus for example when a person thought they were phoning Citibank, might find their call had in fact been re-routed to an international organized crime group instead.
Given the wide use of foreign call centers by financial institutions, who would question a funny accent on the other end of the line when you spoke to your bank? The spoof would be relatively easy to perpetrate, as hackers would have access to all the widely available bank 800 phone numbers and could compare the number dialed by the legitimate user to any banks, thus rerouting the calls without the knowledge of the victim. By the end of the conversation, the criminal would have access to the victim’s personal and banking details and could use them to remove all funds from the account.
In certain regards, mobile phone may pose a more serious criminal threat to end users as many owners have the devices practically glued to their hip 24/7. Few, if any users employ antivirus, anti-spam or malware detection software on their phones. Furthermore, users carry mobile phones from the bedroom to the classroom to the boardroom and they are rarely ever more than a few feet away. As such, mobiles phones are the technical threat that users bring with them everywhere they travel, giving criminals and others with ill intentions constant and immediate access to their victims.
Though end-users may have the misguided impression that they alone turn on and off their smartphone’s camera, GPS and microphone, such is not the case. According to noted security expert Bruce Schneier, the US Department of Commerce has warned that “a cellular telephone can be turned into a microphone and transmitter for the purpose of listening to conversations in the vicinity of the phone.” An article in the Financial Times last year said mobile providers can “remotely install a piece of software on to any handset, without the owner’s knowledge, which will activate the microphone even when its owner is not making a call.”
As reported elsewhere on Future Crime, there have been a a wide number of attacks against smartphones recently, including phishing attacks against mobile banking sites and subversion of the “App Stores” via the submission of “crimeware” applications.
Moreover, some mobile phones are shipping with malware already installed on them. In March of 2010, an employee at Spanish antivirus firm Panda Security received a new Android-based Vodafone HTC Magic with a virus pre-installed. When the employee, Pedro Bustamante, plugged the phone in to his computer, he received a number of virus alerts warning him of the threat. The virus was intended to “phone home” for further instructions and would have stolen the user’s various credentials.
What is troubling in this case is that the phone shipped directly from the trusted mobile phone carrier, Vodafone. Though Vodafone initially described the incident as an isolated one, such was not the case. Further investigation sourced the malware threat to Vodaphone’s memory card supplier, which included a copy of the Mariposa botnet infection in a hidden directory on the phone’s mini-SD card. At least 3,000 mobile phones were known to have been pre-infected before the end-users ever had the chance to turn them on.
Even jailbroken iPhones have been recently reported to be infected by a malicious program known as “Duh.” The program served as the bot component and causes the phone to call back to a server located in Lithuania. “Duh” then provided the phone’s IP numbers and additional WiFi and 3G information, giving the phone its own unique identifier, which will allow the Duh botnet controllers to note the presence of the phone every time it connects to a network. At that point, the phone is fully part of the botnet and can be used for criminal purposes in the future.
The emerging trend of herding mobile phones to existing and new botnets is troubling, in particular given the vast number of telephone handsets around the world. The United Nations International Telecommunications Union has estimated that as of 2010, there are an estimated 5 billion mobile phone handsets in the world. Even if only a tiny proportion of them were to become infected, they would vastly add to the power and potential damage that could be caused by existing botnets, such as Cornficker.
Moreover, as noted above, if a criminal enterprise were able to gain widespread access to the cameras, mircrophones and GPS data of hundreds or thousands of phones at a time, they would be able to fully have situational awareness into all activities in a particular home, company or city-a frightening scenario. In light of the various criminal scenarios enumerated above, better security is required for mobile phone handsets. Given their growing numbers, their omnipresence in modern life and the clear lack of robust security features, our very own mobile phones are arming criminals with all the tools they need to ‘reach out and touch’ victims wherever they may be in the world.