Criminals are using increasingly sophisticated techniques to secretly attack smartphones by planting malware and generating premium rate calls and SMS messages. Corporate users have become favoured targets of these mobile phone security threats
The conclusions come from a report by Dublin-based security company AdaptiveMobile, which provides services and products to 90% of the world's mobile telecommunications companies.
The company says that, while email spammers have seen their activities limited by better filtering techniques, mobile spamming and phishing scams offer criminals an easier route to making money.
Gareth Maclachlan, chief operating officer at AdaptiveMobile, said the main attraction of the mobile phone is that it has intrinsic value: It is either tied to a customer's account or holds a fund of money that can be spent.
"Every SMS the mobile sends can generate revenue if it goes through to a premium short code, and every call can generate revenue if it goes to a premium-rate number," he said. "It is now much easier for a criminal to do this. In the last 18 months, the barriers to entry have been lowered. Before, you would have to carry out a complex activity to break into the carrier's network and inject signaling. Now, you can get a pre-paid SIM for £10 and flood the network with cheap, unlimited SMS messages. So, just as email spam is virtually free to run, it is now almost free to send out masses of SMS messages."
The trend is already costing mobile operators a lot of money. Maclachlan cited the recent case of one mobile phone service operator that lost $10 million in just a few days. Thousands of its subscribers received messages that looked like genuine missed call alerts, and many of them called the number and received a voice message saying the number was busy and to call back later. What they did not know was that they were calling an international satellite phone service at $4 per minute.
By the time the customers received their bills and started to complain, per standard procedure the operator had already paid the satellite company on behalf of its customers, and so had to issue customer refunds out of its own coffers, leaving it with a huge loss.
Another growing problem identified by the report is the compound threat -- a more sophisticated attack using multiple elements -- that is sometimes combined with an attack on the user's PC.
One example of such blended attacks was Zeus MitMo, a virus discovered in October 2010. This malware was developed to defraud online banking customers, specifically those who had begun using a second channel (the mobile phone) to receive a one-time authentication code for increased security in online banking transactions. Developed to run on Symbian and BlackBerry platforms, the malware tricked the mobile user into installing it on his or her mobile phone, and then forwarding any authentication code sent to that phone by the bank to the attackers, who then have all the information they need to empty the account.
Maclachlan said the people running the scams are careful to avoid attracting attention to themselves. "In the mobile world, the infections will go to 50,000 or 100,000 subscribers on a network of several million. If each one of those handsets sends just one extra SMS a month, it will not be detected. But it can generate a lot of revenue over a few months," he said. "Most people will not have a virus on their phone, and those who do will probably never notice."
He added that business users tend to be a particular target. "We see very high infection rates in corporations, because most corporate users have the same handset for business and personal use. They have the same address books, so they trust messages coming from other parts of the company. And they never see their phone bill -- it's paid for them."
He predicts that the mobile operators will try to prevent threats at the network level rather than taking the more hands-off approach of many ISPs. "If the mobile operators pushed out antivirus to their customers' devices, it would scare users and would generate more customer care calls," Machlachlan said, "So operators are keen to solve security issues themselves at the network level."