Mobile malware reinforces need for mobile hypervisors

At last year’s VMworld in San Francisco Stephen Deasy (Director, R&D, VMware) and Srinivas Krishnamurti (Senior Director, Mobile Solutions, VMware) announced VMware’s plans for a type II mobile hypervisor platform.  Three months later VMware and LG have announced a partnership to install VMware Mobile Virtualization Platform (MVP) on LG smart phones starting in 2011. While significant questions remain about the viability of this partnership, the need for a mobile virtualization solution cannot be stressed enough.

In December China Central Television reported that more than 1 million Chinese mobile phones were infected with malware that was costing its users more than $300,000 per day sending unauthorized text messages.  The data in the report was released by the Chinese National Computer Network Emergency Response Technical Team Center back in September, and since then a further 10 similar pieces of malware have been discovered suggesting that the current number of phones infected is probably significantly higher than the reported 1 million phones. This news follows an earlier report of the first text message-based Trojan to infect smartphones running Google’s Android operating system being detected in the wild. Trojan-SMS.AndroidOS.FakePlayer-A which poses as a harmless media player application has already infected a number of mobile devices according to Russian security firm Kaspersky Lab. The Trojan once installed sends SMS messages to premium-rate numbers without the users awareness, at least until the bill comes in.

Now a new threat has arrived in the form of a sophisticated Trojan that targets Android devices.  Dubbed “Geinimi” this  is the first piece of Android malware seen in the wild that displays botnet-like capabilities (the first mobile botnet running the WeatherFist application created by Derek Brown and Daniel Tijerina of TippingPoint’s Digital Vaccine Group was a harmless proof of concept).

Geinimi is spread through legitimate third-party Chinese Android applications that have been repackaged to include the malware. Users who allow side-loading of apps enable the exploit by approving the application installation which requests permissions above that required by legitimate versions of the applications. Once installed the compromised application appears to behave as normal while in the background the Trojan runs and collects personal information including location towards the notes and the unique identifiers of the phone and SIM card.  This information is then forwarded on to multiple remote servers. The Trojan also appears to include code that allows it to download and attempt to install applications from these remote servers.  However while Geinimi can remotely initiate application installation, the phone’s owner still needs to confirm the applications installation which provides some measure of protection against the creation of a fully functioning Geinimi botnet.

Mobile security firm Lookout provided a detailed description of Geinimi on its blog and offered some simple best practice guidelines on how to secure  an Android handset. And now it is Cisco’s turn to offer its perspective in its annual security threats report. Acknowledging the improvements that Microsoft with its much tougher stands on securing Windows 7, Cisco is now drawing attention to the security weaknesses of mobile devices calling attention to smart phones in general and taking the surprising step off calling out Apple’s iPhone, iPad and iPod by name, and stating.

Today’s cybercriminals have a powerful weapon at their disposal: the exploitation of trust. They have become skilled at convincing users that their infected links and URLs are safe to click on, and that they are someone the user knows and trusts. And with stolen security credentials, they can freely interact with legitimate software.

The worldwide adoption of mobile devices presents even more opportunities for intrusions and theft. While security researchers have identified many focused scams that target mobile devices, a widespread incident is almost certainly on its way.

Cisco stopped short of offering any concrete advice on how to address these concerns, limiting its position to observing that

In the classic enterprise organization today, no one truly owns—or wants to own—the mobility issue. This is actually part of the reason that the adoption of consumer-driven smartphones in the enterprise has been slow. When it comes to enabling these devices and making sure they are secure, no one is stepping up.”

which is hardly going to reassure enterprise customers.

Ultimately the only effective means of offering protection here is to require a mobile virtualization solution to isolate corporate data from the possible consequences of a user infecting their personal phone with any form of malware.   What still remains to be seen is whether or not adequate long-term protection can be offered by a type II hypervisor, or if increasingly sophisticated malware will require a type I hypervisor at some point in the future. However, until LG ships the first MVP phone the best advice is to follow Lookout’s advice and:

  1. Only download applications from trusted sources, such as reputable application markets. Remember to look at the developer name, reviews, and star ratings.
  2. Always check the permissions an app requests. Use common sense to ensure that the permissions an app requests match the features the app provides.
  3. Be aware that unusual behavior on your phone could be a sign that your phone is infected. Unusual behaviors include: unknown applications being installed without your knowledge, SMS messages being automatically sent to unknown recipients, or phone calls automatically being placed without you initiating them.
  4. Download a mobile security app for your phone that scans every app you download.
Posted in SDDC & Hybrid Cloud, SecurityTagged , , , ,