Q&A: The Threat of Malware to Mobile Phones

Richard R. Roscitt is the CEO of SMobile Systems. He keynoted at world-class forums and is regularly featured in leading business and industry trade print and electronic media, having appeared often on CNBC, Bloomberg TV, and CNN/FN. In this interview he discusses the threat of malware to mobile phones.

The security industry has been warning users about the threat of viruses on cell phones for years. Yet, despite all the warnings, a dangerous and widespread problem hasn’t materialized. What concrete evidence is there that cell phones are going to be the next big target?
Cell phones are becoming the new PCs. Enterprise users are now able to use their mobile phones for the exact same functionality that they previously needed to rely upon with their laptop or desktop PC. Only now, these tasks can be done from a much smaller device from virtually anywhere at any time. This is also true for regular consumers, who utilize their phones for banking transactions, online purchases, etc. It is certainly advantageous for hackers to take advantage of devices that are used for these purposes. Throw in the fact that these devices are multiplying at an incredible rate, usually do not have any security whatsoever and are now including Wi-Fi functionality and it is very easy to see how these devices are becoming the next big target.

The malware landscape has changed significantly in the past few years with authors becoming more professional and writing malicious code for profit. What can they gain from infecting cell phones?
An important concept to understand is that malware is simply software applications that are written for malicious purposes. The limitation of what malware can actually do is only limited by the creativity and knowledge of the developer writing the code and the technical functionality of the operating systems and applications for which the malicious application is being written. With PC-related malware, one of the biggest limitations actually has to do with getting the malware on the device and getting it on their undetected by the existing security applications, not whether something is actually possible or not.

With cell phones and other mobile devices, which generally do not have security applications installed, there really isn’t a threat that a malicious application would ever get detected – there’s literally nothing there to detect a malicious program. So, the biggest deterrents at this point are getting the malicious software onto the device and the malware writers obtaining the necessary skills to write the specific applications to achieve the functionality they desire. Keylogging, e-mail logging, browser redirection, remote control, uploading sensitive data, etc. are all possible. With more and more users utilizing their cell phones for Internet-related tasks, an attack vector is being created for these devices to become infected. So, what can be gained from infecting cell phones is very similar to what can be gained from infecting a PC, though PC’s have protection and most cell phones do not.

What kind of a threat is spyware to cell phones at the moment? What are the examples of cell phone spyware in the wild today?
Cell phone spyware today can capture e-mails and text messages, allow a remote user to silently turn the phone on to listen to whatever conversations are taking place in the area, and give the exact location of the phone via GPS. I believe that any reasonable person would consider this a considerable threat. There are at least half a dozen Internet sites that sell spyware for these devices and without antivirus/antispyware software to detect these unwanted applications, most cell phones are completely vulnerable to these attacks.

Is phone call encryption the answer to the majority of possible problems?
Today, many phone calls have at least a minimal level of encryption provided automatically by their cell phone network provider. In fact, it’s not uncommon to see 256-bit AES being used by network providers to encrypt phone conversations. While adding an additional layer of protection by utilizing a phone call encryption application can add a higher level of protection in areas where the inherent encryption is deficient and certainly for those working in government positions, this alone will not address threats from malware, direct attack, physical compromise, etc.

Don't miss