Drive-by attacks targeting smartphones are in our future

A new study that has analyzed the behavior of 10,000 applications downloaded from the Android Market, shows that many mobile applications leak personal information and that mobile devices may be as vulnerable to drive-by downloads as PCs.

Some of the key findings of the research include:

842 of the 10,000 apps analyzed from Google’s Android marketplace were leaking private information. The apps transmitted International Mobile Equipment Identity (IMEI) and International Mobile Subscriber Identity (IMSI) numbers to remote servers, potentially exposing this personally identifying information to compromise. The leaks occurred most frequently when application developers used IMEIs as user IDs, enabling unrelated applications to compare notes on user behavior, and clone users’ phones.

Hashing IMEI numbers to protect privacy does not protect user privacy. While some mobile application developers seek to protect the personal IMEI data via cryptographic “hashing,” the Dasient security team found that the hashing techniques used on IMEI were relatively easy to circumvent.

Mobile drive-by attacks can become a very real and new threat vector for malware distributors. Smartphones have valuable information stored on them and they are increasingly being used for mobile commerce, including mobile banking and retail transactions. Mobile web browsers are as robust as their desktop counterparts, with JavaScript interpreters and third-party plug in support, which results in increased attack surface. Smart phones are using common software packages, and the vulnerabilities in them will definitely be misused over time.

While drive-bys on desktop PCs on the Web are very common, the ability to conduct mobile drive-by attacks is a new, and potentially attractive, method of deployment for malware distributors. To prove how easy it actually is, the Dasient security team prototyped a mobile drive-by attack for Android, which you can check out here (registration required).