August 2011
Table of Contents

Highlights
Research Methodology
Why Mobile Security is Important
Mobile OS Security Model Comparison
Platform Vulnerabilities and Patch Management
Mobile Threats
Mobile Malware Trends
What's Next?
Tips To Stay Safe
About Lookout
HIGHLIGHTS
o Both web-based and app-based threats are increasing in prevalence and sophistication. Android users are two and a half times as likely to encounter malware today as they were six months ago, and three out of ten Android owners are likely to encounter a web-based threat on their device each year. An estimated half million to one million people were affected by Android malware in the first half of 2011; the number of Android apps infected with malware grew from 80 in January to over 400 cumulative in June 2011. Attackers are deploying a variety of increasingly sophisticated techniques to take control of the phone, personal data, and money. Additionally, malware writers are using new distribution techniques, such as malvertising and upgrade attacks.
RESEARCH METHODOLOGY
The findings in this report are based on data collected and analyzed by Lookout through our Mobile Threat Network, which includes the world's largest database of applications and aggregates detection results from mobile devices throughout the world. The Lookout Mobile Threat Network gathers application data from a variety of sources, including official application markets such as the Android Market and Apple App Store, as well as alternative markets in which apps are distributed.
In June 2011, for the first time ever, people on average spent more time using mobile applications (81 minutes) than browsing the mobile web (74 minutes).[2]
1 Roberta Cozza, Forecast: Mobile Communications Devices by Open Operating System, Worldwide, 2008-2015, Gartner, April 5, 2011
2 Flurry (June 2011), Mobile Apps Put the Web in Their Rear-view Mirror: http://blog.flurry.com/bid/63907/Mobile-Apps-Put-the-Web-in-Their-Rear-view-Mirror
3 Erica Ogg, HP: Number of mobile apps doesn't matter, CNET News, June 29, 2011
As mobile devices grow in popularity, so do the incentives for attackers. Mobile malware, for example, is clearly on the rise, as attackers experiment with new business models by targeting mobile phones. Recently over 250,000 Android users were compromised in an unprecedented mobile attack when they downloaded malicious software disguised as legitimate applications from the Android Market.[4] The emergence of mobile payments is another key driver of mobile threats. The value of mobile payment transactions is projected to reach almost $630 billion by 2014, up from $170 billion in 2010.[5] Vendors, retailers, merchants, content providers, mobile operators, and banks are all actively establishing new payment services. Mobile payments create an attractive target for attackers, as they allow direct monetization of attacks. In addition to financial information, mobile devices store tremendous amounts of personal and commercial data that may attract both targeted and mass-scale attacks.
Every day hundreds of apps are added to the Android Market and Apple App Store.
iOS
On the device itself, Apple's iOS security model runs each third-party application in an isolated environment so that the application may only access its own data and permitted system resources. All third-party applications are granted access to the same data and capabilities on the device, with the exception of a few, such as location data and push notifications, which require a user to opt in for each application. In terms of app distribution, Apple's App Store for iOS utilizes a curated app review model in which all apps submitted by developers go through a manual review process with restrictions based on policies regarding issues such as data collection, API usage, content appropriateness, and user interface guideline compliance. This model is designed with the assumption that apps will only be downloaded from Apple's App Store, as some security restrictions are enforced during the review process but not necessarily enforced on the device itself. The assumption generally holds, as iOS devices prevent users from loading applications from sources other than Apple's App Store unless the device has been jailbroken. Jailbreaking is a process whereby the user can alter the phone's operating system to gain full access (or root access) to the operating system and allow applications not officially vetted by Apple, many of which take advantage of operating system capabilities otherwise restricted by Apple's review policies.

4 Lookout Mobile Security Blog (March 2011), Update: Security Alert: DroidDream Malware Found in Official Android Market: http://blog.mylookout.com/2011/03/security-alert-malware-found-in-official-android-market-droiddream/
5 Howard Wilcox, Mobile Payments Markets: Strategies & Forecasts 2010-2014, Juniper Research, May 2010
Android
Android has an operating system security model that supports its open application distribution model. In the Android OS security model, an application's capabilities are gated by permissions that the application declares when it is installed and that cannot be changed at a later time. When installing an application, users are presented with the list of permissions requested by the application and can determine whether the permissions are appropriate for the functionality of the app. Permissions allow applications to access specific data and capabilities on a device, including location, contacts, SMS messaging, identity information, and the ability to access the Internet. If an application's permissions seem overreaching, a user may choose not to install the app or may identify it as suspicious. While the Android permissions model enables developers to provide a broad range of functionality in their apps, it does rely on end users' ability to evaluate the permissions requested by an app at the time of installation.

In terms of app distribution, the Android operating system utilizes an open application distribution model that allows users to download applications from a variety of sources, including Google's Android Market, Amazon's Appstore for Android, carrier markets such as Verizon's V CAST network, and other alternative app markets. Android also has a setting, often referred to as sideloading, which enables or disables the capability to install applications from sources outside of the Android Market. Android enables multiple application distribution methods. For example, Amazon's Appstore for Android and Verizon's V CAST apps utilize a curated model with a manual review process similar to Apple's, while Google's Android Market is based on a community-enforced model where some security checks are performed when applications are submitted to the market, but it is expected that the community as a whole will participate in identifying malicious or otherwise undesirable applications. This allows Android developers to update their applications much more quickly than with the curated model.
DroidDream malware that emerged in the Android Market in the first quarter of 2011 utilized exploits for two vulnerabilities, Exploid[6] and RageAgainstTheCage[7].

6 C-Skills (July 23, 2010): http://c-skills.blogspot.com/search?q=exploid
7 C-Skills (July 15, 2010): http://c-skills.blogspot.com/
sandbox, gain root control of the operating system, and install applications without user intervention.[8] Similarly, JailbreakMe 3.0 for iOS devices is a non-malicious web page that exploits two vulnerabilities to jailbreak a device.[9]

As with PCs, software patches are used to fix vulnerabilities on mobile devices. In the PC world, common processes like patch management are relatively simple: software vendors deliver online updates to licensed users on a regular schedule or as needed. On mobile devices, depending on the nature of the vulnerability, a patch may be as simple as updating a single application or as complex as a firmware update that involves both the device manufacturer and the carrier. Critical vulnerabilities on mobile devices, such as kernel or web browser issues, often require a firmware update if they occur in software that is highly integrated into the operating system.

Given the differences in the mobile ecosystems, patch management processes vary by OS. In the case of Android, Google regularly produces updates to fix security vulnerabilities in the Android OS within days of discovery and pushes the fixes into the Android Open Source Project (AOSP). Next, it is up to device manufacturers to produce a device-specific firmware update incorporating the vulnerability fix, which can take a significant amount of time if there are proprietary modifications to the device's software. Device manufacturers typically pull the patch from the AOSP repository, merge in their modifications, and produce a new firmware update. This process is complicated by the fact that a single device model may need a large number of updates to support carrier-specific customizations. Once a manufacturer produces a firmware update, it is up to each carrier to test it and deploy the update to users. For users, the process to install an update is rather simple: they typically receive the update over-the-air (OTA) and confirm its installation.

On iOS, security updates typically require Apple to produce a new firmware build, an operator to test the firmware build, and a user to sync with iTunes to install the patch. Because there are fewer parties in the iOS ecosystem (Apple, operators, and users), firmware updates are typically made available more quickly to a broad base of users than with Android. To apply an iOS firmware update, users must sync with iTunes. Unfortunately, many users simply plug their iOS devices into an outlet to charge them and rarely sync. According to one report, as many as 50 percent of iPhone users do not regularly sync with iTunes and thus are unlikely to receive critical security updates.[10] This failure to sync means that many users do not apply updates, even though they may be available.

Both Google and Apple are taking steps to improve the state of patching on their respective platforms. The Android team has announced that it intends to enforce an 18-month minimum support cycle for all Android devices to ensure that devices receive software updates throughout their expected lifetime.[11] Apple has announced that its upcoming iOS 5 will support firmware updates downloaded over the air and will not require syncing with a computer to apply them.[12]
8 Lookout Mobile Security Blog (March 2011), Android Malware DroidDream: How it Works: http://blog.mylookout.com/2011/03/android-malware-droiddream-how-it-works
9 http://esec-lab.sogeti.com/post/Analysis-of-the-jailbreakme-v3-font-exploit
10 http://onefps.net/post/6496478249/50percent-of-iphone-owners-dont-backup
11 http://www.engadget.com/2011/05/10/google-clarifies-18-month-android-upgrade-program-details-far-f
12 http://www.apple.com/pr/library/2011/06/06New-Version-of-iOS-Includes-Notification-Center-iMessage-Newsstand-Twitter-Integration-Among-200-New-Features.html
This conflict of interest between vulnerability disclosure and the ability for people to fully control their own device poses a great security issue.
MOBILE THREATS
As with PCs, there are a variety of security threats that can affect mobile devices. We split mobile threats into several categories: application-based threats, web-based threats, network-based threats, and physical threats. For the sake of brevity, this list is intended to be a general overview of the most important mobile threats, not an exhaustive treatment of all possible threats.
Application-based Threats
Downloadable applications present many security issues on mobile devices, including both software specifically designed to be malicious as well as software that can be exploited for malicious purposes. Application-based threats generally fit into one or more of the following categories:
PRIVACY THREATS may be caused by applications that are not necessarily malicious (though they may be), but gather or use more sensitive information (e.g., location, contact lists, personally identifiable information) than is necessary to perform their function or than a user is comfortable with.
Web-based Threats
Because mobile devices are often constantly connected to the Internet and used to access web-based services, web-based threats that have historically been a problem for PCs also pose issues for mobile devices:
PHISHING SCAMS use web pages or other user interfaces designed to trick a user into providing information such as account login information to a malicious party posing as a legitimate service. Attackers often use email, text messages, Facebook, and Twitter to send links to phishing sites.
Network Threats
Mobile devices typically support cellular networks as well as local wireless networks. There are a number of threats that can affect these networks:
NETWORK EXPLOITS take advantage of software flaws in the mobile operating system or other software that operates on local (e.g., Bluetooth, Wi-Fi) or cellular (e.g., SMS, MMS) networks. Network exploits often do not require any user intervention, making them especially dangerous when used to automatically propagate malware.
WI-FI SNIFFING can compromise data being sent to or from a device by taking advantage of the fact that many applications and web pages do not use proper security measures, sending their data in the clear (not encrypted) so that it may be easily intercepted by anyone listening across an unsecured local wireless network.
Physical Threats
Since mobile devices are portable and designed for use throughout our daily lives, their physical security is an important consideration.
LOST OR STOLEN DEVICES are one of the most prevalent mobile threats. The mobile device is valuable not only because the hardware itself can be re-sold on the black market, but more importantly because of the sensitive personal and organization information it may contain.
TRENDS
Mobile security issues are present on all major mobile platforms, though threats affect each platform differently. In this report, we specifically focus on iOS and Android. Application-based threats affect both iOS and Android. Currently, malware and spyware have primarily targeted Android devices, though there are commercial spyware applications available for jailbroken iOS devices. According to our data, in June of 2011 Android users were two and a half times more likely to encounter malware than just six months ago. While malware has increased at a faster rate than spyware, Android users are still slightly more likely to encounter spyware than malware. Privacy issues affect both platforms. Web-based threats that carry over from the PC, such as phishing, generally do not discriminate by platform. iOS has been more notably affected by browser exploitation (although only in a non-malicious way, to jailbreak devices[13]), while Android has begun to see drive-by-downloads in the wild.[14] Based on the incidence of web-based threats in June 2011, approximately three out of ten people are likely to click on an unsafe link each year.
DIAGRAM 1
APPLICATION-BASED THREATS
In this section we explore some of the prevalent and emerging trends related to application-based threats, including distribution and functionality trends in malware and spyware, privacy issues, and application vulnerabilities.
DIAGRAM 2: Share of threats encountered, January 2011 to June 2011 (52% spyware, 48% malware).
Not only has malware grown more rapidly than spyware, there has also been a steady growth in the number of applications infected with malware, increasing from 80 to 400 unique applications in the first six months of 2011. Worldwide, the likelihood of encountering malware varies from less than 1% to more than 4% depending on country.
App types most frequently repackaged with malware include games, utilities and porn apps.
DIAGRAM 3 (x-axis: date)

DIAGRAM 4
In the next section, we examine malware and spyware trends in three important aspects: how attackers entice users to download; distribution methods; and capabilities.
Social Engineering: How Attackers Entice People to Download Malware and Spyware
People, obviously, do not purposefully download malware or spyware to their devices, so attackers must use techniques to mislead users into downloading it unknowingly. Once an attacker convinces someone to download a malicious app, then the technical hacking can begin.
DIAGRAM 5: Examples of legitimate apps repackaged with malware.
Gaming apps: BubbleBuster, repackaged with DroidDreamLight; Chess, repackaged with DroidDream.
Utility apps: Battery Saver, repackaged with GGTracker; Scientific Calculator, repackaged with DroidDreamLight.
Porn apps: a porn app repackaged with GGTracker.
Repackaged apps containing malware create a crisis of trust. To the naked eye, a legitimate app and a repackaged version often look the same, with the exception of their permissions. Apps repackaged with malware typically, though not always, require a greater set of permissions than the original app. In some cases, malware writers will pirate paid applications and make them available for free, injecting malware into the pirated version. The illustration in Diagram 6 details an example of the process used by malware writers to take legitimate apps from the Android Market, repackage them with malware, and introduce the repackaged versions into third-party app stores.
15 http://blog.mylookout.com/2011/05/security-alert-droiddreamlight-new-malwarefrom-the-developers-of-droiddream/
DIAGRAM 6: Legitimate Developer -> Android Market -> End User; a Malicious Developer takes the legitimate app, repackages it with malware, and redistributes it. Capabilities of the repackaged app: send location, send contact info, send and read SMS messages, place phone calls, silently download files, launch web browser, and more. The malicious developer can control the phone remotely and access the user's private information.
DIAGRAM 7 (fine print shown by a GGTracker variant): "User agrees by pressing Okay to sign up for premium SMS ringtone subscription service for $9.99 per month. User may cancel subscription at any time by replying to ringtone shortcode STOP. If user quits within 24 hours user will not be billed $9.99. User understands that tic-tac-toe app will message user's friends when a game is initiated by end user."

DIAGRAM 8
In another example (see Diagram 7), a version of GGTracker disclosed in fine print on a user interface dialog that charges would be made to the user's phone bill every month in the form of a premium SMS ringtone service in order to get access to the app, even though such services are likely entirely unrelated to the app's functionality.
UPDATE ATTACKS. Recently malware writers have begun using application updates as an attack method in the Android Market. A malware writer first releases a legitimate application containing no malware. Once it has a large enough user base, the malware writer updates the application with a malicious version. Because many users have their devices set to automatically update applications or will manually update whenever a new version is available, the update attack technique minimizes the amount of time malware is in the market before it is installed on a large number of devices. We first observed this technique being used in the wild by the creators of Legacy (a.k.a. DroidKungFu); an example can be seen in Diagram 8.
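The permission delta that both the repackaging process in Diagram 6 and the update attack above hinge on can be checked mechanically before a build is trusted. The following is an added example, not code from this report or from any of the apps it names: it parses the AndroidManifest.xml of an original app and of a candidate (a repackaged copy from a third-party market, or a newly pushed update of a previously clean app) and reports which permissions were added, which of those fall in a risk set, and whether the candidate registers an SMS_RECEIVED receiver at a priority high enough to see and abort the broadcast ahead of the messaging app. The two manifests, the package name com.example.bubblegame, the HIGH_RISK set and the priority threshold of 1000 are all constructed assumptions.

```python
"""Diff the permissions of an original Android app against a candidate build.

Added example, not code from the Lookout report or from any app it names.
The candidate may be a repackaged copy found in a third-party market or a
newly pushed update of a previously clean app. Both manifests below are
constructed samples (hypothetical package com.example.bubblegame).
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS
PRIORITY = "{%s}priority" % ANDROID_NS
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Assumption: the permissions that most directly enable the monetization and
# data theft described in the report (premium SMS, contacts, location, calls).
HIGH_RISK = {
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.CALL_PHONE",
    "android.permission.INSTALL_PACKAGES",
    "android.permission.RECEIVE_BOOT_COMPLETED",
}
# Assumption: a receiver priority at or above this is treated as an attempt
# to see (and abort) incoming SMS ahead of the messaging app.
HIJACK_PRIORITY = 1000

ORIGINAL_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bubblegame" android:versionCode="3">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>
"""

CANDIDATE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bubblegame" android:versionCode="4">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def declared_permissions(manifest_xml):
    """Return the set of <uses-permission android:name="..."> values."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME) for el in root.iter("uses-permission") if el.get(NAME)}


def sms_receiver_priorities(manifest_xml):
    """Return the android:priority of every intent-filter listening for SMS_RECEIVED."""
    root = ET.fromstring(manifest_xml)
    priorities = []
    for flt in root.iter("intent-filter"):
        actions = {a.get(NAME) for a in flt.iter("action")}
        if SMS_RECEIVED in actions:
            priorities.append(int(flt.get(PRIORITY, "0")))
    return priorities


def compare_manifests(original_xml, candidate_xml):
    """Summarize what the candidate build asks for beyond the original."""
    before = declared_permissions(original_xml)
    after = declared_permissions(candidate_xml)
    added = sorted(after - before)
    risky_added = [p for p in added if p in HIGH_RISK]
    sms_hijack = any(p >= HIJACK_PRIORITY for p in sms_receiver_priorities(candidate_xml))
    return {
        "added": added,
        "removed": sorted(before - after),
        "risky_added": risky_added,
        "high_priority_sms_receiver": sms_hijack,
        "suspicious": bool(risky_added) or sms_hijack,
    }


if __name__ == "__main__":
    for key, value in compare_manifests(ORIGINAL_MANIFEST, CANDIDATE_MANIFEST).items():
        print("%-28s %s" % (key, value))
```

The same comparison works for an update: feed the manifest of the version already installed as the original and the newly downloaded version as the candidate. A game whose update suddenly wants SEND_SMS, READ_CONTACTS and a boot receiver, and whose SMS receiver outranks the messaging app, is exactly the profile the report attributes to repackaged and updated malware, and none of that is visible from the app's icon or store listing.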
SHOTGUN DISTRIBUTION

Malware writers target both the official Android Market and alternative, geographically targeted markets. In many cases, attackers will publish a large number of apps across multiple developer accounts and multiple markets in order to maximize the number of users they infect. For example, the makers of DroidDream published over 80 unique applications with DroidDream and DroidDreamLight malware variations under a variety of developer names, while Legacy has been published in over 60 apps primarily distributed outside the Android Market.
DIAGRAM 9 (x-axis: date)
MALVERTISING, or malicious advertising, is another tactic used by attackers to lure people into downloading malware. Because legitimate developers commonly use in-app advertisements to gain more users, people are used to downloading apps via advertisements. In the case of malvertising, a malware writer buys mobile ads directing users to download malware from the Android Market or from a fake site designed to imitate the Android Market.
DIAGRAM 10: a malicious ad; clicking on the ad directs the user to a malicious web page.
GGTracker used malvertising to successfully encourage many people to download malware. In Diagram 10, the makers of GGTracker created an extremely vague ad, "Game Request", that looks like a notification and directs a user to a malicious website that imitates the Android Market and automatically starts a drive-by-download.
DIAGRAM 11
Malware Capabilities
In addition to trends in how malware and spyware get onto mobile devices, there are also emerging trends in what such applications do once they are installed.
Malware using premium-rate SMS messages began targeting U.S. users in early June with the emergence of GGTracker. Premium-rate SMS malware will also typically intercept any SMS messages from the SMS service to prevent a user from becoming aware of the charge. This type of malware has even been able to dynamically support multiple premium-rate SMS services. For example, GGTracker utilized over 15 different apps and 21 different SMS shortcodes.
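As an added example (not from this report), here is the kind of correlation a device-side log analyst would run to surface premium-rate SMS abuse of the sort described above: outbound messages to short codes from a package that is not the messaging app, followed by inbound replies from the same short codes that carry subscription wording and whose broadcast was aborted before the user could see them. The log format, the package names, the short codes and the message bodies are constructed; no real telemetry export has exactly this shape.

```python
"""Surface premium-rate SMS abuse from a per-device SMS event log.

Added example, not from the Lookout report. The log format is a
hypothetical telemetry export with one event per line:

    <time> <OUT|IN> <handling package> <number> <aborted 0|1> <body>

For inbound messages the package is the receiver that handled the
broadcast and "aborted" records whether it called abortBroadcast(),
which is how the malware described in the report hides the carrier's
subscription confirmation. All lines below are constructed.
"""
import re
from collections import defaultdict

MESSAGING_APP = "com.android.mms"  # assumption: the device's stock SMS app
SHORT_CODE = re.compile(r"^\d{4,6}$")
SUBSCRIPTION_WORDS = ("subscrib", "/mo", "per month", "reply stop", "premium")

SAMPLE_LOG = """\
2011-06-20T10:01:02 OUT com.android.mms +14155551212 0 see you at 7
2011-06-20T10:05:44 OUT com.example.batterysaver 41001 0 SUB
2011-06-20T10:05:52 IN  com.example.batterysaver 41001 1 You are subscribed to Ringtones $9.99/mo. Reply STOP to cancel
2011-06-20T10:06:10 OUT com.example.batterysaver 22400 0 JOIN
2011-06-20T10:06:19 IN  com.example.batterysaver 22400 1 Welcome! Premium pack $9.99 per month. Reply STOP to end
2011-06-20T11:30:00 IN  com.android.mms 32665 0 Your one-time code is 481516
2011-06-20T12:00:00 OUT com.android.mms 32665 0 BAL
2011-06-20T12:10:00 OUT com.example.weather 55123 0 WX 94107
"""


def parse_log(text):
    """Turn the constructed export into a list of event dicts."""
    events = []
    for line in text.splitlines():
        parts = line.split(None, 5)
        if len(parts) < 5:
            continue  # malformed line; skip rather than crash the sweep
        time, direction, package, number, aborted = parts[:5]
        events.append({
            "time": time, "dir": direction, "package": package,
            "number": number, "aborted": aborted == "1",
            "body": parts[5] if len(parts) == 6 else "",
        })
    return events


def looks_like_subscription(body):
    b = body.lower()
    return any(word in b for word in SUBSCRIPTION_WORDS)


def find_premium_sms_abuse(events):
    """Return {package: evidence} for non-messaging apps that talk to short
    codes and hide or receive subscription replies. One outbound SMS alone is
    not enough (legitimate apps do message short codes), so the verdict needs
    a hidden reply or subscription wording as well."""
    by_pkg = defaultdict(lambda: {"shortcodes": set(), "hidden_replies": 0,
                                  "subscription_replies": 0})
    for ev in events:
        if ev["package"] == MESSAGING_APP or not SHORT_CODE.match(ev["number"]):
            continue
        rec = by_pkg[ev["package"]]
        if ev["dir"] == "OUT":
            rec["shortcodes"].add(ev["number"])
        elif ev["dir"] == "IN":
            if ev["aborted"]:
                rec["hidden_replies"] += 1
            if looks_like_subscription(ev["body"]):
                rec["subscription_replies"] += 1
    findings = {}
    for pkg, rec in by_pkg.items():
        if rec["shortcodes"] and (rec["hidden_replies"] or rec["subscription_replies"]):
            findings[pkg] = {
                "shortcodes": sorted(rec["shortcodes"]),
                "hidden_replies": rec["hidden_replies"],
                "subscription_replies": rec["subscription_replies"],
            }
    return findings


if __name__ == "__main__":
    for pkg, evidence in find_premium_sms_abuse(parse_log(SAMPLE_LOG)).items():
        print(pkg, evidence)
```

The weather app in the sample also messages a short code but is not flagged, because nothing came back that it hid or that reads like a subscription; requiring both halves of the pattern is what keeps the check from tripping on legitimate SMS-based services. The count of distinct short codes per package is worth keeping in the output, since the report notes GGTracker rotated through 21 of them.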
BOTS are an emerging trend in mobile malware that, like their PC counterparts, communicate with and receive instructions from one or more command-and-control (C&C) servers, giving the malware writer remote control over all infected devices. Malware in the wild has supported a wide range of commands, including the ability to:
o send SMS messages
o copy SMS messages stored on the device to a server
o copy the contact list stored on the device to a server
o install an application
o remove an application
o dial a phone number
o open a web page
o change the list of C&C servers to connect to
Malware writers will typically obfuscate their code and use encryption to hide critical data such as the list of C&C server names. Bots also typically obfuscate or encrypt their network traffic to avoid being easily detectable. Typically, installing additional apps onto the device requires the user to click yes to the installation pop-up, though in cases where the malware exploits vulnerabilities (e.g. DroidDream, jSMSHider), a bot can install additional apps without any user knowledge or intervention.
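One practical consequence of the obfuscation described above is that the C&C host list rarely appears as a readable string in a decompiled sample. The following added example (not from this report, and not a decoder for any particular malware family) scores every string literal in a decompiled fragment by Shannon entropy and tests whether it decodes as base64 to printable text, which is enough to surface an encoded host list and a high-entropy key for manual follow-up. The Java-like fragment, the class and field names, and the host names are constructed for the illustration.

```python
"""Rank string literals in decompiled Android code by entropy and base64 shape.

Added example, not from the Lookout report and not a decoder for any real
malware family. Bot malware of the kind the report describes keeps its C&C
host list encrypted or encoded; scoring every string constant is a quick
way to find the candidates before reading the code that uses them. The
decompiled fragment, class and field names, and host names are constructed.
"""
import base64
import binascii
import math
import re

# Constructed C&C list, base64-encoded here so the snippet stays readable
# and the encoded constant is guaranteed to be correct.
_HOSTS_B64 = base64.b64encode(b"svc.update.example:cdn-stats.example:192.0.2.44").decode()

DECOMPILED_SNIPPET = r'''
public class Updater {
    private static final String TAG = "Updater";
    private static final String KEY = "Qw3$Er5^Ty7&Ui9*Op1!As2@Df4#Gh6%Jk8(Lz0)Xc-=Vb+[Nm]{";
    private static final String HOSTS = "__HOSTS_B64__";
    private static final String PATH = "/api/report";
    public void log(String msg) { Log.d(TAG, "sending " + msg); }
}
'''.replace("__HOSTS_B64__", _HOSTS_B64)

STRING_LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"')
BASE64_SHAPE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def shannon_entropy(s):
    """Bits per character; English prose sits around 4, random keys higher."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def try_base64(s):
    """Return the decoded text if s is base64 for printable ASCII, else None."""
    if len(s) % 4 or not BASE64_SHAPE.match(s):
        return None
    try:
        text = base64.b64decode(s, validate=True).decode("ascii")
    except (binascii.Error, ValueError):
        return None
    return text if text.isprintable() else None


def triage_strings(source, min_len=16, entropy_threshold=4.0):
    """Return suspicious literals, highest entropy first."""
    findings = []
    for literal in STRING_LITERAL.findall(source):
        if len(literal) < min_len:
            continue
        entropy = shannon_entropy(literal)
        decoded = try_base64(literal)
        if entropy >= entropy_threshold or decoded is not None:
            findings.append({"literal": literal, "entropy": round(entropy, 2),
                             "base64_decoded": decoded})
    findings.sort(key=lambda f: f["entropy"], reverse=True)
    return findings


if __name__ == "__main__":
    for f in triage_strings(DECOMPILED_SNIPPET):
        print("%5.2f  %s" % (f["entropy"], f["base64_decoded"] or f["literal"]))
```

Short literals such as "Updater" and "/api/report" are ignored by the length floor, the key surfaces on entropy alone, and the host list surfaces because it decodes cleanly. When the list is encrypted rather than encoded, the high-entropy hit is still the right place to start: the code that reads that field is where the decryption routine and its key will be found.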
children, and other targets can cost anywhere from a few to hundreds of dollars. The functionality in surveillance apps often includes the ability to gather phone call history, listen to actual phone calls, view browser history, track location, gather SMS message history, and more. Notably, many surveillance applications support Android as well as jailbroken iOS devices. These apps often have very legitimate use cases and are not always used maliciously.
DroidDream is malware that became available via the Android Market in Q1 2011 and has affected an estimated 250,000 mobile users to date.
DIAGRAM 12: DroidDream (top) and DroidDreamLight (bottom), monthly counts, March 2011 to July 2011 (x-axis: date).
Discovered in early March 2011, DroidDream is an example of malware that acts as a bot and uses two exploit payloads in its attempts to gain root access to infected devices. Once the malware exploits a device, it attempts to contact a remote server and accept commands. Since the initial discovery of DroidDream we've seen a variant, DroidDreamLight, emerge in late May 2011 that also acts as a bot but does not contain exploit code.[16] The makers of the DroidDream malware family have continued to publish new infected applications and we've seen over 80 unique instances to date (see Diagram 12).

16 http://blog.mylookout.com/2011/05/security-alert-droiddreamlight-new-malware-from-the-developers-of-droiddream

DIAGRAM 13 (x-axis: date)
Third, it is one of the first known instances of Android malware specifically targeting U.S. users, silently charging money to users' phone bills when it is installed, at $10 per service.
DIAGRAM 14: GGTracker prevalence (x-axis: date).
Previously, we had only seen this type of malware on Android target China and Russia. Finally, it's worth noting that GGTracker continues to employ a variety of distribution techniques to seed the market. The first apps infected with GGTracker used malvertising to direct users to the fake Android Market, but another wave of infected apps, appearing in early July (see Diagram 12), were found in the Android Market.
DIAGRAM 15 (June 15, 2011 to July 15, 2011; x-axis: date)
Privacy issues
Mobile devices now hold a rich set of personal information including location, browsing history, call history, text messages, contact lists, email, Facebook messages, the device's phone number, and unique identifiers that can be used for tracking. Apps can access personal data on the device, although the data available to apps differs between iOS and Android. Legitimate apps can use personal information to provide powerful features and benefits; however, the opportunity to misuse that information exists as well. Because they have the potential to access so much data on devices, many apps gather data without users being aware of its collection. In some cases, when a developer uses third-party advertising or analytics libraries, they are unaware of all the personal information accessed. Advertising and analytics libraries routinely gather sensitive data, and developers don't always pay close attention to the data collected by the ad or analytics libraries they incorporate into their applications. Several ad networks do a good job of informing developers what choices they can make as it relates to data collection to serve ads. On the other hand, a number of ad networks use IMEIs and other sensitive identifiers as a way to uniquely track devices, even though, most of the time, this tracking goal can be accomplished without transmitting sensitive data to a server.
17 https://www.mylookout.com/appgenome/
In the Lookout App Genome Project report published in February 2011,[17] we estimated that on iPhone 33.9% of free applications had the capability to access location and 11.2% had the capability to access contacts. On Android, we found that 28.2% of free apps in the Android Market had the capability to access location and 7.5% had the capability to access contacts.
App Vulnerabilities
Smartphone operating systems enforce strict security sandboxes to limit what applications can do, though even in the sandbox, applications can contain exploitable vulnerabilities. Because mobile platforms are new, often introducing new APIs and security models, even skilled developers aren't always aware of best security practices. While a number of security issues have come to light affecting both Android and iOS applications (e.g. leaking sensitive information to system logs, storing credentials in an insecure manner, improperly validating externally supplied data), one of the most prevalent issues is simple and is not unique to mobile at all: transmitting sensitive data without proper encryption.
Currently people have a 30% likelihood of clicking on an unsafe link per year on their mobile device based on detection rates from Lookout users.
DIAGRAM 16: Unsafe links, category breakdown: 60% phishing, 21% malicious, 19% compromised.
such as websites containing browser exploits are OS-targeted, which means that users viewing a PC threat from a mobile device will not be affected, though we expect more mobile-targeted attacks in the future. According to one study, mobile device users are three times more likely to succumb to a web-based phishing attack than desktop users.[19]
Approximately 1 in 20 users will click on a phishing link every year on Android devices based on current rates.
Physical/Network Threats
While web- and application-based threats have been on the rise for mobile devices, physical threats remain some of the most prevalent, and the barrier to entry for network threats continues to decrease.
LOST AND STOLEN MOBILE DEVICES are so common that Lookout locates a missing device every 5 seconds.
WI-FI SNIFFING is a technique where nearby attackers can get access to data transmitted to or received from a mobile device. Barriers to entry for Wi-Fi sniffing continue to drop as easy-to-use tools emerge. While these tools facilitate targeted rather than broad-based attacks, the increased use of free Wi-Fi in airports, cafes, and other public places has increased the likelihood that Wi-Fi traffic, including account information, can be intercepted. Firesheep[20] is a desktop browser plugin that monitors unencrypted Wi-Fi networks for nearby computers and mobile devices accessing popular web sites (e.g. Twitter, Facebook, Gmail) in an insecure way and allows an attacker to trivially hijack user accounts accessing those sites. Similarly, Faceniff[21] is an Android-based tool that also allows someone to hijack user accounts accessing popular sites on nearby PCs and mobile devices in an insecure way, by redirecting local network traffic through the phone (using a technique called ARP spoofing). While none of the techniques implemented by Firesheep or Faceniff are new, the ability for even a novice user to engage in point-and-click network hacking makes it more important than ever that popular sites stop using insecure network protocols.
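The following added example (not code from this report, from Firesheep or from Faceniff) shows both sides of the weakness just described: on the attacker's side, what a passive sniffer on an open Wi-Fi network can pull out of cleartext HTTP requests without any exploit, and on the server's side, the response-header check that makes the stolen material useless. It is also the concrete form of the "transmitting sensitive data without proper encryption" issue from the App Vulnerabilities section. The captured requests, host names, cookie values and the session-cookie name pattern are constructed assumptions.

```python
"""What a Firesheep-style sniffer gets from cleartext HTTP, and the server
headers that deny it.

Added example, not code from the Lookout report, Firesheep or Faceniff.
CAPTURE is a constructed list of frames as a passive sniffer on an open
Wi-Fi network would see them: "http" frames are readable, "tls" frames are
opaque. Host names, paths and cookie values are made up.
"""
import re

# Assumption: cookie names that usually carry an authenticated session.
SESSION_NAME = re.compile(r"sess|sid|auth|token|login", re.I)

CAPTURE = [
    ("http", "GET /home HTTP/1.1\r\nHost: social.example\r\n"
             "Cookie: sessionid=8f3c2a19; lang=en\r\n\r\n"),
    ("http", "GET /inbox HTTP/1.1\r\nHost: mail.example\r\nCookie: theme=dark\r\n\r\n"),
    ("tls", None),  # an HTTPS session: nothing usable for the attacker
    ("http", "POST /status HTTP/1.1\r\nHost: social.example\r\n"
             "Cookie: sessionid=8f3c2a19\r\nContent-Length: 0\r\n\r\n"),
    ("http", "GET /api/me HTTP/1.1\r\nHost: m.bank.example\r\n"
             "Authorization: Bearer eyJhbGciOi.constructed\r\n\r\n"),
]


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, lower-cased headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def parse_cookies(header):
    cookies = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies


def hijackable_sessions(capture):
    """Attacker's view: {host: {credential name: value}} seen in the clear."""
    found = {}
    for transport, raw in capture:
        if transport != "http" or raw is None:
            continue
        _, _, headers = parse_request(raw)
        host = headers.get("host", "?")
        creds = {n: v for n, v in parse_cookies(headers.get("cookie", "")).items()
                 if SESSION_NAME.search(n)}
        if "authorization" in headers:
            creds["Authorization"] = headers["authorization"]
        if creds:
            found.setdefault(host, {}).update(creds)
    return found


def audit_response_headers(headers):
    """Defender's view: what in a server response lets the hijack work.

    headers maps lower-cased names to a value, except "set-cookie", which is
    a list because one response may set several cookies."""
    problems = []
    for cookie in headers.get("set-cookie", []):
        attrs = [a.strip().lower() for a in cookie.split(";")]
        name = attrs[0].split("=", 1)[0]
        if SESSION_NAME.search(name):
            if "secure" not in attrs:
                problems.append("%s: missing Secure (browser sends it over plain HTTP too)" % name)
            if "httponly" not in attrs:
                problems.append("%s: missing HttpOnly (readable by injected script)" % name)
    if "strict-transport-security" not in headers:
        problems.append("missing Strict-Transport-Security (browser will still try http://)")
    return problems


WEAK_RESPONSE = {"set-cookie": ["sessionid=8f3c2a19; Path=/"]}
FIXED_RESPONSE = {
    "set-cookie": ["sessionid=8f3c2a19; Path=/; Secure; HttpOnly"],
    "strict-transport-security": "max-age=31536000",
}

if __name__ == "__main__":
    print(hijackable_sessions(CAPTURE))
    print(audit_response_headers(WEAK_RESPONSE))
    print(audit_response_headers(FIXED_RESPONSE))
```

Nothing in the attacker half is clever, which is the report's point: the session cookie and the bearer token are simply there in the frames for anyone on the same unencrypted network. The TLS frame yields nothing. On the defender side the Secure flag is the one that directly defeats sniffing, because the browser will then never send the cookie over plain HTTP; HSTS closes the remaining window where a user or a link starts at http:// before being redirected.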
WHATS NEXT?
Mobile threats are evolving quickly: sophistication that took decades to reach on the PC is taking just a few years on mobile. To predict where they are moving, it's important to analyze what dynamics are affecting their growth and to understand what will run the same course as PC threats and what will be different. Application-based threats are likely to continue to follow their existing platform distribution trends unless platforms significantly change their security or distribution models. Privacy issues and application vulnerabilities are affecting both iOS and Android platforms; however, malware and spyware predominantly target Android.
Malware
The mobile malware industry is currently in its startup phase, with attackers experimenting with different distribution and revenue models. As the industry matures, we believe that successful distribution and monetization patterns will emerge. The growth in malware prevalence will likely follow the malware industry's successful discovery and exploitation of these patterns. Emerging patterns include:
o Malware that acts as a botnet, exposing an array of remotely controlled device capabilities
o Abuse of premium-rate text messages
o Targeted attacks aimed at gathering sensitive data for commercial or political purposes
o Financial fraud as more mobile finance and payment apps emerge

20 http://codebutler.com/firesheep
21 http://faceniff.ponury.net/
In order to combat scrutiny in app stores, both in the curated and open models, we expect malware to engage in techniques to gain distribution while evading detection for as long as possible. Specifically, we expect to see growth in upgrade attacks, where a seemingly legitimate app is upgraded with malware, and in multi-stage attacks, where a seemingly legitimate app's behavior changes at runtime based on code or configuration downloaded dynamically from a server.
Vulnerabilities
Because vulnerabilities on mobile devices typically take a long time to patch, we predict growth in malware using browser exploits to infect both Android and iOS devices, as well as increased use of local privilege escalation exploits by Android malware to break out of the default security sandbox. Since the Android security model does not typically allow legitimate applications to act as root, if malware is able to gain root on a device, it can be very difficult to remove. Regaining control of the device in such cases can require a full firmware re-flash or leveraging an equivalent vulnerability to gain equivalent privileges. Identified application vulnerabilities will likely rise, and as more high-value applications such as payment and banking tools come into wide use, we expect exploitation of these vulnerabilities to become more prevalent.
Phishing
Application-based phishing attacks (e.g. fake login/sign-up screens) are very difficult for users to detect, as mobile devices tend not to have a secure location indicator for native applications that can be used to differentiate between a legitimate application dialog and an illegitimate one. As more people access sensitive accounts and services from their mobile devices, we expect to see an increase in phishing attacks launched from malware on devices. We expect web-based phishing attacks to remain prevalent in the future as more users move towards their mobile devices as a primary means of reading email and browsing the web. Just as many web sites have both mobile and desktop views, we expect an increasing number of phishing attacks to create both desktop and mobile views to maximize their effectiveness in convincing mobile users to enter information.
ABOUT LOOKOUT
Lookout is a mobile security company dedicated to making the mobile experience safe for everyone. Lookout delivers award-winning protection from the growing threats facing mobile users today including malware and spyware, phishing scams, data loss, and device loss. Lookout is cross-platform, cloud-connected and designed from the ground up to provide advanced protection for smartphones while remaining lightweight and efficient on the phone. With users across 400 mobile networks in 170 countries, Lookout is a world leader in smartphone security. Headquartered in San Francisco, Lookout is funded by Accel Partners, Index Ventures, Khosla Ventures and Trilogy Equity Partners. For more information and to download the application, please visit www.mylookout.com.