Malware, or malicious software, is software designed to infiltrate or damage a computer system. Examples of malware include computer viruses, worms, trojan horses, spyware, dishonest adware, scareware, crimeware and rootkits. Forms of attack can include attempts to read, alter, or destroy data or to compromise the computer's operating system to take control of the machine. The primary motivation for the development and use of malware is financial gain. In order to achieve the greatest impact, malware is typically created to target the devices and operating systems that have the greatest market share. As the number of mobile devices increases worldwide, there has been a dramatic increase in the number of malware variants that target these devices. Enterprise and consumer mobile devices are exposed to a record number of security threats, including a 400 percent increase in Android malware from June 2010 to January 2011 (Malicious Mobile Threats Report 2010/2011, Juniper Networks Global Threat Center).
In addition to standard attack vectors that pose a threat to traditional computer security, mobile devices are vulnerable to a wide variety of new exploits that hijack the microphone, camera and GPS as well. If malware has root access on a mobile device chances are it has access to email, banking credentials, contacts, and even the user's physical location.
Present anti-malware software for mobile devices relies on an architecture traditionally used by personal computers. This method uses signatures generated from rudimentary heuristic analysis to identify and defend against attacks. Mobile devices cannot support the CPU and memory intensive process of querying against tens of millions of malware signatures. Signature based anti-malware systems are essentially ineffective in detecting zero-day, or previously unknown, variants. Malware cannot be detected unless samples have already been obtained, a fine-grained manual analysis has been performed by a trained specialist, signatures have been generated, and updates have been distributed to the users. This process can take anywhere from hours to days, with some vulnerabilities remaining un-patched for years.
Due to the volume and increasing sophistication of malware, analysts must be prioritized based on the prevalence of the infection, the rate at which it spreads, the security impact, and the effort required to remove it. Malware analysts are trained to follow a three-step technique, which includes surface analysis, runtime analysis, and static analysis. This process begins with the most straightforward and least resource-intensive analysis and progresses to techniques requiring the most time and skill. Static analysis is the most effective technique for determining what the malware actually does, but this level of analysis is typically reserved for the highest priority malware because it is very expensive in terms of effort and resources.
The use of obfuscation techniques such as binary packers, encryption, and self-modifying code by malware writers renders static analysis seemingly impossible. When conducting a static analysis, the malware analyst relies on their individual experience. Based on this knowledge, they categorize samples into families so that new variants can be compared to malware that they have seen before. There is a shortage of malware analysts with this ability. Even at the US Computer Emergency Readiness Team, US-CERT, a trusted leader in cyber security, there are only a few people capable of doing this level of work (Building a Malware Analysis Capability, CERT, Jul. 12, 2011 Gennari et al.).
Malicious applications continue to be found on third-party websites and application stores. Many third-party sites host applications without due diligence. Google, Apple and Amazon application stores are employing a predominantly manual vetting process that is both ineffective and inefficient. An alarming number of malicious applications continue to be found in both the Google Marketplace and the Amazon Appstore. Malicious applications have become a persistent problem for Google, which has had to scrub the market several times. Due to alerts sent from a third-party, they pulled more then 50 applications in March 2011, 3-dozen in May and 10 more malicious applications in June.
The manual process of vetting applications is alienating legitimate developers who are becoming frustrated by how long it takes to have their application approved and released into the application stores. Additionally, developers are unable to perform proper regression, stability, performance, and security testing for quality assurance prior to submitting their application for distribution because few test environments exist for mobile operating systems.
Mobile carriers are in a seemingly endless battle against malware for network resources, operator revenues, and subscriber trust. They are charged with protecting consumer security while defending their core network assets from bandwidth consuming malware. Carriers face revenue losses attributed to malware including those that send unwanted or premium SMS messages, are used for denial of service attacks, or harm their customer's mobile devices resulting in subscriber termination.
Consumers are largely unaware of malicious or anomalous mobile applications, or applications, that are installed on their mobile devices. In order to protect themselves they are advised to research the publisher of an application, check application permissions, and to not install applications from third-party websites or application stores. The majority of consumers will grant applications permissions without consideration, and will not take the time to research the source.
Companies and government agencies often allow employees to use their own mobile device for work, increasing the threat that malware will make its way onto the enterprise network. The enterprise software programs traditionally reserved for the PC are now being released as applications that allow access to proprietary and financial information from both personal and company issued mobile devices. IT departments are at a significant disadvantage as the proliferation of mobile devices in the enterprise challenges the predominant security strategy of hardening the perimeter and controlling access to the internal network.