What To Do When Your Phone Gets Hacked …
My friend Mike’s Android phone had been acting strangely for a while. In the middle of the night, the phone would come alive. It would meander down various menu paths, send texts that were gibberish and start playing poker. Was it a bug in the operating system? Or had Mike been hacked?
We agreed that an Android with a gambling problem was not a good sign, but neither of us knew what to do. Mike took to locking down the phone, a Pantech Breakout, whenever it was charging to prevent it from buying poker chips, which may sound funny if it’s not your phone.
Then, one night, Mike forgot to lock the phone, and I caught it reading a Treasure Island ebook at 2 a.m. Around that time, the Android went on a shopping spree. Packages began showing up at our doorstep: an aluminum wallet, Beachbody’s P90X fitness program, and wrinkle removal cream.
It was clear that someone had taken control of the phone and gained access to Mike’s credit card. How did the intruder get in? And, more importantly, how could Mike throw him or her out and make sure he or she didn’t come back?
If you are among the millions of people with infected phones, you know that traditional law enforcement is of no use at all in responding to smartphone crime. You’ll probably end up doing what Mike did: cancelling your credit card, making a crime report online, deleting misbehaving apps and hoping for the best.
You might feel confused, helpless and a little angry, like we did. After all, it’s clear that people are making money from hijacking smartphones, from the hackers themselves to companies like Beachbody that are paying them. The problem could be addressed by following the money trail, but Beachbody and Telebrands, sellers of the Aluma Wallet, weren’t interested in returning our calls.
Since I had no way of following the money trail, I decided to try to follow the technology trail. I reached out to Chris Wysopal, co-founder and chief technology officer of Veracode, a company that specializes in application security testing.
Far from your ordinary chief technology officer, Wysopal has been fighting to help secure our digital world since the 1990s, when he became the seventh member to join the famed hacker collective known as L0pht Heavy Industries. In 1998, Wysopal and his hacker buddies gave the U.S. government a wake-up call when they testified before a U.S. Senate committee that they could bring down the Internet in 30 minutes. Four years later, Wysopal pushed the IETF, one of the Internet’s main standards-setting bodies, to adopt a responsible process for disclosing vulnerabilities. When the effort was rejected, he founded an industry group that brought together software vendors and security researchers to address the problem. He’s been recognized as one of the 100 most influential people in IT by eWeek, among other industry honors.
Lately, he’s been sounding the alarm about mobile apps. In a talk last spring at the RSA security conference, Wysopal noted that in 2010 there were already 10.9 billion mobile apps, a mind-bogglingly large number that is poised to increase by an order of magnitude over the next few years. Almost none of these apps has been subjected to a rigorous security review.
If you’ve downloaded an app, you could be at risk.
Here’s an excerpt from our Q&A covering the basics of what you need to know about mobile application security.
How are mobile phones getting infected?
The State University of North Carolina did a study on this called the Android Malware Genome Project and found that 86% of Android malware uses a technique called repackaging. With repackaging, you download a popular application, decompile it and then add a malicious payload to it. Then you recompile the application, and you submit it back to the public market with a slightly changed name.
So you download something called Zynga Poker and you upload it back up as Charlie’s Awesome Poker Version 2. It looks like a legitimate poker game. But the malicious payload executes. This is the number one way that malware is getting onto people’s devices. There is a slight variant of repackaging called updating, which means you add code that will grab a malicious payload at a later time. That is a little bit more flexible, because if security people discover your payload technique you can then change it.
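The repackaging described above leaves a fingerprint that a store or a reviewer can check for: an attacker who decompiles, modifies and resubmits someone else’s app cannot sign the result with the original publisher’s private key, so the lookalike carries a different signing certificate, and it usually declares permissions the original never needed (SEND_SMS for premium-text fraud, READ_CONTACTS for address-book theft). The triage script below is an added example, not code from the interview or from Veracode; the package names, labels, certificate fingerprints and permission sets it uses are constructed, and the allowlist of known publishers and the list of risky permissions are assumptions you would replace with your own.

```python
"""Triage a submitted Android app for signs of repackaging.

Added example, not code from the interview or from Veracode. Every
package name, label and certificate fingerprint here is constructed.
"""
from dataclasses import dataclass, field

# Constructed allowlist: the genuine publisher's package, signing-certificate
# fingerprint and the permissions its build actually declares.
KNOWN_APPS = {
    "com.example.zyngapoker": {
        "label": "Zynga Poker",
        "signer_sha256": "aa11" * 16,
        "permissions": {"INTERNET", "ACCESS_NETWORK_STATE"},
    },
}

# Permissions that turn an infection into money or surveillance: premium
# SMS, address book and location (assumed list, extend as needed).
RISKY_PERMS = {"SEND_SMS", "RECEIVE_SMS", "READ_CONTACTS", "ACCESS_FINE_LOCATION"}

# Words too generic to count as imitation of a known app's name.
_STOPWORDS = {"the", "a", "an", "of", "version", "free", "pro", "hd", "new"}


@dataclass
class AppRecord:
    package: str
    label: str
    signer_sha256: str           # SHA-256 of the APK signing certificate
    permissions: set = field(default_factory=set)


def _name_tokens(label):
    words = label.lower().replace("'", "").replace("\u2019", "").split()
    return {w for w in words if w not in _STOPWORDS and not w.isdigit()}


def lookalike_of(record):
    """Known package whose label shares a distinctive word with this app's label."""
    mine = _name_tokens(record.label)
    for pkg, known in KNOWN_APPS.items():
        if mine & _name_tokens(known["label"]):
            return pkg
    return None


def repackaging_findings(record):
    """Reasons this submission looks like a repackaged copy; empty list means none."""
    findings = []
    original_pkg = record.package if record.package in KNOWN_APPS else lookalike_of(record)
    if original_pkg is None:
        # Not imitating anything we know; still surface dangerous permissions.
        for perm in sorted(record.permissions & RISKY_PERMS):
            findings.append(f"requests risky permission {perm}")
        return findings
    original = KNOWN_APPS[original_pkg]
    # A repackager cannot sign with the publisher's private key, so a name or
    # package that matches a known app under a different signer is the core tell.
    if record.signer_sha256 != original["signer_sha256"]:
        how = ("same package name" if original_pkg == record.package
               else f"name resembles {original['label']!r}")
        findings.append(f"{how} but signed by a different key than {original_pkg}")
    # Repackaged builds usually add permissions the original never needed.
    for perm in sorted((record.permissions - original["permissions"]) & RISKY_PERMS):
        findings.append(f"requests {perm}, which {original['label']} never needed")
    return findings


def is_likely_repackaged(record):
    return any("different key" in f for f in repackaging_findings(record))


# Constructed submissions: the genuine build and the "Charlie's Awesome Poker" copy.
GENUINE = AppRecord("com.example.zyngapoker", "Zynga Poker", "aa11" * 16,
                    {"INTERNET", "ACCESS_NETWORK_STATE"})
REPACKAGED = AppRecord("com.charlie.awesomepoker", "Charlie's Awesome Poker Version 2",
                       "bb22" * 16,
                       {"INTERNET", "ACCESS_NETWORK_STATE", "SEND_SMS", "READ_CONTACTS"})

if __name__ == "__main__":
    for app in (GENUINE, REPACKAGED):
        print(app.label, "->", repackaging_findings(app) or "no findings")
```

The signer comparison is the same rule Android itself enforces for updates (a new version must be signed by the same key as the installed one), which is why a copy under a new name is the attacker’s only route. The permission check also covers the "updating" variant only partially: a dropper that fetches its payload later may ship with a clean manifest, so dynamic review of what the app actually does at runtime is still needed.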
How do you know that your device has been compromised?
One big sign is that your device starts acting strangely. People get really in tune with their devices; for example, they know how often they need to plug in and recharge the battery. If it feels like something is weird about the device, it could be some malicious program running in the background. Unfortunately, most people can’t see what is going on over the network. If you were a security researcher or a digital forensics person, you would hook your device up to a WiFi network that you controlled, and you would watch the traffic your device is sending. You’d question suspicious behavior: Why is my phone sending my address book to an IP address in China? Or why are my GPS coordinates constantly being updated to these overseas websites?
Another way people detect that they’ve been infected is when unfamiliar charges appear on their bill. This is something that is unique to malware on the mobile device. Unlike a PC, a mobile phone is hooked up to an accounting mechanism. You either have a credit with your provider, or you pay as you go. That allows attackers to uniquely monetize their malware. They can send premium SMS text messages that actually cost you money and put money in the hands of the person who is writing the premium SMS service. They can make in-app purchases. The ease with which small bits of money can be stolen from lots of people makes mobile malware more dangerous.
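The traffic check Wysopal describes, watching what the phone sends from an access point you control, can be automated once the capture is reduced to one request per line. The script below is an added example, not code from the interview; the capture it scans is constructed to look like a summary of HTTP requests seen on such an access point, and the owner’s contact list, the expected-hosts allowlist, and the coordinates are all made up. It flags a request when the body contains the owner’s own contacts, when it carries a GPS fix, or when it goes to a host the owner did not expect.

```python
"""Scan outbound requests captured from a phone for data it should not be sending.

Added example, not code from the interview. The capture, contact list and
host allowlist below are constructed for the example.
"""
import re

# Constructed: the owner's address book, used to recognise it in outbound traffic.
MY_CONTACTS = {"5555550123", "5555550177", "5555550199"}

# Constructed: hosts the owner expects the phone to talk to.
EXPECTED_HOSTS = {"mail.example.com", "play.example.com"}

# Constructed one-request-per-line summary of a capture taken on a WiFi AP
# (time, destination, Host header, method, path, request body).
CAPTURE = """\
02:13:55 dst=203.0.113.9:80 host=cdn.example-poker.com POST /v1/contacts body=name=Jane+Doe&phone=5555550123&name=Tom+Lee&phone=5555550177
02:14:02 dst=203.0.113.9:80 host=cdn.example-poker.com POST /v1/loc body=lat=42.3601&lon=-71.0589&acc=12
09:30:11 dst=192.0.2.10:443 host=mail.example.com GET /sync body=
09:30:15 dst=192.0.2.20:443 host=play.example.com GET /store/updates body=
"""

LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) dst=(?P<ip>[\d.]+):(?P<port>\d+) host=(?P<host>\S+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) body=(?P<body>.*)$"
)
PHONE_RE = re.compile(r"\b(\d{10})\b")                    # 10-digit numbers
LATLON_RE = re.compile(r"lat=-?\d+\.\d+&lon=-?\d+\.\d+")   # a GPS fix


def parse_capture(text):
    """Turn the capture summary into a list of request dicts; skip unparseable lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def suspicious_requests(records, contacts=MY_CONTACTS, expected_hosts=EXPECTED_HOSTS):
    """Return an alert per request that leaks personal data or goes somewhere unexpected."""
    alerts = []
    for r in records:
        reasons = []
        leaked = set(PHONE_RE.findall(r["body"])) & contacts
        if leaked:
            reasons.append(f"address book: {len(leaked)} of my contacts in request body")
        if LATLON_RE.search(r["body"]):
            reasons.append("GPS coordinates in request body")
        if r["host"] not in expected_hosts:
            reasons.append(f"unexpected destination {r['host']} ({r['ip']})")
        if reasons:
            alerts.append({"time": r["time"], "host": r["host"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in suspicious_requests(parse_capture(CAPTURE)):
        print(alert["time"], alert["host"], "; ".join(alert["reasons"]))
```

On a real capture, requests sent over TLS hide their bodies, so the address-book and GPS checks only work for plain HTTP or when you route the phone through an intercepting proxy whose CA certificate you have installed on it; the destination check still works from DNS names and TLS SNI alone, and a phone that beacons to an unfamiliar host at 2 a.m. is worth a look even without the body.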
What are some basic things people can do to protect their devices?
One thing you can do is to try to keep the software on your devices up to date. That is actually really easy to do on iOS (the operating system for the iPhone, iTouch and iPad) and really difficult to do on Android, because you have three parties that have to approve a new version of the operating system (OS) before you can get it. There have been some studies that found a lot of people are on phones that can’t be updated and those devices have OS vulnerabilities in them that make them susceptible to an attacker. In these cases, people end up downloading malware that then uses the OS vulnerability to compromise the phone, for example, to make it part of a criminal botnet that can be used to carry out other attacks.
Which is more secure, Android or iOS?
From a malware perspective, typically, iOS is more secure for sure. There are a couple of reasons for that. Apple restricted the functionality that apps can do. For example, you can’t send premium SMS messages. Then there is the application review process. The Apple App Store review has always been far more stringent than Android’s. However, Android is making improvements and they are screening out more bad apps that are coming through.
From a privacy perspective, when you talk about apps that are leaking your personal information to ad networks or to the app developers like your GPS location or your contact book, that type of behavior is allowed by both iOS and Android. It’s not considered malware because the user might want that activity to happen. To me, one of the biggest challenges is to determine when an app is maliciously grabbing personal information and when it is doing something legitimate.
How big is this problem?
That’s really difficult to say. Some people claim everyone has an infected app on their device. Others say the problem is limited to third-party app stores, and if you go to the app store on iOS or Google Play, you’ll be safe. I think there are a lot of unknowns out there. It’s an ongoing area of research for us, and we are working on doing our own analysis of mobile apps to try and get a real handle on this. That is something we are going to be doing over the next couple of months.
Who is responsible for protecting users? The carriers? The operating system providers? The app makers?
Currently, no one has that responsibility. For example, let’s look at the model that we use for PCs. You may have a PC that is running Windows, but as soon as you download an application from someone other than Microsoft, Microsoft is going to say, “That’s not my application, I didn’t write that.” Meanwhile, your carrier is going to say it is just delivering what you wanted. Everyone is hands off because protecting users can be expensive.
Are there things that can be done?
Yes. I think that where we can control this is the app store by having really in-depth screening for all kinds of malicious behavior that apps can do. The challenge is that’s not really in the best interest of the platform provider because they want lots of apps in their app store. They are in a battle now to have more apps and to have better apps. Anything that slows that down is a challenge. But as a security person, I know the best place to put a review is in the app store.
For more information, you can review Chris Wysopal’s RSA talk.