Attacks against mobile phone platforms on the rise


Mobile Device Madness

Media outlets around the country reported that Google had pulled 21 apps from its Android Marketplace, citing concerns over malware. Google moved swiftly to remove the malware-riddled apps from its online store; however, more than 50,000 Android users downloaded these applications before they could be taken down. Those numbers vary, and I have heard estimates as high as 200,000, but it’s really irrelevant. This has raised some serious concerns about Android’s distribution model and its relationship with carriers. But why hasn’t something of this magnitude happened on Apple’s online store yet?

Carrier vs. Creator

There are some important differences between iOS (Apple’s iPhone operating system) and Android that go beyond simple bells and whistles, namely how much control the carrier (such as AT&T or Verizon) has over each device’s operating system. In Android’s case, almost all carriers “reskin” or modify the base Android operating system in some way before making it available to consumers. This is done for a variety of reasons, from fine-tuning to get the best performance out of your phone to actually restricting certain features from functioning. Google updates and patches the core Android operating system regularly; however, if the operating system has been modified by a carrier, the carrier may not incorporate Google’s updates into its version of the OS for several more months.

By contrast, Apple iOS is maintained, updated, and deployed by Apple through iTunes. Even though carriers such as Verizon and AT&T can add specific carrier settings and functions, updates are deployed by Apple. This means that when you receive an update for your iPhone, it will include fixes for vulnerabilities and exploits that have been reported in iOS. The malware bundled with Marketplace apps took advantage of vulnerabilities in the underlying Android operating system. These were patched by Google, but the patches had not yet been deployed by the carriers. In other words, Google acted responsibly by removing the infected applications, but the carriers did not update their versions of Android quickly enough.

Application Approval

The other contentious issue right now is the approval process for applications before they make it onto the Android Marketplace or App Store. On the one hand, Apple reviews each individual application before it is allowed onto the App Store. The argument from Android proponents is that Apple doesn’t perform a source code review of most of these applications, and that Apple has too much control over what users will ultimately have access to. I don’t know about you, but with tens of thousands of apps available on the App Store, I don’t think users are really hurting as badly as Android fanboys would have you believe. On the other hand, because there is almost no review process for apps making their way onto the Android Marketplace, there are more opportunities for malicious coders to slip back doors, malware, or botnet clients into Android apps.

Botnets? On my phone?

The scary part is that we haven’t yet seen the worst that these bad guys have to offer. This week’s incident has the hallmarks of a full-scale botnet operating on mobile phones. Botnets infect unsuspecting users’ PCs and connect them back to Command and Control (C&C) servers located on the Internet. These servers are usually hacked or compromised systems themselves, residing on corporate networks. The C&C servers issue orders to the end-user systems (known as Zombies), forcing them to take part in coordinated denial of service attacks or simply to hand over personal information and account numbers.

It’s hard to see a future where mobile phones aren’t just as susceptible to malware and compromise as standard PCs, and that future may already be here. I’m not suggesting that the same thing isn’t possible on iOS; however, there has yet to be an incident of this scale or magnitude reported on Apple’s iOS. Hopefully Google will scrutinize its review and vetting process for Android apps, so that more of this malware is caught before it makes it to market. Whether it’s 50,000 users or 500,000 users, a single privacy breach is one too many.

More like PCs every day

As with anything, there are steps that users can take to avoid downloading malware in the first place. For starters, try to obtain software only through sanctioned software outlets such as the App Store or the Marketplace. Additionally, make sure the apps you’re installing are from reputable developers or publishers. Chillingo, NGMoco, EA and Gameloft are some publishers that you have probably already seen before, and are known for releasing quality products. Check with your online store regularly to see if new updates have been issued for the applications you have running, and try to install operating system updates as soon as they become available. Most of the same rules of PC computing apply to your mobile devices, and as the line between PCs and mobile devices increasingly blurs, we will need to become even more cognizant of what we install on our phones.
