We discuss malware in significant detail in Chapter 11 with a primary focus on personal computers. Many of those same concerns apply to mobile devices, with a few twists. We briefly address those issues here.
As our computing lives move more and more to mobile platforms, security becomes an increasing issue.
The recent rapid functionality enhancement of mobile phones driven by the population surge of smart phone platforms is expected to increase the security threat from mobile malware. The enhanced functionalities such as faster Internet access and standardized programming APIs provide an ideal breeding ground for malware development.20
On mobile and cellular platforms, the ultimate protection comes from the fact that you have to personally verify and be involved in the installation of software on your device, and that holds true for malware. You have to be involved for it to get on your device. If you’re appropriately informed and cautious, you can avoid most problems.
Nowadays, still a significant barrier for the known mobile malwares is that user interaction must be involved for those non-crash-purpose malwares. None of today’s mobile malwares are able to install stealthily without the users accepting the standard security warnings. Social engineering techniques, such as pretending to be a theme, a system patch, or a game installation, are widely used to tempt users to run malwares on mobile phones.21
We talk about phishing attacks in Chapter 12, which primarily involve email and web browsing to fool users into revealing personal information. One way in which cell phones differ from traditional personal computers is in the support of text messaging based on the SMS standard. As a result, SMS has become a point of access for phishing attacks.
SMiShing, a term coined by researchers for the McAfee security software firm, describes a form of phishing in which the bad guys send an SMS (short message service) message to a person’s mobile phone. The first such messages purported to come from dating-service Web sites. Victims would receive a message announcing that the site intended to charge them $2 a day unless they visited the URL listed in the message and followed the steps outlined there to unsubscribe from the service. Upon browsing to the URL (via computer), victims would get hit with drive-by downloads that installed Trojan horse software that subsequently would steal passwords and do other nasty things to the victims’ PC. … It’s impossible for a company to add charges to your bill, unless you knowingly signed up for its service and provided a cell phone number so it could send you messages. So if you get a SMiShing-style SMS message and don’t remember signing up for anything, just delete the message and ignore the instructions. The scare works because people visit the Web page without thinking twice about it.22