Smartphone Security Follies: A Brief History
As smartphones have grown more powerful and complex, so have the threats against them.
This has become especially true as smartphones have evolved from tightly controlled enterprise-centric devices such as Research in Motion's BlackBerry series to consumer-oriented devices such as Android that run on open-source operating systems. These dangers were further hammered home last week when the Android Police blog revealed that a vulnerability in the Skype Android application could allow hackers to swipe users' email addresses, contact lists and chat logs.
[LATEST THREAT: Skype for Android leaks user data]
With this in mind, we thought it would be a good time to go over some of the highest-profile smartphone security follies of the past few years, whether they came in the form of application vulnerabilities or applications embedded with malicious code. As we go through the years, you'll see that threats to mobile devices have not only become more prevalent but also more complicated.
August 2006: Researcher creates first-ever BlackBerry Trojan
RIM made its name by developing well-engineered mobile devices that could securely deliver corporate email by routing it through the company's own network operations center. In 2006, however, security researcher Jesse D'Aguanno began poking holes in RIM's Teflon by creating the world's first piece of Trojan malware for BlackBerry devices. Demonstrating his creation at the Defcon hacker conference, D'Aguanno showed how he embedded the malware into a harmless-looking tic-tac-toe game download. Once the game was downloaded onto the device, the malware worked with a separate piece of code, called BBProxy, to launch attacks on enterprise networks.
D'Aguanno said he created the Trojan to serve as a heads-up to both RIM and BlackBerry users that they should be more alert to the potential dangers that lurk for mobile devices. Over the past five years, events have proven D'Aguanno's concerns to be accurate.
January 2009: RIM patches PDF vulnerability
Seeing how important PDF files are in the corporate world, RIM would have been negligent if it didn't incorporate them into its BlackBerry devices. Even so, the successful integration of PDFs into RIM devices and its BlackBerry Enterprise Server wasn't headache-free.
In 2009 RIM announced that "multiple security vulnerabilities" existed in some versions of the enterprise servers' PDF distiller that were released as part of its BlackBerry Attachment Service. The vulnerabilities could allow hackers to send users emails containing a "specifically crafted PDF file" that could cause memory corruption and "possibly lead to arbitrary code execution" of the computer hosting the attachment service.
November 2009: iPhone users get Rick Rolled
Stealing peoples' personal information is one thing -- but what sort of monster subjects unsuspecting iPhone users to the horrors of Rick Astley?
That's precisely what happened in late 2009, when the first-ever iPhone worm began forcibly changing users' iPhone wallpaper to a picture of much-loathed '80s singer Rick Astley. The worm was mostly a harmless prank written by an unemployed Australian programmer, but it was a sign of more sophisticated and dangerous iPhone worms to come.
November 2009: iPhone worm goes after banking codes
It only took two weeks for a copycat hacker to use the formula revealed by the "Rick Roll" worm to create a more malicious piece of code to build a botnet used for stealing data such as online banking credentials. The worm was apparently created by Dutch hackers and used a command-and-control strategy that is frequently used in PC-based botnets to steal data from infected devices. The worm only struck jailbroken iPhones, however, so the majority of iPhone users were not at risk.
December 2010: First-ever Android botnet malware surfaces
It was only a matter of time before hackers took advantage of Android's openness, and the world got its first taste of what an Android botnet would look like late last year when researchers discovered the "Gemini" malware that could be downloaded off third-party Android application websites. Lookout Mobile Security CTO Kevin Mahaffey said the code was wrapped in legitimate Android applications whose developers didn't realize their apps were being used to spread malware.
March 2011: DroidDream causes havoc on Android Market
Last month Google announced that it had to remove around 50 malware-infected applications from its Android Market and that it had activated an Android app kill switch that would remove the malicious apps remotely from user devices if they had already been downloaded. The so-called "DroidDream" malware debacle highlighted the downside of Google's "free love" approach to publishing applications, as it lets anyone put an app on the market and will only it down them down if alerted by a third-party user.
April 2011: Skype springs leaks
Skype, one of the most popular mobile VoIP applications out there, found itself the victim of self-inflicted wounds this month as one security research blamed "sloppy coding" for a vulnerability that could let hackers swipe key information from Android-based smartphones, including users' email addresses, contact lists and chat logs. The vulnerability was discovered by Android Police contributor Justin Case, who also first brought news of the DroidDream malware to light. Case said that the vulnerability occurred because Skype left personal contact files with "improper permissions, allowing anyone or any app to read them." Although Skype has said it will patch the vulnerability at an undetermined date in the future, Sophos security researcher Chet Wisniewski advised users this weekend to simply remove the application from their devices until Skype issues an updated version.
Read more about wide area network in Network World's Wide Area Network section.