Why the Feds are Getting the Mobile Threat Wrong

Yesterday, Public Intelligence – essentially a public repository of government documents – released a joint DHS-FBI report, “Threats to Mobile Devices Using the Android Operating System” (find it here).

Granted, the report has not been validated as official as we write this post, so it may well be a hoax. But assuming its authenticity, there is much to say about it.

The report calls out Android as a “primary target for malware attacks”, given that 44% of Android devices run Gingerbread (Android v.2.3.x), which is known to have numerous vulnerabilities. We have no qualms regarding that threat: as we constantly research new mobile malware and system vulnerabilities, there is no doubt that the volume of malware targeting that platform is increasing.

But then the report takes a wrong turn when presenting a short table describing the threats to the devices and mitigation steps. The problems:

• Understanding the threat. As a security threat, the table lists “Fake Google Play Domains”. Not quite: fake Google Play domains are not the threat, they are only part of the problem. The actual threat is the existence of malicious Android applications. These may be apps developed as malicious from the start, or fake apps riding on legitimate ones; in the latter case, malware authors or distributors repackage legitimate apps with the malicious functionality.

• Mitigation recommendations. The DHS/FBI suggest the “Carrier IQ Test” as the sole mitigation strategy for rootkits. But Carrier IQ is not the only rootkit out there. Additionally, there are different types of malicious apps which act as spyware, logging all user activity from email access to eavesdropping on phone conversations and recording the device’s surroundings. Examples include malware families such as DroidDream, DroidKungFu, GingerMaster and Pjapps, to name just a few.

I’m sure the feds have a mobile antivirus (AV) solution in place, or are at least considering one. Unfortunately, signature-based AV solutions won’t work against most of these mobile threats. AV might prove useful against mass-distributed malicious apps (think premium dialers) but not against the real threat of spyware and rootkits. These types of malware are much more sophisticated and can easily bypass such solutions. Just last month, a TIME Tech survey showed that no AV vendor detected more than six of nine separate mobile spyware samples.

So what should be done? Consider the root of the problem: in order to perform nefarious activities, mobile malware needs to gain system privileges. It usually does this by exploiting an operating system vulnerability. However, no legitimate app should be trying to exploit a vulnerability. Detect that, and you have taken the first step towards detecting the malware. Of course, that still won’t provide 100% detection, and you should follow up with further analysis of app and even network behavior (e.g. calls to known C&C servers) for complete intrusion detection. But once you can determine that an external system component is exploiting a vulnerability, you are on the right path towards a secure mobile strategy.
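As an added illustration (not code from the original post), here is a small Python sketch of the two-stage approach described above: first flag a privileged process that descends from an app sandbox, then follow up on network behavior. It assumes a constructed `ps`-style process snapshot and a constructed connection log; the process names, uids and the C&C address are placeholders, not real indicators.

```python
import re
from collections import namedtuple

Proc = namedtuple("Proc", "user pid ppid name")
APP_UID = re.compile(r"^u\d+_a\d+$")   # Android app-sandbox uids look like u0_a57

# Constructed snapshot in the shape of an Android `ps` listing (USER PID PPID NAME).
SAMPLE_PS = """\
root 1 0 /init
root 120 1 zygote
system 380 120 system_server
u0_a57 1201 120 com.example.notes
u0_a88 1302 120 com.example.wallpaper
root 1410 1302 /data/data/com.example.wallpaper/files/helper
root 1415 1410 /system/bin/sh
"""

# Constructed outbound-connection records (app uid, destination), as a firewall
# or netd log might emit them. The C&C address is a documentation-range placeholder.
SAMPLE_CONNS = [("u0_a57", "198.51.100.5:443"), ("u0_a88", "203.0.113.7:8080")]
KNOWN_CNC = {"203.0.113.7"}

def parse_ps(text):
    procs = {}
    for line in text.splitlines():
        user, pid, ppid, name = line.split(maxsplit=3)
        procs[int(pid)] = Proc(user, int(pid), int(ppid), name)
    return procs

def app_ancestor(procs, pid):
    """Return the nearest app-uid ancestor of `pid`, or None if there is none."""
    seen = set()
    p = procs.get(pid)
    while p and p.ppid in procs and p.ppid not in seen:
        seen.add(p.ppid)
        parent = procs[p.ppid]
        if APP_UID.match(parent.user):
            return parent
        p = parent
    return None

def find_escalations(procs):
    """Privileged processes descended from an app sandbox. Zygote forks apps as root
    and then drops privileges, so the reverse direction (app -> root) is never
    legitimate; each hit is (origin app, privileged pid, privileged process name)."""
    alerts = []
    for p in procs.values():
        if p.user in ("root", "system"):
            origin = app_ancestor(procs, p.pid)
            if origin:
                alerts.append((origin.name, p.pid, p.name))
    return alerts

def find_cnc_traffic(conns, known):
    """Second stage: connections from any app uid to a known C&C address."""
    return [(uid, dst) for uid, dst in conns if dst.rsplit(":", 1)[0] in known]
```

On the sample data the first stage attributes both root processes to com.example.wallpaper, and the second stage ties the same app to the placeholder C&C address.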