Smartphone security below par, says EU agency

Smartphone security is not what it ought to be as popular apps are increasingly targeted by cyber attackers, according to a report by the European Network and Information Security Agency (ENISA).

Smartphone sellers and app developers need to do more to prevent malicious software or malware from creeping into phones and stealing users' valuable data, argues the ENISA report.

Though computers are still a prime target for cyber attacks, smart phones are increasingly being breached by hackers. In 2011, malware disguised as a popular Android app infected thousands of phones.

There are many reasons why smartphone security is a matter of urgency. It is a booming market used by professionals, and there is an abundance of new app sellers like Amazon, Cisco, Microsoft and Nokia which develop apps for different operating systems.

"The stakes are high: consumers, government and business professionals use smart phones to store and process large amounts of confidential and personal data," reads the report.

Both consumers and developers are overly concerned with functionality at the expense of security, argues the agency, which lays out five steps to bolster smartphone security.

App stores should be able to remove malware from users' phones remotely and they should be using sandboxes, web servers used as testing sites for new technologies, to ensure the absence of malware.  

In addition, smart phones should have jails, meaning they should either prevent owners from using untrustworthy app stores or send out clear warnings about installing from unknown sources (the agency also warns against using jails as a way to stifle competition).

In recent years malware has become increasingly sophisticated. For example, the Zitmo or Zeus Trojan was discovered in February 2010 after it had captured SMS messages bearing users' bank transaction codes.

According to ENISA there are many versions of Zitmo for different types of smart phones, including Windows Mobile, Symbian OS and Blackberry. The malware is spread by first infecting a user's Windows PC and then asking them to type in their phone number.

In March this year, security company Symantec discovered that Google's Android apps were bundled and resold with malware attached that could take screenshots from people's phones and harvest sensitive data like bank details.

There were somewhere between 50,000 and 200,000 downloads during the four-day security breach, according to Symantec.

The ENISA report offers some glimmer of hope for smartphone users as malicious software is perhaps easier to detect on phones because it goes beyond denial of service common to the PC-operated world.

During its research, the agency identified several potential threats, such as when an app suddenly reveals sensitive data or gives a user privileged access to an app, or when a new data store suddenly appears without the user's authorisation. All of the above should alert the user that their phone is perhaps being tampered with by hackers.

Though less common than security breaches on PCs and laptops, smart phones are increasingly becoming targets of malicious attacks.

At the end of 2010, a Trojan – a kind of malware which disguises itself as a reputable programme – called Gemini infected smartphone users in China. It was disguised as popular games from unofficial app stores.
