While Jeff Schmidt, the CEO of JAS Global Advisors, was surfing the Web on his new Android smartphone (his first Android phone) earlier this year, what appeared to be an ad popped up on his screen. The "ad" looked like the prompt that appears when his phone rings. He clicked the button on the ad to pick up the putative call, and the ad began downloading a binary file--malware--onto his Android phone. Schmidt had been hit by a drive-by download, a program that automatically installs malicious software on end-users' computers--and, increasingly, smartphones--without their knowledge.
How Drive-By Downloads Work on Your Smartphone
Attackers are adapting the popular and effective drive-by download method, popularized on PCs, for mobile devices, says Kevin Johnson, founder of information security consultancy Secure Ideas and author of Security 542: Web Application Penetration Testing and Ethical Hacking.
Drive-by downloads work by exploiting vulnerabilities in Web browsers, plug-ins or other components that work within browsers. Through a browser vulnerability, a drive-by download dumps an application onto the user's computer, such as fake anti-virus software, which is malware masked as anti-virus software.
On a smartphone, drive-by downloads work differently, says Johnson, who is also a senior instructor with the SANS Technology Institute. "With an iPhone, I can't browse to a Website and have it install an app on my iPhone. The iPhone is not capable of doing that, which is good," he says. "The problem is that the drive-by download model has changed to take that into account."
So instead of dumping an app onto your smartphone's OS, the infected Website exploits a vulnerability in, say, the Safari browser and runs commands or packages within the phone's operating system to change the way it works, says Johnson.
"It's not installing the software, but it's still doing bad stuff to the phone," he adds. "It's considered jail-breaking or rooting the device."
How to Protect Your Smartphone
IT departments can lock down corporate-owned smartphones so that employees can't install anything on them or browse to random Websites. Securing employee-owned smartphones is obviously a lot more difficult. Johnson says companies need to emphasize awareness and make employees understand security risks. He also recommends mobile device management systems that restrict certain user activity.
One such mobile device management solution for "Bring Your Own Device" environments comes from Good Technology. Good Technology offers an application that smartphone owners can install on their devices, says Johnson. The software serves as a container for work-related activity on the phone. It basically separates the corporate work from the rest of the phone, says Johnson.
When an employee is ready to get onto the corporate network to check email or product inventory, for example, he simply launches the Good application, which prompts him to authenticate. "Everything that happens inside that app is segmented from the rest of the phone," says Johnson. "As the app is running, everything is there in memory. When you close the app, it saves everything else to a file that is encrypted. Attackers can't get to it. So if a drive-by download attacks a phone, it can't access any of the corporate stuff. It doesn't protect the device; it protects a company from an infected device."