A couple of articles I read yesterday about the FinFisher Trojan, “The SmartPhone Who Loved Me: FinFisher Goes Mobile?” and “From Bahrain With Love: FinFisher’s Spy Kit Exposed?,” forcefully brought home the point that malware attacks directed at mobile devices are maturing at a far more accelerated pace than they did in the desktop world.
Stuxnet, Duqu, Flame, Gauss and Shamoon, APTs directed at traditional endpoints, speak to the sophistication of the attacks and the actors orchestrating them (learn more from this webcast). The FinFisher Trojan, which was built using pieces of the FinFisher toolkit, has the ability to infect smartphones running Apple’s iOS, Google’s Android, Nokia’s Symbian, and RIM’s Blackberry operating systems.
The folks who were targeted (in this instance) received a simple email with images attached. They clicked on the attachments and then the malware did the rest. Simple but effective social engineering, tailored to satisfy our innate curiosity and hunger for information, started the process of getting this attack to take root. Pretty soon, these devices became broadcasting beacons for all of their voice calls, text messages, emails, data and GPS coordinates to the command-and-control servers that were listening.
To varying degrees, our smartphones contain most of our private information like photos and videos of our families and friends; contact information (including critical phone numbers and email addresses); a calendar of our important appointments and meetings; usernames and passwords; and financial, medical and work-related documents. As smartphones increasingly become an extension of our identity, the loss of personal information to attackers is not the only thing we have to worry about.
As we learn with frightening regularity about the growing prevalence of mobile malware that’s designed to steal our bank information, turn the phone into a bot to participate in a botnet attack, call premium SMS numbers, delete our data or brick the entire device, we now also have to concern ourselves with the seemingly random sequence of occurrences that we keep dismissing as figments of our overactive imaginations, and wonder if, in fact, someone is paying a little extra attention to us.
Earlier this year, Bit9 senior security researcher Dan Brown predicted that sometime in 2012 we would learn of the existence and use of an advanced persistent threat (APT) designed for a smart device. As much as I’d like to see him proven wrong, I have to agree that APTs for mobile devices are already here.