Comment: Phone Hacking – Scandal, Spyware and Trust

Mobile malware malfeasance helped bring down the News of the World (Image courtesy of dutourdumonde/
Mobile malware malfeasance helped bring down the News of the World (Image courtesy of dutourdumonde/
Gareth Maclachlan, AdaptiveMobile
Gareth Maclachlan, AdaptiveMobile

The past several weeks have seen news break, almost daily, that another public figure has become an unwilling victim of ‘phone hacking’ by unscrupulous journalists. What is clear now is that the issue now reaches far beyond the illegal accessing of voicemail inboxes, as first thought. As the case continues and more security breaches come to light, it is apparent that the mobile ecosystem has a big challenge on its hands that, if not handled correctly, could be potentially damaging.

Over recent weeks several victims – from ex-Prime Minister Gordon Brown to sex blogger Zoe Margolis – have spoken out publically, claiming to have been on the receiving end of email malware from journalists or publications. This malware has been built and sent with the sole intention of illegally extracting personal information from the unwilling recipient’s computer or phone.

However, despite extensive coverage of voicemail hacking, and the rise of malware targeting mobile devices, little attention has been paid to who is responsible for protecting against and preventing these threats. While it is evident that the use of malware is increasing, in this case ‘spyware’, how exactly does mobile malware function, is it different from traditional malware, and what does it mean for mobile operators?

Malware can be built to target PCs, laptops, mobile phones and tablet devices, and it can be operating system (OS) agnostic. It is essentially a piece of malicious code that has been designed to, in this case, gather information that leads to privacy violations and unauthorized access to information.

Currently, the media is reporting cases on celebrities, politicians and other high-profile figures as the primary targets. However, any individual or organization that has information or data that might be of interest to reporters, competitive business or other interested third parties, could potentially be at risk.

"Network operators and the wider mobile ecosystem’s position as trusted brands no longer rests simply with competitive pricing or the newest handsets"

But what is the difference between mobile malware and traditional PC malware? Mobile malware is malicious software created specifically for smartphone platforms such as Android, Symbian, Blackberry and iPhone. It is quite similar to PC malware from five to 10 years ago – but the gap is closing fast.

The key difference is that people are more trusting of their phones than their PCs, so mobile malware has access to much more intimate information, including pictures, your phone book, text messages, emails and even voice calls. Beyond stealing information, mobile malware is capable of secretly making calls to premium rate numbers and signing up for premium SMS services that can end up costing subscribers a lot of money.

What we are seeing now is an increase in mobile malware, specifically spyware, which can remain undetected on the user’s device while forwarding on information such as location, contact details or copies of messages to a third party. Spyware is designed to go unnoticed and, as such, can be hard to detect, especially if the recipient isn’t necessarily technology savvy.

As the increase in smartphone usage continues, we are likely to see these kinds of threats continue to rise and also extend into new areas. For example, with illegal, downloadable SMS-hacking software available online, it is likely we will see increasing attempts to remotely access text messages – something that the mobile network operators are already working hard to prevent. However, while work is being done to ensure that such threats never reach devices in the first place, unless operators ramp up their security practices they risk losing out in the future.

Although mobile operators are more trusted than many other service providers, this trust hinges on those operators ensuring they can safeguard subscribers’ personal data and protect them from financial loss. Any operator that fails to do so risks serious reputational and financial damage if that trust is lost. As evidenced by the numerous news stories revealing flaws in Google’s Android system, network operators and the wider mobile ecosystem’s position as trusted brands no longer rests simply with competitive pricing or the newest handsets.

As trusted providers, customers are looking to their mobile operator to provide guidance and education, as well as protecting their data and wallet. Mobile network operators can either rise to the occasion and be seen as industry leaders in mobile security, or wait for others to lead the way and risk jeopardizing not only their customers’ personal data, but also their trust.

Therefore, with the growing number and complexity of mobile security threats being built for these gadgets, combined with the increasing penetration of ‘smarter’ devices, it is imperative that mobile operators ensure all subscribers are protected and remain one step ahead of the threats. Mobile operators must understand that traditional piecemeal approaches to securing networks are no longer adequate in coping with the increasing sophistication of attacks. Many operators are now taking proactive steps to ensure that this is the case, and those that hesitate risk losing subscribers to competitors that do.

Gareth Maclachlan is chief operating officer at AdaptiveMobile. Prior to founding AdaptiveMobile in 2003, Maclachlan was wireless investment director at global VC firm ETF Group, and principal consultant at PricewaterhouseCoopers (PwC), responsible for its UK e-business practice. He began his security career in the early days of computer viruses and now specializes in the increasingly sophisticated threats facing mobile computing devices and smartphones. Maclachlan has seen the cybersecurity landscape evolve from its beginnings and has led projects with the UK Home Office, National Criminal Intelligence Service, Interpol and the FBI to assess and respond to the emerging national threats from the internet. He has also been a board member for mobile marketing companies, and was involved in a joint venture with Kirch Gruppe on mobile entertainment.

What’s hot on Infosecurity Magazine?