How drive-By downloads work on your smartphone
Attackers are adapting the popular and effective drive-by download method, popularized on PCs, for mobile devices, says Kevin Johnson, founder of information security consultancy Secure Ideas and author of Security 542: Web Application Penetration Testing and Ethical Hacking.
Drive-by downloads work by exploiting vulnerabilities in Web browsers, plug-ins or other components that work within browsers. Through a browser vulnerability, drive-by downloads dump an application onto the user's computer, such as fake anti-virus software -- malware that's masked as anti-virus software.
On a smartphone, drive-by downloads work differently, says Johnson, who is also a senior instructor with the SANS Technology Institute. "With an iPhone, I can't browse to a website and have it install an app on my iPhone. The iPhone is not capable of doing that, which is good," he says. "The problem is that the drive-by download model has changed to take that into account."
So instead of dumping an app onto your smartphone's OS, the infected website exploits a vulnerability in, say, the Safari browser and runs commands or packages within the phone's operating system to change the way it works, says Johnson.
"It's not installing the software, but it's still doing bad stuff to the phone," he adds. "It's considered jail-breaking or rooting the device."
How to protect your smartphone
IT departments can lock down corporate-owned smartphones so that employees can't install anything on them or browse to random websites. Securing employee-owned smartphones is obviously a lot more difficult. Johnson says companies need to emphasize awareness and make employees understand security risks. He also recommends mobile device management systems that restrict certain user activity.
One such mobile device management solution for "Bring Your Own Device" environments comes from Good Technology. Good Technology offers an application that smartphone owners can install on their devices, says Johnson. The software serves as a container for work-related activity on the phone. It basically separates the corporate work from the rest of the phone, says Johnson.
When an employee is ready to get onto the corporate network to check email or product inventory, for example, he simply launches the Good application, which prompts him to authenticate. "Everything that happens inside that app is segmented from the rest of the phone," says Johnson. "As the app is running, everything is there in memory. When you close the app, it saves everything else to a file that is encrypted. Attackers can't get to it. So if a drive-by download attacks a phone, it can't access any of the corporate stuff. It doesn't protect the device; it protects a company from an infected device."
The drawback to the Good Technology application, says Johnson, is that the user interface is different from the rest of the phone. "If you're used to the way Android does mail, the Good mail client works differently. It doesn't have the same feature set. A lot of users complain about that," he adds. "But if it's the difference between complaints from users and safety from drive-by downloads, then Good wins."
Meridith Levinson covers Careers, Security and Cloud Computing for CIO.com. Follow Meridith on Twitter @meridith. Follow everything from CIO.com on Twitter @CIOonline and on Facebook. Email Meridith at firstname.lastname@example.org.