It is not new that people are referring to Bring Your Own Device (BYOD) as Bring Your Own Malware (BYOM). In 2012 alone, Android malware encounters grew 2,577 percent (for details, see Cisco’s Annual Security Report). Many organizations are struggling to keep up with the BYOD trend by allowing employees to bring their favorite gadgets to the office to increase productivity and employee satisfaction. However, they are also struggling to protect critical corporate assets, users’ data, and intellectual property on their employees’ mobile devices.

Stealing Your Banking Information and Your Corporate Intellectual Property Made Easy

The number of new mobile Trojans and malware is increasing every day. For example, the Carberp malware/Trojan can steal online banking credentials very easily from your phone or tablet. Carberp was first seen about three years ago, but now its source code is being sold in the underground scene at a very affordable price (US$5000 or less). Citmo.A (or Carberp-in-the-mobile) monitors incoming SMS to steal the mobile Transaction Authentication Number (mTAN) that financial institutions send to customers to validate online banking transactions.

Another example is SpyEye-in-the-Mobile (SpitMo), which is a couple of years old but is still a successful tool for cybercriminals to make money.

Mobile versions of FinSpy/FinFisher can allow miscreants to log incoming and outgoing calls; conceal calls to eavesdrop on the user’s surroundings; and steal SMS messages, contact lists, and phone/tablet media (for example, photos and videos).

Even Your Music Could Trigger Mobile Malware

Recent research has revealed very clever and nontraditional ways to trigger malware and malicious behavior in mobile devices by using sound/music. Yes, that’s correct—music! Researchers at the University of Alabama at Birmingham (UAB) demonstrated this new “exploitation concept” in a paper titled Sensing-Enabled Channels for Hard-to-Detect Command and Control of Mobile Devices. This means that cybercriminals could become good DJs very soon. In all seriousness, this is the start of clever ways that malware could be triggered remotely in mobile devices (outside of Bluetooth, NFC, and over IP).

The UAB researchers demonstrated a terrifying potential attack vector by developing Android applications that monitor the acoustic, visual, magnetic, and vibrational sensors built into modern mobile devices. The prototype applications listen for command and control messages on these channels, most of which would be indistinguishable from normal sounds or lights.

Mobile Botnets Are Here to Stay

Mobile botnets are becoming the new normal. Just like in traditional botnets, cybercriminals leverage mobile botnets with one main purpose—to make money. They make money through fraud, by either pumping ads onto your mobile device or selling your information to other spammers and criminal organizations. Miscreants can also steal users’ financial data, usernames, passwords, contact lists, schedules, emails, corporate intellectual property, etc.

Examples of mobile botnets are Rootstrap/Bmaster (also known as Android.Bmaster) and the MDK botnet (Android.Troj.mdk). The Cutwail and Kelihos botnets are also known to target mobile devices.

There are many different ways a mobile device can be compromised by a botnet or become part of a botnet:

  • SMS messages with malicious links sent to users
  • Coordination with PC/desktop botnets
  • Emails with spam links
  • Drive-by downloads
  • All the traditional ways that malware is spread (of course)

Cybercriminals have been known to hide mobile malware in legitimate apps and games such as Temple Run, Fishing Joy, and others. This makes it hard for a user to detect a “bad app.”

BYOD Security Guidance at Cisco Live

Every BYOD implementation is unique, and there is no one-size-fits-all solution, because each requires a balance between technology, policy management, and employee outreach and education.

Most Common BYOD Questions

The following are the questions CISOs, IT security management, and engineers most often ask about BYOD:

  • How do regulatory compliance, industry, and corporate culture factor into BYOD decisions?
  • What are the most critical steps to take during BYOD planning?
  • How should policy planning relate to the technology and tools of choice?
  • What are the strengths and weaknesses of mobile device management, identity-based approaches, and mobile-enabled applications?
  • What is the role of identity in a BYOD environment?
  • How can I maintain a secure remote access VPN solution in a BYOD environment?

All of these questions and many more will be answered in detail this week at Cisco Live Orlando. BYOD security is one of the hottest topics this year. I am personally delivering an advanced troubleshooting session for remote access VPN in BYOD scenarios (BRKSEC-3050) and leading several discussions regarding BYOD. However, you may also want to review and attend the following sessions:

  • BRKSEC-2045: Mobile Devices and BYOD Security—Deployment and Best Practices
  • BRKSEC-3044: What’s accessing my BYOD network and how do I keep the bad guys out?
  • COCEWN-3428: Inside Cisco IT: Beyond BYOD—The Post PC Era
  • PSOSEC-2001: BYOD: Management and Control for the Use and Provisioning of Mobile Devices
  • BRKSEC-3050: Troubleshooting Remote Access SSL VPN in BYOD Scenarios

I invite you to join me this week at Cisco Live and access detailed information about these sessions and many more at the Cisco Live 365 website. Choose Session Catalog, and then choose the appropriate tab (Sessions, Speakers, or Exhibitors) to search and learn more about Cisco Live. Session PDFs and videos are usually available within a week after a live event. For more information, check the home page announcements. While we do record a large number of sessions, not all sessions are recorded.
Omar Santos

Distinguished Engineer

Cisco Product Security Incident Response Team (PSIRT) Security Research and Operations