The lack of adequate security on the majority of mobile devices makes them prime targets for malware that can turn smartphones and tablets into platforms for launching distributed denial of service (DDoS) attacks targeting corporate websites, similar to those that have recently plagued a number of large U.S. banks, according to analysts from a leading financial services research firm.
A recent study by Javelin Strategy & Research titled “10 Trends for Financial Services in 2013” found that only 33% of smartphones and 29% of tablets in use today have security software installed, leaving an estimated 102 million devices unprotected and at risk of being conscripted into large-scale denial of service attacks.
“The mobile device will provide a new attack vector that requires less technical prowess than those that recently brought FI [financial institution] websites to their knees,” wrote Al Pascual, an analyst with Javelin.
While the financial industry continues to battle mobile malware designed to pilfer funds and commit fraudulent transactions, researchers are seeing a trend toward strains that let attackers enlist infected devices in disruptive attacks, threatening an organization’s ability to do business through its online customer interfaces.
“Mobile malware is beginning to evolve from programs that are designed to fatten the hacker’s wallet to ones that support more esoteric goals. Popular hacking tools are being ported to Android which can be further ‘weaponized’ to infect mobile devices for use in DDoS attacks,” Pascual noted. “Considering the always-on nature of many devices, advances in processor design and the race to provide greater wireless network bandwidth, mobile devices represent an opportunity to replicate the success of the FI DDoS attacks of 2012 – this type of attack could conceivably generate the same volume of website-clogging traffic.”
One example of mobile-based DDoS malware is the “Android.DDoS.1.origin” Trojan discovered by Russian anti-virus vendor Doctor Web last year. The malware places a fake Google Play application icon on the infected device; launching it opens the real Google store, so the user notices nothing, while in the background the Trojan establishes communications with a command and control (C&C) server, which can then direct the device into a coordinated DDoS attack with instructions delivered by SMS message.
While the recent denial of service attacks against the banks were typically powerful in nature with high bandwidth usage, an increasingly popular variant is the “low and slow” attack targeting a web server’s application layer using less than 1Gbps of bandwidth. That volume falls below the thresholds of bandwidth-based monitoring, which makes such attacks harder for organizations to identify and mitigate.
Infected mobile devices would be ideal tools for these types of DDoS attacks, and they create a scenario in which blocking malicious traffic becomes even harder: the attack could not simply be isolated by region of origin, because the traffic would come from the same locations as the organization’s primary customer base. Defending against such attacks could end up disrupting customer access to the targeted websites as much as the DDoS attacks themselves.
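The two points above, that a low-and-slow attack stays under bandwidth alerting thresholds and that it cannot be cut off by region without cutting off customers, can be checked against a handful of web server log lines. The Python below is an added example, not code from the article, from Javelin or from any vendor mentioned; the log format and the sample entries are constructed for illustration, the regions are assumed labels, and the detection thresholds (30 seconds, 64 bytes, 3 hits) are assumed values a defender would tune to their own baseline.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample access log for this example (not real traffic). Assumed line format:
#   <offset_s> <client_ip> <region> "<request line>" <status> <bytes_sent> <duration_s>
# 203.0.113.x are legitimate customers; 198.51.100.x are infected devices holding
# connections open for ~2 minutes while sending almost nothing (a Slowloris-style pattern).
SAMPLE_LOG = """\
0.0 203.0.113.10 US-NY "GET /login HTTP/1.1" 200 5120 0.12
0.4 203.0.113.11 US-NY "POST /api/transfer HTTP/1.1" 200 2048 0.31
0.9 203.0.113.12 US-CA "GET /accounts HTTP/1.1" 200 7340 0.20
1.0 198.51.100.7 US-NY "GET /login HTTP/1.1" 408 0 120.0
1.0 198.51.100.7 US-NY "GET /login HTTP/1.1" 408 0 120.0
1.1 198.51.100.7 US-NY "GET /login HTTP/1.1" 408 0 120.0
1.2 198.51.100.8 US-NY "GET / HTTP/1.1" 408 0 118.5
1.2 198.51.100.8 US-NY "GET / HTTP/1.1" 408 0 119.0
1.3 198.51.100.8 US-NY "GET / HTTP/1.1" 408 0 120.0
2.0 203.0.113.13 US-NY "GET /statements HTTP/1.1" 200 9800 0.45
2.5 203.0.113.10 US-NY "GET /logout HTTP/1.1" 302 310 0.05
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)" (\d+) (\d+) (\S+)$')


@dataclass
class Entry:
    offset: float    # seconds since the start of the observation window
    ip: str
    region: str
    request: str
    status: int
    nbytes: int      # bytes sent to the client
    duration: float  # seconds the request occupied a server worker


def parse_log(text):
    """Parse the assumed log format above; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        offset, ip, region, request, status, nbytes, duration = m.groups()
        entries.append(Entry(float(offset), ip, region, request,
                             int(status), int(nbytes), float(duration)))
    return entries


def bandwidth_alert(entries, window_seconds, threshold_bps):
    """Volumetric check: average bits per second served over the window.
    Returns (bps, alerted). A low-and-slow attack stays far below any
    bandwidth threshold, so this check does not fire."""
    bps = sum(e.nbytes for e in entries) * 8 / window_seconds
    return bps, bps >= threshold_bps


def slow_clients(entries, min_duration=30.0, max_bytes=64, min_hits=3):
    """Application-layer check: clients with repeated long-lived requests that
    transfer almost nothing. Returns {ip: worker_seconds_consumed} for clients
    at or above min_hits; worker-seconds is the resource actually being exhausted."""
    hits = defaultdict(int)
    worker_seconds = defaultdict(float)
    for e in entries:
        if e.duration >= min_duration and e.nbytes <= max_bytes:
            hits[e.ip] += 1
            worker_seconds[e.ip] += e.duration
    return {ip: worker_seconds[ip] for ip, n in hits.items() if n >= min_hits}


def geo_block_collateral(entries, flagged_ips):
    """Share of the unflagged (presumed legitimate) requests that a block on every
    region containing a flagged client would also cut off."""
    blocked_regions = {e.region for e in entries if e.ip in flagged_ips}
    legit = [e for e in entries if e.ip not in flagged_ips]
    if not legit:
        return 0.0
    return sum(1 for e in legit if e.region in blocked_regions) / len(legit)


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    bps, alerted = bandwidth_alert(entries, window_seconds=60.0, threshold_bps=1e9)
    print(f"bandwidth: {bps:.0f} bps, alert={alerted}")
    flagged = slow_clients(entries)
    for ip, secs in flagged.items():
        print(f"slow client {ip}: {secs:.1f} worker-seconds held")
    share = geo_block_collateral(entries, set(flagged))
    print(f"geo-block collateral: {share:.0%} of legitimate requests")
```

On this sample the volumetric check sees a few kilobits per second and stays silent, while the per-client check flags both infected devices by the worker time they hold. Blocking their region would also drop four of the five legitimate requests, which is the trade-off the passage describes; per-client connection limits and request-completion timeouts are the controls that act on the behaviour rather than the origin.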
The solution? Of course there is no silver bullet, but much like security awareness campaigns over the last decade that sought to make PC users more proactive in their use of antivirus and firewall software, mobile users need to be made aware of the increased threats to their devices and the consequences of inaction. Manufacturers also need to step up the pace of vulnerability patching to stem the onslaught of mobile malware distribution.
“A knee-jerk response to continue the IT security arms race, should the scenario of mobile DDoS ensue, need not be inevitable,” Pascual said.