M.S. Obaidat, J.L. Sevillano, and J. Filipe (Eds.): ICETE 2011, CCIS 314, pp. 217–232, 2012. © Springer-Verlag Berlin Heidelberg 2012

On the Feasibility of Malware Attacks in Smartphone Platforms

Alexios Mylonas*, Stelios Dritsas, Bill Tsoumas, and Dimitris Gritzalis

Information Security and Critical Infrastructure Protection Research Laboratory, Dept. of Informatics, Athens University of Economics & Business (AUEB), 76 Patission Ave., GR-10434, Athens, Greece
{amylonas,sdritsas,bts,dgrit}@aueb.gr

Abstract. Smartphones are multipurpose devices that host multiple and heterogeneous data. Their user base is constantly increasing and, as a result, they have become an attractive target for conducting privacy and security attacks. The attacks' impact increases when smartphone users tend to use their devices both for personal and business purposes. Moreover, application development in smartphone platforms has been simplified, in the platform developers' effort to attract more developers and increase their platforms' popularity by offering more attractive applications. In this paper we provide a comparative evaluation of the security level of well-known smartphone platforms, regarding their protection against simple malicious applications. We then study the feasibility and ease of smartphone malware development by average programmers via an implementation case study. Our study proved that, under certain circumstances, all examined platforms could be used by average developers as a privacy attack vector, harvesting data from the device without the users' knowledge and consent.

Keywords: Smartphone, Security Models, Malware, Evaluation Criteria.

1 Introduction

Smartphones are some of the devices that enhance Weiser's vision of ubiquitous computing [30]. Their small size, reduced cost, mobility, connectivity capabilities and multi-purpose use are some of the reasons for their pervasiveness [10].
Malicious software or malware [1], [3], [15] has also appeared in smartphone platforms [12], but initially their occurrences and severity were limited. Nonetheless, recent reports show that the risk of malicious application execution on smartphones is severe and contingent [2], [17]. Moreover, smartphone use extends the infrastructure perimeter of an organization, thus amplifying the impact and risk of malicious applications [28], especially when users bring their own smartphones into the corporate premises [22].

Apart from the increasing smartphone sales [10], the annual downloads of smartphone applications from application repositories are also on the rise. According to [9], the total application downloads - since 2008 when the first application repository, the

* Corresponding author.