With nine out of ten consumers using a mobile phone, security should be front of mind. Yet many consumers still have a fantasy that their handsets are secure.
We’re all wise to the risks our online antics pose to our security. We’ve learned not to trust emails from Nigerian bankers offering to share millions in exchange for a small upfront handling fee. We know our banks haven’t monitored fraudulent activity so they don’t need us to verify our account details by confirming personal information. Messages from DHL with attachments informing us about deliveries we’re not expecting don’t fool us into opening the document. We’re even wise to the links in emails that want us to visit websites and win prizes.
Why don’t they work? Because we’ve learned the hard way. When these scams first started circulating, people fell for the lies hook, line and sinker. Some of you will remember - or have heard about - the chaos caused in 2000 when people opened an attachment to find out who loved them and spread the “I Love You” worm as a result. In a single day it travelled around the world causing an estimated $5.5 billion in damages. It was a huge wake-up call and many organisations issued warnings to employees and instructions to make sure they never fell victim again.
So why aren’t people heeding the warning that malware has gone mobile and taking steps to protect themselves? The reality is there is a false sense of security surrounding mobile use, especially as victims currently are few and far between. But I’m here to dispel those myths and banish the fantasy.
Myth one: Mobile operating systems are sandboxed, so we’re safe.
Anyone that still believes this is true is living in fantasy land. We have already seen malware that attacks sandboxing – DroidDream is just one that recently made the headlines. It exploited a vulnerability in the Android operating system and obtained root privileges, downloading and installing additional arbitrary pieces of software, to assume virtually limitless control of the infected smartphone.
Myth two: Mobile applications are controlled.
Anyone that still believes Apple and Google are watching our backs has a serious case of loyalty overload. DroidDream was found in applications that were being sold through the Google app store, proving that the semi-closed, or walled garden, approach that’s supposed to protect our mobile devices and prevent malware from infecting the device is flawed!
The simple reason is Google et al want - and actively encourage - developers to create apps with just a $25 entry fee. It’s unsurprising that malware writers and spammers are happy to flex their muscles and get a piece of the action. Rogue developers all too easily can get permission or approval to upload their infected applications – that’s what they did with Droid Dream.
Google did act swiftly, patched the hole and removed it from the application store. But you can rest assured that the developers are looking for ways to obtain sufficient privileges to prevent Google from removing malicious applications from the infected devices in the future.
Myth three: There’s no money in mobile malware, so fraudsters aren’t interested.
Wake up people - we’re already in the middle of a third generation of financial malware!
•Zero generation had users unwittingly dialling premium numbers or sending SMS texts to services that charged them for the privilege.
•First generation was malware that employed simple tricks, for example, changing the host file of an infected device and redirecting the user’s mobile browser to a phishing site.
•Second generation has seen malware increasingly infect the mobile device that works in conjunction with malware already infecting the desktop. In case you’re not sure how this scam works, basically malware infects the mobile device and steals SMS verification messages and reroutes them to the fraudster.
With financial transactions, banks offer users additional security by sending authentication codes to the user’s registered mobile. However, if this is controlled by a fraudster, then there’s nothing stopping them completing financial transactions on your behalf. By the same token, that same mobile malware is controlled by the SMS channel so attackers can send SMS with commands that the malware would intercept and treat like controlling commands.
•Next generation mobile malware will actually attack the mobile device, focusing on mobile browsers or mobile applications themselves to abuse the current user’s session and commit fraudulent transactions, possibly even with the unintended aid of the user. While at the moment this might still be in the realms of myth, it won’t be long before it becomes reality. We’re just waiting for banks to introduce the services worth attacking. Fraudsters have all the tools they need to effectively turn mobile malware into the biggest customer security problem we've ever seen. They’re lacking one thing - customer adoption.
Banks are actively advertising their applications for people to download and use from their smartphone and tablets wherever, whenever. As the money trail becomes mobile, so will the attention of our new age of bank robber.
Stop the rot before the damage is done
I said at the start of this article that people need to heed the warning that malware has gone mobile and begin taking steps to protect themselves. As I’m sure you’ll agree, I’ve shown that it’s not only possible but is already happening. So it’s time to start affording your smartphone the same protection you do the PC.
DroidDream was preventable. Yes, Google should have identified the malware and prevented its download in the first instance. But that’s not what we mean - DroidDream actually exploited a vulnerability that had already been identified and patched. The problem unfortunately is 99 percent of Android users were still exposed because their smartphone had not been updated. We regularly update the operating software of our PCs - it’s time we afforded the same protection to our mobiles.
As online fraud is mostly a big numbers game, attacking mobile banking is not yet an effective fraud operation. But expect a change. In a year from now, this is all going to look completely different as more users start banking from their mobile phone and fraudsters release their heavy guns. You’ve been warned.