Subscribe

Mobile malware on the rise

Admire Moyo
By Admire Moyo, ITWeb's news editor.
Johannesburg, 03 Apr 2012

Threats posed by mobile devices are increasing at a tremendous rate, as fraudsters are becoming more successful in infecting hundreds of thousands of these devices.

So say security experts, who also point out that hackers and criminals are increasingly targeting mobile devices to steal banking information because consumers are moving more and more of their banking and shopping activities onto these devices.

To exacerbate the situation, according to the findings of a 2011 study by digital forensics and security firm viaForensics, 25% of mobile banking apps tested are not adequately secure, with banking details being easily retrieved from them.

Wilter du Toit, CEO of Virtual Mobile Technologies, says solutions that are available to secure apps - such as USSD, mobile Web and HTML5 - do not provide adequate protection from threats.

Denis Maslennikov, senior malware analyst at Kaspersky Lab, says that, in August 2010, Kaspersky Lab identified the first Trojan for the Android platform, which masqueraded as a media player app.

“In less than a year, Android malware quickly exploded and became the most popular mobile malware category out there,” he explains.

“This trend then became obvious in Q3 of 2011, in which Kaspersky Lab discovered over 40% of all the mobile malware they saw in 2011. Finally, critical mass was hit in November 2011 when we uncovered over 1 000 malicious samples for Android, which is almost as many as all the mobile malware the company has discovered in the past six years.”

He also points out that, nowadays, cyber criminals mostly use social engineering tricks in order to force users to install malware.

“At the moment, we have not seen any attacks on Android devices without any kind of user interaction. Yet, unfortunately, even using only social engineering tricks, cyber criminals are pretty successful in infecting hundreds of thousands of devices.”

Maslennikov also believes the problem is that cyber criminals often use names of legitimate apps in order to spread mobile malware.

“We have seen a number of samples of malware which passes itself as a new version of a popular browser, IM client, game or utility. Usually, such malicious apps are spread via third-party Web sites or application markets. It is therefore critical that users are careful and always check the developer of each application they want to use.”

Mark Eardley, channel manager at SuperVision Biometric Systems, says the main concern is that mobile devices aggravate and enlarge the security risks created by PINs and passwords.

“In essence, we are sacrificing security for the sake of convenience. It's a bit like removing all the safety equipment on your car so that - being much lighter - it will go faster and be more fuel-efficient. Not great in a crash, but we'll just drive more carefully,” says Eardley.

He adds that the more reliant consumers become on PINs and passwords, the more they are exposed to the risks these create.

Du Toit also stresses that unstructured supplementary services data (USSD) offers the least amount of security, with weak encryption capabilities to protect information sent over the mobile network and several inherent security issues with the technology itself.

On mobile Web, he argues that, despite including secure sockets layer (SSL) encryption, security on this solution is also problematic.

“For a start, users have to check that their browser trusts the site by looking for clues that differ from browser to browser. Also, in many cases, and especially on older phones, the certifying authority has already been hacked. So despite the browser indicating that a site is trusted, it is, in fact, unsecure.”

He also adds that, unfortunately, the introduction of HTML5 is going to do nothing to improve security on the mobile Web. “Simply put, the specifications haven't considered security at all and new features, such as local storage, make security levels on the mobile Web significantly worse than the status quo.”

To secure mobile banking apps, Maslennikov stresses that, when using the apps, the first important factor to take into consideration is the use of a secure WiFi (with WPA2 encryption) or 3G/4G network, as untrusted networks can be monitored by possible cyber criminals.

“Additionally, it is also necessary to use strong screen-lock passwords in order to prevent unauthorised physical access to a device,” he concludes.

Share