Sophos have created this timeline of mobile threats going back to 2004. It’s by no means comprehensive, but it gives you a good idea of how threats have evolved in a short period of time.
Threats and risks in today’s mobile app marketplace
In terms of mobile security, some mobile application (app) platforms, such as Apple’s AppStore, are known to employ strict rules to which application developers are obliged to adhere.
Other mobile app platforms, such as Android’s Google Play, are more flexible with regard to mobile apps. They provide application developers with a programming platform that is optimized for convenience and ease of entry into the app marketplace, but it is these very qualities that have made Android the most heavily targeted mobile operating system, with Android apps by far the most widely used vehicle for spreading mobile malware.
Apps are one of the driving forces behind today’s smartphone market. Their download to mobile phones makes them an attractive new attack vector for cybercriminals along with other mobile phone attributes: the shortened URL, low security awareness among users, and the ease of copying a mobile webpage’s layout for malicious purposes.
This risk extends to the corporate setting as companies increasingly adopt Bring-Your-Own-Device (BYOD) policies, in which employees’ devices double as platforms for both personal and work-related communications. Apps that intercept a mobile user’s email and phone communications, for example, may gain access to corporate communications as well.
Types of Rogue App Payloads
According to a research study on Android malware conducted by the Department of Computer Science at North Carolina State University, 86% of Android mobile-malware payloads are repackaged with legitimate apps and are not standalone, making their detection more difficult. The same study found that many others piggyback on genuine app updates to remain undetected.
The payloads these apps install after being downloaded to a device vary widely, and can include:
- SMS Sniffers. Apps that covertly collect SMS text messages, including passwords sent to users’ handsets, and forward this information to a remote drop point. Some of these include other stealth features to avoid raising the user’s suspicion, for example, functionality that turns off the alert sound when new text messages are received and hides all incoming messages.
- Premium dialers. Apps that install themselves on the user’s handset and start dialing phone numbers or sending dummy text messages to premium-rate service numbers. This type of operation requires the setup of a bogus merchant, along with a fraudulent merchant ID through which cybercriminals can collect funds unwittingly siphoned out of users’ accounts. Handset owners would only become aware of the scam when seeing their bill the following month.
- SEO enhancers. Apps that repeatedly access a certain website, or websites, to increase their rankings in search engines’ results.
- Ransomware. Apps that lock a user’s handset and demand payment from users in return for relinquishing control of the mobile device.
- Spyware. Apps that send the attacker or spy (via a remote drop point) information garnered from a victim’s device, including GPS data, intercepted calls and text messages, and phone contacts.
- Botnet clients / Bridgeheads. Apps that communicate with a cybercriminal via a command & control (C&C) server. These may be used as infrastructure for further malware downloads, much like ready-made PC botnets whose infected systems wait to download banker Trojans or other malware pushed from the C&C server. These payloads act as a bridgehead by giving the perpetrator an initial foothold on the compromised device. The payload opens a port on the device and listens for new commands issued from the fraudster’s C&C point. Later on, an encrypted payload may be downloaded to the user’s device.
Android apps and their exploitation
At the end of H2 2012, Google announced that the number of devices running Android had reached 400 million, representing 59% of the world’s smartphone market. To date, Android’s open source code platform has led to the publication of over 600,000 mobile apps. Android’s source code is based on the Java programming language, and its ease of use and low publisher entry fee have made it the mobile platform most widely targeted by malware developers, and the most widely attacked by today’s Trojans. The increased risk for Android app users has already led several anti-virus companies to release AV software for Android-run devices.
A Secure Venue for Apps
The official venue for Android applications is called “Google Play” (formerly known as “Android Market”). By default, each handset running Android is configured to exclusively allow the installation of apps downloaded from Google Play, and to block installation of apps downloaded from any other venue. This is to ensure a minimal level of security.
Downloading apps from Google Play provides an extra security benefit to Android users, as the store provides a “Remote Application Removal” feature, which allows apps that are retrospectively identified by Google as being malicious to be removed from relevant users’ handsets.
Another important security feature added to Google Play is “Google Bouncer,” which scans new apps, acting as a gatekeeper to keep out those identified as malicious.
Despite Android’s default Google-Play-only settings, Android users can still choose to install apps from venues other than Google Play by manually changing their devices’ security settings. Because of the security issues this may raise, Android users are presented with a warning message when selecting this option.
Android App Permissions
As a second security measure, prior to the installation of an Android app on most Android-based OSs, the app requests certain system permissions, all of which have to be approved before the app can be installed on the device. Whereas legitimate apps normally request only one or two permissions, rogue apps are known to request a long list of permissions before installing themselves.
Currently, this is the main security obstacle for rogue Android apps, which some Trojan coders have managed to bypass through socially engineered schemes. For example, RSA has previously detected a mobile-malware app (SMS sniffer), which presented itself as security software. The app requested nine different permissions, including permission to boot the handset, change system settings, and send text messages. Unsurprisingly, the app was offered from a standalone domain not affiliated with any app store.
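The permission footprint described above is something a defender can triage automatically. The following is an added example, not code from the RSA report: it parses a constructed AndroidManifest.xml and flags the combination the text attributes to the SMS sniffer posing as security software (boot persistence, system-settings changes and SMS access, plus network access to forward what it captures). The permission names are real Android permissions; the sample manifest and the threshold of two permissions for a legitimate app are assumptions taken from the text.

```python
"""Permission-footprint triage for an Android manifest (added example)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission names, grouped by the capability they grant.
SMS_PERMS = {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
             "android.permission.READ_SMS"}
INTERCEPT_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
SETTINGS_PERMS = {"android.permission.WRITE_SETTINGS",
                  "android.permission.WRITE_SECURE_SETTINGS"}
BOOT_PERM = "android.permission.RECEIVE_BOOT_COMPLETED"
NETWORK_PERM = "android.permission.INTERNET"

# Constructed sample: a fake "security tool" requesting nine permissions.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakesecuritytool">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
</manifest>"""


def requested_permissions(manifest_xml):
    """Return the set of <uses-permission android:name=...> values."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")
            if el.get(ANDROID_NS + "name")}


def triage(manifest_xml, max_expected=2):
    """Flag a long permission list and the SMS-sniffer capability combination."""
    perms = requested_permissions(manifest_xml)
    findings = []
    if len(perms) > max_expected:
        findings.append("requests %d permissions (expected <= %d)"
                        % (len(perms), max_expected))
    if perms & SMS_PERMS:
        findings.append("SMS access: " + ", ".join(sorted(perms & SMS_PERMS)))
    if BOOT_PERM in perms:
        findings.append("starts at boot (persistence)")
    if perms & SETTINGS_PERMS:
        findings.append("can change system settings")
    # Intercepting SMS + boot persistence + network access is the pattern that
    # lets one-time passwords be captured and forwarded to a remote drop point.
    sniffer = bool(perms & INTERCEPT_PERMS) and BOOT_PERM in perms \
        and NETWORK_PERM in perms
    return {"permission_count": len(perms), "findings": findings,
            "sms_sniffer_pattern": sniffer}
```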
Today, the payload app may remain on a device even after the host app (with which it was downloaded) has been removed. This makes initial detection and removal of the app from the app store that proffers it even more crucial.
As with PC-based malware, educating consumers to raise awareness of today’s mobile threats and urging them to take precautions against rogue apps will be of paramount importance to mitigating mobile threats in years to come.
Phishing Attacks per Month
In August, 49,488 unique phishing attacks were identified by RSA, marking a 17% decrease from July. The bulk of this decrease is a result of fewer phishing campaigns launched against European financial institutions which have accounted for significant spikes in recent months.
Number of Brands Attacked
In August, 290 brands were subject to phishing attacks, marking a 20% increase from July. This considerable increase shows that cybercriminals are expanding their phishing targets to new organizations and new industries not targeted in recent months. More than half of the brands affected by phishing in August were targeted by more than five phishing attacks.
US Bank Types Attacked
In the U.S. financial sector, nationwide banks experienced a 7% decrease in phishing attacks. However, brands in this segment continue to be most targeted by phishing attacks, hit by two out of every three attacks in August.
Top Countries by Attack Volume
In August, the UK continued to get hit by the majority of worldwide phishing attack volume for the sixth consecutive month, accounting for about 70% of all global phishing volume. The U.S. and Canada continued to remain second and third on the list.
Top Countries by Attacked Brands
In August, the U.S., UK and Australia were the top three countries whose brands were most affected by phishing, targeted by 45% of global phishing attacks during the month.
Top Hosting Countries
The U.S. hosted the vast majority of phishing attacks in August with 80%, followed by Canada, the UK and Germany.
Previous RSA Online Fraud Report Summaries:
- The RSA August 2012 Online Fraud Report Summary is here.
- The RSA July 2012 Online Fraud Report Summary is here.
- The RSA June 2012 Online Fraud Report Summary is here.
- The RSA April 2012 Online Fraud Report Summary is here.
- The RSA March 2012 Online Fraud Report Summary is here.
- The RSA February 2012 Online Fraud Report Summary is here.
- The RSA January 2012 Online Fraud Report Summary is here.
- The RSA December 2011 Online Fraud Report Summary is here.
- The RSA November 2011 Online Fraud Report Summary is here.
- The RSA October 2011 Online Fraud Report Summary is here.
- The RSA September 2011 Online Fraud Report Summary is here.
A study commissioned by Juniper Networks found that enterprise and consumer mobile devices are being exposed to a record number of security threats.
The study’s key findings include:
- App Store Anxiety: The single greatest distribution point for mobile malware is application download, yet the vast majority of Smartphone users are not employing an antivirus solution on their mobile device to scan for malware
- Wi-Fi Worries: Mobile devices are increasingly susceptible to Wi-Fi attacks, including applications that enable an attacker to easily log into victim email and social networking applications
- The Text Threat: 17 percent of all reported infections were due to SMS Trojans that sent SMS messages to premium rate numbers, often at irretrievable cost to the user or enterprise
- Device Loss and Theft: 1 in 20 Juniper customer devices were lost or stolen, requiring locate, lock or wipe commands to be issued
- Risky Teen Behavior: 20 percent of all teens admit sending inappropriate or explicit material from a mobile device
- “Droid Distress”: The number of Android malware attacks increased 400 percent since Summer 2010
“These findings reflect a perfect storm of users who are either uneducated on or disinterested in security, downloading readily available applications from unknown and unvetted sources in the complete absence of mobile device security solutions,” said Dan Hoffman, chief mobile security evangelist at Juniper Networks.
“App store processes of reactively removing applications identified as malicious after they have been installed by thousands of users are insufficient as a means to control malware proliferation. There are specific steps users must take to mitigate mobile attacks. Both enterprises and consumers alike need to be aware of the growing risks associated with the convenience of having the Internet in the palm of your hand.”
“The last 18 months have produced a non-stop barrage of newsworthy threat events, and while most had been aimed at traditional desktop computers, hackers are now setting their sights on mobile devices. Operating system consolidation and the massive and growing installed base of powerful mobile devices is tempting profit-motivated hackers to target these devices,” said Jeff Wilson, principal analyst, Security at Infonetics Research.
“In a recent survey of large businesses, we found that nearly 40 percent considered smartphones the device type posing the largest security threat now. Businesses need security tools that provide comprehensive protection: from the core of the network to the diverse range of endpoints that all IT shops are now forced to manage and secure.”
The study specifically reports the following:
- 400 percent increase in Android malware since summer 2010
- 1 in 20 mobile devices was lost or stolen, requiring locate, lock, or wipe commands
- 20% of all teens admit sending inappropriate or explicit pictures or videos of themselves from a mobile device
- 61% of Juniper Networks-detected malware infections are from spyware
- 17% of Juniper Networks-detected mobile malware infections are from SMS Trojans
- Mobile malware grew 250% from 2009 to 2010
- 1 in 20 mobile devices is lost or stolen, risking loss of confidential and sensitive data.
- 83% of teens use mobile technology to stay connected with friends and family.
- 20% of all teens have been cyberbullied through a mobile device.
- 20% of teens admit to having sent inappropriate or explicit pictures or videos from their cell phones
- 39% of teens admit to sending sexually suggestive messages from their device
- 29% of teens admit that they are sending suggestive messages, or inappropriate and explicit pictures or videos to someone they have never met
- 44% of teens admit that it is common for suggestive messages that were received to be shared with someone else
The study recommends the following:
- Install an on-device anti-malware solution to protect against malicious applications, spyware, infected SD cards, and malware-based attacks on the device
- Use an on-device personal firewall to protect device interfaces
- Require robust password protection for device access
- Implement anti-spam software to protect against unwanted voice and SMS/MMS communications
- For parents, use device usage monitoring software to oversee and control pre-adult mobile device usage and protect against cyberbullying, cyberstalking, exploitative or inappropriate usage, and other threats
For Enterprises, Government agencies and SMBs:
- Employ on-device anti-malware to protect against malicious applications, spyware, infected SD cards and malware-based attacks against the mobile device
- Use SSL VPN clients to effortlessly protect data in transit and ensure appropriate network authentication and access rights
- Centralize locate and remote lock, wipe, backup and restore facilities for lost and stolen devices
- Strongly enforce security policies, such as mandating the use of strong PINs/Passcodes
- Leverage tools to help monitor device activity for data leakage and inappropriate use
- Centralize mobile device administration to enforce and report on security policies
For further details, click here
In its recent study, Juniper Networks uncovered some very interesting facts on the growing risk to Android-based mobile devices.
The timeline for the development of the threats is as follows:
Android Attacks: 2010
- January 2010: First bank phishing application for Android
- March 2010: First Android “botnet”
- July 2010: GPS monitoring embedded in Tap Snake game
- August 2010: First Android SMS Trojan
- November 2010: “Angry Birds” proof-of-concept malware demonstrated
- December 2010: First pirated Android application, Geinimi
Android Attacks: 2011
- January 2011: ADRD and PJApps available in China
- March 2011: Myournet/DroidDream, the first Android malware available and distributed through Android Market on a large scale, affects 50,000 users. Google’s solution, the Android Market Security Tool, was also pirated and turned into malware in China.
- April 2011: Walk-and-Text pirate puts egg on users’ faces.
- April 2011: Research at IU Bloomington results in “Soundminer” proof-of-concept communications interception application.
Overall there was a 400% increase in Android malware since summer 2010.
In summary, the bad guys have seen the growth of the Smartphone market and are turning their skills to the development of tools and attack vectors for the operating systems on them, including Android.
The findings of the research are very interesting, as they show how cavalier Smartphone owners are with their information and identity.
The highlights of the research are below:
- 94% of consumers fear identity fraud and theft yet many keep too much personal data on mobile devices
- 54% of second-hand phones contain personal data including texts, emails and even banking details. Identity fraud expert Equifax is urging consumers to think about what personal data they store on their mobile phone and to ensure they delete all data from both the phone and SIM card before recycling or selling it
- 40% of smartphone users also don’t use the passcode function, leaving them vulnerable to ID fraud. This jumps when looking at the younger generation that has most embraced the new technologies
- 62% of 22-25 year olds use their smartphone to regularly check their online banking. Yet despite fears about identity theft, 69% do not use a passcode function on their phone
- 35% admit to regularly clearing their browsing history after they use online banking. It’s also this generation that is more likely to have personal items stolen when out shopping or in bars and clubs, making them the perfect target for fraudsters
EQUIFAX’S SMARTPHONE SECURITY TIPS
- Always use the PIN function on your handset
- Don’t store reminders of passwords on your phone
- Think about which accounts you access from your phone – would it be better to wait until you’re at the security of your home?
- Wipe browser history, especially if reviewing online banking
- Keep an eye out for malicious software masquerading as apps
- Keep your smartphone safe at all times
- Delete all personal information from the phone and the SIM card before recycling or selling your phone
Read the full press release here.