“One version is a work-at-home opportunity that promises a profitable payday just for sending out email,” IC3 said in its intelligence note. “A link within these advertisements leads to a website that is designed to push Loozfon on the user's device. The malicious application steals contact details from the user’s address book and the infected device's phone number.”
Loozfon was first noticed in August by Symantec as a low-level distribution trojan that targeted Japanese women with a “click to meet a rich man” gambit. Now, it appears it has spread sufficiently to warrant FBI attention.
FinFisher, meanwhile, is a spyware capable of taking over the components of a mobile device (both Android and iPhone, incidentally, though the latter is much less common). When installed, the mobile device can be remotely controlled and monitored no matter where the target is located. Smartphones and tablets will innocently appear to be themselves, but in reality the mobile malware is working in the background to track the device’s location, monitor activity and intercept communications, including emails, voice calls and text messages.
It was originally developed a cyber-espionage tool for governments by Gamma International, which calls it a “governmental IT intrusion and remote monitoring solution.” It gained notoriety during the Arab Spring when the Egyptian Government’s state security apparatus was revealed to be in negotiations to purchase the software to use against insurgents. And, it was used by the Bahrain government against activists, prompting a forensic analysis by Citizen’s Lab.
Unfortunately, it is rather viral thanks to how simple it is to pass on, which means that it is leaking into the general population, not just for use as a governmental tool. “FinFisher can be easily transmitted to a smartphone when the user visits a specific web link or opens a text message masquerading as a system update,” IC3 noted.
IC3 offered several safety tips for protecting a mobile device, including turning on any embedded encryption available to protect the user's personal data in the case of loss or theft, using password protection, enabling screen-lock after just a minute of inactivity, not clicking on unknown links in emails, installing an anti-malware app and not rooting or jailbreaking the device.
When it comes to jailbreaking or rooting, which is the process of breaking a smartphone out of the operating system or carrier’s restrictions on how the device can be used, the procedure often involves exploiting significant security vulnerabilities and increases the attack surface of the device. Anytime a user, application or service runs in "unrestricted" or "system" level within an operating system, it allows any compromise to take full control of the device, IC3 warns.
The FBI also had some words of warning for avoiding malicious application downloads, which can carry trojan viruses and malware. “With the growth of the application market for mobile devices, users should look at the reviews of the developer/company who published the application,” IC3 said. “Review and understand the permissions you are giving when you download applications. [And], be aware of applications that enable geo-location…to track the user's location.”
Location-aware apps can be used to bolster convenience and offer marketing perks, but they also “can be used by malicious actors, raising concerns of assisting a possible stalker and/or burglaries.”
And finally, IC3 warned against rogue networks. “Do not allow your device to connect to unknown wireless networks,” it said. “These networks could be rogue access points that capture information passed between your device and a legitimate server.”