Comment: Myths Plague Perceptions of Mobile Malware

Amit Klein asks: Will your users get caught in the mobile malware firing line?

We’ve learned the hard way – Nigerian bankers aren’t going to give us lots of money, DHL does not have a package that we weren’t expecting, and our bank hasn’t really identified fraudulent activity on our account. So why aren’t people heeding the warning that malware has gone mobile, and taking steps to protect themselves?

Perhaps it’s because victims currently are few and far between. Possibly there’s a false sense of security surrounding mobile use. It could be that users don’t think malware infections of their mobile devices are possible. Whatever the reason, if mobile users don’t wake up to the real threat these little devices pose, it could end up as another expensive lesson.

Myth One: Mobile Operating Systems are Sandboxed – So We’re Safe

Anyone that still believes this is living in fantasy land.

We have already seen malware that breaks out of the sandbox – DroidDream is just one example that made the headlines. It used known Android privilege-escalation exploits to obtain root, then downloaded and installed additional arbitrary software, giving it virtually unlimited control of the infected smartphone. A sandbox is only as strong as the kernel and privileged system components that enforce it; one unpatched root bug and the isolation is gone.

Myth Two: Mobile Apps Are Controlled – Apple and Google Are Watching Our Backs

Anyone that still believes this myth has a serious case of loyalty overload.

DroidDream was found in applications being distributed through the official Google Android Market, proving that this trusted source was failing to properly screen the programs it makes available for download. The approach is supposed to protect mobile devices from infection, but it is flawed in a way that works in the fraudsters’ favour: because users assume anything in the market is safe, a malicious app that slips through the screening is installed with far less suspicion than one offered on a random website.

The simple reason is that Google et al. want – and actively encourage – developers to create apps, with just a $25 registration fee standing between anyone and a publishing account. It’s unsurprising that malware writers and spammers are happy to pay it and get a piece of the action.

Rogue developers can all too easily obtain approval to upload their infected applications – that’s what happened with DroidDream. While Google did act swiftly to remove the infected apps from its market and from affected devices, you can rest assured that the developers are looking for ways to obtain sufficient privileges on the handset to stop Google from removing malicious applications in future.

In August, according to Macworld, Droid Project members Patrick Wildt and Ricky Taylor got Apple’s mobile devices to run Linux, meaning that operating system will now boot on an iPad, iPhone or fourth-generation iPod Touch. This follows the revelation that an app which grossly violated Apple’s terms of service (by enabling free tethering) made it through Apple’s review process onto the App Store, and reached the second most-popular spot before being taken down. Although the app in question wasn’t malicious, its function runs contrary to Apple’s agreements with AT&T and other providers, and the review process still missed it. If review cannot reliably catch a policy violation that is the app’s whole purpose, it cannot be relied on to catch deliberately hidden malicious behaviour. Apple can’t keep malware off the App Store indefinitely – it’s just a matter of time.

Myth Three: There’s No Money in Mobile Malware, so Fraudsters Are Not Interested

Wake up people – we’re already in the middle of a third generation of financial malware!

Generation zero had users unwittingly dialling premium-rate numbers or sending SMS texts to services that charged them for the privilege. First generation was malware that engaged in simple tricks – for example, changing the hosts file of an infected device so that the user’s mobile browser was redirected to a phishing site when they typed their bank’s address.

Second generation is mobile malware that works in tandem with malware already infecting the victim’s desktop. In case you’re not sure how this scam works: the desktop component captures the online banking login, and the mobile component intercepts the SMS verification messages the bank sends to the registered phone and forwards them to the fraudster. Banks use those SMS codes as a second factor for financial transactions, so if the phone that receives them is controlled by a fraudster, there is nothing stopping them from completing transactions on your behalf, and the victim may never see the message that was meant to warn them.
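As an added example that is not part of the original article, the following Python script shows the static fingerprint an analyst can look for when triaging an Android app for the SMS-interception role described above (and, in passing, the premium-SMS capability of the “generation zero” malware). It relies on a documented Android behaviour: the SMS_RECEIVED broadcast is ordered, so a receiver that declares a high android:priority sees the text before the user’s messaging app and can abort the broadcast. The two manifests are constructed for the example; the package names and the finding labels are assumptions, not anything from the page or from a real sample.

```python
"""Manifest triage for the SMS-stealing ("man-in-the-mobile") pattern.

Heuristic only: it flags the permission/receiver combination such malware
needs, so legitimate SMS apps will also match and must be reviewed by hand.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
RECEIVE_SMS = "android.permission.RECEIVE_SMS"
SEND_SMS = "android.permission.SEND_SMS"
INTERNET = "android.permission.INTERNET"


def _attr(elem, name):
    """Read an attribute from the android: namespace (e.g. android:name)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def sms_receiver_priorities(root):
    """Return the android:priority of every intent-filter for SMS_RECEIVED.

    The default priority is 0. Raising it is exactly what an interceptor
    does so that its receiver runs first and can call abortBroadcast().
    """
    priorities = []
    for receiver in root.iter("receiver"):
        for flt in receiver.iter("intent-filter"):
            actions = {_attr(a, "name") for a in flt.iter("action")}
            if SMS_RECEIVED not in actions:
                continue
            raw = _attr(flt, "priority")
            try:
                priorities.append(int(raw) if raw is not None else 0)
            except ValueError:
                # A resource reference such as @integer/x cannot be
                # resolved from the manifest alone; record it as 0 and
                # leave it to manual review.
                priorities.append(0)
    return priorities


def triage_manifest(manifest_xml):
    """Return a list of finding labels (hypothetical names) for one manifest."""
    root = ET.fromstring(manifest_xml)
    perms = {_attr(p, "name") for p in root.iter("uses-permission")}
    findings = []

    prios = sms_receiver_priorities(root)
    if RECEIVE_SMS in perms and prios:
        top = max(prios)
        findings.append("sms_receiver_priority_%d" % top if top > 0
                        else "sms_receiver")
    # Reading SMS is only useful to a fraudster with a way to forward it:
    # either back out over SMS or over the network to a drop server.
    if RECEIVE_SMS in perms and (SEND_SMS in perms or INTERNET in perms):
        findings.append("sms_exfil_channel")
    # Sending SMS on its own is the premium-rate ("generation zero") capability.
    if SEND_SMS in perms:
        findings.append("can_send_sms")
    return findings


def is_sms_stealer(manifest_xml):
    """True when the app can grab an incoming code first AND forward it."""
    found = set(triage_manifest(manifest_xml))
    return ("sms_exfil_channel" in found and
            any(f.startswith("sms_receiver_priority_") for f in found))


# Constructed sample manifests (not real apps).
SUSPECT_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.suspect">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Security Update">
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Flashlight">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for label, m in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage_manifest(m), "stealer" if is_sms_stealer(m) else "ok")
```

Two caveats a practitioner should keep in mind. First, this is a manifest-level signal, not a verdict: a legitimate messaging app declares the same permissions, so the finding should lead to looking at the receiver’s code for abortBroadcast() and a forwarding routine. Second, the attack as described depends on third-party apps being able to abort the SMS broadcast, which Android removed in version 4.4 (only the user-selected default SMS app receives the deliverable message); on those and later versions the malware can still read the code, but can no longer hide the message from the user.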

The next generation of mobile malware will attack the mobile device directly, targeting mobile browsers or the banking applications themselves to abuse the user’s authenticated session and commit fraudulent transactions – possibly even with the unwitting help of the user. At the moment this could be argued to be a myth, but it won’t be long before it becomes reality. All it needs is for banks to roll out the mobile banking services that make it worthwhile, and they are doing exactly that.

Banks are actively advertising their applications for people to download and use from their smartphones and tablets – wherever, whenever. As the money trail becomes mobile, so will the attention of our new age of bank robber.

Stop the Rot Before the Damage is Done

DroidDream was preventable. Yes, Google should have identified the malware and blocked its download in the first place, but that’s not what I mean. DroidDream exploited vulnerabilities that had already been identified and patched in a newer Android release.

The problem, unfortunately, is that some 99% of Android users were still exposed because their smartphone had not been updated – the patched release had reached only a tiny fraction of handsets, since updates depend on each manufacturer and carrier shipping them. We regularly update the operating software of our PCs, and it’s time we afforded the same protection to our mobiles.

Fraudsters have all the tools they need to effectively turn mobile malware into the biggest customer security problem we've ever seen. They’re lacking one thing: customer adoption. That’s going to change – it’s started already.

Over the next 12 months more users are expected to start banking from their mobile phone. Fraudsters are already beta testing their malware, waiting to release their heavy guns. Are you going to get caught in the firing line?


As Trusteer’s CTO, Amit Klein manages the company’s Security team, which is one of the world’s leading financial malware research groups. Prior to Trusteer, Klein was chief scientist at Cyota Inc. (acquired by RSA Security), a leading provider of layered authentication solutions. In this role, he researched technologies that prevent online fraud, phishing and pharming and filed several patents in those areas. Prior to this Klein worked as director of security and research at Sanctum, Inc. (acquired by Watchfire), where he was responsible for the security architecture of all Sanctum products.

Klein is a world renowned security researcher, having published over thirty articles, papers and technical notes on the topic of internet security. He was named CTO of the Year by InfoWorld Magazine and has presented at many prestigious conferences including RSA, FSISAC, OWASP and CertConf.
