For some years, cyber-criminals have been exploiting desktop operating system and software vulnerabilities, leveraging unpatched web browsers with vulnerable add-ons and using human psychology and social engineering tactics to ensnare unsuspecting users into revealing vital information, giving the perpetrators access to systems and networks, or simply acting as a conduit for malware.
Now though, the focus for cyber-threat activity is shifting to an environment that’s potentially even more fruitful: the massive global user base for smartphones and mobile devices. It’s been predicted that smartphones will become the leading target for cyber-criminals within the next 5 years, putting mobile device security at the forefront of the cybersecurity conversation.
Grand Theft Mobile
There are sound economic reasons for this shift. Currently, there are more mobile phone users than desktop computer operators – and an increasing number of these people are relying on their mobile devices to make online payments, and to store and manipulate currency. In fact, analysts at Juniper Research predict a growth in the market for payments made via mobile banking applications to $1.3 trillion worldwide by 2017.
Cyber-criminals are buying into this trend, and recent activities have targeted online banking credentials and user account information, hacked from mobile phones and tablets. In the latest incidents, thieves are using malware strains like Acecard and GM Bot to steal banking details from mobile phones – credentials which may then be sold on for third parties to steal or commit fraudulent acts, or for the original perpetrators to use to siphon funds out of their victims’ accounts at leisure.
It’s part of an ongoing campaign targeting the financial services industry – and gaining access to financial information via infected mobile devices is a major element in its success.
Stealing money directly from the accounts of hacked users is just one lucrative avenue making cyber-crime against mobile devices a value proposition for the perpetrators. General information and leverage are also high-value commodities – and for this reason the range of online services and web resources to which mobile users subscribe also forms a target.
Cloud storage facilities, document creation platforms, and video and image-sharing websites can become a source of trade secrets, confidential data or intellectual property for any hacker who steals the credentials of a subscriber, or manages to intercept the data connection between a user and the service platform. And unsecured email messages, compromising photographs, or off-the-cuff remarks on social media may be intercepted and used to extort money, or leaked publicly to cause embarrassment.
Malware with Many Faces
Perpetrators now enjoy a wider range of weapons to wage their campaigns in the mobile realm. In the early days, malware attacks were pretty much restricted to devices using open operating platforms like Windows Mobile, or the Symbian OS interface. This was largely a consequence of major equipment manufacturers throwing the field open for third-party programmers to contribute code and applications to help round out their portfolios.
Notable variants include Cabir, a worm capable of infecting Symbian OS devices up to ten meters away using Bluetooth technology, and the Mosquito Trojan (hidden in the mobile game of the same name), which causes smartphones on which it’s installed to send SMS text messages to several countries at premium rates, without the user’s knowledge or consent.
But the latest set of assaults on financial institutions using the likes of Acecard and GM Bot have targeted Android and iOS systems – so mobile malware is going mainstream and global.
Unsecured wireless connections to the internet remain a serious threat to mobile users on all platforms, especially with the proliferation of WiFi hotspots in public gathering areas, transport hubs, restaurants and hotels. Operating system alerts which warn users that the network they’re about to connect to may not be secure are still largely ignored – and surfers still aren’t using encrypted communication links or virtual private networks (VPNs) to connect as much as they should.
Although updates for mobile operating systems are frequently released and device manufacturers have learned some lessons from the exploits of the past, vulnerabilities can and do still exist. Some analysts estimate that at least one vulnerability is disclosed publicly on a daily basis, and of those flaws that come to light at least 10% are critical ones that could result in an attacker gaining remote access to and control of a device.
Aiding and Abetting
The WiFi warning signs are there – but people tend to ignore them in their desire for an always-connected existence. Similarly, in the rush for the latest app or crucial content, users disregard license agreements and Terms & Conditions containing barely concealed references to spyware or adware. And those operating system updates with critical security patches often meet with hesitation as to whether they’ll alter the device performance in some unforeseen or undesirable way.
We’re our own worst enemy, in this regard – and an unwitting accomplice to the cyber-criminals and hackers.
Help From the Industry
Manufacturers and vendors have responded to some extent by adding or improving on the safeguards and security mechanisms built into their mobile operating systems and software. Apple, for example, has incorporated alert mechanisms into iOS which warn users of content that could potentially be harmful. Likewise, Google has added privacy and security controls to the fabric of its Android operating system.
Self-Help and Basic Protection
Ultimately though, relying on your hardware and its makers to protect you from assault isn’t enough. Secure practices and caution need to be exercised, in addition to measures such as:
- Installing a dedicated mobile anti-virus/anti-malware application from a reputable security firm – and downloading it from a registered app store.
- Using encryption and a VPN (virtual private network) when connecting to WiFi – and exercising discretion in what you do while online.
- Limiting the number of apps you install (from an accredited app store, of course) on your device, to reduce your potential attack surface.
- Reading the license agreements, Terms & Conditions, and fine print before agreeing to install an app, log onto a web resource, or subscribe to a service.