Mobile Malware Appears on Government Radars
mobilesecurity.com [London, UK] When government agencies start releasing warnings about smartphone security, it’s safe to say the threat has become mainstream. So when, in October 2012, an organisation linked to the US Federal Bureau of Investigation (FBI) highlighted mobile malware as a real and present danger, many understood the time had come to take the issue seriously.
Specifically it was IC3, a partnership between the FBI and the National White Collar Crime Center, that issued the warning, raising awareness about two specific pieces of malware that were found ‘in-the-wild’ and affecting mainly Android devices. Some of the latest known versions of this type of malware rely on a user clicking a link, be it in an email or on a website. When clicked, the user’s smartphone is directed to a site containing malicious code that could push malware onto the device.
Such attacks prey on a user's sense of personal safety or believed immunity when using personal devices such as smartphones or tablets, but they aren't unusual tactics. In fact they're more of a mobile variation of desktop phishing attacks. But why did IC3 choose to pick out those specific pieces of malware? Perhaps it was because of a particularly high incident rate, or the quantity of reports that IC3 was receiving, but more likely it was simply a show of sense and a reminder to the public at a critical time.
Cybercriminals can be highly organised and make huge amounts of money from exploiting user data. One of the best ways to prevent them collecting such illicit revenue is to educate users in ways to avoid getting caught out – and with 2013 looking to be an even bigger year for mobile attacks, agencies and device owners both need to be on their toes.
Illustrating the point is a Zitmo (Zeus In The Mobile) Trojan attack which has been found to have made $47million (€36 million) for its owners. The attack, dubbed 'Eurograbber', has been able to claim money from Spanish, Italian, Dutch and German banks, all through a fairly intricate phishing attack set off when a user clicks a bogus link in an email. The user is then asked to provide the make and model number of their phone. Once those details are provided, the attack allows the installation of malware via SMS, and after the device is infected it can be used to circumvent bank security procedures.
Such a multi-step attack indicates that those behind this specific theft are anything but chancers trying their luck. More likely they are organised outfits potentially involved in other crimes. And with the level of ill-gotten funds that such attacks can generate, that government agencies are taking an interest should be somewhat reassuring.
For users, one way to help defend against phishing – which opens the door to such attacks – is to always question emails requesting sensitive details. Additional protection can also be gained from security software like Norton Mobile Security, and advice from legitimate authorities and agencies should certainly be taken on board.