The Green Sheet Online Edition
January 13, 2014 • Issue 14:01:01
The Mobile Buzz
The allure of smartphones and tablet computers has led to an explosion in mobile app development, resulting in mobile app stores that offer apps for a million-and-one uses. In the retail sector, merchants recognize the importance of having their own private-label mobile apps to capture the coveted top-of-wallet placement with consumers.
However, the incredibly diverse and all-pervasive mobile app marketplace is fast becoming a target for fraudsters. All of a sudden, a merchant's new-fangled mobile app can become an attack vector for hackers, and a vector of reputational risk for the merchant.
App fraud detailed
According to The Wild, Wild West of Mobile Apps, a white paper issued by mobile app risk management firm Webroot Inc., it is estimated that the number of mobile threats grew from 7,000 in 2010 to 65,000 in 2012, with the number of infected Android devices exploding by 200 percent in 2012 alone.
Webroot said the reason for this proliferation involves the number of apps in circulation, combined with unpoliced app stores and ever more clever crooks. If the biggest and most popular app stores are well monitored, dozens of other storefronts have popped up that aren't.
"Many of these have little or no ability to identify and block apps that contain malware," Webroot said. "Dubious business people and cyber criminals have gone even further by setting up websites for the purpose of offering pirated apps and apps containing malware."
Additionally, fraudsters have developed a knack for counterfeiting popular apps, like those of Skype and Angry Birds, as well as games like Grand Theft Auto III. The fake apps dupe users into surfing to survey and game websites where users are bilked of their money or tricked into downloading malware that hijacks smartphone text message capabilities.
Malicious apps can also retrieve device owners' email addresses and phone numbers, Webroot noted. Furthermore, fraudsters are adapting phishing and social engineering schemes honed on PCs to steer mobile users to bogus bank websites to trick them into divulging account details and passwords.
Webroot reported that fraudsters are turning their attention to hacking into corporations and government agencies via mobile apps. One attack occurred on a Tibetan human rights organization. In this scheme, attackers repackaged a popular mobile messaging app so that it would "change permissions on smartphones and extract contacts, call histories and SMS [short message service] messages," Webroot said.
The firm also reported how fraudsters can spy on work places via compromised mobile devices - surreptitiously taking pictures, listening into conversations and capturing GPS data. "Computer scientists at the Georgia Institute of Technology even demonstrated how a phone on a desk could use its accelerometer to detect vibrations from a nearby keyboard and capture words with up to 80 percent accuracy," Webroot said.
Unfortunately, user knowledge of these threats is apparently inadequate. "Most people have been exposed to press coverage of phishing, malware and social engineering attacks against laptops and desktop PCs," Webroot noted. "However, far fewer users are aware that threats against mobile devices even exist. Most are also ignorant of how malicious apps manifest themselves on mobile devices - for example, through fast battery drain, slow performance and spikes in data usage."
The company said mobile device fraud prevention techniques include:
- Mobile antivirus software that detects malware
- Mobile device management (MDM) and mobile application management (MAM) solutions that monitor mobile devices, lock settings and delete confidential data if devices are lost
- Education that helps mobile device users avoid suspicious mobile apps and recognize and report potential attacks
- Company policies that mandate the use of approved app storefronts and prohibit employees from installing nonbusiness applications on mobile devices used for business purposes
- Corporate app catalogs that approve and control what apps employees use
But Webroot said such defenses are not enough. "Mobile antivirus products do a good job of blocking known malware, but they can't recognize all variants of malicious and repackaged mobile apps," the company said.
The same goes for MDM and MAM products, where "patches" that keep mobile devices secure are released too slowly to keep pace with the speed of new fraud schemes. "And unless an organization can lock down devices and completely control user behavior, some employees inevitably ignore security education, company policies and approved app catalogs," Webroot said.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.