According to research conducted by Positive Technologies, 75% of Android banking apps are exposed to high-severity vulnerabilities. In fact, some one-time password stealing malware applications often run with zero permissions. Recently, a new Gugi Trojan was released that forced users to give it the right to overlay genuine apps, send and view SMS messages, make calls plus other actions.
The growing danger associated with mobile security is shocking. There are so many threats out there for mobile users now days, check out these cool mobile security solutions for more info on this. So, what needs to change to protect smartphones?
What’s the problem?
Smartphone use is infiltrating every day life – not least our ability to perform many mundane tasks from our arm chairs – mobile banking being a prime example. The issue is that this functionality does present some risks.
Positive Technologies’ researchers found that most common mobile online banking vulnerabilities are classified as medium severity. However, the combination of these ‘bugs’ can easily have a critical impact on a system. For example, if logon is performed via a short PIN code with session IDs stored in the file system, a hacker with physical access to the device can spoof a web server’s response and every time an incorrect PIN code is entered the server will return the true value. In this way, a hacker can obtain full control over a user’s personal account, including changing settings or executing transactions.
One of the systems a Positive Technolgies’ researcher tested allowed a hacker to access a user’s mobile bank, exploiting insecure data transfer. In this case, the system facilitates the use of self-signed certificates while transferring data via HTTPS.
Despite ever-evolving security features, such as the recent Android 6.0 Marshmallow permission update, the next-generation of Android Trojans that have similarly evolved and have no problem bypassing such security measures.
In September 2016 a new version of the bank-account raiding Android Trojan – Gugi, was discovered. This malware steals users’ mobile banking credentials by overlaying their genuine banking applications with counterfeit apps. This latest version had been rooted to bypass V6s new security features that were introduced to block phishing and ransomware attacks.
Hummer is another prolific smartphone Trojan experiencing an uptick in 2016. This malware roots the device to obtain administrator privileges that then prompts pop-up adverts, as well as installing unwanted apps, games, porn and even malware in the background. Having been around since 2014, infection rates soared in 2016 with one report claiming a daily average of 1.2 million devices affected. Assuming criminals are able to generate $0.50 from each infection, this could yield upwards of $500,000 per day.
Arguably, the most dangerous vulnerability is the ‘human factor’. This summer, thousands of smartphone users infected themselves with fake Pokemon Go apps that could track them, listen to their calls or install backdoor for future thefts. The number of some Android trojans’ victims grew ten-fold in just a couple of summer months.
Criminals will always employ various socio-engineering techniques to steal money. The simplicity of mobile payments could be the enemy here as it’s much easier for scammers to trick individuals to push a button to make an instant payment.
Security is no longer a choice
Here are a few ideas to help thwart current smartphone threats:
- The consensus amongst security experts is users should never jailbreak a device as doing so can circumvent the inbuilt protection from the operating system.
- In tandem, when an update is available users should install them as soon as practicable as many will include security updates.
- Avoiding infection in the first place has to be a high priority. By default you can install apps only from Google Play, but Android allows you to change this. As an Android user you should always install apps only from the official marketplace to reduce the risk of rogue programs. Similarly, People need to entertain good impulse control and never click links sent via text from random numbers.
- If you run a company, it could be hard to convince all employees to apply security processes and rules on all personal or even corporative owned devices. However, rules can be forced by applying mobile security policies via MDM (Mobile Device Management) systems or Microsoft Exchange, for example.
- Security systems are available that can monitor, detect and alert suspicious application behaviour.
- When installing applications, make sure to check the permissions that the app demands. Many operating systems will allow users to see what each app has access to and make amendments. Consider whether the free ‘flashlight’ app that demands access to the phone’s contact list is really worth installing.
- The most simplest advice to is avoid risky operations, such as money transfers, via Android mobile apps.
- Finally, if you wouldn’t do it on a PC, or in the real world for that matter, don’t do it on your mobile phone.
In a world where smartphones have become a necessity, the latest security risks associated with mobile applications need to be addressed. Ignorance is not a defence.