“We expect to see a lot more fraud in the next 12 months - much more. As more financial institutions issue Android apps, the fraud will go up,” predicts Amit Klein, manager of the security team at Trusteer, a Boston-based leader in financial services malware research.
Central to Klein’s worries is that Google does not, as Apple does, security-check apps before making them available for download to phones. Nor does Google require, as Apple does, that all apps be distributed through a single vetted source (the Apple App Store, in the case of the iPhone).
“We believe this will be a serious threat,” Klein said. “We are not seeing Google putting up a good fight against the fraudsters. We are seeing Google doing what Microsoft did 10 years ago, which was basically the bare minimum. That’s not enough; the Android security model is not strong enough.”
With Google, anybody can upload an app to any site, and that is where much of the mischief arises. A fast-growing problem is cyber criminals taking a legitimate app and “repackaging” it, as cyber security experts put it. That means malware is injected into an otherwise legitimate app, and it is very easy for even savvy users to fall victim.
There are no known instances of financial apps being “repackaged” – but there also is no reason to believe mobile banking apps are immune.
“In the next six to 12 months we will see a lot more financial institutions rolling out mobile banking apps and we will also see a lot more fraud,” predicted Klein.
Not all mobile security experts are as downbeat as Klein. At Lookout, a San Francisco-based mobile security company, CTO Kevin Mahaffey is adamant that – although the Android platform has vulnerabilities – there are also comparatively easy fixes such as urging users to install anti-virus apps.
“We know the steps that need to be taken with Android,” said Mahaffey.
Klein, however, remained cautious. “My advice is to wait and watch what Google does to improve Android security over the next year,” he said.