Mobile Malware Update: Threat of the Week
No news is good news.
That’s the bright takeaway on the state of the mobile malware threat landscape, with mobile malware defined here as malware significant enough to warrant attention from financial institutions.
That eliminates the many varieties of nuisance malware that send premium SMS and/or dial expensive foreign numbers. That malware has been around as long as there have been apps and, indeed, there are thousands of for-instances.
But aggravating as these are to the victim, they are no big deal to financial institutions, at least not in the sense that Zeus is a very big, multi-million dollar threat.
“We are seeing some significant malware in Europe,” said Bill Nelson, CEO of the Financial Services Information Sharing and Analysis Center (FS-ISAC). “Not so much here.”
Nelson did have one big - loud - worry about smartphones (we’ll get to it soon) but he was insistent that the malware threat in the U.S. is more hype than substance.
He specifically pointed to a ransomware app called Svpeng that seizes control of a victim’s phone and demands payment to unlock it. That has gotten significant press but, Nelson said, FS-ISAC has not received a single report about an incident in the U.S.
“It hasn’t popped up in the real world,” he said.
That absence of a real threat, Nelson suggested, is today’s norm when it comes to smartphone malware in the U.S.
Fact: there is no meaningful iOS (iPhone) malware.
Fact: there is very little meaningful Android malware distributed via the official Google Play storefront or the Amazon App Store.
Fact: there is a thicket of Android malware available via third party sites and, unlike Apple, Google does not limit how Android apps are distributed.
Any site, anywhere can put up Android apps and, oftentimes, free versions of premium apps — free because they have been stolen — pack toxic payloads. It may look exactly like a $4.99 game, but if it is free on a no-name site, you can bet it is tainted.
So far, however, this malware tends to focus on premium SMS or foreign calls, not financial services credentials. Bothersome, yes. But not a threat to credit unions.
Otherwise, safety reigns in app world. For how long? It is only a matter of time, as cybercriminals adjust to the user shift away from online banking and into mobile banking. Eventually there will be potent, toxic apps. Just not yet, at least not here.
In some countries there already are mature threats. Mick Tsai of San Francisco-based security company Cheetah Mobile said his company has tracked multiple instances of slick spoofs of Korean banking apps that, of course, ask users for their login credentials. They also are able, in some versions, to intercept and respond to authenticating SMS sent to the user’s phone.
Those potential threats are enormous but, note, there are no such instances in the U.S. Furthermore, Tsai acknowledged, the spoofed apps were not available via Google Play. Users downloaded them from third party sites.
Such toxic apps prove that inroads are being made into mobile.
Even so, that is not what presently worries FS-ISAC’s Nelson.
“Phishing in mobile,” he said.
To Nelson, this is the 900-pound gorilla when it comes to smartphones.
Steve Pao, GM Security Business at Campbell, Calif.-based Barracuda Networks, elaborated: “Phishing remains a primary concern regarding financial data security. Due to small screens, many mobile web browsers oftentimes hide the address bar, making it difficult to verify the authenticity of URLs that are asking for private information.”
With a smartphone, lighting conditions often are not optimal. Often we are in a rush. Often we are multi-tasking. Together, that means we are prime targets for criminal assault with phishes that seek login credentials.
Pao added that his company is seeing a sharp rise in phishes designed for mobile channels. He also said he has seen many very clever phishes that look exactly like Facebook emails.
The cure? Member education and reminders that phishing, increasingly, has shifted to mobile devices.
The next step is to brace yourself for a tidal wave of bogus logins with legitimate credentials harvested via mobile phishes.
That, the experts said, is coming your way. Be ready.