Threat of the Week: Mobile Malware, Menace or Myth?
When is a threat not a threat?
The press releases pile up in my inbox, shrieking about the discovery of a new mobile malware menace by this or that security firm.
Just one problem: it’s all public relations bloat.
There is no mobile banking malware menace. None.
Read that again: there is just about nothing to worry about in terms of cyber crooks and mobile banking.
A qualifier snuck in there – “just about” nothing – that will be explained momentarily. But the overarching news is that for most of us mobile banking is safe. Probably safer than banking on a Windows computer, because Windows machines have had 18 years of malware aimed at them and some of it, such as the keylogger Zeus, is devastatingly effective.
How do we know our mobile is safe? Ask the credit union CIOs. One at a top 25 institution – with a keenly security-conscious membership – wrote in an email: “I haven't received any reports of [mobile malware] from our membership, or even inquiries from other FIs.” He requested anonymity because he is not authorized to speak to the media.
Another CIO, at a top 50 credit union with a highly educated and tech-savvy membership, wrote in an email: “We have not seen, or received any reports from members, regarding mobile malware.”
That’s the norm. Incidents of mobile malware surfacing at credit unions are negligible.
The reality: sophisticated cyber crooks are keeping busy with Zeus and with other attacks on PC-based banking. They are so successful, said sources, that their one problem is a shortage of so-called money mules to launder their stolen proceeds.
Another problem is that, yes, Apple and Android phones are largely unprotected against malware but that does not mean it is easy to infect a phone or to concoct malware that actually runs.
Both Apple and Android do application “sandboxing” – which limits the ability of one app to interact with another. With iPhone the sandboxing is rigid, with exceptions only for some Apple apps (Siri, for instance, can access a user’s calendar). There’s more flex in Android – with the user granting exceptions when installing an app – but there still isn’t wide flexibility.
That means the old-fashioned Zeus architecture – where the keylogger operates under other active apps – simply cannot work on smartphones.
Malware needs a big rethink to be made to work on a smartphone, and so far the cyber crooks have not put their full attention on the problem.
What are out there are counterfeit banking apps – essentially a financial institution’s mobile app, modified with the insertion of malicious code that feeds information back to a crook. Mainly this is an Android issue because Android allows installs from third-party app stores (that modified app is unlikely to pass the screening at the official Google Play store). There are no known instances of counterfeit banking apps on iPhone (Apple allows installs only via its App Store, which rigorously checks banking apps in particular).
But there are no reported cases of counterfeit banking apps involving North American institutions on either platform. The problem is more theoretical than actual.
The other – increasingly common – species of malware is modified premium apps. A crook takes a version of Angry Birds, inserts malicious code into it, then uploads the edited app and offers it for free via off-label app storefronts. Why would he care? He stole it.
Bargain hunters may pounce on it – it’s free – and they will regret it. But, mainly, these modified apps place calls to pricey 900 numbers or send SMS to high-priced destinations, involving charges of $5 here, $10 there. Experts call these nuisance apps. The aggravation for the victim is high, but compared to the multi-million thefts involving Zeus, this is penny ante.
On paper, there are other, enormously frightening mobile threats. Dodi Glenn, antivirus product manager, ThreatTrack Security, said in an interview that he has seen malware that can intercept SMS messages from a bank that are sent as part of a multi-factor authentication precaution.
Potentially that is an immense problem – but actual infections in the wild are few, and mainly in Europe.
Don’t count on the present era of safety lasting. Crooks see the same statistics you see. The mobile channel is exploding. Malware will follow. Said Dave Jevans, founder of security company IronKey, “Mobile banking security projects at big banks are increasing in size and urgency. They believe that when mobile banking malware hits, it will spread very fast.”
For now, the best advice to pass on to worried members is to only download apps from the established app storefronts (Apple, Google, Amazon). Never download new apps; wait until they have a few thousand downloads. Wary early adopters are quick to blow the whistle on deviant apps. And, of course, never jailbreak (unlock download limitations put on by Apple) a phone. Follow just those three cautions and mobile banking is apt to be very safe. At least until the crooks fire the next round.