Mobile Security: Your #1 Threat

New Trojan Targets Android, But Experts Warn of Other Risks

By Tracy Kitten, September 29, 2011.
Security concerns about mobile applications may be overblown, some experts say. Mobile users are more likely to compromise their mobile security via browsing and texting behavior than they are through the download of open-source apps.

But earlier this month, when researchers at Trusteer discovered a new Trojan aimed at hijacking banking credentials from users of Google's Android mobile device, concerns about open-source app vulnerabilities resurfaced, suggesting that companies such as Google should be doing more to enhance security.

Google came under fire in March, when numerous malicious apps were published on its Android Market. The apps, according to Google, took advantage of known vulnerabilities on older Android devices, but did not affect versions 2.2.2 or higher.

"For affected devices, we believe that the only information the attacker(s) were able to gather was device-specific," Google said in March. "But given the nature of the exploits, the attacker(s) could access other data, which is why we've taken a number of steps to protect those who downloaded a malicious application."

Google removed the malicious apps from Android Market, and remotely removed the apps from affected devices. A security update was then issued, to prevent hackers from accessing additional information housed on the phones.

More Malware Hits Android

In September, the Trojan's M.O. was a bit different. Rather than being planted in the Android Market, the hackers relied on social engineering, targeting Android users with text messages that contained malicious links.

The SpitMo attack, a variant of the SpyEye Trojan, fooled Android users into clicking links for phony apps. Once installed, the Trojan could steal bank account details and redirect text messages related to financial transactions.

Once installed, the Trojan fooled users by asking them to fill in fields, presented as part of the banking app, for their mobile phone number and their international mobile equipment identity (IMEI) number. The IMEI is a unique identifier for a specific handset.

Google would not comment about the September Android attack, but was willing to provide background about general security measures it's taken to ensure integrity of its mobile software, apps and platform.

Google's Security Measures

Google says Android relies on a number of security features, such as "sandboxing," to protect mobile apps.

Downloaded Android apps run inside a sandbox, so they cannot touch other parts of the phone. If a user wants an app to interact with other apps, such as Facebook, the user must grant it specific permissions.
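The sandbox described above only holds if the user does not grant an app the permissions it needs to escape it; the SpitMo behavior described earlier (reading the IMEI, intercepting incoming SMS and forwarding them) depends on exactly such a grant. The following added example is not code from the article, Google or Trusteer; it is a small manifest checker in the spirit of the vetting Google describes, which flags an APK whose AndroidManifest.xml requests the RECEIVE_SMS, READ_PHONE_STATE and INTERNET combination together with a high-priority receiver for the SMS_RECEIVED broadcast. The two manifests embedded in the block are constructed for the example; the permission and action names and the android:priority attribute are real Android identifiers.

```python
"""Flag Android manifests that request the permission set a SMS-stealing
banking Trojan needs.  Added illustration, not Google's or Trusteer's code;
both manifests below are constructed sample inputs."""
import xml.etree.ElementTree as ET  # use defusedxml for untrusted APKs in production

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _a(attr):
    """Fully-qualified name of an attribute in the android: namespace."""
    return "{%s}%s" % (ANDROID_NS, attr)


# Each permission is common on its own; the three together let an app read
# the handset identity, receive every incoming SMS and send data off-device.
SUSPICIOUS_COMBO = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.INTERNET",
}
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"
HIGH_PRIORITY = 1000  # receivers at or above this run before the stock SMS app


def analyse_manifest(xml_text):
    """Return a list of human-readable findings for one AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    findings = []

    requested = {el.get(_a("name")) for el in root.iter("uses-permission")}
    if SUSPICIOUS_COMBO <= requested:
        findings.append("requests RECEIVE_SMS + READ_PHONE_STATE + INTERNET")

    # A SMS_RECEIVED receiver with a very high priority is delivered the
    # broadcast before the messaging app and can abort it, hiding the bank's
    # transaction SMS from the user while still reading it.
    for receiver in root.iter("receiver"):
        for filt in receiver.findall("intent-filter"):
            actions = {a.get(_a("name")) for a in filt.findall("action")}
            if SMS_ACTION not in actions:
                continue
            priority = int(filt.get(_a("priority"), "0"))
            if priority >= HIGH_PRIORITY:
                findings.append(
                    "high-priority SMS_RECEIVED receiver (priority=%d) in %s"
                    % (priority, receiver.get(_a("name")))
                )
    return findings


def is_suspicious(xml_text):
    """True when the manifest shows at least one of the findings above."""
    return bool(analyse_manifest(xml_text))


# Constructed sample: a fake banking app requesting the full combination.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakebank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: an ordinary networked app with no SMS access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, analyse_manifest(manifest) or ["no findings"])
```

A check like this is a triage signal, not a verdict: a legitimate SMS client legitimately requests the same permissions, so a match should route the app to manual review rather than an automatic rejection.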

Google says it supports its open-app environment, which allows developers to upload apps they create. The open environment is what makes Android popular.

And Google reiterates that it vets all apps available in the Market, but is quick to point out that Android users ultimately bear the responsibility of ensuring the apps they download are safe. Android users are advised to check reviews, app popularity and the length of time an app has been in the Market before they download.

That said, if a malicious app is identified, Google will immediately remove the app from the Market and remotely remove it from infected devices.

But giving consumers so much control is concerning to most mobile security experts. In fact, most agree mobile-use behavior is the industry's biggest worry, not the proliferation of malicious apps. [See Unknown Risks of Mobile Banking.]

Experts: It's the User

"Mobile security is still much better than other areas of security," says Dr. Giles Hogben of the European Network and Information Security Agency.

But the way users behave on mobile devices is not secure.

"Phones are social devices, and people are more naïve when it comes to using their mobile devices," says Dr. Markus Jakobsson, security expert in the field of phishing and crimeware. "When people talk on their mobile devices, they are usually talking with people in a less protected way, and that rubs off on the way they use the device, whether for browsing, accessing and responding to e-mail, banking, or payments. Their behavior is much riskier."

Follow Tracy Kitten on Twitter: @FraudBlogger
