Mobile malware could be biggest security problem ever seen, says CEO
Black Hats have almost everything they need to turn mobile commerce into a security nightmare, save one thing: targets. But that should change in the coming months as communication companies and financial institutions push a rash of applications into the market for buying and banking with a mobile phone.
Those sentiments were expressed July 11 in a blog post by Mickey Boodaei, CEO of Trusteer, a malware-battling company located in Israel.
"Fraudsters have all the tools they need to effectively turn mobile malware into the biggest customer security problem we've ever seen," Boodaei wrote. "They are lacking just one thing — customer adoption."
"The number of users who bank online from their mobile devices is still relatively low," he continued. "Additionally, transactions are not yet enabled for mobile devices on many banks’ Websites. Since online fraud is mostly a big numbers game, attacking mobile bankers is not yet an effective fraud operation. But expect a change."
"In a year from now this is all going to look completely different as more users start banking from their mobile phone and fraudsters release their heavy guns," he added. "Trusteer has just released figures predicting that within 12 to 24 months over one in 20 (5.6 percent) of all Android phones and iPads/iPhones could become infected by mobile malware if fraudsters start integrating zero-day mobile vulnerabilities into leading exploit kits."
In the Android world, creating and distributing bad apps is criminally simple, he argued. "Fraudsters can easily build applications that have access to sensitive operating system resources such as text messages, voice, location, and more," he elaborated. "Users installing these applications do get a message with a list of resources the app is requesting access to but would usually ignore it as many applications request access to an extensive list of resources."
"Building a powerful fraudulent Android application that steals and abuses your identity and your bank account is almost trivial," he wrote.
"Distributing these applications on the Android Market is even more trivial," he added. "There are no real controls around the submission process that could identify and prevent publishing malicious applications on these stores. Compared to Apple's App Store, Android Market is the Wild West."
Apple's mobile operating system, iOS, keeps a tight rein on access control for apps running on its smartphone. It also has a tough review process to keep bad programs out of its App Store. However, there is a crack in the walled garden that Apple has raised around its mobile environment: jailbreaking.
"A jailbroken iOS device doesn't enforce access control and basically allows any app to do whatever it wants on the device," Boodaei explained.
"Unfortunately many users jailbreak their devices as they want to run all sorts of applications that are not on the App Store," he continued. "But what's more unfortunate is that vulnerabilities in iOS could allow malicious websites to jailbreak a device and infect it with malware without the user's consent or knowledge."
That was demonstrated earlier this month when the makers of a popular jailbreaking program, JailBreakMe, released the latest version of the app as a direct-from-Website upgrade. "A website like JailBreakMe is making it easy to jailbreak your iPhone or iPad — but it could also be said to be giving a blueprint to malicious hackers on how to infect such devices with malware," one security analyst commented.
"In the US alone, 50 percent of mobile phones are smart phones with Android and iPhone being the clear market leaders," Boodaei wrote. "In April of this year, Toronto-based Solutions Research Group survey among smartphone users showed that 38 percent of them use a banking application. These two numbers are on constant increase and are just about to become big enough for fraudsters to start using their heavy guns."
"All the building blocks are in place," he continued. "Fraudsters are researching iOS and Android for vulnerabilities. They have effective exploit kits which can automate this process. They have large scale operations which compromise Websites and force them to distribute malware. And they have effective malware for mobile which can commit fraud."
"In my opinion," he observed, "this all leads to one conclusion — we are about to face one of the worst security problems ever and it won't be long before we do."