Mobile Security: Your #1 Threat

New Trojan Targets Android, But Experts Warn of Other Risks
Mobile Security: Your #1 Threat
Security concerns about mobile applications may be overblown, some experts say. Mobile users are more likely to compromise their mobile security via browsing and texting behavior than they are through the download of open-source apps.

But earlier this month, when researchers at Trusteer discovered a new Trojan aimed at hijacking banking credentials from users of Google's Android mobile device, concerns about open-source app vulnerabilities resurfaced, suggesting that companies such as Google should be doing more to enhance security.

Google came under fire in March, when numerous malicious apps were published on its Android Market. The apps, according to Google, took advantage of known vulnerabilities on older Android devices, but did not affect versions 2.2.2 or higher.

"For affected devices, we believe that the only information the attacker(s) were able to gather was device-specific," Google said in March. "But given the nature of the exploits, the attacker(s) could access other data, which is why we've taken a number of steps to protect those who downloaded a malicious application."

Google removed the malicious apps from Android Market, and remotely removed the apps from affected devices. A security update was then issued, to prevent hackers from accessing additional information housed on the phones.

More Malware Hits Android

In September, the Trojan's M.O. was a bit different. Rather than being planted in the Android Market, the hackers relied on social engineering, targeting Android users with text messages that contained malicious links.

The SpitMo attack, a variant of the SpyEye Trojan, fooled Android users into clicking links for phony apps. Once installed, the Trojan could steal bank account details and redirect text messages related to financial transactions.

When downloaded, the Trojan fooled users by asking them to complete fields, which appeared to be part of the banking app, about their mobile phone numbers and their international mobile equipment identity numbers. The IMEI is a unique signature for a specific mobile device.

Google would not comment about the September Android attack, but was willing to provide background about general security measures it's taken to ensure integrity of its mobile software, apps and platform.

Google's Security Measures

Google says Android relies on a number of security features, such as "sandboxing," to protect mobile apps.

Downloaded Android apps operate within a proverbial sandbox, so they aren't able to touch other parts of the phone. If a user wants an app to connect with other apps, such as Facebook, then the user must set special permissions.

Google says it supports its open-app environment, which allows developers to upload apps they create. The open environment is what makes Android popular.

And Google reiterates that it vets all apps available in the Market, but is quick to point out that Android users ultimately bear the responsibility of ensuring the apps they download are safe. Android users are advised to check reviews, app popularity and the length of time an app has been in the Market before they download.

That said, if a malicious app is identified, Google will immediately remove the app from the Market and remotely remove it from infected devices.

But giving consumers so much control is concerning to most mobile security experts. In fact, most agree mobile-use behavior is the industry's biggest worry, not the proliferation of malicious apps. [See Unknown Risks of Mobile Banking.]

Experts: It's the User

"Mobile security is still much better than other areas of security," says Dr. Giles Hogben of the European Network and Information Security Agency.

But the way users behave on mobile devices is not secure.

"Phones are social devices, and people are more naïve when it comes to using their mobile devices," says Dr. Markus Jakobsson, security expert in the field of phishing and crimeware. "When people talk on their mobile devices, they are usually talking with people in a less protected way, and that rubs off on the way they use the device, whether for browsing, accessing and responding to e-mail, banking, or payments. Their behavior is much riskier."

Don Jackson, director of research for the Counter Threat Unit at Dell SecureWorks, says a user might think twice about clicking a link that he or she receives in an e-mail on a PC; on a mobile device, the reaction is typically not so well thought-out. "You're more likely to click on something right away and follow someone on Twitter, for instance, on the mobile phone than you would be on the PC, and that's where the real problem is," Jackson says. "There's no real way to predict the user's behavior."

About the Author

Tracy Kitten

Tracy Kitten

Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by, ABC News, and MSN Money.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.