MOBILE MALWARE CASES WILL SEE INCREASE
A New Year always arrives with new promises – the ones we make to ourselves but more often fail to keep. It also arrives with prognostications about where the financial markets will head, who will be triumphant on the political front or for that matter predictions about where information technology will be heading and what that will mean to the way we do things. Information technology forecasts, like those in most other arenas tend to rely on extrapolating past trends. And so in trying to look into the crystal ball to foretell what may come to pass this year, I will take a look at what has transpired and then use broad brush strokes to paint an image of what could happen.
Hitherto, malware and its perpetrators have targeted Windows-based PCs for their exploits mainly because these devices have been ubiquitous. As computing platforms merge with communication and entertainment platforms, through what many call “digital convergence,” a plethora of devices of the mobile ilk will rapidly catch up with the ubiquity of Windows PCs. These mobile devices – smartphones, tablets and their brethren – are mainly iOS (Apple), Android or Blackberry OS based. In the near future, we will most likely see these new mobile devices draw abreast and possibly pass the Windows PCs in dominance and consequently draw the evil eye of the cyber underworld. Keeping in mind the extremely high return on investment from Android-based malware (cost $25 for an Android Developers’ Kit with a potential return in the thousands from a Trojan App) and the ease of distributing these apps, I predict an increasing number of attacks on Android-based devices and a consequent rise in a new class of protective apps and services for these devices.
We will start seeing increased incidence of smartphone scareware. Scareware is a class of malware that has generated oodles of cash for its perpetrators. Mobile malware creators are using search-engine optimization techniques to poison search results (such as Google) for popular mobile apps with malicious links that result in scareware being downloaded to the device and tricking the user into doing online scans of the phones and forcing the user to download apps such as VirusScanner, which uses the phone to send text messages to premium numbers and running up the user’s phone bill.
Further, use of the smartphone has started expanding into new areas with the proliferation of apps such as digital wallets, banking and social networking. In other words, our smartphones have become our all-in-one credential center and communicator – convenience for sure, but vulnerability beyond all comparison. Besides the possibility that the phone could be lost or stolen, there will be increased likelihood that it could be hacked and the data on it stolen and used fraudulently. Needless to say, the loss or damage from a compromised smartphone could be quite significant and hence it makes sense to examine some commonsense approaches to smartphone handling to avoid such calamities.
Typically, mobile malware spreads via App Stores. More so from third-party App Stores than the phone’s official App Store. Since there is a larger third-party market for Android Apps, it goes without saying that Android devices tend to be more exposed to the possibility of a malware infection than, say, the Apple iPhone, which can only access Apple’s App Store. Again with the growing market share of Android devices, the overall level of exposure is increased. As third-party App Stores are more likely to be purveyors of malware, it stands to reason that we should try and stick to downloads from Official Phone Vendor App Stores.
As we go through this year, we will see increased availability of public Wi-Fi connectivity and the consequent increase in connected mobile devices such as iPads and Tablets. Folks should keep in mind that public Wi-Fi networks are not secure and hence any information transmitted or received on one, is accessible to anyone using certain listening devices. Thus, as people increasingly use mobile apps connected to a public Wi-Fi network and mobile apps typically do not connect securely, the data exchanged will not be encrypted and eavesdroppers will be enabled to sniff out the transmission contents. It is significantly safer for users to avoid banking and online shopping Apps when connected to a public Wi-Fi network and instead use the mobile web browser to access the App’s Web site with an HTTPS:// connection. This caveat especially holds true for Facebook and other Social Media Apps. When you are connected to a secure Wi-Fi network such as your home or work network, however, use of apps may be less risky.
Malware pushers and hackers follow the path of least resistance for maximum impact. Therefore, any platform (Windows), class of devices (Android mobile devices) or class of Web sites (Social Networking), with extensive following, tends to attract the unwelcome attention of these unsavory characters. Web sites such as Facebook have received more than their fair share of unwanted attention. During 2011, using compromised Web sites and apps, attackers have hacked into user accounts and pushed malware, phishing invites and scams to numerous Facebook users. They have also propagated their dangerous payload via wall posts, links, photo tags and comments. With Facebook boasting upwards of 800 million active users, 2012 should bring forth increased threats and scams. Users should follow the same defensive tactics as with e-mail scams – do not click on suspicious links even if they appear to come from friends, be cautious of any apps that you allow on Facebook and periodically review the apps in your approved apps list to remove those that you don’t use or that appear suspicious.
Finally, during 2012, we will continue to see an increasing trend in Internet crime. The reason is quite obvious. Internet crime has a low-entry threshold, provides easy widespread reach and perhaps, most important, almost no accountability – the Internet criminal almost never gets caught. Consider the following statistics: according to an FBI 2011 report, 300,000 people were victims of internet crime and the loot was to the tune of $1.1 billion and this represents just the tip of the iceberg – a typical Internet hacker carries out hundreds of thousands of these crimes with just the click of a button and almost never gets caught. And those who do get nabbed probably serve at most a few years in a low-security prison. The statistics for identity theft are even worse – according to the FBI, these crimes affect as many as 8.3 million victims here in the United States (nearly 1 out of every 25 persons), while the number of arrests from 2003 through 2006 were only between 1,200 and 1,600, of which only a third were convicted. That means one identity thief was convicted for 20,000-plus victims.
Arun Marballi has worked in the Information Technology arena for more than 22 years with extensive experience in software development, process design and network/workstation management. For comments, questions, tips or suggestions, e-mail [email protected].