Malware: The Hidden Threat to Your Mobile Device

Many mobile device users are aware of basic fraud prevention steps like not clicking on suspicious links or downloading unknown apps. But what if the malware threats of the future come preinstalled on the mobile device itself?

According to a recent article on Ars Technica, such a situation was recently uncovered by Check Point Software Technologies when their software detected preinstalled malware on 38 Android devices at two unidentified companies. As for how they got there—blame appears to rest on the phone’s long manufacturing supply chain. Somewhere along the line someone planted malware deep within the device in a scheme that appears to have targeted the two organizations.

The covertly installed apps on the mobile devices were designed to steal information and display ads but one, called “Loki”, was particularly vicious. The malware attempts to gain full system privileges and, if it gets them, can corrupt and delete data, erase the hard drive, steal personal information, hijack the computer screen and spam contacts.

Other devices in the scheme were preinstalled with a ransomware program called “Slocker” that blocks usage of the device until a ransom is paid. The only other option to free up the system is to erase everything on it by doing a factory reset.

This is a chilling development and underscores the fact that the malware threat to mobile, once thought minimal, is very real. What is to be done if the tools we purchase unknowingly contain threats buried deep within them? It’s clear to security professionals that malware checks are now a necessary procedure to establish the device’s integrity before it is even used. Such steps should be considered part of the standard security protocol.

Fraudsters Follow the Money

As this case highlights, fraudsters are increasingly turning their attention to the mobile channel. The technology’s speed, power, and storage has grown to an extent that it permeates every aspect of users’ lives. Mobile is used by just about everyone now to perform routine tasks like texting, paying bills, managing financial accounts, shopping and so much more.

As such, the mobile platform presents an attractive target for fraudsters, especially considering that the proper security protocols are still in development. According to researchers at the University of Cambridge, 87 percent of all Android smartphones are exposed to at least one critical vulnerability and Zimperium Labs found 95 percent of Android devices could be hacked with a simple text message.

The problems in mobile aren’t confined to Android either. According to Kaspersky Lab, 40 apps were pulled from the Apple app store in September of 2015 after it was discovered they were infected with XcodeGhost, malware designed to turn the device into a botnet. This is significant as apps listed in the Apple Store are screened by professionals for threats and somehow XcodeGhost still made it in.

This is particularly important for financial institutions to be aware of, especially because they are charged with protecting their customer’s most important asset—their money. Financial institutions have been adopting and offering mobile banking to customers at a rapid clip and the mobile malware threat is growing alongside it, according to Julie Conroy, research director at Aite Group, “We're seeing not only the number of strains of mobile malware increase, but also the portion of them that are malicious.”

Protecting Businesses and Consumers Against Malware Threats

For this reason, businesses need to implement device intelligence solutions that have the ability to detect whether or not a device is infected with malware before it transacts with that organization.

One step involves scanning for specific malware signatures, as well as scanning for crimeware, a category of malware. Crimeware is a form of a malicious application typically used by criminals for the purpose of defrauding banks or merchants or their customers through the use of location spoofers, keyloggers, SMS forwarders, and other tactics.

However, malware is not always caught by signatures, which is often the case when a new malware variant is released. A device therefore must also be scanned for suspicious behavior, for example, has the device been rooted or jailbroken – perhaps without the customer’s knowledge - or has the customer mistakenly loaded a malicious app?

In addition, protecting the mobile device from malware and allowing it to still transact is important. In this situation, protection against replay attacks, man in the middle, man in the application, or session hijack attacks are important. To protect against this, end to end encryption from an application to the organizations’ server is critical. Financial and healthcare applications transmit a lot of very sensitive information: credentials, personal data, account information, transaction information, application information, and other details. If malware is running and has bypassed other detections, it is important to ensure this information can’t be decrypted, intercepted, or replayed and only the consumer within the application itself can read the messages.

A holistic approach examining high-risk indicators will help the organization understand device trustworthiness, including a complete scan for malware. In addition, preventing malware from intercepting information even if it is undetected is critically important.

Having the ability to detect malware infection on their users’ devices or protect a device and information even in the presence of malware allows businesses to seamlessly authenticate good consumers, make more confident transaction decisions, and expand mobile channel functionality without the risk of fraud.