With individuals and businesses becoming increasingly dependent on mobile devices for everything from email to banking, cybercriminals have turned their attention to mobile platforms as a new target for attack.
Colin Thornton, CEO of Dial a Nerd, says that one of the most common strategies cybercriminals use is mobile phishing, which differs from conventional phishing in that hackers predominantly use applications as the hook or entryway. Mobile apps are independent entities, yet they are increasingly leaving users vulnerable to attack.
As it stands, there are two main ways that a hacker can create a false sense of trust in the mobile environment, Thornton says.
“The first approach is via an illegitimate application ‘acting’ as a legitimate application,” he says. “So although that iOS or Android app file may look like the real deal, be wary! This doesn’t only apply to Android – a jailbroken iPhone is also at risk. This is mainly an issue for users who want to download apps from places other than the Google Play Store.
“The second and increasingly common approach is to tamper with or modify the content within an application,” he says. “Many mobile apps will display Web-based content via an internal browser. Because of that Web-based content, exploits like man-in-the-middle can be leveraged to modify the content that is being shown.”
Recently, Trend Micro identified over 800 apps on Google Play that infect your smartphone or tablet with Xavier Spyware.
“Xavier’s impact has been widespread,” Thornton says. “Based on data from Trend Micro Mobile App Reputation Service, we detected more than 800 applications embedding the ad library’s SDK that have been downloaded millions of times from Google Play.”
Apps containing the virus range from data-watching apps to ringtone modifiers. The most dangerous element here is that once an infected app is installed, it can download malicious software onto your device without your authorisation.
“Arguably, the best way to protect your devices is to only install from verified app developers and always use legitimate stores,” Thornton says. “In addition, always take note of what permissions these platforms ask for when you are installing an app. It also helps to read the reviews posted by other users. Finally, keep your devices updated with the latest software.
“Phishing is just one example of how a traditional attack can be adapted to the mobile environment,” he adds. “It’s a newer category for security professionals to consider in their ever-evolving fight, and one that IT players are all watching closely.”