Rogue Mobile Apps, Phishing, Malware and Fraud

By: Limor Kessem

Information highways have long crossed the borders of the static PC over to mobile devices and now, more than ever before, into the realms of that platform. With technology galloping forward, millions of users use mobile devices to access the Internet, shop, pay, check their accounts, work, communicate and socialize. Nowadays, this all easily and simultaneously happens on one device that is always on, always connected, and driven by small, yet efficient mobile apps.

To enjoy and maximize the use of mobile devices, users need applications. Apps, and the content they provide, are the reason smartphones and tablets are so popular; recent statistics show that mobile users around the globe download over 67 million apps every day! Although these numbers are staggering, security awareness did not follow, and it was a matter of time – and only logical for cybercriminals – before online threats, such as phishing and malware, became a reality on mobile devices.

And so, if in the mobile world apps are king, then apps are the way to go. Cybercrime can be blamed for many things, but never for lagging behind… Enter rogue apps: those impersonating other apps, or legitimate ones using names and logos of known brands without permission. Other rogues may harbor malicious content, such as phishing or malware, or may be otherwise good apps that just let sensitive and private information leak into the hands of shady developers and criminals.

Within the context of information security, the mobile platform is without doubt the new and emerging threat (and fraud) vector. Beyond the immeasurable adoption of mobile devices by people in all geographies, there are more pointed and interesting reasons as to why cybercriminals literally prefer reaching potential victims on their mobile…

  • Mobile phone users are at least three times more likely to become victims of phishing attacks than desktop users; they are less careful and less aware.
  • Because mobile devices are always on and in most cases physically close by, their owners tend to check their communications closest to real time, and thus are the first to get to phishing attacks.
  • Discerning whether or not a page is legitimate is harder when looking at a small device where the complete URL is not displayed.
  • Mobile users are much less aware of mobile security options.
  • Mobile users are accustomed to entering their credentials into simple interfaces on their mobiles; in fact, 40% of smartphone users enter passwords into their phones at least once a day.
  • Mobile login screens are often very simple, which makes them easier for attackers to copy.
  • Mobile users are quick to download games or look for an app they need without researching the developer or knowing what types of permissions they should suspect.

Browsing the net, shopping for apps, downloading and running rogue applications on their mobile devices, users are exposed to all the threats they know from the PC: phishing, vishing, malware, email scams and even just the unintentional transmission of sensitive data. Mobile threat coders have adapted their techniques to the new platforms, taking advantage of exploits, deploying mobile botnets, and even using rootkit[1] functionality to target users where they spend much of their time.

Thanks to the Internet and to mobile apps, cybercrime is now part of the game on all mobile platforms. And the best way for blackhats and fraudsters alike to get into more pockets, in more ways than one, is by tricking users into letting them in — Rogue apps? That’s one great way to do that.

Limor Kessem is one of the top Cyber Intelligence experts at RSA, The Security Division of EMC. She is the driving force behind the cutting-edge RSA FraudAction Research Lab blog Speaking of Security. Outside of work you can find Limor dancing salsa, reading science fiction or tweeting security items on her Twitter feed @iCyberFighter.


[1] ‘Rooting’ and ‘jailbreaking’ devices
