Traditional attack methods, like those used with the recent mobile online banking Trojan Svpeng, involve the installation of malware on the device to steal information and commit fraud.
However, new techniques are emerging that would enable an attacker to
compromise a device and steal private information from the owner -- for
example, the typical copycat app on a third-party app store. It looks
official. It has a corporate logo on it and perhaps a link to the
genuine news feed from that corporation.
Once downloaded, it prompts the user to accept a long list of
permissions -- for accessing the phone's camera, recording audio,
accessing the device's contact list, and a long list of other functions
-- many of which offer at least potential access to confidential data.
Of course, there are legitimate reasons a given app might need those
permissions to operate -- but they permit access to the same data that
malware also would like to get at.
Therein lies the problem. Unfortunately, anyone can download JPGs from a
corporate website and wrap them around their own app in order to make
it look official. Attackers increasingly are exploiting the trust users
place in brand names and companies they do business with in order to
commit fraud without the need to install any malware code.
For instance, applications with a billing interface easily can be
used to steal financial information without employing malware, and
without triggering any antivirus warning.
Meanwhile, users have gotten accustomed to accepting excessive
permission requests from the apps they download, since novice software
developers often find standard lists of permissions and install them in
their code without trimming them.
Part of the problem is the lack of best practices related to types of
permissions that are appropriate for different classes of apps.
Typically, users don't have a choice in the matter -- if they want the
app, they have to agree to the permissions.
This excessive permissions problem is widespread, as indicated by
recent security research
on popular Android apps. (Most problem apps are in the Android
environment, which is the most popular operating system for mobile
devices.)
Sixty-eight percent of Android apps examined by security researchers
required that the user grant permission to send SMS messages, according
to Zscaler research. Of that 68 percent, 28 percent also were able to
access SMS, putting them in a position to spy on mobile authentication
methods.
Thirty-six percent required that the users grant the app permission
to access the device's GPS data, leaving their location unsecured.
Forty-six percent of the apps required permission to access the device's
phone state.
Ten percent required permission to access the address book, which
would put them in a position to hijack it. Four percent required permission
to check the calendar, which would give them insight into upcoming
events in the individual's life or where the person might be at a given
date and time.
Playing Defense
For corporate users, exposure of data could lead to violations of
various privacy requirements, such as the Payment Card Industry Data
Security Standard (PCI DSS), or even federal statutes, such as the
Health Insurance Portability and Accountability Act (HIPAA), or the
Gramm-Leach-Bliley Act.
Meanwhile, out-and-out malware like the recently discovered Svpeng
Trojan continues to proliferate and grow more insidious over time. This
latest variant locks up the phone completely and demands a US$200 ransom
to unlock it, although unlocking without a system erase appears
unlikely. It has data-stealing code that may have been included for
future use.
Again, there is nothing to stop someone from downloading selected
JPGs, creating an official-looking app, and embedding a Trojan in it.
The liability of the hoaxed corporation is undefined, but the damage to
its reputation and goodwill is easily imagined.
Fortunately, there is a way for corporations to fight the problem,
and prevent dangerous apps -- or blatant malware -- from circulating in
their names. As it turns out, most such apps are acquired at third-party
app stores, which number close to 90.
Some of these online stores are tightly policed and minimize the
presence of malware or noncompliant apps. Others are marginally policed
or even open to all comers, and anything is likely to be found there.
Services are available that can scan third-party app stores for apps
that make inappropriate, unauthorized, or illegal use of corporate
brands, as well as look for the presence of malicious or dangerous code
by decompiling and analyzing suspicious apps.
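As an added example (not code from the article or from any of the scanning services it mentions), the script below audits the permissions declared in an Android manifest against a baseline for the app's class and flags the permission types the statistics above describe; the manifest, the app classes and their baselines are constructed for illustration.

```python
"""Audit the permissions an Android app declares against a per-class baseline.
Added example with a constructed manifest; not code from the article."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions the article singles out, mapped to the data they expose.
SENSITIVE = {
    "android.permission.SEND_SMS": "send SMS messages",
    "android.permission.READ_SMS": "read SMS (exposes SMS-based authentication codes)",
    "android.permission.RECEIVE_SMS": "receive SMS (exposes SMS-based authentication codes)",
    "android.permission.ACCESS_FINE_LOCATION": "GPS location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.READ_PHONE_STATE": "phone state and device identifiers",
    "android.permission.READ_CONTACTS": "address book",
    "android.permission.READ_CALENDAR": "calendar",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
}

# Hypothetical baselines: the sensitive permissions each class of app
# plausibly needs. A news reader needs none of them.
BASELINE = {
    "news_reader": set(),
    "banking": {"android.permission.CAMERA"},  # assumption: cheque/document capture
}

def declared_permissions(manifest_xml: str) -> set[str]:
    """Collect every android:name on a <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}

def audit(manifest_xml: str, app_class: str) -> dict[str, str]:
    """Return sensitive permissions that go beyond the baseline for app_class."""
    excess = declared_permissions(manifest_xml) - BASELINE[app_class]
    return {p: SENSITIVE[p] for p in sorted(excess) if p in SENSITIVE}

# Constructed manifest of a copycat "news" app asking for far more than it needs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.copycat.news">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""

if __name__ == "__main__":
    for perm, exposure in audit(SAMPLE_MANIFEST, "news_reader").items():
        print(f"EXCESS {perm}: {exposure}")
```

The same audit run with the "banking" class shows which requests a financial app would still have to justify, since only the camera is in its baseline.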
There is a pressing need for such services -- 21 percent of financial
services firms, which are the most exposed to mobile malware, never
scan online app stores, Osterman Research found. On the other hand, 18
percent scan daily. Another 29 percent scan less than quarterly, while 4
percent do it quarterly, 7 percent do it monthly, and 21 percent do it
weekly.