The bad news: Fraudsters have all the tools they need to effectively turn mobile malware into the biggest customer security problem we’ve ever seen. They are lacking just one thing: customer adoption. The number of users who bank online from their mobile devices is still relatively low. Additionally, transactions are not yet enabled for mobile devices on many banks’ websites.
Since online fraud is mostly a big numbers game, attacking mobile bankers is not yet an effective fraud operation, but expect that to change. A year from now, this is all going to look completely different as more users start banking from their mobile devices and fraudsters bring out the big guns. IBM has just released figures predicting that within 12 to 24 months, more than one in 20 (5.6 percent) Android phones and iPads/iPhones could become infected by mobile malware if fraudsters start integrating zero-day mobile vulnerabilities into leading exploit kits.
Mobile Malware Heaven: Google Android
Android’s security architecture is not currently up to the challenge. This is reflected mainly in the ease of generating powerful fraudulent applications and the ease with which they can be distributed. Fraudsters can easily build applications that have access to sensitive operating system resources such as text messages, voice, location and more. Users installing these applications do receive a message with a list of resources to which the app requests access, but will usually ignore it, since many applications request access to an extensive list of resources. Building a powerful fraudulent Android application that steals and abuses your identity and bank account is almost trivial; distributing these applications on the Android Market is even more trivial. There are no real controls built into the submission process that could identify and prevent the publishing of malicious applications. Compared to Apple’s App Store, Android Market is the Wild West: You can’t always trust applications you download from it.
Fraudsters have already started to abuse this big security hole. Dozens of malicious applications have already been identified on Google Play; Google has removed most of them, but more keep coming. IBM has identified malicious applications on Google Play that have remained available for weeks before being taken down by Google. The average user will find it hard to locate the page that allows you to request Google to review and remove inappropriate applications from the Play store. And don’t expect Google to react quickly to anything you submit through this form — we have used it a few times ourselves with no results. In order to take down an application from Google Play, we actually had to use contacts within Google that aren’t available to the average user. The process of identifying and removing malicious applications from Google Play requires major improvements.
Most of the malicious applications that hit Android are not financial. However, in May of this year, we saw the previously discovered Man-in-the-Mobile (MitMo) malware — which has attacked Symbian, BlackBerry and Windows phones — ported to Android. This attack is designed to bypass banks’ SMS Out-of-Band (OOB) Authentication and transaction verification processes. The proximity of this attack to the recent FFIEC guidance that advises banks to consider, among other options, OOB to fight malware attacks is ironic; it demonstrates exactly why the fraudsters are two steps ahead.
For those of you who don’t know how OOB works, here is a short description: The general idea is to fight malware that infects the user’s machine. Once the user browses to a bank’s website from a PC infected with financial malware such as Zeus or SpyEye, the malware takes over the Web session and injects fraudulent transactions on behalf of the user. With OOB in place, the bank sends a text message to the user’s preregistered phone number. The message includes the transaction details and a verification code. The user must copy the verification code from the mobile device back to the browser on the PC. The assumption is that if the transaction was generated by malware, the user will not complete the process and will not copy the confirmation code back to the browser, and as a result, the bank will not approve the transaction.
Old Techniques, New Channel: Mobile Malware Adapting PC Threat Techniques
The MitMo attack breaks this assumption by doing the following: Once the user is infected and tries to access the bank’s website, the malware kicks in and asks the user to download an authentication or security component onto their mobile device to complete the login process. The user wrongly assumes this message comes from the bank, when in reality, it comes from the malware. Once the user installs the malware on the mobile device, the fraudsters control both the user’s PC and the user’s phone.
Next, the malware generates a fraudulent transaction on behalf of the user. The bank then sends a confirmation message to the user’s mobile device. The malware on the user’s device reads the confirmation message and sends it to the malware on the PC. It then deletes the confirmation message from the user’s mobile device so the user will not see it. The malware on the user’s PC enters the confirmation code and approves the transaction.
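The OOB exchange and the MitMo flow described above, as a small simulation added here (not code from the original post or from IBM/Trusteer); the Bank and Phone classes, the SMS wording and the payee names are constructed for illustration:

```python
import re
import secrets
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed model of SMS out-of-band (OOB) verification; not real bank or malware code.
CODE_RE = re.compile(r"Code: (\d{6})")

@dataclass
class Phone:
    inbox: list = field(default_factory=list)
    # MitMo component: sees every SMS first and suppresses it (None = clean phone)
    sms_hook: Optional[Callable[[str], None]] = None

    def receive_sms(self, text: str) -> None:
        if self.sms_hook is not None:
            self.sms_hook(text)      # relayed to the PC-side malware, never shown
        else:
            self.inbox.append(text)  # the user can read it

@dataclass
class Bank:
    pending: dict = field(default_factory=dict)

    def request_transfer(self, phone: Phone, payee: str, amount: int) -> None:
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[code] = (payee, amount)
        phone.receive_sms(f"Confirm transfer of {amount} to {payee}. Code: {code}")

    def confirm(self, code: str) -> bool:
        # A correct code proves the SMS was read, not that the user reviewed
        # the transaction; the two differ once both endpoints are compromised.
        return self.pending.pop(code, None) is not None

def run_scenario(pc_infected: bool, phone_infected: bool) -> tuple:
    """Returns (transfer_approved, user_saw_confirmation_sms)."""
    bank, phone, relayed = Bank(), Phone(), []
    if phone_infected:
        phone.sms_hook = relayed.append
    if pc_infected:
        # PC malware injects a transfer the user never asked for; a user who
        # does see the SMS does not type the code, so only relayed codes count.
        bank.request_transfer(phone, "attacker-controlled account", 4900)
        codes = [CODE_RE.search(t).group(1) for t in relayed]
        approved = bool(codes) and bank.confirm(codes[0])
    else:
        # The user makes a transfer, reads the SMS and copies the code back
        bank.request_transfer(phone, "landlord", 900)
        seen = phone.inbox[-1] if phone.inbox else None
        approved = seen is not None and bank.confirm(CODE_RE.search(seen).group(1))
    return approved, bool(phone.inbox)
```

With only the PC infected the injected transfer is refused because the user sees an unexpected SMS and never types the code; with both endpoints infected the bank approves it and the user sees nothing.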
MitMo Attack Cycle
The Android malware that spread in May of this year came in different flavors. One such flavor even used the IBM Security Trusteer brand to gain users’ trust and convince them to download the application. The malware itself was used in conjunction with Zeus 18.104.22.168. Users were first infected with Zeus on their PC, and then Zeus showed the message requesting that users download the Android malware component. Those who have already downloaded IBM Security Trusteer Rapport are protected from this type of attack.
MitMo fraudulent Android application abusing the Trusteer brand.
Apple iOS: Not as Secure as One May Think
iOS is the operating system of the iPhone, iPad and iPod. It’s a slightly different story with iOS malware. It’s not easy to create malicious applications that have access to device resources because iOS applies strict access control on applications. It’s also not easy to introduce malicious applications on the App Store since Apple conducts a manual review of each submitted application, which allows them to detect fraudulent apps. However, there is a hole in this security architecture, and it’s called jailbreaking. A jailbroken iOS device doesn’t enforce access control and basically allows any app to do whatever it wants on the device. Unfortunately, many users jailbreak their devices because they want to run applications that are not available on the App Store. But what’s more unfortunate is that vulnerabilities in iOS could allow malicious websites to jailbreak a device and infect it with malware without a user’s consent or knowledge. Last week we saw a good example of that.
JailbreakMe published an exploit that allows the automated jailbreaking of iOS devices from a special website. PDF files that exploit this vulnerability are reportedly publicly available. Simply opening a crafted PDF document or browsing to a website hosting such documents is sufficient to infect the mobile device with malware. The concept of malicious websites serving exploits to infect endpoint devices has been mastered by fraudsters; the notorious BlackHole exploit kit and other kits such as Fragus and Neosploit provide automation of these processes. BlackHole is extremely dangerous and widely used since it is distributed for free.
Millions of websites are being compromised to run these exploit kits. When users browse to one of these compromised websites, they get infected with malware. Note that fraudsters can use the same exploit kit to serve any piece of malware they choose. Once the authors of BlackHole add iOS vulnerabilities to their kit, we’ll start seeing a quick increase in malware distribution on iOS devices. This recent vulnerability is not the first to allow fraudsters to compromise iOS devices, and it won’t be the last. This is just the beginning of the issue. Fraudsters will continue to research iOS and discover more vulnerabilities, which will allow them to compromise devices and commit fraud. I hope I’m wrong, but a year from now this may be so common that it will not even hit the news.
In the U.S. alone, 50 percent of all mobile phones are smartphones, with Android and iPhone being the clear market leaders; a survey of smartphone users from Toronto-based Solutions Research Group showed that 38 percent of these smartphone owners use a banking application. These two numbers are increasing constantly and are just big enough for fraudsters to start using their heavy guns. All the building blocks are in place: Fraudsters are researching iOS and Android for vulnerabilities; they have effective exploit kits that can automate this process; they have large-scale operations that compromise websites and force them to distribute malware; and they have effective malware for mobile that can commit fraud. In my opinion, this all leads to one conclusion: We are about to face one of the worst security problems of our time, and it won’t be long before we do.
Anti-malware solutions for mobile phones are hardly the answer to this problem. These solutions are no different than their PC counterparts: They’re based on scanning applications installed on the device against a list of known malicious applications. This type of solution cannot scale when the number of malicious applications explodes. As mobile malware numbers increase, we’re about to see the very same problem we currently face with desktop antivirus solutions: low effectiveness.
A new solution that takes a different approach for mobile security is required — one that can prevent these devices from getting infected to begin with and protect mobile communication with banks from malware that may end up on the device.
Recommendations to secure mobile banking:
- Check ratings, user reviews and comments for each mobile application you download. Avoid low-rated, new applications or those with bad reviews.
- Carefully review the permissions requested by Android applications when you install them. Applications that ask for access to text messages and other sensitive information should raise a red flag and be researched further before you download them.
- Protect your PC with online banking security software such as IBM Security Trusteer Rapport, which you can download from your bank’s website. This software can break MitMo attacks by blocking fraudsters from the Web channel.
- Regularly install updates for your mobile device.
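To act on the permission advice above, here is an added example (not from the original post) that parses the uses-permission declarations in an Android manifest and flags the resource types the article names; the permission names are real Android ones, while the two manifests and their package names are constructed placeholders:

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Resource types the article singles out, keyed by the real Android permission name.
SENSITIVE = {
    "android.permission.READ_SMS": "read stored text messages",
    "android.permission.RECEIVE_SMS": "see incoming text messages, e.g. OOB codes",
    "android.permission.SEND_SMS": "send text messages at the user's expense",
    "android.permission.RECORD_AUDIO": "record voice",
    "android.permission.ACCESS_FINE_LOCATION": "track precise location",
    "android.permission.READ_CONTACTS": "read the address book",
}

def declared_permissions(manifest_xml: str) -> list:
    """Names from every <uses-permission android:name=...> in the manifest."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]

def review_permissions(manifest_xml: str) -> dict:
    perms = set(declared_permissions(manifest_xml))
    flagged = {p: SENSITIVE[p] for p in sorted(perms) if p in SENSITIVE}
    # Seeing SMS plus network access is exactly what a MitMo component needs
    # to move a confirmation code off the device; treat the pair as a red flag.
    sees_sms = bool(perms & {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"})
    relay = sees_sms and "android.permission.INTERNET" in perms
    return {"flagged": flagged, "sms_relay_capable": relay}

# Constructed manifests (placeholder package names).
SECURITY_COMPONENT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder.securitycomponent">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
</manifest>"""

FLASHLIGHT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

if __name__ == "__main__":
    for name, xml in (("security component", SECURITY_COMPONENT), ("flashlight", FLASHLIGHT)):
        print(name, review_permissions(xml))
```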
Calculation of Smartphone Infection Rates for Zero-Day Exploits
IBM statistics for June 2011 show that each day, one out of 1,500 users accesses a website infected with the BlackHole exploit kit. Out of one million users, 667 will access the BlackHole exploit kit every day; assuming the BlackHole kit incorporates a zero-day exploit, this indicates 667 infected users per 1 million per day. Assuming it takes Apple or Google one week to fix the vulnerability and that it takes an average of two weeks for users to update their mobile phones with a new release, this translates to an average of 21 days of exposure. In this time, 14,000 users per million will get infected with the zero-day attack. Assuming four of these zero-day exploits per year, we’re looking at 56,000 infections per year per million users, which is a total of 5.6 percent of all users — an extremely high number.