Smart Phone Malware Risk Rises

Banks Must Enhance Mobile App Protections, Trojan Detection

Mobile malware is exploding at a time when financial institutions are increasing their mobile banking offerings and consumers are making broader use of smart phones and tablets.


A recent study from software and security firm Trend Micro finds that mobile malware attacks hit record numbers in the third quarter, with Android devices as the primary targets.

"The threat is dramatic, but traditional countermeasures are not well-suited," says Dr. Markus Jakobsson, a mobile security expert and chief technology officer at FatSkunk, which specializes in malware mitigation. "Traditional countermeasures either require many more updates than is practical on handsets, or consume too much battery power - or both."

Security experts and law-enforcement authorities say anything stored on a mobile device or input via mobile applications could potentially be at risk. As smart phone adoption increases, experts say, so will the threats.

To mitigate risk, banking institutions have to address user behaviors. For example, mobile device users are often too hasty to provide sensitive personal and financial information when prompted by an app or browser request.

But the most critical area to address is technology. Security specialists say many banks and credit unions have not invested enough in malware detection and protection technologies, regardless of the channel.

With the ongoing adoption of mobile banking, enhanced malware detection is critical, and 2013 is the year banking institutions need to up the ante.

Hackers Targeting Mobile

Malicious or potentially malicious mobile applications jumped to 175,000 at the end of the third quarter from 28,000 at the end of the second quarter, according to Trend Micro's latest cyberthreat report. Those mobile apps primarily targeted devices running Google's Android operating system, and most contained adware or spyware.

Adware is often pushed to mobile users as a free software offer in exchange for consumer information. Although some adware is legitimate, hackers are using adware that morphs into spyware to collect user information for nefarious purposes.

The trend should be especially alarming to banking institutions, Jakobsson says. "Now that more banks are offering mobile banking, this is where criminals will focus their attention," Jakobsson says. Hackers already hijack out-of-band authentication measures put in place to verify transactions initiated via online banking, as well as steal credentials and other sensitive information input via mobile-banking apps and mobile browsing, he says.

Many mobile device users and banking institutions are not prepared to detect mobile malware or the fraud that results, Jakobsson contends.

Banking institutions often rely on two types of behavioral analytics: one to detect malware on a device, typically part of an anti-virus system, and the other to establish transactional history on the banking system's back-end. An account's typical transaction patterns are collected and a profile is developed. If a transaction falls outside the norm of the profile, then a flag goes up.
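The back-end profile-based detection described above, as an added illustration that is not part of the original article: a per-account profile is built from past transactions (typical amount, known payees, countries and hours), and a new transaction is flagged when it falls outside that profile. The transaction records and the three-standard-deviation threshold are constructed assumptions for the example.

```python
import statistics
from datetime import datetime

# Constructed sample history for one account (not real data).
HISTORY = [
    {"ts": "2012-10-01T09:15", "amount": 42.10, "payee": "grocer", "country": "US"},
    {"ts": "2012-10-03T12:40", "amount": 55.00, "payee": "fuel", "country": "US"},
    {"ts": "2012-10-06T18:05", "amount": 38.50, "payee": "grocer", "country": "US"},
    {"ts": "2012-10-10T13:30", "amount": 60.25, "payee": "utility", "country": "US"},
    {"ts": "2012-10-15T10:20", "amount": 47.80, "payee": "grocer", "country": "US"},
    {"ts": "2012-10-20T17:45", "amount": 51.30, "payee": "fuel", "country": "US"},
]


def build_profile(history):
    """Summarise an account's typical behaviour from its transaction history."""
    amounts = [t["amount"] for t in history]
    return {
        "mean": statistics.mean(amounts),
        "stdev": statistics.pstdev(amounts),
        "payees": {t["payee"] for t in history},
        "countries": {t["country"] for t in history},
        "hours": {datetime.fromisoformat(t["ts"]).hour for t in history},
    }


def flag_transaction(profile, tx, z_limit=3.0):
    """Return the list of reasons a transaction deviates from the profile.

    An empty list means the transaction looks normal; any entry raises a flag
    for review on the banking back-end.
    """
    reasons = []
    if profile["stdev"] > 0:
        z = (tx["amount"] - profile["mean"]) / profile["stdev"]
        if z > z_limit:
            reasons.append(f"amount {tx['amount']:.2f} is {z:.1f} sd above typical")
    if tx["payee"] not in profile["payees"]:
        reasons.append("new payee")
    if tx["country"] not in profile["countries"]:
        reasons.append("new country")
    hour = datetime.fromisoformat(tx["ts"]).hour
    if hour not in profile["hours"]:
        reasons.append(f"unusual hour {hour:02d}")
    return reasons


if __name__ == "__main__":
    profile = build_profile(HISTORY)
    suspect = {"ts": "2012-11-02T03:20", "amount": 950.00, "payee": "unknown-wallet", "country": "RO"}
    print(flag_transaction(profile, suspect))
```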

But what banking institutions need to do is enhance fraud detection and look for better mobile malware detection software they can push to customers and members, says Andrew McLennan, chief security officer at Metaforic, which specializes in mobile-app and data security. Part of that enhancement will come from baking detection and protection into the mobile apps themselves, he says.

"The latest attacks we've seen are getting in between the application and server," McLennan says. "The solution is to put the security back into the application and to put some sort of security back at the server end, because the server verifies the application."

Smart Phones: Known Targets

Trend Micro's Q3 update coincided with a late October alert issued by the Federal Bureau of Investigation's Internet Crime Complaint Center about newly identified spyware risks targeting Android devices. The FBI identified two new Android Trojans known as Loozfon and FinFisher. Loozfon is designed to steal mobile numbers and contact details saved in address books, while FinFisher is spyware that enables hackers to remotely control and monitor a compromised device. The aim of both Trojans: To steal or collect personal and sensitive information stored on Android devices.

Mobile malware threats, like the ones noted last month by the FBI, are exploiting mobile browsers as well as mobile apps, says Ted Bissell, a mobile payments expert at PA Consulting Group, an IT consulting and technology firm. URLs for mobile websites - on phones or tablets - appear differently than they do on laptops or desktop PCs, so users are more likely to view and click links they would otherwise deem suspicious.

More than half of the U.S. population now uses smart phones, Bissell estimates. "So anything you launch in the U.S., as far as malware or something else, is going to go after smart phone users," he says. "It only makes sense."

Malware Detection

Experts say banks and credit unions need to invest in new mobile malware defenses. "Traditional anti-virus techniques simply are not well suited for smart phones," Jakobsson says.

An external server should assess the security posture of mobile devices, he says. "The device itself cannot be in charge of managing its security," Jakobsson explains.

Mobile communication protocols pose additional malware-detection challenges, too, McLennan says. "It's far better to run new communication protocols from new applications. That's how security is built into the app."

With new communication protocols, a banking-platform server also has enhanced ability to detect and reject a malicious app before it pulls critical information about the user's account, McLennan says.

A server's ability to identify which apps to trust and which to turn away is at the core of detection. To attain that level of heightened security, institutions have to ensure security tools are built into any app that touches their ecosystems, he says.

"Banks have to say, 'We will not allow a transaction to go through if we have not vetted the app or helped with the security,'" McLennan says. "And going forward, I see that being the direction most banks take. They don't have a choice."

Educating Users

But mobile-banking security is a shared responsibility, and users definitely play a role.

"Users have not started to think about the mobile device as a computer," Jakobsson says. "They don't feel that the mobile phone or tablet is something that can be compromised."

Android's significant mobile market share, coupled with its openness and users' reluctance to proactively secure Android devices, has made it an easy target for cybercrime, he says. "But other devices are vulnerable, too."


About the Author

Tracy Kitten

Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 18 years' experience, Kitten has covered the financial sector for the last 11 years. Before joining Information Security Media Group in 2010, where she now serves as the Executive Editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.
