Smart Phone Malware Risk Rises

Banks Must Enhance Mobile App Protections, Trojan Detection

By , November 14, 2012.
Mobile malware is exploding at a time when financial institutions are increasing their mobile banking offerings and consumers are making broader use of smart phones and tablets.

A recent study from software and security firm Trend Micro finds that mobile malware attacks hit record numbers in the third quarter, with Android devices as the primary targets.

"The threat is dramatic, but traditional countermeasures are not well-suited," says Dr. Markus Jakobsson, a mobile security expert and chief technology officer at FatSkunk, which specializes in malware mitigation. "Traditional countermeasures either require many more updates than is practical on handsets, or consume too much battery power - or both."

Security experts and law-enforcement authorities say anything stored on a mobile device or input via mobile applications could potentially be at risk. As smart phone adoption increases, experts say, so will the threats.

To mitigate risk, banking institutions have to address user behaviors. For example, mobile device users are often too hasty to provide sensitive personal and financial information when prompted by an app or browser request.

But the most critical area to address is technology. Security specialists say many banks and credit unions have not invested enough in malware detection and protection technologies, regardless of the channel.

With the ongoing adoption of mobile banking, enhanced malware detection is critical, and 2013 is the year banking institutions need to up the ante.

Hackers Targeting Mobile

Malicious or potentially malicious mobile applications jumped to 175,000 at the end of the third quarter from 28,000 at the end of the second quarter, according to Trend Micro's latest cyberthreat report. Those mobile apps primarily targeted devices running Google's Android operating system, and most contained adware or spyware.

Adware is often pushed to mobile users as a free software offer in exchange for consumer information. Although some adware is legitimate, hackers are using adware that morphs into spyware to collect user information for nefarious purposes.

The trend should be especially alarming to banking institutions, Jakobsson says. "Now that more banks are offering mobile banking, this is where criminals will focus their attention," Jakobsson says. Hackers already hijack out-of-band authentication measures put in place to verify transactions initiated via online banking, as well as steal credentials and other sensitive information input via mobile-banking apps and mobile browsing, he says.

Many mobile device users and banking institutions are not prepared to detect mobile malware or the fraud that results, Jakobsson contends.

Banking institutions often rely on two types of behavioral analytics: one to detect malware on a device, typically part of an anti-virus system, and the other to establish transactional history on the banking system's back-end. An account's typical transaction patterns are collected and a profile is developed. If a transaction falls outside the norm of the profile, then a flag goes up.

But what banking institutions need to do is enhance fraud detection and look for better mobile malware detection software they can push to customers and members, says Andrew McLennan, chief security officer at Metaforic, which specializes in mobile-app and data security. Part of that enhancement will come from baking detection and protection into the mobile apps themselves, he says.

"The latest attacks we've seen are getting in between the application and server," McLennan says. "The solution is to put the security back into the application and to put some sort of security back at the server end, because the server verifies the application."

Smart Phones: Known Targets

Follow Tracy Kitten on Twitter: @FraudBlogger
