Arr0w
Professional
- Messages
- 137
- Reaction score
- 28
- Points
- 28
The Federal Bureau of Investigation has issued a consumer alert warning of malware attacks against mobile devices that run the Android operating system.
Trojans pose serious risks for any personal and sensitive information stored on compromised Android devices, the FBI warns. But experts say any mobile device is potentially at risk because the real problem is malicious applications - which in an open environment are impossible to control. And anywhere malicious apps are around, so is the potential for financial fraud.
Two Trojans
Related Content
Bank Attacks: 7 Steps to Respond
Global Payments: Breach Exam Complete
Wire Fraud Settlement: The Legal Implications
Teaming Up to Fight ACH Fraud
SMBs Need to 'Feel' Cyberthreat to Act
Related Whitepapers
BYOD & the Year of Mobile Security
Mobile Device Management Policies: Best Practices Guide
Fighting Mobile Fraud - Protecting Businesses and Consumers From Cybercrime
Mobile Device Management: Your Guide to the Essentials and Beyond
Start Here for Your BYOD Policy
The alert from the Internet Crime Complaint Center, a unit of the FBI, addresses two new Android Trojans known as Loozfon and FinFisher.
Recent attacks showed Loozfon has the ability to steal a mobile user's phone number as well as contact details. In one type of Loozfon attack, unsuspecting consumers were lured in by advertisements promoting fraudulent work-at-home opportunities.
The alert does not specify how those ads were promoted - through e-mail, SMS/text or both. But the FBI warns that links within the ads lead to websites designed to push Loozfon to users' device.
FinFisher, on the other hand, is spyware that targets Android smart phones, hijacking specific components that enable hackers to remotely control and monitor a compromised device, regardless of its location. The spyware is transmitted to a smart phone by clicking infected web links or by opening SMS messages sent directly to the mobile user, usually falsely appearing to provide links to system updates, the FBI states.
Bad Rap for Android?
Jason Malo, a research director at CEB TowerGroup who focuses on financial fraud and mobile, says the Android operating system is not the cause of the problem.
"It's the openness of the app marketplace that allows malware to run rampant," Malo says, not the Android OS itself.
"This is one of the first consumer-focused, security-oriented lists for mobile I've seen," Malo says. "That's a good thing, but it also is a pretty definite signal that security is becoming a problem."
Until the mobile industry can figure out a way to better control or vet readily available apps, mobile malware concerns will mount, Malo contends. "I'm not saying there should only be one store, but there does need to be some sort of reputational measure, akin to what SSL [secure socket layer] site certificates can help provide."
Link to Financial Fraud
George Tubin, a malware and financial security expert at anti-malware vendor Trusteer, says the FBI's warning is alarming because these types of attacks can easily lead to incidents of financial account takeover.
"What I think may happen, and what may have already happened and triggered the FBI to issue this alert, is that login credentials, such as username and password, for online banking access could be stolen," Tubin says. "When a hacker gets access to a mobile device and is able to take it over, he can get all of the information that is on that device."
So mobile users who access online accounts through mobile browsers, or those who save online-banking credentials somewhere on their devices, are at obvious risk, he says. Additionally, any online purchase that is made through an e-commerce site on a compromised device also could expose credit and debit details, including three-digit security codes required for card-not-present transactions, he adds.
"There also could be vulnerabilities for P2P [peer-to-peer] payments," Tubin says. Anytime a transaction is routed through a mobile device that has been infected, it's safe to assume the hackers who infected that device are monitoring everything the user does, he adds.
"We've heard about mobile malware concerns for a while, and the vulnerabilities inherent to Android because of its openness," he says. "But the alerts we are now seeing coming out from the FBI are highlighting some very different attack vectors. We have to take these threats seriously."
Exploited Security Features
In its list of privacy concerns, the FBI notes that the activation of geo-location features, which some institutions have relied on to help authenticate mobile users and transactions, can be exploited for fraudsters' gain.
				
			Trojans pose serious risks for any personal and sensitive information stored on compromised Android devices, the FBI warns. But experts say any mobile device is potentially at risk because the real problem is malicious applications - which in an open environment are impossible to control. And anywhere malicious apps are around, so is the potential for financial fraud.
Two Trojans
Related Content
Bank Attacks: 7 Steps to Respond
Global Payments: Breach Exam Complete
Wire Fraud Settlement: The Legal Implications
Teaming Up to Fight ACH Fraud
SMBs Need to 'Feel' Cyberthreat to Act
Related Whitepapers
BYOD & the Year of Mobile Security
Mobile Device Management Policies: Best Practices Guide
Fighting Mobile Fraud - Protecting Businesses and Consumers From Cybercrime
Mobile Device Management: Your Guide to the Essentials and Beyond
Start Here for Your BYOD Policy
The alert from the Internet Crime Complaint Center, a unit of the FBI, addresses two new Android Trojans known as Loozfon and FinFisher.
Recent attacks showed Loozfon has the ability to steal a mobile user's phone number as well as contact details. In one type of Loozfon attack, unsuspecting consumers were lured in by advertisements promoting fraudulent work-at-home opportunities.
The alert does not specify how those ads were promoted - through e-mail, SMS/text or both. But the FBI warns that links within the ads lead to websites designed to push Loozfon to users' device.
FinFisher, on the other hand, is spyware that targets Android smart phones, hijacking specific components that enable hackers to remotely control and monitor a compromised device, regardless of its location. The spyware is transmitted to a smart phone by clicking infected web links or by opening SMS messages sent directly to the mobile user, usually falsely appearing to provide links to system updates, the FBI states.
Bad Rap for Android?
Jason Malo, a research director at CEB TowerGroup who focuses on financial fraud and mobile, says the Android operating system is not the cause of the problem.
"It's the openness of the app marketplace that allows malware to run rampant," Malo says, not the Android OS itself.
"This is one of the first consumer-focused, security-oriented lists for mobile I've seen," Malo says. "That's a good thing, but it also is a pretty definite signal that security is becoming a problem."
Until the mobile industry can figure out a way to better control or vet readily available apps, mobile malware concerns will mount, Malo contends. "I'm not saying there should only be one store, but there does need to be some sort of reputational measure, akin to what SSL [secure socket layer] site certificates can help provide."
Link to Financial Fraud
George Tubin, a malware and financial security expert at anti-malware vendor Trusteer, says the FBI's warning is alarming because these types of attacks can easily lead to incidents of financial account takeover.
"What I think may happen, and what may have already happened and triggered the FBI to issue this alert, is that login credentials, such as username and password, for online banking access could be stolen," Tubin says. "When a hacker gets access to a mobile device and is able to take it over, he can get all of the information that is on that device."
So mobile users who access online accounts through mobile browsers, or those who save online-banking credentials somewhere on their devices, are at obvious risk, he says. Additionally, any online purchase that is made through an e-commerce site on a compromised device also could expose credit and debit details, including three-digit security codes required for card-not-present transactions, he adds.
"There also could be vulnerabilities for P2P [peer-to-peer] payments," Tubin says. Anytime a transaction is routed through a mobile device that has been infected, it's safe to assume the hackers who infected that device are monitoring everything the user does, he adds.
"We've heard about mobile malware concerns for a while, and the vulnerabilities inherent to Android because of its openness," he says. "But the alerts we are now seeing coming out from the FBI are highlighting some very different attack vectors. We have to take these threats seriously."
Exploited Security Features
In its list of privacy concerns, the FBI notes that the activation of geo-location features, which some institutions have relied on to help authenticate mobile users and transactions, can be exploited for fraudsters' gain.
 
	