
Information Security Today Home


Mitigating Mobile Crimeware

By Mike Lynch, Chief Strategy Officer, InAuth

Crimeware Turns to Mobile

Crimeware is a form of malware, or malicious application, typically used by criminals for the purpose of defrauding banks, merchants, or their customers in order to intercept confidential information or data, remove funds from an account or to complete unauthorized transactions. This is typically done through the use of key loggers, SMS forwarders, spyware, ransomware, and other tactics such as redirecting the user to a counterfeit website.

Crimeware has always been pervasive on the browser channel and many institutions have taken steps to search for crimeware on their consumers' browser or recommend antivirus or crimeware-specific products for browser interactions.

But fraudsters are now increasingly turning their attention to the mobile channel, using crimeware as a means to perpetrate criminal activity. The mobile phone's speed, power, and storage have grown to an extent that it permeates every aspect of users' lives and is used prolifically to perform tasks like paying bills, managing financial accounts, shopping and so much more.

As such, the mobile platform presents an attractive target for fraudsters, especially considering that the proper security protocols are still, at times, inadequate.

While security continues to evolve and newer versions of Android are widely recognized as more secure, there are still issues. According to a May 2017 Digital Trends interview with Joshua J. Drake, vice president of Platform Research and Exploitation at Zimperium, "eighty-four percent of phones are not upgraded, which means most mobile devices are still at risk."

In the same Digital Trends interview, Maik Morgenstern, CEO of antivirus rating organization AV-Test, said, "Up-to-date versions of Google Android can be considered secure. But especially in many older Android versions, more and more vulnerabilities are surfacing and many vendors don't supply updates for their devices. Currently, over 800 vulnerabilities are known."

The problems in mobile aren't confined to Android, however. According to Kaspersky Lab, 40 apps were pulled from the Apple app store in September of 2015 after it was discovered they were infected with XcodeGhost, malware designed to turn the device into a botnet.

These mobile phone vulnerabilities are particularly important for financial institutions to be aware of, especially because they are charged with protecting their customers' most important asset: their money. Financial institutions have been adopting and offering mobile banking to customers at a rapid clip and the mobile malware threat is growing alongside it, according to Julie Conroy, research director at Aite Group, "We're seeing not only the number of strains of mobile malware increase, but also the portion of them that are malicious."

Fraudsters have even turned to a surprising technique for pushing malware out into the ecosystem: preinstalling malware on the mobile device itself.

According to Check Point Software Technologies mobile threat researchers, such a situation was uncovered when their software detected preinstalled malware on 36 Android devices at two unidentified companies. As for how they got there, Check Point researchers concluded, "The malicious apps were not part of the official ROM supplied by the vendor, and were added somewhere along the supply chain."

The covertly installed apps on the mobile devices were designed to steal information and display ads, but one, called "Loki," was particularly vicious. The malware attempts to gain full system privileges, and if it gets them, can corrupt and delete data, erase the hard drive, steal personal information, hijack the computer screen and spam contacts.

Other devices in the scheme were preinstalled with a ransomware program called "Slocker" that blocks usage of the device until a ransom is paid. The only other option to free up the system is to erase everything on it by doing a factory reset.

Stopping the Threats

  1. Scan for specific malware signatures
  2. Scan for suspicious behavior
  3. Protect the mobile device from malware while still allowing it to transact
  4. Ensure that financial and healthcare information can't be decrypted, intercepted, or replayed and only the consumer within the application itself can read the messages
  5. Adopt a holistic approach examining high-risk indicators
  6. Develop the ability to detect malware infection on their users' devices, as well as protect a device and the information it is transmitting even in the presence of malware
  7. Educate the customer

With the rapid increase in mobile crimeware, financial institutions that want to protect their consumers' information need to implement device intelligence solutions that have the ability to detect whether or not a device is infected with malware before it transacts with that organization.

One step involves scanning for specific malware signatures, particularly crimeware. However, crimeware is not always caught by signatures, which is often the case when a new malware variant is released.

As the next layer of defense, a device should also be scanned for suspicious behavior. As an example, a device can be scanned to ensure it is not rooted or jailbroken, which can sometimes happen without the customer's knowledge when a malicious app is installed. Application validation is another defense technique, which attempts to match the consumer app in use to the approved version of an organization's app and ensures a consumer hasn't downloaded a malicious app that will collect consumer information without the consumer's knowledge.

In addition, protecting the mobile device from malware while still allowing it to transact is important. In this situation, protection against replay, man-in-the-middle, man-in-the-application, and session hijack attacks is important. To protect against these, end-to-end encryption from an application to the organization's server is critical.

Financial and healthcare applications transmit very sensitive information: credentials, personal data, account information, transaction information, application information, and other details. If malware is running and has bypassed other detections, it is important to ensure this information can't be decrypted, intercepted, or replayed and only the consumer within the application itself can read the messages.
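As an added illustration (not code from the article or from InAuth), the sketch below shows one way a server can reject replayed or altered app messages: each request carries a nonce, a timestamp and an HMAC under a per-session key. The names `seal` and `ReplayGuard`, the 120-second window and the sample messages are assumptions; confidentiality would additionally need authenticated encryption, which is left out here.

```python
import hashlib
import hmac
import json
import secrets
import time

MAX_SKEW_SECONDS = 120  # assumed freshness window for this example


def _tag(key, body, nonce, ts):
    # MAC over one unambiguous encoding of everything the server will trust.
    msg = json.dumps([body, nonce, ts], sort_keys=True, separators=(",", ":"))
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()


def seal(key, body, now=None):
    """App side: attach a fresh nonce, a timestamp and a MAC to the request."""
    nonce = secrets.token_hex(16)
    ts = int(time.time() if now is None else now)
    return {"body": body, "nonce": nonce, "ts": ts, "tag": _tag(key, body, nonce, ts)}


class ReplayGuard:
    """Server side: verifier for one session key (hypothetical helper)."""

    def __init__(self, key):
        self._key = key
        self._seen = {}  # nonce -> timestamp of messages already accepted

    def verify(self, env, now=None):
        now = time.time() if now is None else now
        try:
            body, nonce, ts = env["body"], env["nonce"], env["ts"]
            good = hmac.compare_digest(_tag(self._key, body, nonce, ts), env["tag"])
            stale = abs(now - ts) > MAX_SKEW_SECONDS
        except (KeyError, TypeError, ValueError):
            return "malformed"
        if not good:  # check the MAC first so forged input never reaches the cache
            return "bad-mac"
        if stale:
            return "stale"
        # A nonce is remembered for as long as its message could still look fresh.
        self._seen = {n: t for n, t in self._seen.items() if now - t <= MAX_SKEW_SECONDS}
        if nonce in self._seen:
            return "replay"
        self._seen[nonce] = ts
        return "accepted"
```

A captured request resent inside the window is refused as `replay`, one resent later as `stale`, and one whose body was altered in transit as `bad-mac`.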

A holistic approach examining high-risk indicators will help the organization understand device trustworthiness, including a complete scan for malware and crimeware. In addition, preventing malware from intercepting information even if it is undetected is critically important.

Having the ability to detect malware infection on their users' devices, as well as protect a device and the information it is transmitting even in the presence of malware, allows businesses to seamlessly authenticate good consumers, make more confident transaction decisions, and expand mobile channel functionality without the risk of fraud.

Finally, customer education is also part of the process. Mobile device users should be made aware of basic fraud prevention steps like not clicking on suspicious links or downloading unknown apps, and the risks of rooting or jailbreaking their phone.

With fraudsters increasingly turning their attention to the mobile channel, and the use of mobile increasing exponentially for many types of transactions, organizations have to implement technologies to detect crimeware to protect their consumers and their own reputation.

About the Author

Michael Lynch is InAuth's Chief Strategy Officer and is responsible for developing and leading the company's new products strategy, as well as developing key US and international partnerships. He brings two decades of experience in key roles within financial services, consulting, and Fortune 500 companies, specializing in security and technology leadership.


© Copyright 2018 CRC Press