Phishing & Malware: Mobile Device Edition
By Ben Thomas
Malware is malicious software used by hackers to gain access to our computers and mobile devices, gathering sensitive data along the way. Malware that plagues mobile devices is a completely different beast than those found on desktop computers. The vast majority of mobile threats use a combination of phishing, user error, and fake apps.
The most common targets for mobile malware fall under the following categories:
- Personal data
- Corporate intellectual property
- Classified information
- Financial assets
Mobile browsers are the target of choice for hackers due to a combination of factors
- Many features that desktop users take for granted (e.g. a full address (URL) bar, a physical keyboard, and a status bar that reveals mouse-over details) are absent from mobile browsers due to the hardware limitations of mobile devices. For example:
- To conserve screen space, mobile browsers hide or allow the website to hide the address bar. Even when the address bar is shown, the addresses are often truncated.
- The lack of a physical keyboard and the difficulty of typing on a touch keyboard make mobile device users more prone to click on links. This reluctance to type coupled with an invisible address bar make otherwise wary users more vulnerable to phishing.
- Some phishing sites can draw fake address bars using mobile OS specific tricks. As a user, there is no reasonable method you can use to detect this forgery by looking at the screen. (See also the research paper iPhish: Phishing Vulnerabilities on Consumer Electronics, where the authors implemented this attack and tried it out; they learned that users could not detect it, not even computer science graduate students with knowledge of security, not even when they had been warned in advance of phishing attacks.)
As of now, there is no reliable way to detect phishing attacks on mobile browsers by looking at the screen. The only way to protect yourself is to go straight to the site yourself before entering your credentials: never get there via a link.
How do we protect our data while using our beloved Android/iOS device?
Treat smartphones like PCs:
- Install antivirus/ antimalware apps (mobile antivirus apps are currently available only for Android devices),
- Enforce device-side encryption,
- Use VPN when connecting to Hamilton resources, and
- Use a passcode to unlock the device.
Automatic locking: configure the smartphone in such a way that it locks automatically after a short period of inactivity.
Check reputation: before installing or using new smartphone apps or services, check their reputation. Only download apps from recognized app stores like the Google Play Store or the Apple App Store.
Periodic updates/reload: most Android and iOS devices can be wiped and reset to factory settings. Just be sure to make backups of all data as sometimes smart devices can be remote wiped by a remote attacker.
Auto-destruct/data-wiping: In the event of a stolen or lost device, or if the password is entered incorrectly more than 10 times, the ability to remotely wipe all data off the device will help ensure that the data remains uncompromised. On iOS devices, this feature can be enabled through iCloud. Android devices require third party antivirus apps (Avast, Lookout Mobile, BitDefender, etc.) for this function.
Permission requests: scrutinize permission requests when using or installing smartphone apps or services. Here’s a guide that further explains the relation between apps and permission requests. On iOS devices (iPhone, iPad, iPod) users aren’t privy to the data the apps have access to and Apple would like to keep it that way. For those interested in knowing more about how apps behave, Clueful from BitDefender is available as an app for the android and as a web resource for Apple apps. ZAP from Zscaler is another App Watchman that analyzes web traffic generated by mobile apps. The exact process is detailed here in this video.
- Brandel, Mary. "Smartphones Need Smart Security - Computerworld." Computerworld - IT news, features, blogs, tech reviews, career advice. N.p., n.d. Web. 10 June 2013. www.computerworld.com/s/article/345297/Smartphones_Need_Smart_Security.
- Georgia Institute of Technology (2012, December 5). “Mobile browsers fail Internet safety test.” Science Daily. Retrieved June 10, 2013, from www.sciencedaily.com/releases/2012/12/121205112829.
- Gross, Ben. "Smartphone Anti-Phishing Protection Leaves Much to Be Desired | Messaging News." Messaging News | The Technology of Email and Instant Messaging. N.p., 26 Feb. 2010. Web. 10 June 2013.
- Taylor, JoVona. "Phishing, spam and porn are the biggest threats to your smartphone | IT PRO." IT PRO | Enterprise & Business IT News, Reviews, Features & How Tos. N.p., 11 Feb. 2013. Web. 10 June 2013. www.itpro.co.uk/645607/phishing-spam-and-porn-are-the-biggest-threats-to-your-smartphone.
- "Top Ten Smartphone Risks” ENISA." ENISA. N.p., n.d. Web. 10 June 2013. www.enisa.europa.eu/activities/Resilience-and-CIIP/critical-applications/smartphone-security-1/top-ten-risks.