Android: financial attacks and current security status

With an increasing amount of people using mobile devices for work, security of the data stored therein has become a hot topic. And since people also use mobile devices to access their finances, that makes them a prime target for cybercriminals. Android is the most popular mobile OS in the world right now, and the most targeted. How are users attacked and what is the current security status of Android?

Historically speaking

Android is routinely reported as the most targeted mobile OS with over 98% of mobile malware written specifically for it. Despite Google’s Herculean efforts to set things right, Android users are still in the special risk zone.

Android is also the most popular mobile system in the world (the author of this post is the owner of an Android-based smartphone). This means it inevitably draws a lot of interest from cybercriminals looking for an easy target.

Reasons for trouble

The reasons for this are both very simple and very complicated. First, unlike Apple’s iOS, Android has been licensed to interested vendors and developers, and these vendors introduced a lot of their own peculiarities, hacks and features, and best practices were not always followed. As a result, the ecosystem became quite fragmented, and it took Google time to start pulling the pieces back together.

Apple iOS users are bound to Apple’s app store where security is tight. Android users can install apps from a large array of various app stores, not limited to Google Play. Some have very good security, some don’t.

Popularity among users also means popularity among developers, and not all developers are flawless: there are bugs, there are errors, there are vulnerabilities, and there are bad guys eager to exploit them.

Vulnerabilities and user negligence together give criminals a good opportunity to reach for other people’s money.

Tools of trade

The oldest and most widespread kind of financial attack on Android is SMS fraud: large numbers of messages sent to premium-rate numbers without the user’s knowledge or consent. This is, however, mostly an end-user problem, unless the handset is a corporate-provided one.

More of a problem for businesses are the banking Trojans currently enjoying a surge of popularity. According to Securelist, at the beginning of 2013 there were just a few hundred Trojan bankers in Kaspersky Lab’s collection. By late 2014, there were 13,000 of them, and that number shows no signs of decreasing any time soon.

Some of these Trojans are merely a slightly advanced version of SMS scammers, while others like ZitMo or Faketoken are notoriously sophisticated tools capable of working in tandem with PC malware. They intercept one-time confirmation codes (mTAN) sent by the bank in an SMS, so that criminals – in the worst cases – get unfettered access to the bank account and wipe it clean.

There is also multi-purpose malware capable of performing a number of illicit operations or, simply put, of bringing profit to its owners in several different ways. Discovered in 2013, Backdoor.AndroidOS.Obad.a was given the title “most sophisticated Android Trojan”. It was capable of sending SMS to premium-rate numbers; downloading other malware, installing it on the infected device and/or passing it on via Bluetooth; and remotely executing commands in the console. It was indeed carefully engineered, with obfuscated code and exploits for a number of Android vulnerabilities, one of them a zero-day at the time it was discovered.

Once it had gained extended privileges, the malicious program could not be removed from the smartphone. Clearly a serious problem.
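The families described above leave a recognisable footprint in an app’s manifest before the app ever runs: SMS sending and receiving for premium-rate fraud and mTAN theft, device-administrator rights that resist removal, Bluetooth for Obad-style spreading, and the overlay permission that drawing fake login fields over a banking app typically requires. The triage script below is an added example, not code from the original post or from Kaspersky Lab. It assumes the manifest has already been decoded to plain XML (the manifest inside an APK is binary and must be decoded by a tool first), flags the risky permissions and the combinations that are more suspicious together, and produces a score. The weights, the verdict thresholds and the two sample manifests are constructed assumptions for illustration; the Android permission names themselves are real.

```python
"""Manifest triage for the permission patterns of SMS-fraud, mTAN-stealing and
overlay banking Trojans.

Added example, not from the original post or from Kaspersky Lab. Weights,
thresholds and sample manifests are illustrative assumptions.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission -> (weight, what it enables). Weights are an assumed scheme.
RISK_PERMISSIONS = {
    "android.permission.SEND_SMS": (3, "Trojan-SMS: texts to premium-rate numbers"),
    "android.permission.RECEIVE_SMS": (3, "mTAN theft: read incoming bank SMS"),
    "android.permission.READ_SMS": (2, "mTAN theft: read stored SMS"),
    "android.permission.SYSTEM_ALERT_WINDOW": (3, "overlay: fake fields over banking apps"),
    "android.permission.BIND_DEVICE_ADMIN": (3, "device admin: resists removal (Obad-style)"),
    "android.permission.BLUETOOTH_ADMIN": (1, "Bluetooth: push payloads to nearby devices"),
    "android.permission.INTERNET": (0, "network: only counts in combination"),
}

# Combinations that are far more suspicious together than either alone.
COMBOS = [
    ({"android.permission.RECEIVE_SMS", "android.permission.INTERNET"},
     "reads SMS and has network access: can forward mTANs off the device"),
    ({"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS"},
     "can silently both send and read SMS"),
]


def declared_permissions(manifest_xml: str) -> set:
    """Collect <uses-permission> names plus the device-admin marker.

    Device-admin apps do not request BIND_DEVICE_ADMIN via <uses-permission>;
    they declare a <receiver> guarded by that permission, so check both.
    """
    root = ET.fromstring(manifest_xml)
    perms = {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }
    for recv in root.iter("receiver"):
        if recv.get(ANDROID_NS + "permission") == "android.permission.BIND_DEVICE_ADMIN":
            perms.add("android.permission.BIND_DEVICE_ADMIN")
    return perms


def triage(manifest_xml: str) -> dict:
    """Score a decoded manifest and explain each finding."""
    perms = declared_permissions(manifest_xml)
    score, findings = 0, []
    for p in sorted(perms):
        if p in RISK_PERMISSIONS:
            weight, why = RISK_PERMISSIONS[p]
            score += weight
            if weight:
                findings.append(f"{p}: {why}")
    for combo, why in COMBOS:
        if combo <= perms:  # all members of the combination are present
            score += 2
            findings.append(f"combo {sorted(combo)}: {why}")
    return {"score": score, "verdict": verdict(score),
            "findings": findings, "permissions": sorted(perms)}


def verdict(score: int) -> str:
    """Assumed thresholds: a single risky permission is 'medium', two or more 'high'."""
    return "high" if score >= 6 else "medium" if score >= 3 else "low"


# Constructed sample: a banking-Trojan-style manifest (not a real app).
SUSPECT_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.suspect">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

# Constructed sample: an ordinary networked app with no SMS or admin rights.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for name, xml_text in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = triage(xml_text)
        print(f"{name}: score={result['score']} verdict={result['verdict']}")
        for line in result["findings"]:
            print("  -", line)
```

The script is a first-pass filter for an app-vetting queue, not a verdict in itself: a legitimate SMS client legitimately holds SEND_SMS and RECEIVE_SMS, so findings should be read against what the app claims to do. The receiver check matters because device-administrator rights, which the post singles out as what made Obad impossible to remove, never appear as a `uses-permission` line and are missed by tools that only list those.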

Figures

Statistics show that the number of financial malware attacks against Android users grew by 3.25 times in 2014. According to a Kaspersky Lab study “Financial Cyberthreats in 2014”, 48.15% of the attacks against users of Android-based devices blocked by Kaspersky Lab products utilized malware targeting financial data (Trojan-SMS and Trojan-Banker).

The study also shows that 98.02% of all attacks by Android banking malware were accounted for by only three malicious families – Faketoken, Svpeng, and Marcher. Svpeng and Marcher are capable of stealing credentials for online banking as well as credit card information by replacing the authentication fields of mobile banking apps and app store apps on an infected device. Faketoken was made for intercepting the mTAN codes used in multifactor authentication systems and forwarding them to criminals.

An earlier study conducted jointly by INTERPOL and Kaspersky Lab showed that 60% of Android attacks used financial malware – mostly Trojan-SMS. Trojan-Bankers account for just 1.98% of attacks, but this is well explained by the fact that a Trojan-SMS has to infect dozens or even hundreds of mobile devices before its operator sees any meaningful gain, while Trojan-Bankers are a more “surgical” weapon: a single infection is enough to bring criminals a good profit.

It is worth mentioning that, according to the “Financial Cyberthreats in 2014” study, cybercriminals in general are now less interested in “mass” malicious attacks, preferring fewer, more targeted ones.

This puts businesses with weaker mobile protection at increased risk, since they are the ones criminals would target most.

Counter-Efforts

Every new version of Android is more secure than the previous one, but that doesn’t mean that a) no new mistakes are introduced, discovered and exploited, or b) that the older versions with all their bugs go away the moment the new one emerges. Vendors release new handsets expecting users to buy them, and leave the firmware/OS of existing ones without updates for ages, while users prefer to keep using a working handset as long as possible.

Lately, Google has tended to “encourage” users to change their handsets: earlier this year it was announced that users of Android 4.3 and below would not receive security updates for vulnerabilities in the WebView component.

This, according to early reports, meant that up to two-thirds of Android users weren’t going to receive a critical update. Google later explained that patching older versions of the OS can be difficult, and that users can run patched browsers, even on older versions of Android. WebView has been replaced in Android 4.4 and later.

But, as with most other cyberthreats, developers’ mighty efforts may be futile if end-users and businesses are ignorant of the dangers, or are willing to “cooperate” with criminals and don’t do enough to protect their mobiles.

Kaspersky Lab’s business-oriented security suites – Kaspersky Endpoint Security (Select and Advanced) as well as Kaspersky Small Office Security – include tools to protect mobile devices from the existing cyberthreats, as well as the features to protect electronic payments from fraud attempts. Mobile devices today – and especially Android-based ones – require as much protection from cyberthreats as desktops and laptops do, and it is easier and less expensive to prevent incidents from happening than to recover post-factum.

Tips