2012 has been an eventful year in the world of information security. Just this month, a new variant of the well-known Zeus banking trojan was discovered, targeted specifically at European smartphones.
This trojan, dubbed Eurograbber, is suspected of stealing around $47 million USD from more than 30 European banking institutions in the past year. The virus first infects the user's computer and modifies the fields on the user's online banking website to ask for a cellphone number. The victim types in the cell number and then receives a text message, seemingly from the bank, asking the user to install a security patch before proceeding. Upon installing that patch, which is actually the smartphone variant of Eurograbber, both the victim's computer and phone are compromised.
Eurograbber is specifically designed to defeat cellphone-based two-factor authentication, a security measure implemented by many secure banking facilities. When a user logs in to a bank account with two-factor authentication enabled, the user must type in both a password and a security code sent to the user via text messaging. The theory behind this extra precaution is that even if a password gets compromised, the attacker still needs the cellphone security key to access the account. Eurograbber circumvents that protection completely.
Also earlier this year, malware targeted at the Android platform surreptitiously recorded more than 14 million pieces of personally identifiable information. The apps containing these viruses were downloaded more than 100,000 times by Japanese users who were using what they thought was the official Google Play store. Even after the alleged perpetrators of these crimes were arrested Oct. 30, new malware strains continued to plague the Japanese Android app market.
These two incidents are not isolated, and they present a grim picture of what may be looming on the horizon for U.S. smartphone users in 2013. While mobile malware is absolutely present in the U.S., incidents of infection have largely been incidental. As of now, we have not faced massive, widespread malware infections like the two incidents mentioned above.
However, this is no reason to rejoice. The attacks on European and Japanese smartphone users reflect the changing attitudes of the criminals developing malware for mobile devices. The attacks are sophisticated, targeted to very specific geographic groups of victims and created with a singular purpose in mind: stealing information. The numbers simply do not lie: $47 million and 100,000 pieces of stolen personally identifiable information show that the mobile platform is ripe for exploitation. It is just a matter of time before U.S. smartphone users face a widespread mobile malware threat.
Use a password. Run an antivirus program. Send unknown emails and text messages to the trash. These are all common practices for nearly every computer user today, yet these same users ignore those practices when it comes to their phones.
Make it your New Year's resolution to stop ignoring them.
Neal B. Custer, president of Reveal Digital Forensics & Security, a subsidiary of Custer Agency Inc. Adjunct professor at Boise State University. email@example.com
Written with Reveal information security expert Dylan Evans.