Smartphone Malware Exploits On The Rise

Lately there have been a spate of incidents involving smartphone apps for the iPhone and Android phones that were discovered to be malicious in various ways.  The important commonality in these revelations was that cyber-criminals had actually modified legitimate apps by hijacking several developer’s credentials, including their “Developer Certificate.”  The developer key provides a digital signature that validates the app as being the genuine product of a legitimate app developer.

There also has been similar mischief around the “Enterprise Certificate” system, which allows businesses to develop custom smartphone apps for their own in-house company use, and are not supposed to be available to the public.  These apps do not get the same security scrutiny as public apps get.

Both Apple and Google have had to remove apps from their respective stores that were found to be malicious, over intrusive, or that violated user privacy and code of conduct rules for apps.  Also,  security firm ESET. has reported that cyber-criminals have taken to the Google Play Store to misdirect cryptocurrency transfers made on Android smartphones.

There are different classes of smartphone malware, and most of these start life as an app, or posing as an app.

  • Adware – Some apps contain adware elements that keep track of your browsing and social media feeds to track your interests, and then push annoying ads at you.  This is probably the least dangerous, but most intrusive exploits.
  • Chargeware – Chargeware is embedded in valid-looking apps, and used to charge a user for services without proper notification or knowledge. Often associated with Internet porn apps.  These apps then download chargeware modules and the spurious phone charges begin.
  • Insecure apps – Also known as “riskware,” these are legitimate apps that lack certain security features that make them exploitable, and can allow an attacker to install a backdoor and to take over a mobile device.
  • Spyware and trackers – These modules are part of almost every app.  They collect data, usually with the permission of the user, including location, contacts, stored pictures including metadata and other files.  This information is sold to marketers and information brokers by the app company.  In worse case scenarios, this information is collected by malicious apps and sold on the Dark Web.
  • Trojan horse – Most everything we have described so far fits the definition of a Trojan horse, i.e., and malicious applications presenting themselves as useful or valuable programs.  Current popular mobile Trojans include crypto-jacking, crypto-mining, email hijacking, and banking malware.

Protecting your phone and yourself from these threats is easily done.

  • Learn about and use the security features on your phone
  • Install an anti-malware app such as Sophos Mobile Security
  • Keep an eye on your phone when out in public to make sure it doesn’t walk off in the hands of a thief.
  • Install all OS and app updates
  • Close apps and websites you are not using.
  • Enable or install remote wiping apps for your phone.
  • Don’t click on links in emails or texts unless you are sure they are legitimate.

More information:

0

About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Owner of the WyzCo Group Inc. In addition to consulting on security products and services, Bob also conducts security audits, compliance audits, vulnerability assessments and penetration tests. Bob also teaches Cybersecurity Awareness Training classes. Bob works as an instruction for CompTIA’s non-profit IT-Ready Program in the Twin Cities. IT-Ready is a tuition free 8-week program designed to teach students of all ages the fundamentals of IT support to prepare them for an entry level position in Information Technology Support. Graduates of the classes take the exams to become CompTIA A+ certified. Bob is a frequent speaker at conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. Bob has been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com

Add a Comment


This site uses Akismet to reduce spam. Learn how your comment data is processed.