What can malware do? Mobile malware part 2
In the previous post we discussed what malware can do once it is active on your phone. But how do end-users get malware in the first place? You might think that you’re protected if you don’t do anything other than messaging and Facebook on your phone, but that is not the case.
How to get Malware
There are a few broad categories for how users get malware:
The most common vector is most likely users being tricked into installing it themselves. An example is a phishing email that appears to come from your bank, looks trustworthy (it uses your full name and perhaps contains a card number) and tells you to update your banking client. Another is the annoying pop-ups you may get in a game, where you end up clicking an «Install now» button that you shouldn’t have.
Another vector is the so-called drive-by attack, where the download and install are unintentional and the attacker is exploiting a weakness in a web browser or a mail program. You don’t even have to visit a questionable web site, as there have been many cases where malware has spread through ad campaigns on otherwise reputable sites.
A third, and even scarier, vector is the remote exploit, where you don’t have to do anything at all for your phone to get infected. Examples of this kind of attack include attacks against phone provisioning, vulnerable SIM cards and even OS functions for unpacking MMS messages. Common to all of these attacks is that they can happen at any time and that the user does not need to be involved for the phone to be infected.
A fourth and somewhat more surprising way to get malware is when it is already installed on the device when you buy it. This is particularly the case with very cheap phones from small manufacturers in the Far East. It might not come as a big surprise, but the quality control for a $35 no-name phone bought from AliExpress can be quite lacking.
If your phone is «rooted» or «jailbroken» it is not automatically less secure than otherwise, as the same process that lets you root your phone also allows it to be updated faster than the manufacturer intends. But it also provides a mechanism for malware to gain more rights without having to exploit operating system vulnerabilities, which may make the malware harder to detect.
So, what can you as an end-user do to avoid malware? Here is a list of quick tips:
Be wary of email scams and pop-ups that tell you to «update your software now». There have been many cases of fake apps that mimic banking apps and simply trick you into submitting your username and password.
Avoid running old versions of Android if possible, and choose a phone from a manufacturer that provides OS updates. iOS and the larger Android manufacturers usually provide faster updates over a longer period of time.
Don’t get fooled into installing software from outside the Android app store. It is very, very unlikely that your bank will tell you to install an update of their app from a non-verified location.
On Android, you can be more vulnerable if you are still running the web browser that came with the phone when you bought it, so make sure to install Chrome or Firefox instead. On iOS you’re «lucky» in that Apple does not allow third-party web browsers to implement their own browsing engine. With Firefox it is also possible to use an ad-blocker, which helps protect against drive-by attacks.
When installing apps, be wary of those that request permissions such as «receive SMS» or that install new accessibility services, as these can be used to intercept OTP codes sent by SMS and to remotely control the user interface of other apps.
Software Solutions and Okay
There are some software solutions, such as antivirus packages, that claim to protect you against malware, but it is questionable whether they can offer much protection. On a Windows or Mac computer it is possible to install Administrator- or root-level software that can analyze the files being read and the running processes, but this is not possible on Android and iOS. On a phone, such software can at most check whether programs with questionable names are installed, and perhaps monitor your unencrypted web traffic. This provides little protection against malware, which, unlike legitimate apps, does not have to follow the official developer guidelines that forbid gaining root access on your phone.
With Okay, one of our fundamental assumptions is that every device either has malware, is vulnerable to malware, or will be vulnerable to malware very soon. This is perhaps a pessimistic view of the world, but it is hard not to be pessimistic when the stakes are so high: the value of all transactions verified on phones every day worldwide is certainly in the hundreds of millions of euros, or even more. For criminals, this is a very tempting target. This is why we simply aim to make authentication and transaction security as strong as possible.