From our vantage point, there’s little doubt that mobile apps have become the newest area of extreme vulnerability for financial organizations, leaving them exposed to fraud, security breaches, and other acts of piracy. With users moving in droves from PCs and laptops to smartphones, it is inevitable that malware will migrate to the new device of choice, and in rapid succession. The stats bear this out: for example, RSA detected 350,000 malicious Android app samples in 2012, up from just 1,000 in 2011. Banking trojans found on the desktop have morphed to mobile attack mode: the Citadel trojan, one of the fiercest banking attacks online, was modified to become CitMO (Citadel-in-the-Mobile), a worm that can install itself on Android devices and intercept one-time passwords and authentication messages sent by a bank to a mobile device.
Fraud, IP infringement, brand misuse, and copyright abuse are thriving in app marketplaces, which are less transparent than the Internet, challenging to comprehensively search and require special capabilities to do so. Mobile’s smaller screen size and slower download times add to the opacity. In short, it’s much easier to miss the bad app in the barrel.
There is an inverse relationship between security and accessibility. To make something ultra-secure you have to make it pretty much inaccessible. This is why Apple’s mobile platform is widely considered more secure than Android’s. Apple’s iOS opts for a closed operating system and a walled garden App Store, versus an open operating system and web-based app marketplace. If a castle is a paradigm for security, now think how you further secure it with a moat; now consider that same castle and moat at the top of a mountain -- more secure, less accessible. The same is true of IT security. Mobile devices have provided that level of accessibility. Users have access to everything, all of the time. This often means putting rapid access and slick delivery ahead of security, with app development often falling prey to this mindset.
In general, mobile provides a more casual computing environment. Devices are often used on the go, encouraging a relaxed state of mind that may prevent users being properly alert to security concerns. The necessity of making mobile devices easy to use has produced the reaction of creating greater difficulty in performing basic tasks that may be commonplace on desktop computers, such as spotting fraudulent emails or phishing attempts – for example, it’s harder to view specific URLs in email applications and analyze web pages in mobile browsers. Additionally, consumers are usually less aware of mobile device security options and general best practice security hygiene.
The Android operating system in particular is frequently exploited by malware designed to harvest credentials, keylog, and capture other information vital to a bank’s security and credibility. Symantec recently profiled a piece of malware called Andorat, which is able to bundle itself, undetected, with any legitimate app and install without the user’s knowledge, allowing a hacker full remote control of an Android device. A different type of Android malware was inadvertently downloaded nearly nine million times from the official Google Play store, sending phone numbers and personal information to command and control servers every four hours.
It is therefore the new imperative for financial services organizations to monitor all app marketplaces for those apps that open them up to fraud and security breaches – and remove them efficiently and quickly once located. Protecting a financial institution’s brand and customers’ security on mobile app stores requires vigilance, and the ability to delve into the furthest corners of this rapidly expanding world. The solution lies in monitoring, detecting, enforcing, and being responsive to the rapid changes taking place in the mobile landscape – making it possible to respond in real time.
Gary McIlraith, CEO of NetNames, the world’s largest corporate brand protection specialists, is a leading authority on mobile and online piracy issues. He can be reached at Gary.McIlraith@NetNames.com.