Mobile and Social - the Threats You Should Know About

by Darla Nykamp, Jaya Nampalli, Joseph Anderson, Mari Heiser, Tim Speed | September 2013 | Open Source

In this article, created by Tim Speed, Darla Nykamp, Mari Heiser, Joseph Anderson, and Jaya Nampalli, the authors of Mobile Security: How to Secure, Privatize, and Recover Your Devices, we will take an in-depth look at various scams, phishing, spear phishing, social engineering, Cloud security, viruses, worms, and other threats a user may encounter, and future threats.

In this article, we will review various threats that you need to be aware of. They are as follows:

  • Scams
  • Malware
  • SMS spoofing
  • Social engineering
  • Phishing
  • Cloud computing
  • Virus


A prediction of the future (and the lottery numbers for next week) scams

Security threats, such as malware, are starting to appear on mobile devices, and we are learning that mobile devices are not immune to viruses, malware, and other attacks. As PCs are increasingly being replaced by mobile devices, the incidence of new attacks against mobile devices is growing. Users have to take precautions to protect their mobile devices just as they would protect their PCs.

One major type of mobile cybercrime is the unsolicited text message that captures personal details. Another type of cybercrime involves an infected phone that sends out an SMS message that results in excess connectivity charges.

Mobile threats are on the rise according to the Symantec Report of 2012; 31 percent of all mobile users have received an SMS from someone that they didn't know. An example is where the user receives an SMS message that includes a link or phone number. This technique is used to install malware onto your mobile device. Also, these techniques are an attempt to hoax you into disclosing personal or private data. In 2012, Symantec released a new cybercrime report. They concluded that countries like Russia, China, and South Africa have the highest cybercrime incidents. Their rate of exploitation ranges from 80 to 92 percent. You can find this report at http://now-static.norton.com/now/en/pu/images/Promotions/2012/cybercrimeReport/2012_Norton_Cybercrime_Report_Master_FINAL_050912.pdf.

Malware

The most common type of threat is known as malware, which is short for malicious software. Malware is used or created by attackers to disrupt many types of computer operations, collect sensitive information, or gain access to a private mobile device/computer. It includes worms, Trojan horses, computer viruses, spyware, keyloggers, rootkits, and other malicious programs.

As mobile malware is increasing at a rapid speed, the U.S. government wants users to be aware of all the dangers. So in October 2012, the FBI issued a warning about mobile malware (http://www.fbi.gov/sandiego/press-releases/2012/smartphone-users-should-be-aware-of-malware-targeting-mobile-devices-and-the-safety-measures-to-help-avoid-compromise).

The IC3 has been made aware of various malware attacking Android operating systems for mobile devices. Some of the latest known versions of this type of malware are Loozfon and FinFisher. Loozfon hooks its victims by emailing the user with promising links such as: a profitable payday just for sending out email.

It then plants itself onto the phone when the user clicks on this link. This specific malware will attach itself to the device and start to collect information from your device, including:

  • Contact information
  • E-mail address
  • Phone numbers
  • Phone number of the compromised device

On the other hand, a spyware called FinFisher can take over various components of a smartphone. According to IC3, this malware infects the device through a text message and via a phony e-mail link. FinFisher attacks not only Android devices, but also devices running Blackberry, iOS, and Windows.

Various security reports have shown that mobile malware is on the rise. Cyber criminals tend to target Android mobile devices. As a result, Android users are getting an increasing amount of destructive Trojans, mobile botnets, and SMS-sending malware and spyware. Some of these reports include:

As stated recently in a Pew survey, more than fifty percent of U.S. mobile users are overly suspicious/concerned about their personal information, and have either refused to install apps for this reason or have uninstalled apps.

In other words, the IC3 says:

Use the same precautions on your mobile devices as you would on your computer when using the Internet.

Toll fraud

Since the 1970s and 1980s, hackers have been using a process known as phreaking. This trick provides a tone that tells the phone that a control mechanism is being used to manage long-distance calls. Today, hackers use a technique known as toll fraud. It is malware that sends premium-rate SMSs from your device, incurring charges on your phone bill. Some toll fraud malware may trick you into agreeing to murky Terms of Service, while others can send premium text messages without any noticeable indicators. This is also known as premium-rate SMS malware or premium service abuser.

The following figure shows how toll fraud works, portrayed by Lookout Mobile Security:

According to VentureBeat, malware developers are after money. The money is in the toll fraud malware. Here is an example from http://venturebeat.com/2012/09/06/toll-fraud-lookout-mobile/:

Remember commercials that say, "Text 666666 to get a new ringtone everyday!"? The normal process includes:

  • The customer texts the number, alerting a collector (working for the ringtone provider) that he/she wants to order daily ringtones.
  • Through the collector, the ringtone provider sends a confirmation text message (or sometimes two, depending on that country's regulations) to the customer.
  • That customer approves the charges and starts getting ringtones.
  • The customer is billed through the wireless carrier.
  • The wireless carrier receives payment and sends out the ringtone payment to the provider.

Now, let's look at the steps when your device is infected with the malware known as FakeInst:

  • The end user downloads a malware application that sends out an SMS message to that same ringtone provider.
  • As normal, the ringtone provider sends the confirmation message. In this case, instead of reaching the smartphone owner, the malware blocks this message and sends a fake confirmation message before the user ever knows.
  • The malware now places itself between the wireless carrier and the ringtone provider. Pretending to be the collector, the malware extracts the money that was paid through the user's bill.

FakeInst is known to get around antivirus software by identifying itself as new or unique software.

Overall, Android devices are known to be impacted more by malware than iOS. One big reason for this is that Android devices can download applications from almost any location on the Internet. Apple limits its users to downloading applications from the Apple App store.

SMS spoofing

The third most common type of scam is called SMS spoofing. SMS spoofing allows a person to change the original mobile phone number or the name (sender ID) that the text message appears to come from. It is a fairly new technology that uses SMS on mobile phones. Spoofing can be used in both lawful and unlawful ways. Impersonating a company, another person, or a product is an illegal use of spoofing. Some nations have banned it due to concerns about the potential for fraud and abuse, while others may allow it. An example of how SMS spoofing is implemented is as follows: SMS spoofing occurs when the message sender's address information has been manipulated. This is often done to impersonate a cell phone user who is roaming on a foreign network and sending messages to a home area network. Often, these messages are addressed to users who are outside the home network, which is essentially being "hijacked" to send messages to other networks.

The impacts of this activity include the following:

  • The customer's network can receive termination charges caused by the valid delivery of these "bad" messages to interlink partners.
  • Customers may complain about being spammed, or their message content may be sensitive. Interlink partners can cut off the home network unless these errors are corrected. Once that happens, the phone service may be unable to send messages to these networks.
  • There is a great risk that these messages will look like real messages, and real users can be billed for invalid roaming messages that they did not send.

There is a flaw within iPhone that allows SMS spoofing. It is vulnerable to text messaging spoofing, even with the latest beta version, iOS 6. The problem with iPhone is that when the sender specifies a reply-to number this way, the recipient doesn't see the original phone number in the text message. That means there's no way to know whether a text message has been spoofed or not. This opens up the user to other spoofing types of manipulation where the recipient thinks he/she is receiving a message from a trusted source.

According to pod2g (http://www.pod2g.org/2012/08/never-trust-sms-ios-text-spoofing.html):

In a good implementation of this feature, the receiver would see the original phone number and the reply-to one. On iPhone, when you see the message, it seems to come from the reply-to number, and you lose track of the origin.


Social engineering

For many attacks to work, the victim is required to disclose personal information in some way; this is known as social engineering. Hackers are everywhere and they never sleep, whether the threat is an SMS text message with evil intent or a phishing e-mail that tracks your every step on your mobile devices.

Whether you're an IT manager protecting employees and corporate systems or you're simply trying to keep your own personal data safe, these threats—some rapidly growing, others still emerging—pose a potential risk.

A good source for a definition of social engineering is http://en.wikipedia.org/wiki/Social_engineering_(security).

Social engineering is the act of manipulating people into executing actions or disclosing confidential information, such as an ID and password or a bank account, credit card, or social security number. There are two forms of social engineering: one is phishing and the other is spear phishing, where persons represent themselves as trustworthy entities in an electronic communication.

Phishing

Phishing is the fraudulent act of attempting to capture sensitive personal information by masquerading as a trustworthy or legitimate source in an e-mail. These types of attacks can utilize social engineering tactics. Phishing e-mails may include links leading to websites that are infected with malware. Using this trust, the attackers then attempt to acquire sensitive information such as usernames, account passwords, credit card data, and sensitive corporate information. These attacks are pretty broad-based, typically involving spam e-mail or other communications distributed to many people. An example is the kind of e-mail requesting "verification" of information while warning of some dire consequence if it is not provided. Be particularly wary of unsolicited communications. It is better to type the URL out directly than copy and paste it.

Here is an example:

A user receives an e-mail from their bank, asking them to verify their account information such as username and password. The user clicks on the link where they enter their username and password.

Here is another example:

If the Groupon application on the iPhone wants to share something on Facebook, the program typically pops up a window that invites the user to sign into that website. But, there's usually no way to be sure that the login site is legitimate and that the phone's owner is really sending their username and password to Facebook. Users are manipulated this way; therefore, you should never enter any sensitive information and always use extra caution.

Overall, it is difficult for mobile phone users to distinguish real websites from fake ones. The smaller screens on mobile phones don't help this identification process.

Types of phishing

There are a variety of attack types; let's review a few:

  • Malware-based phishing: This type of phishing involves running malicious software on users' devices. It is easy to introduce malware as a downloadable file on a website or in an e-mail. Easy targets are smaller companies and/or end users that don't keep their devices up to date with the latest antivirus software.
  • Deceptive phishing: Using e-mail as the primary delivery mechanism, deceptive phishing tricks the end user into sharing their account information. Though not totally limited to e-mail, this type of trickery will try to tell you that you have fictitious account fees. As a result, end users share personal information.
  • DNS-based phishing (pharming): This is an advanced type of phishing. Pharming, specifically, is the modification of a system's hosts file. This can also impact a Domain Name System (DNS). This is as dangerous as it sounds. Hackers tamper with a corporate hosts file and/or the DNS system and, as a result, they can route URLs to the hacker's sites.
  • Content Injection phishing: Content Injection is where a hacker replaces some part of a legitimate website in order to redirect the user to a fake site. This can also be a modified site where information is in effect stolen from the end user and sent directly to the hacker.
  • Data theft: This is the most common type of phishing. PCs that are not well managed are easy targets for hackers. These are unauthorized PCs, or PCs that don't have all of the needed virus scanning software installed. These unsecure PCs can be used to access corporate servers and steal a business's intellectual data.
  • Search engine phishing: This phishing type presents a user with very sophisticated, attractive, and legitimate-sounding offers that show up in the search engine's index. Hackers create these searchable websites. These websites show up during the normal course of a user searching for products or services, and users are tricked into giving up their sensitive information. A prime example of this type of scam is where scammers set up false banking sites with lower credit rates or better interest rates for mortgages or personal loans. Victims are lured to these sites in order to make more interest or even save themselves from interest charges. The victim is encouraged to give up their personal information.

Other types of attacks include:

  • System reconfiguration attacks: This type of attack will modify configuration settings on a user's desktop. Once these malicious settings have been installed, hackers can control devices.
  • Keyloggers and screenloggers: This is a very old type of attack. Keyloggers have been around for a long time. This attack will actually track each of the keys pushed and then send that data out to the hackers' servers.

Spear phishing

Now that we have introduced you to phishing, let's now talk about spear phishing. Spear phishing is another method that can be used to steal your identity. Spear phishing targets individuals. This type of attack is customized to one person at a time. This type of attack is on the rise mostly on mobile devices. Mobile devices are being used more and more for corporate access. This attack exposes not only the end user, but also the corporation's network they connect to. Spear phishing uses data that is directly from an end user; for example, social media information or e-mail. These are very personalized attacks.

BYOD devices today are hooked into the corporate network. This access includes access not only to the end user's information, but also corporate information, like a corporate directory of users. If the corporate directory is compromised, hackers now have a larger set of end users they can attack.

How spear phishing works

Spear phishing normally uses e-mail as the delivery mechanism. One example includes an e-mail that has a URL (hyperlink) that points to a fake website. The fake website will collect personal information once it is accessed. In many cases a file is attached. This can be very convincing, as the source message looks to be real. The user launches the attachment and then executes the malware that can destroy the device, or in this example, will extract personal information from the device and send it directly to the hacker.

Other examples

Let's have a look at some examples of spear phishing.

Receiving e-mails from a "friend"

The spear phisher thrives on familiarity. Cyber criminals know your first and last name, your e-mail address, and at least a little something personal about you. The e-mail message salutation is very likely to be personalized: "Hi Steve" instead of "Dear Sir/Madam." The e-mail may make reference to a "mutual/common friend", to a recent search you've made about a product or an item, or a recent online purchase you've made. Because the e-mail appears to come from someone you are very familiar with, you may be less vigilant and provide them with any information they ask for. With an urgent request for action, you may be tempted to act before thinking, especially when it's a company you frequently access that is asking.

Using your web presence against you

Do you know you are becoming a target for spear phishing? The information you are providing on the Internet from your PC or a smartphone can make you a target. For example, a spear phisher might scan social networking sites and find your e-mail address, your page, your friends list, and a recent post by you telling friends about the cool new laptop or tablet you bought at an online retail site. By using this information, a spear phisher could pose as a friend, send you an e-mail, and ask you for personal information or a password to your photo page. If you respond with the password, the phishers will try that password and many combinations of it in order to try to access your personal accounts on that online shopping site you mentioned. If they find the right one, they'll use it to run up a nice big expensive tab for you. Alternatively, the spear phisher might pose as somebody from the online retailer by using the same information and ask you to reset your password, or re-verify your credit card number. If you do this, you'll mess up your financial information and cause yourself harm.

Keeping your secrets secret

Are you safe and is your information safe? It really depends in part on you being careful. Check your online presence with your names. Check your social networking threads. Be aware of your information and how much is out there about you that could be pieced together for someone to scam you. Also, the data you put on the Internet "stays on the Internet". Some of this information can include:

  • Your name.
  • E-mail address.
  • Friends' names.
  • Your friends' e-mail addresses.
  • Are you on, for example, any of the popular social networking sites?
  • Be sure and look at your daily posts on various social networking sites.
  • Beware of giving too much information on social sites. Don't over share.
  • Be proactive and don't reveal too much.
  • Is there anything you don't want a scammer to know?
  • Have you posted something on a friend's page that might reveal too much?

Be sure to ask yourself all these questions. Google your name and be aware. Refer to the following example screenshot:

Passwords that work

A lot of people have common passwords. They use the same password on multiple sites and services, use "easily guessed passwords", or both. Rethink all of your passwords. Do you use just one, or easy-to-figure-out variations on just one? If you do either, you shouldn't, because you're making yourself a target for a scammer to get access to your sensitive financial information. Every password for every site you visit should be different and truly unique. Random letters, upper or lower cases, and numbers work best. Change them frequently, every two to three months. Your Internet security software and operating system can help you keep track of your passwords.

Here is a common technique that hackers use to find your passwords:

Hackers will obtain information about you: your name, your e-mail, or other personal information. Also, the hacker will find where your bank is and/or what corporate sites you use. Word lists are very common on the Internet; hackers will obtain these lists as a starting point. Hackers will write simple code to create password lists. Each password will be modified so it can be used as an attack against your websites; for example, e-mail.

Passwords will be created using a simple algorithm: [Base word] & [character change] & [Character add].

For example, the base word could be "password" or your last name.

Formula: "password" & [change the letter 'a' to @] & [add a "01" to "09"].

This creates the following potential passwords:

  • p@ssword01
  • p@ssword02
  • p@ssword03
  • p@ssword04
  • p@ssword05
  • p@ssword06
  • p@ssword07
  • p@ssword08
  • p@ssword09

Follow the Johnson example: "Johnson" & [change the letter 's' to $] & [add a "01" to "09"].

  • John$on01
  • John$on02
  • John$on03
  • John$on04
  • John$on05
  • John$on06
  • John$on07
  • John$on08
  • John$on09

Based on the preceding example, you can see why you need more complex passwords and why passwords should be changed on a regular basis. Now with personal information extracted from you (or even via a search engine), hackers will attack your account with the same username (mike.johnson@example.com) and then each of the passwords created. This is an automated process and has a high success rate. Yes, this can take a while, but hackers will have used thousands of PCs they would have gotten control of via other techniques. Review this article to see how powerful this technique is: http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/.
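
The same formula seen from the defender's side, as an added example that is not from the book: a password-policy check that undoes the [character change] step, looks for a deny-listed [Base word], and reports what was changed and added. The look-alike table, the function names, and the deny list are assumptions made for this illustration; the account name is the one used above.

```python
"""Detect passwords built as [base word] & [character change] & [character add].

Added illustration: the fold table, names and deny list are assumptions.
"""
import re
from typing import NamedTuple, Optional

# Fold look-alike characters to one representative letter. "1", "!", "l"
# and "i" share a class, so both "m1ke" and "he11o" fold onto deny words.
FOLD = str.maketrans({
    "@": "a", "4": "a", "$": "s", "5": "s", "0": "o",
    "1": "i", "!": "i", "l": "i", "3": "e", "7": "t",
})

COMMON_WORDS = {"password", "welcome", "qwerty", "letmein"}  # constructed list


class Finding(NamedTuple):
    base_word: str  # deny-listed word the password is built on
    changed: str    # characters swapped in for letters, e.g. "@"
    added: str      # characters placed around the base word, e.g. "01"


def fold(text: str) -> str:
    """Lowercase and collapse look-alike characters (one-to-one per char)."""
    return text.lower().translate(FOLD)


def personal_tokens(*identity_fields: str) -> set:
    """Split names and e-mail addresses into lowercase tokens of 4+ letters."""
    tokens = set()
    for field in identity_fields:
        for token in re.split(r"[^a-z]+", field.lower()):
            if len(token) >= 4:
                tokens.add(token)
    return tokens


def explain(password: str, deny_words) -> Optional[Finding]:
    """Return how the password derives from a deny-listed word, or None."""
    lowered = password.lower()
    folded = lowered.translate(FOLD)          # same length as `lowered`
    # Longest word first, so "johnson" is reported rather than a shorter hit.
    for word in sorted({w.lower() for w in deny_words}, key=lambda w: (-len(w), w)):
        start = folded.find(fold(word))
        if start == -1:
            continue
        end = start + len(word)
        core = lowered[start:end]
        changed = "".join(c for c, w in zip(core, word) if c != w)
        added = lowered[:start] + lowered[end:]
        return Finding(word, changed, added)
    return None


def build_deny_list(*identity_fields: str) -> set:
    """Common words plus tokens taken from the account owner's identity."""
    return COMMON_WORDS | personal_tokens(*identity_fields)


if __name__ == "__main__":
    deny = build_deny_list("Mike Johnson", "mike.johnson@example.com")
    for candidate in ("p@ssword01", "John$on09", "M1ke!2013", "tR8#kVq2zLw"):
        print(candidate, "->", explain(candidate, deny))
```

A registration or password-change form can refuse any password for which `explain` returns a finding, which removes the whole family of variants rather than one entry at a time.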

Patches, updates, and security software

Always keep your software patches up to date. When you get notices from software vendors to update your software, never ignore these notifications, just do it. Most operating system and browser updates include security patches. Sometimes, it only takes your name and e-mail address for a hacker to slip through a security hole into your system. And it almost goes without saying, you should be protected by Internet security software.

Be vigilant

Always be vigilant and proactive. If a "friend" e-mails and asks for a password or other information, call or e-mail (in a separate e-mail) that friend and ask them to verify that they really contacted you. As we have noted before, you need to check with your vendor (bank or other) and make sure these messages are valid. Keep in mind that most legitimate businesses will never e-mail you asking for passwords or account numbers. This may not sound fair, but it is up to you to be alert. If in doubt, don't select the link that is in the e-mail. As for texting, please don't send personal information via text; this is just asking for trouble.

Cloud computing security

Cloud computing is a service that is provided on the Internet using shared computing resources such as hardware and software. These services are implemented, managed, and in many cases provide a controlled secure environment for customers. These services are available to users when requested via the Internet from a Cloud computing provider's servers, including hardware, software, and in many cases networking. This computing service does not use a company's own servers. Also, there are hybrid solutions that are provided to customers that can be used as transition services and/or a set of partial services that a customer can purchase. It is designed to provide users easy access to applications, shared resources, and services managed by the Cloud service provider. Some examples of Cloud services are online data storage, backup solutions, web-based e-mail services, hosted office suites, and document collaboration services. There are many public Cloud services that can be used to create, store, back up, and share data, including Google Docs, Dropbox, Microsoft 365 Apps, Carbonite, Apple iCloud, and SlideShare. Most likely, most of you out there have already used some forms of Cloud computing. If you have any kind of web-based e-mail service like Gmail, Yahoo! Mail, or Hotmail, you have some experience with Cloud computing. The software and storage is stored in your online account and it does not exist on your computer.

How it works

When speaking about cloud computing architecture, it's useful to separate it into three levels: the frontend, the network layer, and the backend. All these ends are connected through a network, usually the Internet. The frontend is the user side of the computer or a mobile device, while the backend is the Cloud section of the system.

The following figure shows a sample Cloud solution:

Recently, cloud computing has picked up speed and is transforming the Internet computing infrastructure. Also, mobile applications and mobile devices have developed rapidly. Mobile devices can use the Cloud for data processing, storage, and other intensive processing operations. Mobile Cloud computing refers to the availability of Cloud services in a mobile environment. It is a combination of the mobile network and Cloud computing, thereby providing optimal services for mobile users. Cloud computing exists when tasks and data are kept on the Internet rather than on individual mobile devices, providing on-demand access. Applications run on a remote server and are then sent to the user.

Since the number of mobile Cloud computing users is growing, the issue of Cloud security comes into the picture. Cloud security threats come in all shapes and sizes. Securing a mobile Cloud computing user's privacy and the integrity of data or applications is one of the key issues most Cloud providers are giving attention to. Although mobile Cloud computing is a combination of mobile networks and Cloud computing, the security risks are divided into two areas: the mobile network user's security and Cloud security.

The mobile user's security

Some of the greatest concerns for mobile devices include:

  • Security: The idea of a company handing over important data to another company for computing services causes concern for some people. Users are very skeptical about taking advantage of the Cloud computing system. The concern revolves around the security risks inherent with the use of mobile applications. The simplest way to detect security threats is to install and run security software and antivirus programs on their mobile devices.
  • Privacy: Providing private personal information, such as your current location and other important user information, creates scenarios for privacy issues. For example, the use of location-based services (LBS) provided by Global Positioning System (GPS) devices could expose the user's privacy to a threat. Threats could be minimized through selecting and analyzing the enterprise's needs and requiring only specified services to be acquired and moved to the Cloud.

The following table shows some of the mobile security features that are manifested between iOS and Android:

Feature: Methods of application distribution

  • iOS: By default, the iOS applications can only be downloaded through the Apple App store.
  • Android: Android has larger distribution channels. More downloadable places are available to download applications from. Inadvertently, this makes it a higher risk.

Feature: Weaknesses

  • iOS: Every iOS device running on lower than version 4.3.5 is vulnerable to a flaw called SSL MITM, which hackers can exploit easily.
  • Android: Millions of Android phones that are still under contract cannot be updated to the latest version of the Android OS.

Feature: SandBox

  • iOS: Both iOS 5 and Android 4.0 Ice Cream Sandwich use sandboxing to isolate applications from each other and from sensitive operating system features.
  • Android: Both iOS 5 and Android 4.0 Ice Cream Sandwich use sandboxing to isolate applications from each other and from sensitive operating system features.

Feature: Remote wipe

  • iOS: Both platforms support remote wipe.
  • Android: Both platforms support remote wipe.

Feature: Jailbreak or rooting

  • iOS: If a device owner chooses to jailbreak their phone, he/she can be more vulnerable to malware.
  • Android: If a device owner chooses to root their phone, he/she can be more vulnerable to malware.

Feature: Malware

  • iOS: iPhone jailbreak exploits security holes that may also be exploited by hackers.
  • Android: The lack of review has led to an increasing volume of Android specific malware.

Android application marketplace has limited security implementation via limited inspection. In general, Google chose to allow nearly any application hosted on the marketplace for users to download.

Even with improved security over traditional desktop-based operating systems, both iOS and Android are still vulnerable to many existing categories of attacks.

Cloud security

The following list shows several cloud security/issues that users should be aware of:

  • Data location: Cloud data can be hosted almost anywhere. Your personal data and/or corporate data can be hosted on a server anywhere connected to the Internet. The data can be in any city or country. Before you host your data, or corporate data, be sure to learn about security hosting laws. One example is the Safe Harbor Act: http://export.gov/safeharbor/eu/eg_main_018476.asp.
  • Data segregation: This refers to Cloud data stored in a shared architecture alongside other users' data. In some cases, data can be encrypted within the Cloud. Also, data can be segregated within the Cloud. Be sure to check with your provider and see how they manage your data in the Cloud.
  • Privileged user access: When you host your data outside your own computer, someone will have access to that data. Make sure you obtain information about the people who manage this data and verify what processes they use to keep your data safe.
  • Security compliance: At the end of the day, you are responsible for the security of your data, even if the data is hosted by a third party. Again, check with your service provider and ask how your data is managed.
  • Disaster recovery (DR): Disaster recovery is the process where data is hosted in several locations. If the primary site shuts down and/or is destroyed, a secondary site can bring your data back online. Contact your provider and ask about the service levels they use on hosting your data. If you are really interested in DR, check out NIST SP 800-34 (http://csrc.nist.gov/publications/nistpubs/800-34-rev1/sp800-34-rev1_errata-Nov11-2010.pdf). Contact your service provider and ask them how long it takes to bring your secondary data source online for your access.

Virus/worms/others

We, as mobile device users, tend to think that our mobile devices cannot be infected by viruses. But the truth is, we are vulnerable to all kinds of threats. Anyone who has any kind of mobile device is at risk of getting a virus if they are not careful or do not protect themselves. Some of the most notable mobile viruses, Trojans, and worms are:

  • Skulls: This Trojan virus replaces all phone desktop icons with images of a skull and the device becomes useless.
  • ZitMo: The ZitMo malware targets users' online banking information. Once installed, this malware forwards all incoming SMS messages to a command and control center. Once this data has been shared with the hackers, they use it to attack your banking accounts.
  • DroidKungFu: This is a powerful Trojan for Android applications that obtains manager/master privileges on your device. This virus collects and sends the data to a remote server.
  • Zeus: Another Trojan horse that steals banking information. This malware is executed by a process known as man-in-the-browser keystroke logging. Zeus is spread mainly through drive-by downloads and phishing schemes.
  • CommWarrior: This is one of the first worms that uses Multimedia Messaging Service (MMS) in order to spread to other devices.
  • SpyEye: This injects new fields into a web page. This technique is called HTML injection. It results in a request for data from users trying to use their banking websites. This malware can include login prompts and password requests. Once hackers have this data, they can access your bank accounts.
  • Ikee: This particular malware only works on phones that are jailbroken. This article discusses the risk of jailbreaking, and this is one of the big ones.
  • Gingermaster: This malware was created for the Android platform. This particular malware spreads by installing an application that contains a hidden set of code that runs in the background on the device. This virus exploits a specific release of the Android software, Gingerbread 2.3. The result is that the malware creates a service that steals information from the targeted device.
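
As an added illustration (not from the original article or the book), the Python example below audits an app inventory for the permission combinations that the SMS-forwarding behaviour described for ZitMo, and SMS-based toll fraud, depend on. The permission strings are standard Android permission names; the inventory, the allowlist, the install-source labels, and the package names are constructed for the example.

```python
# Added example. Permission strings are standard Android names; the
# inventory, allowlist and package names below are constructed.
SMS_READ = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
SMS_SEND = "android.permission.SEND_SMS"
INTERNET = "android.permission.INTERNET"

# Hypothetical allowlist: apps expected to handle SMS (the default messenger).
APPROVED_SMS_APPS = {"com.example.messaging"}

# Constructed inventory: package -> (install source, requested permissions).
INVENTORY = {
    "com.example.messaging": ("official_store", [
        "android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
        SMS_SEND, INTERNET]),
    "com.example.flashlight": ("official_store", [
        "android.permission.CAMERA", "android.permission.RECEIVE_SMS",
        INTERNET]),
    "com.example.bankhelper": ("unknown_source", [
        "android.permission.RECEIVE_SMS", SMS_SEND, INTERNET]),
    "com.example.notes": ("official_store", [INTERNET]),
}

def audit_app(package, source, permissions):
    """Return a list of findings for one app (empty list means no concern)."""
    perms = set(permissions)
    findings = []
    if source != "official_store":
        findings.append("sideloaded")
    if package not in APPROVED_SMS_APPS:
        # Reading incoming SMS plus network access is what SMS forwarding needs.
        if perms & SMS_READ and INTERNET in perms:
            findings.append("sms_forwarding_capable")
        # Sending SMS without being the messenger app enables toll fraud.
        if SMS_SEND in perms:
            findings.append("sms_sending_capable")
    return findings

def audit_inventory(inventory):
    """Audit every app and return only those with findings, sorted by name."""
    report = {}
    for package in sorted(inventory):
        source, permissions = inventory[package]
        findings = audit_app(package, source, permissions)
        if findings:
            report[package] = findings
    return report

if __name__ == "__main__":
    for package, findings in audit_inventory(INVENTORY).items():
        print(package, "->", ", ".join(findings))
```

A finding means the app is capable of the behaviour, not that it is malicious; it marks the apps worth reviewing or removing first.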

Future threats

In the short history of mobile devices, one of the areas that has received a lot of attention is BYOD. Bringing your own device to work is not only a significant part of recent history, but will be a part of our near future. Looking at the future, we judge that we will see more and more malware for mobile devices. Overall, we expect to see more of the following:

  • Malware that takes advantage of your location via the Global Positioning System (GPS). You use this as part of your map programs, and vendors are also starting to use GPS to help identify customers as they walk in their door. More and more applications are using GPS.
  • Hackers will take data from your device and use it for phishing and social engineering. This is why it is so important for you to protect your personal information. It is easy for hackers to violate your privacy and then use your data against you.
  • We also predict more applications that look to be legitimate, but in reality are a platform for hackers to attack you.
  • More use of SMS and other messages to deliver infected payloads of malware.
  • We will also see more malware that is customized to you.
  • As more mobile devices are infected, a greater number of corporate networks will be infected. This will be a big issue for corporate administrators.

Steps you can take to protect yourself

If you are using a smartphone, tablet, or any other mobile device, follow these guidelines to protect yourself:

  • Always use extra caution and install only approved applications available through your vendor's official application store.

    Also, be sure to check any feedback from the download site. This can clue you into any known issues.

  • Do not jailbreak or root your smartphone or tablet computer, as this disables critical security features in the device's operating system.
  • Before using Wi-Fi hotspot functionality on smartphones or portable hotspot devices, enable WPA2 Wi-Fi encryption and configure a strong password to prevent unauthorized access to the Wi-Fi network created by the device.
  • Use a password/pin that is difficult for others to guess.

    There is an advanced feature that you can use, known as two-factor authentication. Ask your vendor/application provider if they support this.

  • Change your phone and voicemail password often. One suggestion is at least every three months. Also, make sure you don't use any "default" passwords.
  • As you don't know who is lurking around or watching you, don't provide too much personal information online; this includes pictures.
  • Don't view sensitive personal information on public Wi-Fi.
  • It is very important for you to sign out of your applications when you are done.
  • Check your Twitter/Facebook privacy settings.
  • Don't reveal too much on social media sites and be discreet.
  • Lock down your security on your mobile device.
  • Avoid clicking e-mail links.
  • Use mobile security software; for example, Lookout.
  • Use mobile device management software.
  • Install OS updates and security hotfixes as soon as they are available for download to ensure your mobile device firmware is up to date.

Summing it up

Mobile security threats are on the rise, and this trend is destined to grow as more people turn to using any kind of mobile device, whether smartphone or tablet, in their day-to-day lives. The best approach for any device user is to practice mobile security and be aware of the various issues and risks. Take all the necessary safety precautions or measures to protect yourself against hackers taking control of your mobile devices.

Summary

In this article, we looked at various types of scams and threats related to the use of mobile devices. We provided ways of recognizing or being aware of all the necessary threats that are out there, including the following details:

  • Scams or threats have been increasing in the last four to five years.
  • Malicious software (malware) written to benefit others at your expense.
  • Toll fraud sends premium-rate SMS from your device, incurring charges on your phone bill.
  • SMS spoofing allows a person to change the sender's mobile number, which is the ID and also the name that text messages appear to come from.
  • The increased use of mobile devices for shopping, banking, and other activities requiring personal and sensitive personal information.
  • Social engineering and how it impacts mobile devices, divulging sensitive confidential information, and also manipulating users into performing actions.
  • A fraudulent act of attempting to capture sensitive personal information by masquerading as a trustworthy/legitimate source in e-mail.
  • Several known types of phishing acts.
  • Spear phishing is the new black mark in identity theft. It is important for you to recognize the known types of spear phishing.
  • Recognizing and understanding what Cloud computing is.
  • Knowing and understanding Cloud security risks.
  • Mobile security is divided into two areas: mobile user's security and Cloud security.
  • Android devices have higher security risk factors than iOS devices.
  • Recognizing and understanding known viruses and worms.
  • The permanence of your data once it reaches the Internet.
  • Future threats to be aware of.
  • Steps you can take to protect yourself.

About the Author:


Dale Cruse

Since 1995, Boston-area web developer Dale Cruse has been publishing websites for high-profile clients ranging from the U.S. Army to Bloomingdale's. He has been a guest lecturer at the Art Institute of New England & is currently pursuing speaking opportunities. Contact him at http://dalejcruse.com. He is also the author of the Champagne blog Drinks Are On Me at http://drinksareonme.net.

Darla Nykamp

Darla Nykamp is an Internal Auditor with IBM, joining the company in 1996 after more than a decade in the IT industry. She has focused on software design and development, security policy design and implementation, business controls and compliance, and served as IBM's first Global Privacy Delivery Leader.

In her spare time, Darla earned a Doctorate of Law, a Master's degree in International Business Management, a Bachelor's degree in Computer Science, and certifications in security and privacy professions.

Jaya Nampalli

Jaya Nampalli is a Managing Consultant for IBM Software Services for Collaboration. She is responsible for the development of high quality solutions for IBM customers in response to specific business requirements. She is a technical lead developer working on solution feasibility studies or requirements analysis, application assessments, custom design, implementation, testing, and system integration. She works with clients to facilitate the execution of information strategies that are innovative and well aligned based on a client's business needs. At IBM, she considers working on the IBM Centennial project as one of the highlights of her career. Jaya has worked on both small- and large-scale projects. Jaya stays current with web technology advances and other IBM product offerings by self-education and collaborating with other IBM team members. Jaya has been an IBM employee for over 12 and a half years.

Joseph Anderson

Joseph Anderson is an IBM Certified Managing Consultant from the IBM Collaboration Solutions Software Team. Joseph has worked with IBM Notes/Domino, IBM Connections, IBM Sametime, IBM WebSphere Portal, and IBM Quickr since the early 1990s, primarily as a consultant. He is currently responsible for managing complex Customer Engagements focusing on assisting customers with the development, licensing, and deployment of complex environments. Prior to working in the consulting industry, Joseph worked in the legal industry as a Director of Operations, where he leveraged his Master's of Science in Legal Administration from the University of Denver College of Law. Joseph is the co-author of two books: IBM Lotus Notes and Domino 8.5.3: Upgrader's Guide by Packt Publishing and Lotus Notes Domino 8: Upgrader's Guide by Packt Publishing. Additionally, Joseph was a Technical Reviewer for IBM Lotus Notes 8.5.3 How-to by Packt Publishing.

Mari Heiser

Mari Heiser is an IBM and Open Group Master Certified Architect with over 20 years of architecture, governance, risk, compliance, and technical management experience in networks and web technologies, specializing in security, compliance, and Service Oriented Architecture (SOA). Mari is also an expert in Identity and Access Management, Cloud, Security Analytics, and leads the IBM internal Information Security Community of Practice for the Americas. Mari's industry-specific experience has been concentrated in banking, manufacturing, distribution, bio-tech, education, and aerospace industries.

Tim Speed

Tim Speed is an IBM Senior Certified Systems Architect with IBM Software Services for Collaboration. In that capacity, he is responsible for designing, implementing, and supporting various engagements with IBM customers. Tim has been an IBM employee for over 18 years in a variety of networking, technical, hardware, and software support and consulting positions. He has been working with Lotus Notes for over 20 years, focusing on administration roles and infrastructure. He also has international experience with working on infrastructure engagements in Spain, The Bahamas, Japan, Hong Kong, Singapore, Malaysia, the UK, and Indonesia.
