As the number of apps and smartphones increases, they are becoming an attractive target for the criminal gangs behind PC scams who are looking to expand into mobile. For these gangs, smartphones are attractive because they are tied into payment mechanisms such as premium SMS in ways that traditional PCs are not.
And although the individual amounts may seem trivial, it is important to bear in mind that extracting £1 from a million users adds up.
Smartphones can be quite complex for some consumers to use and understand. The criminals know this and are looking to exploit it using social engineering attacks via SMS, Facebook and Twitter etc. to trick unsuspecting consumers into downloading apps from untrusted sources outside of the official app stores.
Recent research from North Carolina State University found that 86 percent of Android malware was repackaged legitimate apps. This is because it can be reasonably easy to download and modify legitimate apps by adding rogue code to them. Criminals can then relist them on unregulated app stores or promote them directly via social media, sharing money and leaking data to hackers.
As the scammers moved “off market” they altered their tactics. For example, there are a number of rogue apps that make dubious claims about being able to conserve your battery, enticing a user to sign up to a premium SMS service for little or no improvement to their battery life.
The scammers are using banner ads, or push notifications, within legitimate apps, deliberately designed to look like genuine system updates, to fool unsuspecting consumers into downloading them.
Increasingly the scammers are stepping back and using affiliate marketing networks to promote the apps on a pay-per-install basis. This trend looks set to continue as we have seen “copycat” postings on job boards looking for developers to duplicate these rogue apps, including international premium SMS billing services.
The reality is that while consumers express outrage when they believe their data may not be secure, many are unwilling to protect themselves or take responsibility. The thrill of trying out a hot new app, particularly if it’s free, leads the majority of users to ignore the ‘annoying’ requests for permissions which can give access to personal data.
Research we carried out recently showed that while two-thirds of consumers hate apps leaking their data, 75 percent may be giving away their physical location when downloading them.
So with consumers unwilling to protect themselves, who do they expect to keep them secure?
Interestingly the research found that most people expect their mobile operator to keep their personal data secure, with 83 percent of subscribers admitting that they would change operator if their privacy was compromised. Two-thirds of consumers also said that they’d like more information from their mobile operator on how to protect themselves from mobile security threats – showing that education has a part to play.
But operators also need to provide the tools to protect subscribers from these increasingly sophisticated threats. It is only by providing complete ‘network to handset’ protection that operators can protect their customers’ personal data, location and financial details.
As hackers develop more intelligent and incisive ways of gaining consumer information and data – and consumers continue to rank trust and solid security high on their list of priorities when choosing an operator – it is imperative that operators take the lead in educating and protecting their subscribers and use security to leverage the trust in their brands.
It is only by providing bespoke security that protects against the ever-changing threats that operators can reduce churn, increase revenue and neutralise threats to their own network infrastructure.
Ciaran Bradley, VP of Handset Security at AdaptiveMobile
The editorial views expressed in this article are solely those of the author(s) and will not necessarily reflect the views of the GSMA, its Members or Associate Members