{"id":15063,"date":"2015-04-28T16:10:22","date_gmt":"2015-04-28T16:10:22","guid":{"rendered":"http:\/\/kasperskydaily.com\/b2b\/?p=3901"},"modified":"2020-02-27T03:55:36","modified_gmt":"2020-02-26T16:55:36","slug":"android-financial-attacks-and-current-security-status","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.au\/blog\/android-financial-attacks-and-current-security-status\/15063\/","title":{"rendered":"Android: financial attacks and current security status"},"content":{"rendered":"<p>With an increasing number of people using mobile devices for work, the security of the data stored on them has become\u00a0a hot\u00a0topic. And since people also use mobile devices to access their finances, that makes them a prime target for cybercriminals. Android is the most popular mobile OS in the world right now, and the most targeted. How are users attacked and what is the current security status of Android?<\/p>\n<p><strong>Historically speaking<\/strong><\/p>\n<p>Android is routinely reported as the most targeted mobile OS with over 98% of mobile malware written specifically for it. Despite Google\u2019s <a href=\"https:\/\/business.kaspersky.com\/security-features-in-android-5-0\/2908\" target=\"_blank\" rel=\"noopener nofollow\">Herculean efforts to set things right<\/a>, Android users are still in a special risk zone.<\/p>\n<p>Android is also the most popular mobile system in the world (the author of this post is the owner of an Android-based smartphone). 
This means it inevitably draws a lot of interest from cybercriminals looking for an easy target.<\/p>\n<p><strong>Reasons for trouble<\/strong><\/p>\n<p>The reasons for this are both very simple and very complicated. First, unlike Apple\u2019s iOS, Android has been licensed to interested\u00a0vendors and developers, and these vendors introduced a lot of their own peculiarities, hacks, and features \u2013 and they did not always follow best practices. As a result, the platform became quite fragmented, and it took time for Google to start pulling it back together.<\/p>\n<p>Apple iOS users are bound to Apple\u2019s app store, where security is tight. Android users can install apps from <a href=\"http:\/\/www.digitaltrends.com\/mobile\/android-app-stores\/2\/\" target=\"_blank\" rel=\"noopener nofollow\">a large array of various app stores,<\/a> not limited to Google Play. Some have very good security, some don\u2019t.<\/p>\n<p>Popularity among users also means popularity among developers, and not all developers are infallible: there are bugs, there are errors, there are vulnerabilities, and there are bad guys eager to exploit them.<\/p>\n<p>Vulnerabilities and user negligence give criminals a good opportunity to reach for other people\u2019s money.<\/p>\n<p><strong>Tools of trade<\/strong><\/p>\n<p>The oldest and most widely used kind of financial attack on Android is SMS spam, in which lots of messages are sent to premium numbers without the user\u2019s knowledge and\/or consent. 
This is, however, mostly an end user\u2019s problem, unless the handset is corporate-sponsored.<\/p>\n<p>More of a problem for businesses are the banking Trojans currently enjoying a surge of popularity. <a href=\"https:\/\/securelist.com\/analysis\/publications\/68916\/the-enemy-on-your-phone\/\" target=\"_blank\" rel=\"noopener\">According to Securelist,<\/a> at the beginning of 2013 there were just a few hundred Trojan bankers in Kaspersky Lab\u2019s collection. By late 2014, there were 13,000 of them, and that number shows no signs of decreasing any time soon.<\/p>\n<p>Some of these Trojans are merely slightly more advanced versions of SMS scammers, while others like ZitMo or Faketoken are notoriously sophisticated tools capable of working in tandem with PC malware. They intercept one-time confirmation codes (mTAN) sent by the bank in an SMS, so that criminals \u2013 in the worst cases \u2013 get unfettered access to the bank account and wipe it clean.<\/p>\n<p>There is also multi-purpose malware capable of performing a number of illicit operations or, simply put, of bringing profit to its owners in a number of different ways. Discovered in 2013, Backdoor.AndroidOS.Obad.a was awarded the title \u201c<a href=\"https:\/\/securelist.com\/blog\/research\/35929\/the-most-sophisticated-android-trojan\/\" target=\"_blank\" rel=\"noopener\">most sophisticated Android Trojan<\/a>\u201d. It was capable of sending SMS to premium-rate numbers; downloading other malware programs, installing them on the infected device and\/or sending them further via Bluetooth; and remotely executing commands in the console. It was indeed carefully engineered, with obfuscated code and exploits for a number of vulnerabilities in Android, one of them a zero-day at the time it was discovered.<\/p>\n<p>It was impossible to delete the malicious program from the smartphone after it had gained extended privileges. 
Clearly a serious problem.<\/p>\n<p><strong>Figures<\/strong><\/p>\n<p>Statistics show that the number of financial malware attacks against Android users grew by 3.25 times in 2014. According to a Kaspersky Lab study \u201c<a href=\"http:\/\/25zbkz3k00wn2tp5092n6di7b5k.wpengine.netdna-cdn.com\/files\/2015\/02\/KSN_Financial_Threats_Report_2014_eng.pdf\" target=\"_blank\" rel=\"noopener nofollow\">Financial Cyberthreats in 2014<\/a>\u201d, 48.15% of the attacks against users of Android-based devices blocked by Kaspersky Lab products utilized malware targeting financial data (Trojan-SMS and Trojan-Banker).<\/p>\n<p>The study also shows that 98.02% of all attacks by Android banking malware were accounted for by only three malicious families \u2013 Faketoken, Svpeng, and Marcher. Svpeng and Marcher are capable of stealing credentials for online banking as well as credit card information by replacing the authentication fields of mobile banking apps and app store apps on an infected device. Faketoken was built to intercept mTAN codes used in multifactor authentication systems and forward them to criminals.<\/p>\n<p>An earlier study conducted jointly by INTERPOL and Kaspersky Lab <a href=\"http:\/\/media.kaspersky.com\/pdf\/Kaspersky-Lab-KSN-Report-mobile-cyberthreats-web.pdf\" target=\"_blank\" rel=\"noopener nofollow\">showed that 60% of Android attacks used financial malware<\/a> \u2013 mostly Trojan-SMS. 
Trojan-Bankers accounted for just 1.98% of attacks, but this is well explained by the fact that a Trojan-SMS has to infect dozens or even hundreds of mobile devices for its operator to see any appreciable gain, while Trojan-Bankers are a more \u201csurgical\u201d weapon: a single infection is enough to bring criminals a good profit.<\/p>\n<p>It is worth mentioning that, according to the \u201cFinancial Cyberthreats in 2014\u201d study, cybercriminals in general are now less interested in \u201cmass\u201d malicious attacks, preferring fewer, more targeted ones.<\/p>\n<p>This puts businesses with weaker mobile protection at increased risk, since they are the ones criminals would target the most.<\/p>\n<p><strong>Counter-Efforts<\/strong><\/p>\n<p>Each new version of Android is <a href=\"https:\/\/threatpost.com\/google-report-lauds-android-security-enhancements\/111989\" target=\"_blank\" rel=\"noopener nofollow\">more secure than the previous<\/a> one, but that doesn\u2019t mean that a) no new mistakes are introduced, <a href=\"https:\/\/threatpost.com\/renewed-attention-on-android-apps-failing-ssl-validation\/112378\" target=\"_blank\" rel=\"noopener nofollow\">discovered<\/a> and <a href=\"https:\/\/threatpost.com\/new-banking-trojan-targets-android-steals-sms\/110819\" target=\"_blank\" rel=\"noopener nofollow\">exploited<\/a>, or b) that the older versions with all their bugs go away the moment the new ones emerge. Vendors release new handsets expecting users to buy them, and go for ages without updating firmware\/OS versions. 
Users, meanwhile, prefer <a href=\"http:\/\/en.wikipedia.org\/wiki\/Android_(operating_system)#Platform_usage\" target=\"_blank\" rel=\"noopener nofollow\">to keep using the working handset as long as possible<\/a>.<\/p>\n<p>Lately, Google has tended to \u201cencourage\u201d users to change their handsets: earlier this year it was\u00a0announced that users of Android 4.3 and below aren\u2019t going to receive security updates for vulnerabilities in the WebView tool.<\/p>\n<p>This, according to early reports, meant that up to two-thirds of Android users weren\u2019t going to receive a critical update. Google later <a href=\"https:\/\/threatpost.com\/google-engineer-explains-companys-decision-not-to-patch-bug-in-older-android-versions\/110648\" target=\"_blank\" rel=\"noopener nofollow\">explained<\/a> that patching older versions of the OS can be difficult, and that users can run patched browsers, even on older versions of Android. WebView has been replaced in Android 4.4 and later.<\/p>\n<p>But as with most other cyberthreats, developers\u2019 mighty efforts may be futile if\u00a0end users and businesses are <a href=\"https:\/\/business.kaspersky.com\/mobile-malware-perception-vs-reality\/3782\" target=\"_blank\" rel=\"noopener nofollow\">ignorant about the dangers<\/a>, or are willing to \u201ccooperate\u201d with criminals and don\u2019t do enough to protect their mobile devices.<\/p>\n
<p>Kaspersky Lab\u2019s business-oriented security suites \u2013 Kaspersky Endpoint Security (<a href=\"https:\/\/www.kaspersky.com\/business-security\/endpoint-select\" target=\"_blank\" rel=\"noopener nofollow\">Select<\/a> and <a href=\"https:\/\/www.kaspersky.com\/business-security\/endpoint-advanced\" target=\"_blank\" rel=\"noopener nofollow\">Advanced<\/a>) as well as <a href=\"http:\/\/en.wikipedia.org\/wiki\/Android_(operating_system)#Platform_usage\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Small Office Security<\/a> \u2013 include tools to protect mobile devices from existing cyberthreats, as well as features to protect electronic payments from fraud attempts. Mobile devices today \u2013 and especially Android-based ones \u2013 require as much protection from cyberthreats as desktops and laptops do, and it is easier and less expensive to prevent incidents from happening than to recover after the fact.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>With an increasing number of people using mobile devices for work, the security of the data stored on them has become a hot topic. And since people also use mobile devices to access their finances, that makes them a prime target for cybercriminals. Android is the most popular mobile OS in the world right now, and the most targeted. 
How are users attacked and what is the current security status of Android?<\/p>\n","protected":false},"author":209,"featured_media":15370,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,2994],"tags":[105,783],"class_list":{"0":"post-15063","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-android","10":"tag-business-security"},"hreflang":[{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/android-financial-attacks-and-current-security-status\/15063\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/android-financial-attacks-and-current-security-status\/15063\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/android-financial-attacks-and-current-security-status\/15063\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com.au\/blog\/tag\/android\/","name":"Android"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/15063","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/users\/209"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/comments?post=15063"}],"version-history":[{"count":3,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/15063\/revisions"}],"predecessor-version":[{"id":26699,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/15063\/revisions\/26699"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/media\/15370"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.co
m.au\/blog\/wp-json\/wp\/v2\/media?parent=15063"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/categories?post=15063"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/tags?post=15063"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}