In the past, malware developers concentrated on the over one billion PCs in the world. However, as the number of mobile users has skyrocketed, smartphones have become an attractive target for digital bandits. Now a mobile security company has identified a new crime it’s calling “mobile pickpocketing,” and the group’s research suggests smartphone users are more susceptible to falling victim to the offense this year than in 2011.
“With more powerful and feature rich smarphones come increasingly complex schemes to exploit the many new apps and services we enjoy,” Lookout Mobile Security says in its report, titled, “Malwarenomics: 2012 Mobile Threat Predictions.”
Mobile pickpocketing works like this: Because many mobile devices now have the ability to charge a user’s phone bill via SMS billing and phone calls, malware has begun using these mechanisms to steal from user accounts. With mobile phones, money is just a click away through carrier billing fraud.
“For the bad guys, this is a dramatic improvement over PC-based malware, where a hacker has to first steal bank or credit card credentials and then find a way to access the accounts,” Lookout’s report says.
GGTracker, discovered last June, was the first example of a mobile pickpocket app targeting U.S. users. This and other mobile threats stole an estimated one million dollars from users in 2011.
In December, Lookout identified a burst of mobile pickpocketing activity and issued a warning about a new wave of apps collectively called RuFraud, which targeted users in multiple European countries. The initial batch of malicious applications appeared on the official Android Market as horoscope apps with a fairly well-hidden “Terms of Service” indicating the charges that would be made.
Lookout notified Google of nine malicious applications that appeared as wallpaper apps for popular movies and downloaders for hit games such as “Angry Birds.” Google quickly pulled the apps from the Android Market, although not before users download them about 14,000 times.
Be an even smarter mobile user in 2012
In its report, Lookout lists five instances in which users should exercise additional caution:
When visiting third party app stores: Lookout found that malware writers test malware in alternative app markets before trying to place it on the Android Market or App Store.
When discovered, malware is usually pulled more quickly from these primary distributors than it is from alternative markets. The likelihood of you encountering malware on an alternative app store increases dramatically.
When downloading gaming, utility and adult-oriented apps: Check reviews on these apps before downloading them. Lookout found that these kinds of apps are most likely to have malware hidden inside of them.
When tapping on a shortened URL in an SMS message or on a social networking site: Users are three times more likely to load a phishing link on their mobile device than they are on their PC, Lookout says in its report. Because the company expects malware writers to increase Web-based distribution, it’s time to start using extra caution when tapping on links on a mobile phone.
When an app asks you to click “OK”: Don’t “auto pilot” through the prompts an app shows you in order to perform a certain function or deliver a service. Sometimes, these apps are greyware, which hide in fine print that they will charge you via premium rate text messages.
Clicking on in-app advertisements: Not all advertisements are bad. In fact, most are okay. But some are examples of “malvertising,” and could direct you to a malicious Web site, prompt you to download malware, or violate your privacy. When clicking on ads, make sure the ad directs you to where you expect to be directed.
“Bad guys will always follow the money, and with the meteoric growth of mobile devices, there’s more money to be made in mobile fraud than ever before,” Lookout’s report says. “Easy distribution combined with efficient monetization will keep malware developers and perpetrators of Web-based fraud hard at work designing the next great mobile scam. The good news is that mobile technology gets savvier every day, and users can protect themselves. Following a few simple tips, being careful about the links you tap, keeping your device up to date, and scanning for malware will go a long way toward protecting your privacy and shielding you from fraud in 2012.”