McAfee MWC 2019 announcements highlight the security issues with
mobile phones and a 550% increase in fake
and malicious apps.
McAfee’s Mobile Threat Report is scary stuff, and it is fitting that its release is at the world’s largest mobile trade show and congress – MWC 2019 in Barcelona.
McAfee MWC 2019 announcements will scare you – mobile malware is about three things
Getting in (to the device)
Searching for gems – contacts, passwords, photos,
emails, messages (payload)
Exfiltrating that data (reward)
Smart malware is virtually undetectable – after all why but
the hand that feeds you? Malware that does damage like wipe files is more for show after it has what it wants – your data.
McAfee says, “As we march toward an average of over 100 apps
on our smartphones the smartphone is a key target for ransomware developers,
identity thieves, and nation states.”
Trojanised apps from legitimate app stores – hidden
inside fake versions of popular apps games
– Fake Fortnight is a prime suspect. Google works hard to keep fakes out, but sometimes they are there for hours to days
Third-party app stores if the phone is rooted
(Asia and India)
SMS encouraging direct downloading (not via
Google Play) of an app, e.g. to play a
voice message from a ‘known’ person
Pieces of the puzzle. Undetectable pieces of the
malware eventually join as users download more recommended apps or visit poisoned
Fake apps are convincing, with the same images, music, and
loading screens as the legitimate app. After prompting for a login, the user gives
‘mobile verification’ and then sent to a
link with instructions on how to unlock their phone and get the game, porn etc.
Often the malware ‘loader’ lies dormant running
in the background until a trigger event
Cybercriminals are interested in money, not
glory so the most usual actions are ad click fraud, distributed denial of
service attacks, sending spam and phishing emails
Often a fake app asks for root access – never give
it. This enables the malware to control
the device and to do anything you could do on it.
In 2018 McAfee said there was a 77% increase in banking trojans
and that number could only grow – regrettably it was right. Most of these fake
apps were finance related – loan calculators, legitimate looking banking apps etc.
The malware collects the data it needs and then sends it via
an encrypted tunnel to a command and control server.
Other wonderful malware news
Social engineering is now a malware tool
McAfee says special interest groups (North Korean Defectors),
special events (Israeli FIFA World Cup Fans), collectors etc are now the new targets.
The FoulGoal campaign Golden Cup app put spyware on victims’
devices. This app promises users streams of games from the Russian 2018 FIFA
World Cup, as well as a searchable database of previous World Cup records. It stole
the user’s phone number, device details, installed packages, data files, SMS
messages, contacts, GPS details, and audio recordings. Most downloads were in
the Middle East after a Twitter post in
Hebrew promoted the app.
IoT or voice assistants are next
“Hey Robot, will my home be hacked today?”
“I am sorry Dave, it has already been compromised.”
No one knows for sure where this will go, but the move to voice shopping via stored
credit cards is the biggest concern.
MacAfee says all IoT devices can become botnets, perpetrate
click fraud, or threaten property or reputation damage unless you pay a ransom –
money is the goal.
Then there is the ‘sky is falling’ claim. Hackers could get
access to the microphone and monitor everything said. Smart speakers could perform
actions by some other device with a speaker, such as embedding commands in a TV
program or Internet video. Customised
actions could alter one of your automated IFTTT tasks into something that
performs additional steps to benefit the criminal.
Three steps for securing IoT
Set-up a secondary network for your IoT that does not share access to your primary network and the devices
and data connected
Get a router with built-in Wi-Fi security
features, making it easier to protect all the devices
in your home from one access point
Set your device
to auto-updates, so you always have the
latest software and be sure to change all default passwords once you purchase a
There are more than 600 malicious apps that contain cryptomining. The latest apps can jump from a smartphone to other connected devices like Android TV. These apps use surplus CPU cycles to mind bitcoin and drain the battery. In some reported cases the malware overheats the processor and of course uses your paid mobile data.
It is not a nice world
While the majority of malware is on Android, there is malware on Apple iOS. And once that walled-garden is cracked wide open, there will be considerably more damage.
2019 is the year of everywhere malware. Detections of
backdoors, cryptomining, fake apps, and banking Trojans all went up substantially
in H2, 2018. Attacks on other connected IoT things around the house gained
momentum as well. While hidden apps and Adware remain by far the most common
form of mobile threats in Android, the others are growing and learning how to
infect other types of devices as well.
In IoT, the weakest link
is that the device was never made for
security and that mandates the addition of network security overlays. In the smartphone
case, you would be crazy not to have paid
anti-virus/malware software – that you can trust.
McAfee preloads on Samsung Galaxy S10 Smartphones
Note that this is a free 60-day trial and requires a paid subscription after. GadgetGuy makes the point that there are very good Android and desktop offerings from Norton, Bitdefender, Kaspersky, Sophos, AVG, ESET, Malwarebytes, Trend Micro and more. You should decide on what suits you across all devices before accepting a free trial. At worst install Google’s Play Protect app, but free apps do not offer overall protection.
And finally, read GadgetGuy to help remain vigilant.