McAfee MWC 2019 announcements highlight the security issues with mobile phones and a 550% increase in fake and malicious apps.
McAfee’s Mobile Threat Report is scary stuff, and it is fitting that its release is at the world’s largest mobile trade show and congress – MWC 2019 in Barcelona.
McAfee MWC 2019 announcements will scare you – mobile malware is about three things
- Getting in (to the device)
- Searching for gems – contacts, passwords, photos, emails, messages (payload)
- Exfiltrating that data (reward)
Smart malware is virtually undetectable – after all why but the hand that feeds you? Malware that does damage like wipe files is more for show after it has what it wants – your data.
McAfee says, “As we march toward an average of over 100 apps on our smartphones the smartphone is a key target for ransomware developers, identity thieves, and nation states.”
Getting in
- Trojanised apps from legitimate app stores – hidden inside fake versions of popular apps games – Fake Fortnight is a prime suspect. Google works hard to keep fakes out, but sometimes they are there for hours to days
- Third-party app stores if the phone is rooted (Asia and India)
- SMS encouraging direct downloading (not via Google Play) of an app, e.g. to play a voice message from a ‘known’ person
- Pieces of the puzzle. Undetectable pieces of the malware eventually join as users download more recommended apps or visit poisoned websites
Fake apps are convincing, with the same images, music, and loading screens as the legitimate app. After prompting for a login, the user gives ‘mobile verification’ and then sent to a link with instructions on how to unlock their phone and get the game, porn etc.
Payloads
- Often the malware ‘loader’ lies dormant running in the background until a trigger event
- Cybercriminals are interested in money, not glory so the most usual actions are ad click fraud, distributed denial of service attacks, sending spam and phishing emails
- Often a fake app asks for root access – never give it. This enables the malware to control the device and to do anything you could do on it.
Exfiltration
In 2018 McAfee said there was a 77% increase in banking trojans and that number could only grow – regrettably it was right. Most of these fake apps were finance related – loan calculators, legitimate looking banking apps etc.
The malware collects the data it needs and then sends it via an encrypted tunnel to a command and control server.
Other wonderful malware news
Social engineering is now a malware tool
McAfee says special interest groups (North Korean Defectors), special events (Israeli FIFA World Cup Fans), collectors etc are now the new targets.
The FoulGoal campaign Golden Cup app put spyware on victims’ devices. This app promises users streams of games from the Russian 2018 FIFA World Cup, as well as a searchable database of previous World Cup records. It stole the user’s phone number, device details, installed packages, data files, SMS messages, contacts, GPS details, and audio recordings. Most downloads were in the Middle East after a Twitter post in Hebrew promoted the app.
IoT or voice assistants are next
“Hey Robot, will my home be hacked today?”
“I am sorry Dave, it has already been compromised.”
No one knows for sure where this will go, but the move to voice shopping via stored credit cards is the biggest concern.
MacAfee says all IoT devices can become botnets, perpetrate click fraud, or threaten property or reputation damage unless you pay a ransom – money is the goal.
Then there is the ‘sky is falling’ claim. Hackers could get access to the microphone and monitor everything said. Smart speakers could perform actions by some other device with a speaker, such as embedding commands in a TV program or Internet video. Customised actions could alter one of your automated IFTTT tasks into something that performs additional steps to benefit the criminal.
Three steps for securing IoT
- Set-up a secondary network for your IoT that does not share access to your primary network and the devices and data connected
- Get a router with built-in Wi-Fi security features, making it easier to protect all the devices in your home from one access point
- Set your device to auto-updates, so you always have the latest software and be sure to change all default passwords once you purchase a new device
Cryptomining
There are more than 600 malicious apps that contain cryptomining. The latest apps can jump from a smartphone to other connected devices like Android TV. These apps use surplus CPU cycles to mind bitcoin and drain the battery. In some reported cases the malware overheats the processor and of course uses your paid mobile data.
It is not a nice world
While the majority of malware is on Android, there is malware on Apple iOS. And once that walled-garden is cracked wide open, there will be considerably more damage.
2019 is the year of everywhere malware. Detections of backdoors, cryptomining, fake apps, and banking Trojans all went up substantially in H2, 2018. Attacks on other connected IoT things around the house gained momentum as well. While hidden apps and Adware remain by far the most common form of mobile threats in Android, the others are growing and learning how to infect other types of devices as well.
In IoT, the weakest link is that the device was never made for security and that mandates the addition of network security overlays. In the smartphone case, you would be crazy not to have paid anti-virus/malware software – that you can trust.
McAfee preloads on Samsung Galaxy S10 Smartphones
Note that this is a free 60-day trial and requires a paid subscription after. GadgetGuy makes the point that there are very good Android and desktop offerings from Norton, Bitdefender, Kaspersky, Sophos, AVG, ESET, Malwarebytes, Trend Micro and more. You should decide on what suits you across all devices before accepting a free trial. At worst install Google’s Play Protect app, but free apps
