Tuesday, October 23, 2012

FBI Warns of Mobile Malware Risks

Android Devices Hit by Two New Trojans

The Federal Bureau of Investigation has issued a consumer alert warning of malware attacks against mobile devices that run the Android operating system. Trojans pose serious risks for any personal and sensitive information stored on compromised Android devices, the FBI warns.

But experts say any mobile device is potentially at risk because the real problem is malicious applications - which in an open environment are impossible to control. And anywhere malicious apps are around, so is the potential for financial fraud.

Two Trojans

The alert from the Internet Crime Complaint Center, a unit of the FBI, addresses two new Android Trojans known as Loozfon and FinFisher.

Recent attacks showed Loozfon has the ability to steal a mobile user's phone number as well as contact details. In one type of Loozfon attack, unsuspecting consumers were lured in by advertisements promoting fraudulent work-at-home opportunities.

The alert does not specify how those ads were promoted - through e-mail, SMS/text or both. But the FBI warns that links within the ads lead to websites designed to push Loozfon to users' device.

FinFisher, on the other hand, is spyware that targets Android smart phones, hijacking specific components that enable hackers to remotely control and monitor a compromised device, regardless of its location. The spyware is transmitted to a smart phone by clicking infected web links or by opening SMS messages sent directly to the mobile user, usually falsely appearing to provide links to system updates, the FBI states.

Bad Rap for Android?

The Android operating system is not the cause of the problem. It's the openness of the app marketplace that allows malware to run rampant, not the Android OS itself. This is one of the first consumer-focused, security-oriented lists for mobile I've seen. That's a good thing, but it also is a pretty definite signal that security is becoming a problem.

Until the mobile industry can figure out a way to better control or vet readily available apps, mobile malware concerns will mount. I'm not saying there should only be one store, but there does need to be some sort of reputational measure, akin to what SSL [secure socket layer] site certificates can help provide.

No comments: