The mobile threats you can’t even see

By Raj Samani on Mar 04, 2020

Over the last year, we’ve seen more stories in the news than ever before about the big picture of cybersecurity, with politicians being increasingly public about how technology is affecting international relationships. All of this can make it feel like staying safe online is out of consumers’ hands, with decisions being made at the top level having the decisive impact on personal online security.

However, people have been getting smarter about their security for years, with initiatives like World Password Day highlighting the simple steps that people can take to really improve safety. Unfortunately, as consumers get better at protecting themselves, and as companies like McAfee get better at detecting threats, criminals will change tactics and find new ways to attack people online.

Today, there is a whole new arena for criminals to explore, and it’s growing rapidly. According to the GSMA, there are now more than 5bn people with mobile phone service subscriptions globally, while a recent report has predicted that by 2030 the average person will own fifteen different connected devices. With the exception of nation-state attacks, most cybercriminals are looking at this huge, desirable target with the same thought in mind that they always have: what is the quickest, easiest way to make money?

A moving target

In McAfee’s latest Mobile Threat Report, we show some of the emerging tactics being used to turn consumer connectivity into criminal profit – and potentially damage users in the process. Rather than guessing or compromising a user’s personal details and passwords, these new threats use sophisticated awareness of how people use their phones in order to manipulate them.

For example, one malware family we found, called LeifAccess or Shopper, shows users scary-sounding but non-specific warning messages, such as ‘security error should be dealt with immediately’, in order to trick users into giving it additional permissions on the phone. It then uses these permissions to create fake accounts and automatically post positive reviews of specific apps. This makes others more likely to download those apps, giving the developers advertising revenue from an app which is at best poor quality and at worst dangerous. In one instance, we found over 7,000 fake reviews for one app.

In a similar trend, we found an increase in HiddenAds malware being distributed outside of app stores. These apps are shared in places like the gaming chat app Discord and in links under YouTube videos, pretending to be free versions of legitimate apps. Once installed, these apps instead hide themselves in the background and request adverts to generate revenue for their creators.

Both of these threats use clever tactics to perform attacks without needing a user’s password, and their presence is growing rapidly: with an increase of 30% from 2018 to 2019, hidden apps now represent almost half of all the malicious activity we detect on mobile. Alarmingly, similar tactics are even being used to attack whole countries. We found that a legitimate public transport app in South Korea had been cleverly compromised to scan the user’s phone for keywords relating to politics and the military and upload any relevant documents to a remote server.

Beyond stronger passwords

Cybersecurity will always be an arms race: on one side, the attackers and criminals, and on the other side, users and security companies like McAfee. The good news is that, while this malware is using a range of clever tactics to fly in under the radar without needing a password, there are still simple actions which consumers can take to minimise their risk:

  • Stick to the app store: We may be seeing some compromised apps on official stores, but that doesn’t mean that the stores aren’t vastly safer than the internet at large as a place to download apps, and the majority of mobile malware downloads we see are coming from unofficial sources such as social media.
  • Keep your software updated: Developers and researchers are finding and fixing new security issues all the time – but those fixes only help if users install them. To maximise your online protection, both your phone’s operating system and its apps should be frequently updated.
  • Use security software: For smartphones just as much as computers, security software is a powerful way of defending your data and maintaining your privacy. You might also consider using an ID monitoring tool, which will alert you to any strange activity which could indicate a compromised phone or account.
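
For readers who manage Android devices, the "stick to the app store" advice can be checked directly. The sketch below is an added example, not McAfee code: it parses the output of `adb shell pm list packages -i -3` (user-installed packages with their recorded installer) and lists every app that did not come from a trusted store. The allowlist and the sample output are assumptions constructed for illustration.

```python
import re

# Assumption: installers treated as official stores; extend for your devices.
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play Store

# Constructed sample of `adb shell pm list packages -i -3` output
# (the fourth line shows the extra APK path that the -f flag adds).
SAMPLE = """\
package:com.example.transit installer=com.android.vending
package:com.example.freegame installer=null
package:com.example.cleaner installer=com.android.chrome
package:/data/app/~~Zm9v==/com.example.notes-YmFy==/base.apk=com.example.notes installer=com.android.vending
package:com.example.legacy
"""

def parse_line(line):
    """Return (package, installer or None) for one pm output line, else None."""
    line = line.strip()
    if not line.startswith("package:"):
        return None
    body = line[len("package:"):]
    installer = None
    match = re.search(r"\s+installer=(\S+)$", body)
    if match:
        body = body[:match.start()]
        if match.group(1) != "null":
            installer = match.group(1)
    # With -f the body is "<apk path>=<package>"; the path may contain '='.
    if body.startswith("/"):
        body = body.rsplit("=", 1)[-1]
    return body, installer

def find_sideloaded(output, trusted=TRUSTED_INSTALLERS):
    """Map each package not installed by a trusted store to its installer."""
    flagged = {}
    for line in output.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        package, installer = parsed
        if installer not in trusted:
            flagged[package] = installer or "unknown"
    return flagged

if __name__ == "__main__":
    for package, installer in sorted(find_sideloaded(SAMPLE).items()):
        print(f"{package}: installed by {installer}")
```

A flagged package is not necessarily malicious; it is an app whose origin deserves a second look, which is where the hidden apps described above tend to come from.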

Strong, secure passwords are still, of course, incredibly important, but as cybercriminals evolve, so must we. By staying up to date with the latest threats and thinking beyond traditional security measures, you can defend against even the invisible threats.

About the Author

Raj Samani

Raj Samani is Chief Scientist and McAfee Fellow for cybersecurity firm McAfee. He has assisted multiple law enforcement agencies in cybercrime cases, and is a special advisor to the European Cybercrime Centre in The Hague. Samani has been recognized for his contribution to the computer security industry through numerous awards, including the Infosecurity Europe hall ...
