Hackers Use Google’s Ad Network To Spread “Fake Login” Malware

So-called “overlay malware,” which impersonates other apps’ login screens, is becoming increasingly prevalent.

[Photo: Flickr user Thomas Claveirole]

For years, security firms have warned of keystroke logging malware that surreptitiously steals usernames and passwords on desktop and laptop computers.


In the past year, a similar threat has begun to emerge on mobile devices: So-called overlay malware that impersonates login pages from popular apps and websites as users launch the apps, enticing them to enter their credentials to banking, social networking, and other services, which are then sent on to attackers.

Such malware has even found its way onto Google’s AdSense network, according to a report on Monday from Moscow-based security firm Kaspersky Lab. The weapon would automatically download when users visited certain Russian news sites, without requiring users to click on the malicious advertisements. It then prompts users for administrative rights, which makes it harder for antivirus software or the user to remove it, and proceeds to steal credentials through fake login screens, and by intercepting, deleting, and sending text messages. The Kaspersky researchers call it “a gratuitous act of violence against Android users.”

Overlay malware screenshots via Security Week

“By simply viewing their favorite news sites over their morning coffee users can end up downloading last-browser-update.apk, a banking Trojan detected by Kaspersky Lab solutions as Trojan-Banker.AndroidOS.Svpeng.q,” according to the company. “There you are, minding your own business, reading the news and BOOM!—no additional clicks or following links required.”

The issue has since been resolved, a Google spokeswoman said in an email, adding that there’s no indication the attack ever affected more than one website. The company has said in the past that it works to block malware attacks from third-party ads distributed through its networks. The effort has become increasingly critical as Google and other advertising networks try to dissuade users from filtering out ads altogether with adblocking tools, which also aim to reduce ad-delivered malware and the web beacons used to track users across websites.

Researchers from Kaspersky have reported a 15.6% increase in the number of financial malware in the second quarter of 2016, compared to the previous quarter, as well as a continuing .


Beware Of Sideloading And Malvertising

The creators of such malware can charge would-be fraudsters thousands of dollars on underground hacking marketplaces for mobile malware tools that deploy such bogus login pages, often in conjunction with other features like the ability to intercept SMS messages, according to research by Limor Kessem, an executive security advisor at IBM Security.

Attackers then send phishing-style SMS messages to mobile users to encourage them to install apps containing the malware, sometimes even soliciting their phone numbers through pop-up messages on PCs in order to send a link to the malicious apps, she tells Fast Company.

“It’s usually some sort of social engineering that would get them to install this application,” Kessem said, though users should also be concerned about the rise in ad-distributed malware, sometimes called malvertising.

“Due to the popularity of malvertising and the ability of cybercriminals to exploit ad networks even on very well known websites… this vector is increasingly potent,” she said. “Security professionals often recommend disabling/blocking ads to reduce the risk of drive-by infections.”

When a phishing link is sent via text, it might be a bogus notification about a package delivery that needs to be tracked through a specialized app, an invitation to participate in an app-based poll, or anything else attackers can think up, said Jimmy Su, director of threat research at security firm FireEye. And if the phishing messages are effective enough, the malware can more than pay for itself.


One malware maker recently raised prices from $5,000 to $15,000, not including monthly service fees, after adding new features, according to Kessem.

“The initial version of this from last November was distributed on a Russian hacking forum, and they were advertising a service where they would charge a certain amount of money per month to provide this command-and-control [server] where they would store the logins and the passwords, and also the customization of the application,” said Su. “Then we can see that these kind of logins and passwords can be purchased on the black market, and that’s how the cycle of the economics works.”

Screenshot of Svpeng trojan, via Kaspersky Labs

Generally, attackers have targeted phones running Google’s Android operating system, which has a larger user count than Apple’s iOS platform and makes it easier to install apps from outside the official marketplace—a practice often called sideloading.

“We’ve seen some malware on Google Play and on iTunes,” said Domingo Guerra, cofounder and president of mobile security company Appthority. “However, for the most part, Apple and Google do a good part of removing it from the app stores.”

So far, overlay malware has mostly targeted users in Europe and Russia, but there’s no reason to think it won’t become more prevalent in other markets, including the U.S., Su said.


“Both the localization and category of apps are going to expand,” he said. “We already see localizations for particular countries and it will be customized for that particular language.”

How To Stay Safe

For the most part, experts say, the best ways to stay safe from mobile malware and phishing attacks are similar to techniques users are hopefully already using to keep their PCs safe from hackers. Those include keeping operating systems up to date as much as possible, removing unused apps that could house vulnerabilities, and being wary of any kinds of unsolicited links or downloads.

“The same rules of hygiene and security hygiene apply in the PC and the mobile device,” said Kessem.

Users should be particularly wary of any invitations to install apps from outside of official app stores, said Guerra. “Every legitimate app is going to be on Google Play or on iTunes,” he said.

The trouble is, users not accustomed to smartphone malware may be at risk for infection until it sinks in that mobile devices are ultimately just as much a target for attackers as laptop and desktop computers, he warns.


“I unfortunately think it’s going to get worse,” he said. “As users, we’re not thinking of these as computers, so we kind of trust it more than we should.”


About the author

Steven Melendez is an independent journalist living in New Orleans.