The Internet Crime Complaint Center (IC3), a task force that includes the Federal Bureau of Investigation (FBI), the National White Collar Crime Center (NW3C), and the Bureau of Justice Assistance (BJA), issued a mobile malware warning late last week. The group also outlined a number of steps that mobile users should follow to stay protected.
The warning is a poor one for a few reasons. First of all, it came out on a Friday, and doesn’t follow any particular threat outbreak. Secondly, the title doesn’t list Android specifically (Smartphone Users Should Be Aware of Malware Targeting Mobile Devices and Safety Measures to Help Avoid Compromise) and yet the introduction states “The IC3 has been made aware of various malware attacking Android operating systems for mobile devices.”
The poor choice of examples doesn’t help. “Some of the latest known versions of this type of malware are Loozfon and FinFisher,” the IC3 goes on to say. The first pick is odd because it is hardly a big threat and the second is even weirder because it doesn’t just target Android.
We haven’t written extensively about Loozfon, but it’s a Trojan horse for Android devices that steals information, such as the user’s address book and the infected device’s phone number, from the compromised device. It has mainly targeted Japanese users, so it’s odd to see the FBI list it specifically, but clearly it has been picked up on their radar somehow. It was first spotted in August; Symantec has more details if you want them, and notes that removing the threat is easy.
FinFisher, meanwhile, received a lot of coverage, also two months ago, when it was revealed that the infamous malware had been ported to mobile platforms. The threat is labeled as spyware capable of taking control of the mobile operating system’s components for both remotely monitoring and even remotely controlling a device. It’s not just limited to Android, however: there are variants for iOS, BlackBerry, Symbian, and Windows Mobile as well.
If the IC3’s goal was to warn about Android malware, it should have listed FakeInstaller (also known as OpFake), which makes up the majority of Android malware. If the IC3’s goal was to warn about mobile malware, it should have talked more about FinFisher and other such malware. Either way, the examples were poor choices.
Nevertheless, the safety tips regarding mobile malware are solid, and worth reproducing in full:
- When purchasing a Smartphone, know the features of the device, including the default settings. Turn off features of the device not needed to minimize the attack surface of the device.
- Depending on the type of phone, the operating system may have encryption available. This can be used to protect the user’s personal data in the case of loss or theft.
- With the growth of the application market for mobile devices, users should look at the reviews of the developer/company who published the application.
- Review and understand the permissions you are giving when you download applications.
- Passcode protect your mobile device. This is the first layer of physical security to protect the contents of the device. In conjunction with the passcode, enable the screen lock feature after a few minutes of inactivity.
- Obtain malware protection for your mobile device. Look for applications that specialize in antivirus or file integrity that helps protect your device from rogue applications and malware.
- Be aware of applications that enable Geo-location. The application will track the user’s location anywhere. This application can be used for marketing, but can be used by malicious actors raising concerns of assisting a possible stalker and/or burglaries.
- Jailbreak or rooting is used to remove certain restrictions imposed by the device manufacturer or cell phone carrier. This allows the user nearly unregulated control over what programs can be installed and how the device can be used. However, this procedure often involves exploiting significant security vulnerabilities and increases the attack surface of the device. Anytime a user, application or service runs in “unrestricted” or “system” level within an operating system, it allows any compromise to take full control of the device.
- Do not allow your device to connect to unknown wireless networks. These networks could be rogue access points that capture information passed between your device and a legitimate server.
- If you decide to sell your device or trade it in, make sure you wipe the device (reset it to factory default) to avoid leaving personal data on the device.
- Smartphones require updates to run applications and firmware. If users neglect this it increases the risk of having their device hacked or compromised.
- Avoid clicking on or otherwise downloading software or links from unknown sources.
- Use the same precautions on your mobile phone as you would on your computer when using the Internet.
Notice again that most of these apply to all mobile platforms, not just Android. While Google’s operating system may be the most popular one, that doesn’t mean the IC3 should not be clear in its warnings.
Image credit: Elvis Santana