99 percent of mobile financial malware writers prefer Android
A new report by information research specialist NSS Labs focuses on the evolving landscape of mobile financial malware. It concludes that cyber criminals are adapting to the use of mobile apps to authorize transactions and that 99 percent of current mobile malware is aimed at the Android platform.
As banks add extra functionality to their apps, they open up greater capabilities for both customers and cyber criminals. Many mobile banking apps are based on HTML code, making them especially vulnerable to exploits. The report's author, NSS Labs Research Vice President Ken Baylor, says this should prompt more banks to develop secure native apps for mobiles, incorporating fraud-resistant features, if their customers are to stay secure.
Part of the reason that Android is more at risk than iOS is that it allows the installation of software from untrusted locations. The Play Store still accepts software installations from unauthorized sources. Android's market share plays a part too, as does the fact that most mobile financial malware is coming from ex-Soviet states and there’s a shortage of iOS malware authors in these countries.
Baylor writes, "With the rise of more powerful Android Trojans, malware that specifically targets the financial sector is likely to evolve alongside the extra money transfer capabilities provided to mobile devices by an increasingly trusting financial sector".
The report also identifies a trend towards integrated malware that can compromise both PC and mobile platforms. This allows attackers to capture login credentials, initiate fraudulent transactions, and intercept and approve the authorization messages meant to provide safeguards. Criminals achieve this in a number of ways, including forwarding SMS messages and imitating security apps.
Baylor concludes that to stay ahead, "...banks must use hardened browsers on mobile devices with unique install keys, certificate based identification, in app encryption, geolocation, and device fingerprinting. Malware will remain several steps ahead of deployed bank technology so long as bank improvements remain slow and incremental".
You can download the full report, "View from the Precipice – Mobile Financial Malware", from the NSS website.