When it comes to maximizing the results of infection campaigns, mobile malware operators consider official app stores to be the holy grail. Getting a malicious app into an official store yields greater exposure to more potential victims, a cheap distribution channel and user trust. Moreover, malware apps that have already made it into an official store are more likely to fly under the radar of security controls for longer than those hosted on hijacked sites or rogue servers. IBM X-Force reports malicious apps to the official stores to have them removed before more users can be affected.
Malicious apps are a blight that both store operators and developers work hard to limit. Still, it is a recurring problem: In 2017, X-Force mobile researchers reported numerous occasions on which financial malware had sneaked into the Google Play Store, with the BankBot Android malware family leading the pack. The trend continues to escalate.
The average person looks at his or her phone 46 times every day, according to Time. As for banking with our phones, Payment Week reported that 38 percent of consumers interact with a bank primarily via a mobile device, and 63 percent use phones to carry out standard banking tasks. That means mobile banking is being used more than ever before.
With users migrating their everyday banking to mobile devices, cybercriminals are taking advantage of the increased opportunities to dupe them into opening malicious messages and emails, clicking on evil links or downloading innocuous-looking apps from dubious sources. Users can foil most of these attacks by keeping in mind some familiar tips for mitigating malware:
- Email spam and unsolicited messages pose the same threat to mobile device users as PC users. Mobile devices are especially vulnerable to phishing attacks and identity theft schemes.
- Treat unsolicited SMS messages and emails as spam and never open them. Never follow links, open attachments or heed instructions contained in these messages.
- Criminals like using stressful ploys, such as sending text messages to users claiming their bank or credit card account has been disabled. Don’t take the bait. Call the number provided in the SMS, the number on the back of your credit card or dial the bank directly using a number you know to be genuine.
- Update your phone’s operating system as soon as a new update is available.
- Delete apps you no longer use and always update those you do.
- Install a security app on your device.
- Enable a screen-lock password for your device.
- Don’t enable sideloading on your device.
- Don’t root or jailbreak your device.
- Don’t download apps from unofficial app stores.
- Get links to banking and payment apps directly from the service provider’s website.
- Don’t grant applications admin permissions. If an app requires that sort of control, it is likely something you do not want on your device.
- Malicious apps often ask for your location and access to SMS, calls and services that cost money. If you downloaded a legitimate app that needs all the above, make sure it actually uses this access for the services it offers.
- Be vigilant for any odd behavior the device may exhibit. A mobile malware app can lock the device for a ransom or to keep users out while it conducts fraudulent activity. If your device is suddenly inaccessible, check for ransomware and then check your bank account.
For more information, check out these informative articles: