Social engineering: 3 mobile malware techniques

Cyber criminals are taking over mobile devices by using many of the psychological tricks used to con people online.

Social engineers have been using various dirty tricks to fool people for centuries. Social engineering, the art of gaining access to buildings, systems or data by exploiting human psychology, rather than by breaking in or using technical hacking techniques, is as old as crime itself and has been used in many ways for decades.

For the past several years online, social engineers have been trying to fool unsuspecting users into clicking on malicious links and giving up sensitive information by pretending to be old friends or trusted authorities on email and social networks.


And now that mobile devices have taken over our lives, social engineering is an attack method of choice to gain access to a person's smartphone or tablet.

Information security expert Lenny Zeltser, senior faculty member with SANS Institute and an incident handler at the Internet Storm Center, who also blogs on security topics, recently shared three examples of current cons being used by criminals to get inside your mobile device.

Malicious apps that look like legitimate apps

The example Zeltser uses is the case of a popular and legitimate application Android users were purchasing that caused a virtual "steam" to appear on the screen of a smartphone.

"You could move your finger to scrape the virtual steam off," he explained. "People love this sort of thing."

But a malicious application that looked exactly like the virtual-steam application was created and many were conned into purchasing that one, instead of the authentic application.

"From a user's perspective it is very hard to distinguish between an app that is legitimate and an app that turns out to be malicious," said Zeltser.

What users ended up with was an application with unwanted functionality hidden behind it. In some cases, according to Zeltser, the malicious application sent an SMS message from the victim's phone to request premium services, and the user was charged. The attacker, meanwhile, would delete any return SMS messages acknowledging the charges, so the victims had no idea they were being billed.

"In this scenario, the victim had no indication that the phone was sending messages or receiving any kind of notifications of the charges. They would get a large phone bill."

Zeltser said Google removed over 50 malicious apps from Android Market in Spring 2011 that turned out to be variants of the DroidDream trojan, but looked like legitimate applications and had names like Super Guitar Solo.

"The advice we're giving people outside of the mobile world is don't install applications that come from un-trusted sources," said Zeltser. "That same advice applies now to mobile."

Zeltser also noted not to rely on an application's ratings, because many users might be enjoying the app's features without realizing that it contains malicious functionality. He also said the bad apps he is hearing about and seeing are ones on Android Market, which is where most criminals seem to focus. It's not that Apple applications could not also be malicious, but Zeltser has yet to see one and thinks that is due, at least partly, to Apple's vetting and examination process and its digital signature requirements.

Malicious mobile apps that come from ads

Zeltser laid out a scenario in which a legitimate application on a smartphone displays a malicious advertisement. If the user clicks on the ad, they are taken to a web site that tricks the victim into thinking their battery is being drained inefficiently, he said. The person is then asked to install an application to optimize battery consumption, which is instead a malicious application.


"Much like outside the mobile world, the attack began here with an ad," explained Zeltser. "We are seeing malicious ads on desktop systems as an incredible infection vector because they allow the attacker to present potentially malicious code to the browsers of hundreds of thousands of victims. Now we are seeing this happen in a mobile environment too, where ads are being placed into legitimate applications."

Apps that claim to be for "security"

Another new mobile attack vector is a ZeuS malware variant that actually originates with an infected PC. When a user visits a banking site from an infected computer, they are prompted to download an authentication or security component onto their mobile device in order to complete the login process, said Zeltser.

"The attackers realize that users are using two-factor authentication," he explained. "In many cases that second factor is implemented as a one-time password sent to the user's phone by the banking provider. Attackers were thinking: 'How can we get access to those credentials?' Their answer is: 'Attack the user's phone.'"

The way this ruse works is that once the PC is infected, the person logs onto their bank account and is told to download an application onto their phone in order to receive security messages, such as login credentials. It is actually a malicious application from the same entity that is controlling the user's PC. The attackers now have access not only to the user's regular banking logon credentials, but also to the second authentication factor sent to the victim via SMS. In many cases, said Zeltser, people thought they were simply installing a security application or, in some cases, a security certificate.

"When people think something is done for security they forget all logic and reason," he said. "They just blindly do it."
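Both the premium-SMS con and the ZeuS-style OTP theft described above depend on the same pair of capabilities: an app that can send SMS and can see (and suppress) incoming SMS before the user does. The following static triage check is an added illustration, not code from the article or from SANS; it parses constructed sample Android manifests (not real apps) and flags that combination. It assumes the Android of that era, where SMS_RECEIVED was an ordered broadcast that a high-priority receiver could abort.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
SEND_SMS = "android.permission.SEND_SMS"

# Constructed sample manifests (not real apps): a harmless screen-effect app
# and a clone that declares exactly what the SMS-fraud ruse needs.
BENIGN_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="example.steam">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><activity android:name=".Main"/></application>
</manifest>"""

SUSPECT_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="example.steam.clone">
  <uses-permission android:name="{SEND_SMS}"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <receiver android:name=".SmsCatcher">
      <intent-filter android:priority="2147483647">
        <action android:name="{SMS_RECEIVED}"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

def _name(elem):
    return elem.get(f"{{{ANDROID_NS}}}name")

def sms_risk_findings(manifest_xml):
    """Return human-readable findings; an empty list means the pattern is absent."""
    root = ET.fromstring(manifest_xml)
    perms = {_name(p) for p in root.iter("uses-permission")}
    findings = []
    can_send = SEND_SMS in perms
    can_hide = False
    for flt in root.iter("intent-filter"):
        if SMS_RECEIVED in {_name(a) for a in flt.iter("action")}:
            prio = int(flt.get(f"{{{ANDROID_NS}}}priority") or 0)
            # A receiver that outranks the messaging app sees the SMS first and
            # (on Android releases of that era) can abort it, hiding billing
            # acknowledgements or one-time passwords from the user.
            if prio > 0:
                can_hide = True
                findings.append(f"SMS_RECEIVED receiver with priority {prio}: can suppress incoming SMS")
    if can_send:
        findings.append("SEND_SMS permission: can send premium-rate messages")
    if can_send and can_hide:
        findings.append("send + suppress together match the premium-SMS / OTP-theft pattern")
    return findings
```

A manifest check is only a first filter: an app can also ask for these permissions for legitimate reasons, so a hit is a reason to inspect the app, not a verdict.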

Stories by Joan Goodchild