Booming mobile industry spawning global criminal marketplace

Mobile devices have become enticing targets for criminals around the world, so much so that an underground industry has begun to grow to support malicious activity aimed at those devices, according to a report released on Wednesday by the Anti-Phishing Working Group (APWG).

"In a 'post-PC era,' mobile devices increasingly present an attractive, practical and economical alternative to traditional desktops," said the report, "Mobile Threats and the Underground Marketplace."

"In the coming years," it continued, "global mobile payments are predicted to exceed $1.3 trillion, moreover, presenting a mother lode of opportunity for cyber crime gangs who appreciate the vulnerabilities of these peripatetic communications and computing platforms."

The purpose of the report is to provide a comprehensive look at the criminal infrastructure growing around mobile fraud, noted APWG Chairman Dave Jevans, who is also chairman and CTO of Marble Security.

"When you look at how that underground economy works, you can see a big infrastructure being built for mobile electronic crime," he said in an interview.

That infrastructure is being created much faster than it was for PC fraud. "It's growing at least five times faster," Jevans said. "What took 10 years for PCs is going to take 18 months to two years for mobile."

Some of the mobile crime infrastructure is being built on the existing components of the PC crime network. For example, "bulletproof" hosts used to host phishing sites and malware distribution are now used for hosting Android malware, mobile toolkits and SMS phishing.

"A large part of the infrastructure providers for electronic crime over the last 10 years are merely adding mobile into their mix so everything is moving much more quickly," Jevans said.


This has been a natural progression of the underground arms bazaar, said Tom Kellermann, vice president of cyber security for Trend Micro. He said the trend in mobile crimeware began six or seven years ago when the Asian and European banking communities decided to push mobile banking initiatives.

"You began to see traditional crime kits like Zeus, SpyEye and Citadel add mobile variants," he said in an interview.

Mobile devices can be more vulnerable to man-in-the-browser attacks because not only do they have web browsers, but their apps act as mini web browsers by interacting directly with the Web.

"The browsers in the mobile devices become the Achilles heel because they're providing the session for the authentication to occur, which is why there are so many successful man-in-the-browser attacks that are focused on mobile platforms," Kellermann said.

Another aspect of many mobile devices that makes them easy to exploit by cybercriminals is their small screens. "That means you don't see the hints and the clues you'd get with a desktop or laptop that something is wrong with what you're looking at," said Tim Chiu, director of product marketing for security for Blue Coat Systems.

For example, in a phishing attack on a desktop, there are clues that tell you it's an attack -- you can see the full URL of where you're at or hover over a link to see where it goes. "On a mobile device, you can't hover so you never know the actual URL you're going to when you tap it," Chiu said.

"And when you go to a URL," he continued, "many mobile devices have a feature called auto hide in order to give you the most real estate on your little screen as possible. That hides the URL so you don't know where you are."

Despite the attention mobile devices are grabbing from cybercriminals, it may take a watershed event to bring the point home to the public. "We'll have a big problem when the first widespread Apple malware occurs that is financially targeted," said Ken Baylor, a research vice president for NSS Labs.

"While Apple has the ability to yank bad applications once they're installed as we saw in the recent $45 million ATM fraud scam, the things you can do in eight to 12 hours are pretty amazing," he told CSO.

Stories by John P. Mello
