Awhile back we mused that the rapid rise in Android malware would hit its stride near the intersection of widespread mobile financial transaction use, and the continuing steep rise in adoption of the platform. Now we see AT&T, T-Mobile and Verizon entering a joint venture to back a payment service for, guess what: Mobile financial transactions. We’ve also watched the numbers of Androids on a meteoric rise, especially with Google’s plan to buy Motorola’s Mobility Holdings, its mobile device division.
The mobile provider giants are teaming up to back a project called Isis, a hopeful competitor against Google, which unveiled its own mobile-wallet service in May. One source pegged the venture cost at $100 million or more, a nice ante to enter the game, and an indicator of how much value they feel the sector may provide. They hope to launch mid-2012, if all goes well. Also, Visa is working on an offering that will allow mobile-payment services.
It’s not hard to guess what happens next. Malware writers have always been busily about finding the lowest hanging fruit that would provide the most bang-for-the-buck for their exploit writing. As the number of users transacting online increases, the fruit looks riper. If users can be tricked into downloading seemingly innocuous apps, likely purporting to have nothing to do with financial dealings, the nastiness might be just beginning. Add to this the fact that users normally install apps on the go and just click through the permission granting questions, and it’s easy to see how an app, after installed, can go skulking around looking for the installation of several financial apps, to begin it’s spying.
Let’s say, for example, a malicious app starts logging information used to complete a purchase transaction. Later, it transmits the information, along with other sensitive information, back to the malware mothership. From then, it can be either acted on directly, or bulk-packaged and sold to the highest bidder.
How can you protect yourself? Well, when you look into a new tasty app for you Android, take a look around at what other users’ experiences have been like. There are user ratings available, if you use the native Market app (which is a good idea anyway), and also you can use your browser to poke around and ask questions about the app in question. Recently, we’ve seen a bevy of security software being released from various vendors. We’ve been having good beta test participation with users on the upcoming ESET Mobile Security for Android, an always-on insurance of sorts. Whatever you do, it might be a good idea to keep an eye out for suspicious-looking activity on your mobile device, especially if you plan to start using the device to make purchases.
Author Cameron Camp, ESET