Smartphones are now a serious target for cybercriminals, with 100% of the top 100 Android apps having been hacked in the past year. Hackers now specifically target financial apps, such as those used by banks – with 53% of Android banking apps having been cracked, and 23% of iOS apps, according to a report by app security company Arxan.
Such ‘hacked’ apps are often distributed through unofficial stores such as Cydia, or via torrent sites – and some have been downloaded hundreds of thousands of times, Arxan said.
“Pirated versions of popular software are available on numerous unofficial app stores like Cydia, app distribution sites, hacker/cracker sites and file download and torrent sites,” said Kevin Morgan, chief technology officer at Arxan.
“During our research we discovered that some of the hacked versions have been downloaded over half a million times, which gives a sense of the magnitude of the problem, especially as we embark upon a season of high consumer activity that will involve payment transactions, and consumption of products and services via the mobile,” Morgan said in an interview with The Telegraph.
“Mobile financial apps are very fallible,” the report said. “Financial services app owners will commonly deploy on multiple mobile platforms to ensure their new mobile services can reach the majority of their total customer base. Evident in this finding is that these innovative apps are likely targets of hackers as these apps may support monetary transactions. This high-risk category, especially with regards to mobile banking and payment applications, requires extra vigilance.”
PC World commented, “Hackers often target financial apps, and with good reason. If criminals can get between you and your bank, they have access to your account numbers, passwords, and other useful information. They can easily turn your money into their money.”
While the greatest risks came from apps acquired via torrent sites, unofficial stores and other semi-legitimate sources, Android users could be fooled into downloading “modified” apps even from the official Google Play store, Arxan warned, according to The Guardian’s report.
“Google Play isn’t a vetted app store – it tends to have a lot of cruft,” said Morgan. “Whereas in the Apple Store you’re almost certain to see just legitimate apps.”
Morgan said it would be “easy” to insert an app entitled “Bank of America” into Google’s store. The research was based on data accessed in October 2013, and the Top 100 Paid app lists on the Apple App Store and Google Play. The researchers also analyzed 20 popular financial apps for each platform.
The researchers said that the fragmented nature of Android, and the huge number of devices at low price points, “clearly underlines that Android is the more insecure operating system. Hackers can more readily target a fragmented, and open Android ecosystem to insert malware into the Google Play Store. Specifically, the majority of Android devices will not be able to receive new security measures provided by Google, which results in users being vulnerable to even known threats.”
ESET Senior Research Fellow Righard J. Zwienenberg commented in a post earlier this year, “The biggest problem for consumers is the enormous number of old phones running Android that are still in use, for which the operators will not release a new version. Regardless of whether Google releases patches for these versions, the phones will remain vulnerable.”
Financial watchdogs have warned that the growing use of banking apps poses a serious threat to banks and their customers, as reported by We Live Security earlier this year.
“For firms to successfully provide mobile banking services to their customers, they will be dependent on IT systems, technical expertise and detailed knowledge of the payments system. Many of the firms entering this market are using the specialised services of outsourcing partners,” the FCA said. “This leads to the risk that there may be a chain of companies involved in a customer’s transaction, resulting in a greater likelihood of a problem occurring.”
This week, ESET malware researcher Robert Lipovsky reported on the continuing spread of Hesperbot, a banking Trojan which lures users into downloading a fake banking app to their smartphones: “As suspected, it didn’t take long before attackers started using the malware to target online banking users in more countries. In addition to the initial four country-specific botnets (Turkey, the Czech Republic, Portugal and the United Kingdom), in November we discovered new Hesperbot versions targeting Germany and Australia.”
Author Rob Waugh, We Live Security