Security issues vs user awareness in mobile devices a survey

International Journal of Advanced Research in Engineering and Technology (IJARET), ISSN
0976 – 6480(Print), ISSN 0976 – 6499(Online) Volume 4, Issue 3, April (2013), © IAEME
217
SECURITY ISSUES VS USER AWARENESS IN MOBILE DEVICES: A
SURVEY
Khaja Mizbahuddin Quadry,
Research scholar,
JNTUK, Kakinada, A.P, India
Dr. Mohammed Misbahuddin,
Senior Technical Officer,
C-DAC, Electronic city, Bangalore
Dr.A.Govardhan,
Professor of CSE Dept and Director of Evaluation,
JNTU, Hyderabad, A.P., India
ABSTRACT
Mobile devices help modern man stay connected. Mobile phones come handy to serve this
purpose; they use a radio link available in a geographical area, to make and receive telephonic calls,
without compromising on the mobility. In the most recent years, the mobile phones are not just meant
for making calls; they are used for many more purposes. Their penetration rate has increased
drastically with a wide range of applications coming into the market every day. The latest ones, the
Smart phones, serve an increasing number of activities besides storing sensitive data. This has made
the mobile phones a prime target for attacks. The users lose all the important data besides losing a
handsome amount with the loss of mobile phones; even messaging has become highly insecure.
Hence this paper intends to discuss the results of a survey made online on the possible attacks on
mobile devices. The paper also throws light on the case studies of a variety of attacks that have been
registered in the world of mobile phones.
Keywords: Security issues, Vulnerabilities, attacks, malware
1. INTRODUCTION
Mobile phones, [1] otherwise called the cell phones, facilitate making and receiving
telephonic calls through a radio link available in a geographical area, while being mobile. The cellular
network provided by a mobile phone service provider in any area allows the cell phone access to the
public telephone network. In addition to telephony, text messaging, mailing, internet access, short
INTERNATIONAL JOURNAL OF ADVANCED RESEARCH IN
ENGINEERING AND TECHNOLOGY (IJARET)
ISSN 0976 - 6480 (Print)
ISSN 0976 - 6499 (Online)
Volume 4, Issue 3, April 2013, pp. 217-225
© IAEME: www.iaeme.com/ijaret.asp
Journal Impact Factor (2013): 5.8376 (Calculated by GISI)
www.jifactor.com
IJARET
© I A E M E

218
range wireless communications (I.R, Bluetooth) business applications, gaming and photography are
also possible by these modern mobile phones.. Hence, every common man in the modern times finds a
trustworthy companion in the form of these mobile phones. They serve as a means to stay connected
with family and friends, carry on business transactions, make emergency calls, etc. Records show that
rural consumers, earning less than $1000 yearly, make the fastest growing cell phone subscribers
world-wide. The expansion of Indian cell phone industry presents a sharp contrast when compared to
the other industries. The present day Smart phones are supported with more general computing
capabilities. The cell phone industry registered a boost in December 2008. More than 10million new
subscribers were reported in comparison to the 8 million in 2007. The overall subscription in the cell
phone industry grew by 48% in 2008 with 34 million customers. The past twenty years, from 1990 to
2010, recorded a growth in the worldwide mobile phone subscriptions, from 12.4 million to over 4.6
billion; it penetrated and reached the bottom level of the economic pyramid in the developing
economies. An exponential increase in the numbers of users has been recorded ever since the mobile
phones were first made available. The end of 2009 saw over 50 mobile operators with 10 million
subscribers each and another over 150 mobile operators with at least one million subscribers. The year
2010, has recorded 4.6billion mobile phone subscribers on the whole, a number that is expected to
grow more rapidly in the years to come...
2.1 VULNERABILITIES and Security of Mobile Devices
With the wide spread use of Mobile phones for a wide range of applications, their security is a
matter of serious concern. Mobile phones are nowadays considered to be the very handy
authentication medium by many websites [3] and by most of the online businesses. They send an SMS
based authentication code for ensuring authentication online; often in clear text involving no codes.
As these mobile phones run the risk of being stolen, the fraudster can easily read the text or forward it
to another number. This allows a cyber criminal authenticate fraudulently. Vulnerability, [2] though
not so common a factor with the desktops, is very serious in case of mobile devices given to their
small size and portability; thus being easily stolen or lost. The report presented at Georgia Tech Cyber
Security Summit 2011, the Emerging Cyber Threats 2011 talks about the rise of vulnerabilities in case
of mobile browsers. The security experts say that the device constraints and tension between usability
and security make it difficult to debug issues. As the mobile browsers never get updated as traditional
web browsers do, and the users continue using the same operating system and the mobile browser as it
was on the date of manufacture, the attackers gain a big advantage. Attackers leverage a logic flaw in
the mobile network standards and force mobile phones to send premium rate SMS messages
preventing them from receiving messages for long periods of time. Major actions like checking credit
or voice mail, calling emergency numbers or customer support and even performing mobile banking
are performed by these malicious applications, while typically they figure themselves as menu or
application bearing the operators’ name. A majority of cell phones don’t notify for the SIM Toolkit
messages; some others wakeup from their sleep mode, but neither they indicate the receipt of any
neither message nor do they show any message in the inbox. However, when automated error reports
are sent, the users of some branded phones get notified for the message being sent but can’t really see
any message. Only the Nokia devices ask for confirmation to send SIM toolkit response. But this
option, asking for confirming the SIM service actions, is off by default on the phones configured by
the operators. The most recent devices like iphones and the Windows mobile 6.x devices notify the
message being sent but offer no way to stop it. However the sender can request for a reply via SMS
either directly to the sender’s number or to the operator’s message center. The online banking
applications through mobile browsers are also vulnerable to the phishing websites that invite the bank
customers to enter their passwords or other credentials.

219
3 CASE STUDIES
We discuss some of the mobile phone attacks reported.
3.1 CASE STUDY: ZEUS TROJAN ATTACKS BANK'S 2-FACTOR AUTHENTICATION
Zeus [4], a type of banking Trojan, has been reported to target the mobile phones when the
users try to get their handsets upgraded to the two-factor authentication facility. The F-secure
antivirus provider researchers informed that the Zeus MitMo attack appears to be similar to the
reported in Spain. In both the cases the malware attempted to steal the mTANs (mobile transaction
authentication numbers) used by a majority of European banks an enhanced authentication service to
their online customers. In this case the financial institutions provide a one-time password through
SMS, which in the secondary stage needs pass codes to login to online accounts. The Zeus Mitmo[5]
creates a fraudulent field on the web page prompting the users to provide their cell phone numbers
and the type of handset they use. As there is no change in the URL or any changes in the header or
footer that hints about the untrusted security panel. The users provide the information thinking that
they are enhancing their security, least knowing that the notification is fraudulent. Thus activated, the
app then monitors your SMS messages and sends the mTANS to the Zeus operator, making it possible
to gain access to your bank account as it has got your user name, password and mTAN; combination
that would clear your account of cash.
3.2 Case study: Spy Eye banking Trojan: now with SMS hijacking capability
Another banking Trojan, the Spy Eye[7] has the capability to reroute the SMSes carrying the one-
time passwords sent to victims' cell phones. This feature enables the Trojan to bypass all the
protections adopted by the financial institutions. In yet another case, the Spy Eye tried to redirect and
trick the victims to reassigning the cell phone number that they have registered with the banks to
receive one-time passwords. The fraudulent pages injected into the online banking sessions make a
false claim that the users have been assigned a unique telephone number and that they would receive a
special SIM card in the mail shortly. Thus injected, Spy Eye allows the fraudsters to receive all the
SMS transaction verification codes for the hijacked account via their own telephone network. In this
way they divert funds using the SMS confirmation system from the customer's account without
acknowledgement or triggering any fraud detection alarms.
How the attack works: The malware first gains the access to the login information logs into the
account without being detected by the bank or the consumer. With the help of social engineering he
obtains the confirmation code originally used to activate the consumer's mobile phone number with
the bank. To do this the malware injects a page that is assumed by the consumer that it is from the
bank. It says that as a requirement for the new security system unique telephone numbers are being
issued to the customers and that they will receive a special SIM card in the mail. The customers are
prompted to reregister with the bank using the original confirmation code into the relevant field; of
course, the Black Hats are ready to capture it. On getting the code the fraudsters claim for a change in
the old phone number with the new one which will be their own number. As soon as this is done, they
divert the funds, without alerting the customer or the bank about the fraud. These unauthorized
withdrawals or expenditures are noticed only when the customer logs in to his account. This is enough
to demonstrate that all out-of-band authentication systems, including SMS-based solutions, are not
fool-proof. As the banks have started verifying the transactions and subjecting them to various fraud
detection systems, the fraudsters are using a combination of MITB (man in the browser injection)
technology and social engineering to buy themselves more time. Once a computer has been identified
to be infected with Spy Eye, such attacks can be checked with endpoint security that blocks MITB
techniques. Only a layered approach to security can solve the issue otherwise even the most
sophisticated OOBA schemes would fail.

220
3.21 First Spy Eye Attack on Android Mobile Platform
Spy Eye [8] is fast spreading in the mobile market, making the Android mobile platform their
target. Ever since Man in the Mobile attacks (MitMo/ZitMo) first emerged in late 2010, Spy Eye
introduced their own hybrid desktop-mobile attacks (dubbed SPITMO). On the Zeus’ tracks.
Trojan: SymbOS/Spitmo
The SPITMO Trojan injects fraudulent fields for the user’s mobile phone number and the IMEI of the
phone into the bank's webpage, thus directing the user to provide them. The Trojan needs to link up with the
developer certificate in order to get installed on the user’s phone. But as the developer’s certificate is tied to the
IMEI of the user’s mobile phone, the malware authors request the IMEI along with the phone number on the
bank's website. On receiving the new IMEIs, they request an updated certificate with the IMEIs of all the
victims in order to sign in and create a new installer. The delay in getting the new certificate from the developer
explains why the Spy Eye injected message states it can take up to three days for the certificate to be delivered.
The cumbersome cycle which is used to circumvent Symbian's signing in requirement makes the
Trojan take up to three days to complete an attack.
• Ask the user for their device's IMEI
• Generate an appropriate certificate
• Release an updated installer
Trojan:DriodOS/Spitmo
The fraudsters find it unreasonable to wait for three days just to steal a couple of SMSs. The Android
OS provides a much more intuitive and modern approach to succeed getting desired treasure. Figure3
has a pictorial overview of how MitMo evolved. The figure shows clearly that before 2011
Blackberry and symbian were affected by Zeus Trojan, but after April 2011 the Spy Eye Android,
Blackberry and Symbian.
Figure.3 MITMO EVOLUTI
(www.pcworld.com/.../spyeye_trojan_targets_online_banking_securit
The Trustee reached the following analysis from a Spy Eye compromised machine on July 24th:
Stage 1: MITB – web injects module (you know the drill...)
When a compromised mobile is used for transacting with the targeted bank, a message
prompts a "new" security measure, supposedly being enforced by the bank, which is mandatory in
order to use its online banking service thereafter. It seems to be an Android application, fully safe and
protecting the phone’s SMS messages from being intercepted (there’s irony for you…) and guards the
user against any fraud.

221
The "set the application" button on clicking, provides further instructions for installing the
application:
Stage 2: Android (malicious) App installation
The user is directed to click on the URL: hxxp://www.androidseguridad.com/simseg.apk.
After the installation of the Android application on the compromised device, the application named
"System" is not visible. It's not a service, and it’s not listed in any of the current running applications.
In order locate the existence of this app, a bit of searching is required:
In order to complete the installation, the user is made to dial the number "325000"; the Android
malware hijacks this call presenting a malicious activation code that is to be submitted later in to the
"bank’s site":
Following is the de-complied code snippet found responsible for the "activation code"
operation but there is no reference to it in the application package (as of July 24)
Stage 3: Android secure application is a Trojan
After the successful installation, the Trojan intercepts all incoming SMSs and transfers them
to the attacker C&C; the de-compiled code snippet given below creates a string for later use,
whenever an SMS is received:
“? Sender= [SendeerAddress] &receiver=[ReciverAddress]&text=[MessageBody
The above formed string structure will be later be appended, as a query string, with a GET HTTP
request, to be sent to the attacker's end.
There is a "Settings.xml" file (asset directory) with a configuration, within the app, for the Trojan;
"Settings.xml" defines:
• The transfer method i.e. SMS or HTTP
• The attacker's drop zone URLs
Here’s a snippet of the extracts from "Settings.xml":
Stage 4: SMS Spy Command & Control
Four domain names in the URLs in use were found not registered (yet!): 124ff42.com;
124ffdfsaf.com; and 124sfafsaffa.com.However, Spy Eye - the domain ‘124ffsaf.com’ has been found
‘hopping’ around in different IPs, in several locations, around the world.The snippet from SpyEye’s
tracker history record for the domain 124ffsaf.com over a three day period shows as follows:Peeping
around the attacker C&C reveals an unprotected (at the moment!) statistics page
It’s worth mentioning that the Attacker C&C above was produced the above stated information when
the Trojan was tested in action in the lab. The Sender 15555215556 and the Recipient 15555215554
refers to the two Android emulators used in the lab to simulate the attack (the corresponding HTTP
traffic is presented above). As indicated in the page, the attack has yet to gain momentum, so consider
this a warning. I'm pretty sure this is just the beginning so I’m tempted to say, “To be continued…”
SPITMO for Android loses the battle against Trusteer
It is hightime that the Organizations acted and installed a desktop browser security solution in
the multi layered security profile they have been using. The banks that already offer Trusteer Rapport
are automatically protected and are NOT vulnerable to this attack - even if the Trojan is downloaded.
This is due to Rapport being supported by a feature to prevent Spy Eye from installing on the
customer's PC, thus terminating the attack before it takes hold. Those who are not using Rapport,
Trusteer Pinpoint will detect and report the real-time victims, as being infected with this variant of
SpyEye, when they attempt to log in to the bank's website. The attack is nullified by restricting the
services to these reportedly infected machines, like disabling it to complete transactions. Finally,
Trusteer Mobile for Android (either Secure Library or Secure Browser) will detect and block such
attacks by preventing any malicious activity.

222
3.22 SPY EYE BANK TROJAN HIDES ITS FRAUD FOOTPRINT
Another nastier version of Spy Eye [9], has been detected with the ability to hide all
fraudulent transactions from victims and was found allegedly targeting the major UK banks. This Spy
Eye version is a tweak of the Zeus crimeware kit that grabs web-form data within browsers. This new
Trojan, doesn’t intercept or divert email messages, rather hides the fraudulent transactions, masks the
amount of the transaction, and puts forward a fake balance, ensuring that victims are unaware of
anything being amiss on their account. Its work can be briefed as:
1. Spy Eye steals the debit card data by employing a man-in-the-browser attack on an online
banking session.
2. The fraud is committed with the debit card data.
3. Thirdly, the Spy Eye initiates a post-transaction attack and hides the fraudulent transactions
from the victim, when he logs in to his account the next time
Here’s detailed description of how it goes down:
Step 1 – Malware Post-Login Attack - Credentials Stolen:
a. The victim’s machine is first infected with any Man in the Browser malware (e.g. Zeus, Spy Eye,
Carberp), with a suitable configuration.
b. The fraudulently configured malware asks the customer for debit card data during the login phase
(HTML injection) – e.g. card number, CVV2, month and year of expiry, etc.
Step 2 – Fraudster Commits Fraudulent Activity:
c., The cybercriminals then create a card-not-present transaction fraud by making a purchase or
transferring money over the telephone or the internet using the customer’s debit card details.
d. The fraudulent transaction details are immediately fed in to the malware control panel by the
fraudster.
Step 3 – Malware Post-Transaction Attack with Fraud Hidden from View:
Figure 4 MitMo Attack Cycle ( nakedsecurity.sophos.com/.../spyeye-bank-trojan-hides-its-fraud-
foot.)

223
3.32 Case Study: Android Trojan records calls
Cyber Criminals [11] have increased the functionality of Android Trojans. Earlier versions of
mobile malware strains for Google's mobile platform were able to log the duration and numbers of
incoming and outgoing calls. The new malware goes a step ahead by capturing the whole content of
conversations before storing them on the SD-slot memory card of infected Android phones. The
hackers then upload these conversations to a server, according to the tests carried on the malware by
the security researchers at CA in a closed environment On installation, the malware drops a
'configuration' file containing the key information about the remote server and the parameters.’ This
as-yet-unnamed malware cannot install by itself. It needs to be installed by the victims who consider it
to be a prototype of some sort, a game or a tool that they can use against their spouses to keep track
of their activities. The Victims, tricked into installing it, would need to agree to install the application,
grant it permissions to record audio, read the state of a phone and prevent it from sleeping.
3.31 NEW Drive-By Android Trojan Attacks Mobile Users
Android.Notcompatible [11], an Android Trojan horse program getting installed via a partial
drive-by download has been identified as a threat by Symantec. Though Symantec gives
Android.Notcompatible its lowest risk level, very Low, the main concern is that it might be copied by
other hackers to use the technique in other attacks. Drive-by downloads—the malware that installs
itself without the user's knowledge--typically occur when a website is visited. Android.Notcompatible
pretends as a genuine system update under the name "com.Security.Update". The images below show
the download and installation. Taking the program to be a genuine update by its pretence, the infected
users approve installation. After being installed on a phone, Android.Notcompatible monitors all
incoming and outgoing data including the personal one, sends its copies to the attacker through a
proxy code. Android.Notcompatible spreads via URL redirects injected into the HTML of innocent
bystander sites. The users who allow installation from unknown sources are most susceptible. Users
who download apps from Google Play are safe from this or any other threat. The following sites have
been identified as Android.Notcompatible hosts, by Symantec. (The "http" part of the addresses is
bracketed to prevent accidental launches of infected sites.):
• [http://]androidbia.info
• [http://]androidjea.info
• [http://]gaoanalitics.info
• [http://]androidonlinefix.info
3.4 Case Study: Scumbags get sneaky with new self-robbery Trojan
A particularly sneaky banking Trojan equipped with a self-robbery tricks that traps victims
into transferring funds into the accounts controlled by cyber crooks or their partners has been
developed by the malware-peddlers[12]. The users of the infected machines, on logging in to the bank
site, get a fake message alerting them of a mistaken credit to their account, asking the user to revert
the said amount to unfreeze their account. Trojan falsely inflates displayed account balances on
infected machines, besides offering a pre-filled online transfer form in order to make the ploy more
plausible. All these make the victim trust and transfer the said amount without getting it confirmed
from the bank. While previous banking Trojans, like the URL Zone Trojan displayed fake balances on
infected machines, this latest strain of malware is an evolution of this line of attack. As the period of
time involved in banking fraud increases the risk of the fraud being tracked down, the fraudsters find
it safer tricking victims into transferring funds themselves rather than employing money mules to
force entry to the compromised accounts. Fraudsters can thus quickly loot accounts, before the
compromised accounts are suspended or login credentials changed.

224
4 CONCLUSIONS
This survey concludes that Mobile phones are not secure unless the user is well aware of the
risks. They can be attacked and used for various fraudulent purposes, not normally identified by users.
This paper explores some vulnerabilities, and explains how they may be exploited. Finally, the case
studies expose consequences of attacks on mobile phones by malware. The lack of security awareness
[15] among cell phone users and their carelessness are the two prominent risk factors that fall the
users prey to the fraudsters. It is extremely important to understand that a smart phone is far more than
just a phone and cannot be treated like one of ordinary standards. Unlike the previous generations of
cell phones, that were least susceptible to Bluetooth hijacking, the modern smart phones are prone to
the same risks as PCs, equipped with Bluetooth or internet features. New attack vectors will
increasingly be exploited by fraudsters as online banking services use these devices as second
authentication factors given the convergence between PCs and cell phones.
Recommendations for a secure mobile banking:
• Check rating, user reviews, and comments for each mobile application you download.
Avoid low rated, new applications, and bad reviews.
• Carefully evaluate the permission requested by Android applications when you install them.
Applications that ask for access to text messages and other sensitive information should
raise a red flag and further researched before you download it
• Have your PC protected with online banking security software such as Trusteer Rapport that
can be downloaded from your bank's website. This software rules out the possibility of
MitMo attacks by restricting fraudsters from controlling the web channel.
• Regularly install updates on your mobile device
• Enable access protection measures such as a PIN or password (if possible). Configure the
smart phone to automatically lock after a minute or so when being idle.
• Before installing or using new smartphone apps or services, check their reputation. Only
install applications from trusted sources.
• Pay attention to the security permissions requested by every application and service you
install.
• Keep your operating system and software applications up to date.
• Disable features not in use: Bluetooth, infrared or Wi-Fi.
• If you have Bluetooth enabled, set your device to be hidden and password-protect it.
• Make regular backup copies of your important files.
• Encrypt sensitive information whenever possible.
• Use call and SMS encryption software.
• Whenever possible, do not store sensitive information on the smartphone. Make sure it is
not cached locally.
• Erase all information from the smartphone once you get rid of it.
• In the event your phone is lost or stolen, inform your service provider and give them your
device‘s IMEI number to block it.
• You can also use remote or automatic deletion of data (after several failed login attempts).
• Monitor the smartphone for anomaly detection.
• Check your account activity frequently to detect fraud.
• Be aware of the risks associated with these devices and use them correctly

225
REFERENCES
[1] http://www.en.wikipedia.org/wiki/Mobile_phone
[2]en.wikipedia.org/wiki/Mobile_virus
[3]http://www.theregister.co.uk/2011/02/22/zeus_2_factor_authentication_attack/
[4] www.eweek.com/.../Zeus-Trojan-Mobile-Variant-Intercepts-SMS-Pas.
[5] www.thinkdigit.com/Mobiles.../ZeuS-Trojan-now-affecting-BlackBer
[6] www.networkworld.com/.../zeus-trojan-back-and-targeti... - United States
[7]www.theregister.co.uk/2011/10/06/banking_trojan_steals_sms/
[8] www.trusteer.com/.../first-spyeye-attack-android-mobile-platform-no.
[9]nakedsecurity.sophos.com/.../spyeye-bank-trojan-hides-its-fraud-foot[
10]http://www.theregister.co.uk/2011/08/02/android_malware_records_calls/
[11]www.informationweek.com/byte/news/232901415
[12] http://www.theregister.co.uk/2011/07/29/tricky_banking_trojan/]
[13] http://www.theregister.co.uk/2011/02/22/oddjob_banking_trojan/
[14]www.informationweek.com/news/security/vulnerabilities/229219049
[15] http://www.scribd.com/doc/57779895/CNCCS-Smart-Phone-Malware
[16] K.Sangeetha and Dr.K.Ravikumar, “A Framework for Practical Vulnerabilities of the Tor (The
Onion Routing) Anonymity Network”, International Journal of Computer Engineering & Technology
(IJCET), Volume 3, Issue 3, 2012, pp. 112 - 120, ISSN Print: 0976 – 6367, ISSN Online: 0976 – 6375
[16] A.Edwinrobert and Dr.M.Hemalatha, “Behavioral and Performance Analysis Model for Malware
Detection Techniques”, International Journal of Computer Engineering & Technology (IJCET),
Volume 4, Issue 1, 2013, pp. 141 - 151, ISSN Print: 0976 – 6367, ISSN Online: 0976 – 6375

Security issues vs user awareness in mobile devices a survey

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (19)

Destaque

Destaque (20)

Semelhante a Security issues vs user awareness in mobile devices a survey

Semelhante a Security issues vs user awareness in mobile devices a survey (20)

Mais de IAEME Publication

Mais de IAEME Publication (20)

Último

Último (20)

Security issues vs user awareness in mobile devices a survey