Social engineering: 3 mobile malware techniques
Cyber criminals are now taking over mobile devices by using many of the psychological tricks used to con people online. A look at three ways social engineers fool smartphone and tablet users
By Joan Goodchild, Senior Editor
July 25, 2011 — CSO
Social engineers have been using dirty tricks to fool people for centuries. Social engineering, the art of gaining access to buildings, systems or data by exploiting human psychology rather than by breaking in or using technical hacking techniques, is as old as crime itself.
For the past several years online, social engineers have been trying to fool unsuspecting users into clicking on malicious links and giving up sensitive information by pretending to be old friends or trusted authorities on email and social networks.
[See also: Social engineering: The basics]
And now that mobile devices have taken over our lives, social engineering is an attack method of choice to gain access to a person's smartphone or tablet.
Information security expert Lenny Zeltser, a senior faculty member at SANS Institute and an incident handler at the Internet Storm Center who also blogs on security topics, recently shared three examples of current cons criminals use to get inside your mobile device.
Malicious apps that look like legitimate apps
Zeltser's example is a popular, legitimate Android application that users were buying because it made a virtual "steam" appear on the smartphone's screen.
"You could move your finger to scrape the virtual steam off," he explained. "People love this sort of thing."
But someone built a malicious application that looked exactly like the virtual-steam application, and many users were conned into purchasing the copy instead of the authentic one.
"From a user's perspective it is very hard to distinguish between an app that is legitimate and an app that turns out to be malicious," said Zeltser.
What users ended up with was an application with malicious functionality hidden behind the expected one. In some cases, according to Zeltser, the malicious application silently sent an SMS message from the victim's phone to sign up for a premium-rate service, and the charge landed on the user's bill. The malware then deleted any return SMS acknowledging the charge, so victims had no idea they were being billed.
"In this scenario, the victim had no indication that the phone was sending messages or receiving any kind of notifications of the charges. They would get a large phone bill."
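The toll-fraud trojan described above needs two things an Android manifest has to declare: permission to send SMS, and a broadcast receiver for incoming SMS registered at a high enough priority to see (and, on Android of that era, abort) the carrier's confirmation text before the user does. The following is an added example, not code from the article or from Zeltser, that triages a manifest for exactly that combination. The two manifests, package names and the 1000 priority threshold are constructed for illustration.

```python
# Added example: static triage of an Android manifest for the SMS toll-fraud
# pattern (SEND_SMS plus a high-priority receiver for incoming SMS, so the
# billing confirmation can be swallowed). Illustrative, not from the article;
# the manifests below are constructed, not taken from any real sample.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"
SEND_SMS = "android.permission.SEND_SMS"
# Ordinary messaging apps use priorities up to 999; a filter at or above
# SYSTEM_HIGH_PRIORITY (1000) wants the SMS before the system's own handler,
# which is what a receiver must do to call abortBroadcast() and hide the text.
SUSPICIOUS_PRIORITY = 1000  # threshold chosen for this example


def _android_attr(elem, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def analyze_manifest(manifest_xml):
    """Return permissions, SMS receivers, findings and a verdict for one manifest."""
    root = ET.fromstring(manifest_xml)
    permissions = {_android_attr(e, "name") for e in root.iter("uses-permission")}

    # Collect every receiver whose intent-filter listens for incoming SMS.
    sms_receivers = []
    for receiver in root.iter("receiver"):
        for intent_filter in receiver.iter("intent-filter"):
            actions = {_android_attr(a, "name") for a in intent_filter.iter("action")}
            if SMS_RECEIVED_ACTION in actions:
                raw = _android_attr(intent_filter, "priority")
                sms_receivers.append({
                    "name": _android_attr(receiver, "name"),
                    "priority": int(raw) if raw is not None else 0,
                })

    findings = []
    if SEND_SMS in permissions:
        findings.append("requests SEND_SMS: can text premium-rate numbers without user interaction")
    hijackers = [r for r in sms_receivers if r["priority"] >= SUSPICIOUS_PRIORITY]
    for r in hijackers:
        findings.append("receiver %s listens for SMS_RECEIVED at priority %d: "
                        "can intercept and suppress replies" % (r["name"], r["priority"]))

    # Either capability alone has benign uses; the toll-fraud signal is the pair.
    suspicious = SEND_SMS in permissions and bool(hijackers)
    return {"permissions": permissions, "sms_receivers": sms_receivers,
            "findings": findings, "suspicious": suspicious}


# Constructed manifest modelled on the pattern in the text (hypothetical package).
TROJANIZED_MANIFEST = """<manifest xmlns:android="%s" package="com.example.virtualsteam.copy">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="Virtual Steam">
    <activity android:name=".MainActivity"/>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>""" % ANDROID_NS

# Constructed manifest for a look-alike app that only needs network access.
BENIGN_MANIFEST = """<manifest xmlns:android="%s" package="com.example.virtualsteam">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Virtual Steam">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>""" % ANDROID_NS


if __name__ == "__main__":
    for label, manifest in (("trojanized copy", TROJANIZED_MANIFEST), ("original", BENIGN_MANIFEST)):
        report = analyze_manifest(manifest)
        print("%s: suspicious=%s" % (label, report["suspicious"]))
        for finding in report["findings"]:
            print("  -", finding)
```

The check is a heuristic for the 2011-era pattern: on Android 4.4 and later, only the user's default SMS app receives the consumable SMS_DELIVER broadcast, so a third-party receiver can no longer hide a confirmation text this way, but the send-plus-intercept permission pairing remains a useful triage signal, and the same parsing approach extends to other permission combinations you want to flag before installing an app from an unfamiliar source.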
Zeltser said Google removed more than 50 malicious apps from Android Market in spring 2011 that turned out to be variants of the DroidDream trojan; they were repackaged to look like legitimate applications and carried names like Super Guitar Solo.
"The advice we're giving people outside of the mobile world is don't install applications that come from untrusted sources," said Zeltser. "That same advice applies now to mobile."