Owning a smartphone is a blessing and a curse. The blessing is that a modern phone is so personalized that it’s like having your life in your pocket. The curse is that the device is full of personal data that’s a rich target for cybercriminals.
GDPR Undermined By Fraudsters
The scandal of mobile malware aimed at stealing personal data is particularly ironic following the introduction of the European Union’s General Data Protection Regulation, which took legal effect last year. It’s meant to bring an age of increased protection for personal data, with the rules updated for the modern online age. The United States is already looking to enhance its global data privacy policies to provide advanced protection for personal data in a way that also complies with GDPR. That would be great if it wasn’t for a major flaw: fraudsters don’t follow rules.
What Data Theft Looks Like
In late 2017 and early 2018, Secure-D blocked a high level of attempted online transactions by the same app, titled com.rock.gota, on Android phones in Brazil and Myanmar. As well as the attempted transactions, the phones were loading ads behind the scenes to try to defraud advertisers.
Perhaps most seriously, the app was also recorded as collecting and transmitting user data without explicit permission. This included precise GPS location data, e-mail addresses and two different ID numbers from the handset itself: the MAC address, which identifies the phone on the Internet, and the IMEI number, which identifies the phone on cellphone networks.
Things were just as bad with another app, titled tct.weather and marketed as “Weather Forecast – World Weather Accurate Radar.” Here Secure-D revealed the app was collecting email addresses, IMEI numbers and geographic location and then transmitting them to China-based servers.
That’s a major concern given the app has more than 10 million downloads from Google Play as well as being pre-installed on some handsets. Indeed, it was so serious a discovery that the Wall Street Journal covered the story, noting the data theft was more likely to be a criminal operation than Chinese spying.
Permission System Not Foolproof
Android does use a permissions system to restrict inappropriate behavior by apps, but mobile malware exploits flaws in the system. For example, where tct.weather was pre-installed on handsets, it required access to the BILLING permission for in-app billing. It also used READ_LOGS, a permission that can mean accessing personal data.
Rogue apps also take advantage of users who don’t understand what permissions mean or simply click to grant permissions without questioning whether they are necessary for the app’s supposed purpose. For example, tct.weather included a permission screen saying it would collect details such as e-mail address, device ID and location.
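One way to check whether an app's requested permissions match its supposed purpose, shown as an added example that is not code from Secure-D or from the apps discussed. It assumes a manifest already decoded to text XML; the baseline for a weather app, the sample manifest and the package name com.example.weather are all constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Assumption: what a weather app plausibly needs. Adjust per app category.
WEATHER_BASELINE = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.ACCESS_COARSE_LOCATION",
}
# Permissions that expose the kinds of data named in the article.
SENSITIVE = {
    "android.permission.READ_LOGS": "system logs, which can contain personal data",
    "com.android.vending.BILLING": "in-app billing",
    "android.permission.ACCESS_FINE_LOCATION": "precise GPS location",
    "android.permission.GET_ACCOUNTS": "account names such as e-mail addresses",
    "android.permission.READ_PHONE_STATE": "device IDs such as the IMEI (before Android 10)",
}
# Constructed sample manifest, not taken from any real app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.weather">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.READ_LOGS"/>
    <uses-permission android:name="com.android.vending.BILLING"/>
    <uses-permission-sdk-23 android:name="android.permission.WAKE_LOCK"/>
</manifest>"""

def declared_permissions(manifest_xml):
    """Return the set of permission names the manifest requests."""
    root = ET.fromstring(manifest_xml)
    tags = ("uses-permission", "uses-permission-sdk-23")
    names = (n.get(ANDROID_NS + "name") for t in tags for n in root.iter(t))
    return {n for n in names if n}

def audit(manifest_xml, baseline=WEATHER_BASELINE):
    """List (permission, exposure) pairs for everything beyond the baseline."""
    extra = sorted(declared_permissions(manifest_xml) - baseline)
    return [(p, SENSITIVE.get(p, "not in baseline; review manually")) for p in extra]

if __name__ == "__main__":
    for perm, exposure in audit(SAMPLE_MANIFEST):
        print(f"{perm}: {exposure}")
```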
A Wall Street Journal story on the Secure-D findings found one victim in Myanmar had bought her handset for just $77. With such cheap offers being the only way many in such countries can afford a smartphone – or indeed any internet-enabled device – it’s understandable they might not question the security risks.
The Price Of Data Theft
How cybercriminals use personal data stolen through mobile malware can vary dramatically. Often it’s a multi-stage process in which the criminals try to discover a user name and password combination from one site or service, then try it elsewhere in the hope the victim reused it. The biggest goal is accessing email and social media accounts that unlock the details needed for identity theft and fraud.
Even if that approach doesn’t pay off, the criminals may sell on the login details to other groups who want to hijack accounts, for example to weaponize thousands of social media accounts for political or promotional aims.
This isn’t always a quick cash grab, either. Some fraudsters will set malware to run on a long-term basis to monitor ongoing activity. That’s partly to increase the chances of coming across particularly useful details such as an email login, and partly to help build up a more detailed picture of the user so that an identity fraud attack is more likely to be effective. Getting such detail also aids those malware creators who want to sell on personal details to other scammers on the black market.
Security Tools Are The Only Solution Right Now
Unfortunately, personal data theft malware isn’t a problem that looks like it will disappear any time soon.
Tackling risks such as pre-installed malware on low-cost handsets or fraudsters exploiting confusion over Android permissions can’t be done without long-term economic changes and cyber-education programs.
Government regulations can play a role but are limited by geographic scope. For example, in theory Europe’s General Data Protection Regulation (GDPR) places further legal restrictions on harvesting personal data through smartphones. The problem is that many victims, along with the fraudsters and their servers, are based in countries with limited regulatory controls over online activity. The reality is that no matter where users are located, anti-malware tools including real-time detection and blocking of malicious activity remain the most effective defense against mobile fraud.