Internet Security Fundamentals - Online Edition

13 Smartphones & Tablets - part 1

More and more of us are using our smartphones and tablet computers as our primary way of accessing the internet outside of work. This trend is set to grow, and the criminals know this is too big an opportunity to miss. Currently 90% of all mobile device malware is aimed at systems using Google Android, which accounts for the highest number of users worldwide. One study found that 86 per cent of Android mobile-malware payloads were repackaged with legitimate apps, which is how users were tricked into installing them.


Mobile phone scams have been around for ages, but now internet-enabled smartphones have given criminals and unscrupulous companies a wider range of tools and techniques to get people to unwittingly agree to signing up for their ‘premium’ services. Recently, after opening an ad-supported app on my smartphone, I was presented with a free competition to win an iPad. There were over 5 multiple choice questions, each was well presented and hard enough to catch a few people out. After the 4th question I was told that if I answered the final question correctly, I would need to give my name and mobile number to enter the competition. The fifth question was quite easy, at which point I noticed the small print. By entering my mobile number, I would be agreeing to a competition subscription service charged at £4 a week. The problem with these ‘scams’ is that weeks can go by before people realise they are being charged, as their mobile bill is monthly. Together with long 30-day cancellation terms, the end result is that people could easily be £30-£50 poorer for entering what appeared to be a free competition.

Another opportunity smartphones present for criminals is to trick a device into sending a premium rate text message repeatedly. Previously, stolen phones would be set up to call premium rate numbers, but now a virus can automate the whole process. A 20-year-old French hacker was arrested after tricking over 17,000 Android smartphone users into downloading his fake apps, which then sent out half a million euros’ worth of premium text messages. The particular trick he used has since been fixed in later versions of Android, but there are lots of devices that could still be affected.


If you have an Android based device, I highly recommend you install one of the free antivirus apps such as Avast Mobile Security or Sophos Intercept X for Mobile for Android; or, if you prefer a paid-for multi-device solution, F-Secure TOTAL and Bitdefender Total Security offer a wider range of protection. Users of Apple iOS devices are less likely to encounter malware, but also have the same free Avast and Sophos options.


The trend to ‘root’ or ‘jailbreak’ a device, which basically gives the user complete access and control, also removes many built-in security features. Because you can now install unauthorised apps, bypassing the official app store for your device, you are effectively unlocking every door in the house, opening all the windows, and then sitting in the garden. To top it off, your warranty is also invalidated, so long term the cons outweigh any benefits. Some recent reports by antivirus companies claim that over 10% of all apps in unofficial app stores are malware, while others claim 30% or higher, so it’s best to avoid all unofficial app stores even if you have antivirus installed.


Whatever mobile device you use, you can still fall victim to WiFi snooping, traditional phishing scams and also phishing scams based around your app store ID. Every mobile device needs an online ID provided by the developer of its operating system: for Apple iOS an Apple ID, for Android a Google account, for Windows Mobile a Microsoft Live ID and for Blackberry a Blackberry ID. So now we have phishing email scams built around this device ID, which is normally linked to lots of other cloud services. When you first set up a new device, a number of verification emails are normally sent so that you can purchase apps. The criminals know this and constantly send out phishing emails hoping to get lucky. Here are three Apple ID based phishing scams I received posing as verification emails:

This can look identical to the genuine email, but the ‘click here to confirm’ link goes to: http://www.altlinks.ru/admin/.apple/ which is a redirector that could actually take you to any web address the criminals want.

This rather impressive attempt was reportedly from secure@icloudmessagecentre.co.uk and had a convincing link going to: https://icloudmessagecentre.net/myappleaccountmessageview-ticket-id8912380357849182wua-secureapple/?


But it was nothing compared to this pixel-perfect fake.

Which then goes on to ask for a social security number, driving license and even a passport number. So not only would you be giving up your Apple ID credentials, but the criminals would also have everything they need for identity fraud.

This fake iCloud email arrived with the subject ‘Account will be deleted after 5 hours! Please Confirm !!’ from an account named Payment Pending. On a mobile the sender’s email address is hidden, but on a computer it is displayed as Payment Pending from webmaster@taste.vwdheal.com, which is obviously not from Apple.

Another trick the criminals use is to send you an order confirmation for a brand-new, top-of-the-range mobile phone that is going to be shipped to a stranger and that you will be paying for. In the email below, they are hoping that you are an Apple customer, see red and click ‘Cancel Order’, because obviously you didn’t order a new phone for someone you don’t know.

Clicking ‘Cancel Order’ then takes you to the Apple ID login page for you to enter your credentials as expected.


Or does it?

Could you tell that the first one was fake, and the second one was real?

As this problem has grown so big, Apple has issued guidance to help identify legitimate emails at: https://support.apple.com/en-us/102406. Also, there are premium app subscriptions that can help protect you against advanced scams and WiFi snooping for both iOS and Android, like F-Secure’s Freedome VPN, which basically encrypts all your internet activity. If you do all your online banking and internet shopping on a mobile device, I urge you to seriously consider one of these types of services, which work out at slightly more than a single premium take-away coffee per month.


Mobiles also give criminals the opportunity to start a phishing scam via an SMS text message with a web link. It is very easy for criminals to spoof a text message from what they hope is your mobile phone network provider. By spoofing a genuine text message sender number, the fake text message will appear grouped with any real text messages you have previously received from that provider. Because of this grouping with previous legitimate text messages, the criminal’s message is automatically trusted by most people and rarely given a second thought.


Obviously, if it’s from the wrong mobile provider you’ll be suspicious, but otherwise the small mobile phone screen helps the criminals to hide the full web address of their fake websites.


Take this text message supposedly from O2, which points to a convincing but totally fake sign-in page. People see the domain ‘o2.uk’ but don’t realise they are actually at ‘bill979.com’.
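The common thread in the Apple ID links above and the O2 text message is that the brand name appears somewhere in the link while the part of the address that is actually registered belongs to someone else. The following is an added example, not code from this guide, showing the check a phone screen does not make for you: strip the link down to its registrable domain and compare it with the domains the brand really owns. The O2 link and the Apple domain list are constructed assumptions for the demo; the short suffix table stands in for the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Assumption: a handful of two-label public suffixes is enough for the demo.
# A production checker would load the full Public Suffix List instead.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au", "co.jp"}


def registrable_domain(url: str) -> str:
    """Return the part of the host that is actually registered (e.g. 'bill979.com'),
    ignoring any brand-looking labels placed in front of it."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def brand_mismatch(url: str, brand: str, legit_domains) -> bool:
    """True when the link mentions the brand anywhere (subdomain, path or query)
    but its registrable domain is not one the brand owns."""
    mentions_brand = brand.lower() in url.lower()
    return mentions_brand and registrable_domain(url) not in legit_domains


# Constructed sample links: the first two are quoted in the text above, the
# O2 one is an assumed shape matching the 'o2.uk' vs 'bill979.com' description.
SAMPLES = [
    ("apple", "http://www.altlinks.ru/admin/.apple/"),
    ("apple", "https://icloudmessagecentre.net/myappleaccountmessageview"),
    ("apple", "https://appleid.apple.com/account"),
    ("o2", "https://o2.uk.bill979.com/account/signin"),
]
LEGIT = {"apple": {"apple.com", "icloud.com"}, "o2": {"o2.co.uk"}}  # assumed


def report(samples=SAMPLES, legit=LEGIT):
    """Map each link to (registrable domain, suspicious?) for display or logging."""
    return {url: (registrable_domain(url), brand_mismatch(url, brand, legit[brand]))
            for brand, url in samples}


if __name__ == "__main__":
    for url, (domain, suspicious) in report().items():
        print(f"{'SUSPICIOUS' if suspicious else 'ok        '}  {domain:<28} {url}")
```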


