When I taught computer programming classes in the 1980s, many first-time C programmers would write a Trojan login program for fun. They’d simulate the login prompt (no Windows back then). I gave a bit more info about this when I first wrote about Trojans on this blog. Trojans are a form of social engineering: the user is directly deceived into doing something harmful.
In December of 2015 RSA disclosed that a Trojan, masquerading as an RSA phone app, could enable attackers to withdraw money from the victim’s bank account. The Trojan installs a man-in-the-middle SMS-capturing proxy that looks exactly like a real RSA OTP (One Time Password) app.
According to the blog post, the Trojan asked for the phone number of the victim. The author presumed the bank would have had it, and I agree. That request was quite suspicious and should have tipped off savvy users. Unfortunately, users of apps of this type are often thinking, “I want this transaction done. This is just another annoying security thing.” They may even think the bank is validating the number. If they do, that’s sort of good because they are thinking the bank has good security; it’s bad because they miss that key indicator of a possible Trojan.
The real issue (and the post addresses this) is assuring you are running genuine security apps. It seems this Trojan asked users to download software from a particular site other than the official app store. Android users often get quite useful, safe software from third parties. I do. But it is important to verify that the software is safe. Better, if you are even the slightest bit unsure of the source or if the software is important for security or privacy, download it only from the appropriate app store.
Also, be sure you have current anti-virus/anti-malware software on your phone. It’s unlikely to catch everything, but it will catch some malware and it is far better than nothing. We generally give phones a pass when it comes to malware, but this case makes it clear that malware for mobile devices does exist and can be quite damaging.
Finally, be suspicious. There. I said it. You have to be suspicious of any potential attack vector. It’s part of a security mindset. Of course, being suspicious doesn’t mean being paranoid or fearful. Google defines suspicious as “having or showing a cautious distrust of someone or something.” That’s an attitude we try to develop in Learning Tree’s System and Network Security Introduction when it comes to cyber security. In the security context, too much trust can lead to serious trouble.
Do you have anti-malware on your mobile device? Do you load software from sites other than an app store? Let us know in the comments below.
To your safe computing,