Xafecopy Malware Raises Concerns Over Mobile SecurityDespite Rising Mobile Attacks, Awareness of Risks Is Low in India
Mobile malware risks are surging in India. For example, about 40 percent of all the attacks involving Xafecopy mobile device malware, which impacted 47 countries, were targeted at the nation, according to a study by Kaspersky Labs
The malware, which targets the WAP [Wireless Application Protocol] billing payment method, steals money through victims' mobile phones without their knowledge, according to the report.
The increasing attacks on mobile phones has called attention to the need to boost awareness of mobile security in India and take critical mitigation steps.
How Xafecopy Works
Security practitioners say that the Xafecopy Trojan usually comes hidden in Android apps and secretly loads malicious code onto the device.
"Once the app is activated, Xafecopy keeps tab on webpages via Wireless Application Protocol billing, thereby siphoning money without ever getting noticed by the victim," says Sapan Talwar, CEO, at Aristi Ninja. "The malware uses deceptive techniques to bypass Captcha systems." Captcha is an acronym for "Completely Automated Public Turing Test to tell Computers and Humans Apart."
The Xafecopy malware clicks on web pages with WAP billing - a form of mobile payment that charges costs directly to the user's mobile phone bill. After this, the malware silently subscribes the phone to a number of services, because the process doesn't require users to register a debit or credit card number or set up a username and password, security practitioners say.
"WAP billing is a form of cardless billing wherein the consumer is directly billed by their telecom company, for the value added services subscribed by the consumer," says Shweta Thakare, senior associate vice president for Europe and APAC at eScan. "The malware would upon infection covertly subscribe the consumers to billed WAP services."
Security practitioners also warn Android users to be cautious. "It's best not to trust third-party apps, and whatever apps users do download should be scanned locally with the Verify Apps utility," says Altaf Halde, managing director-South Asia at Kaspersky Lab. "But beyond that, Android users should be running a mobile security suite on their devices."
A Weak Link
Mobile devices are one of the weakest links in corporate security. Executives are wrestling with managing a proliferation of devices, protecting data, securing networks and training employees to take security seriously.
According to news reports, a third of over 10.8 million apps in app stores are infected with malware.
Two-thirds of all those accessing the Internet in India do so using a mobile device, according to Norton Mobile Security Report, 2016. So they're particularly vulnerable to mobile malware.
Symantec's Internet Security Threat Report indicates that dependency on mobile devices in India has gone up significantly in the last two years.
And in India, mobile security awareness among consumers is weak.
"Over the last four to six quarters, markets have witnessed a lot of enablers in BFSI space for carrying out mobile transactions. The government too is pushing through UIDAI, NSDL etc," says Sivakumar Krishnan, former head information technology and information security at M Power Microfinance.
"In the eagerness and the ability to quickly carry out a financial transaction online, the security aspect have been conveniently forgotten/ignored in mobile," Krishnan contends.
Despite the rising mobile malware threat, organizations in India have taken little action.
"The situation of mobile security today is at the same level as security for computer and IT infrastructure was a decade ago - things are yet to mature," says Berjes Shroff, CEO at Berj InfoSec. "It all boils down to cost and privacy. Companies don't want to invest too much."
A CISO at a major IT firm, who asked not to be named, describes what happened when he put forth the idea of mobile security to his board: "They all accepted the criticality of this. However, the moment I gave them a rough cost of how much this will cost, idea went on the backburner."
Talwar offers a similar perspective: "There is definitely a lack of mobile security awareness. More importantly, while being aware to some extent, we continue to ignore mobile security threats. It is imperative to make enterprises mobility-usable and threat-free. The CIOs and CISOs must get visibility of mobile risks to protect IP and sensitive data. The signs are clear that mobile threats need to be taken seriously."
The biggest mobile device security challenges are malicious applications and vulnerable operating systems.
Testing of new applications for security before they're put on the market is lacking, some security experts say. "This is being missed to large extent," Talwar contends. "Also, multiple versions of OS and irregular patch updating cycles make the situation even more grave."
Furthermore, mobile apps are often the cause of unintentional data leakage.
"Riskware apps pose a real problem for mobile users, who give them sweeping permissions, but don't always check security," Halde says. "These apps send personal - and potentially corporate -data to a remote server, where it is mined by advertisers or even cyber criminals."
Data leakage can also happen through hostile enterprise-signed mobile apps. Here, mobile malware uses distribution code native to mobile operating systems to spread valuable data across corporate networks without raising red flags, Halde explains.
Some security experts recommend ending the practice of using personal mobile phones for business purposes to help prevent corporate data leakage.
They also recommend that if a mobile account is running out of cash suspiciously fast, then open the carrier's self-service page and check to see if you are subscribed to something unwanted. Some mobile operators allow subscribers to disable all WAP billing services.