Mobile Malware becomes a new Threat to Mobile Payments

The Mobile Cyber Threats report (a new joint report by Kaspersky Lab and INTERPOL) analyzed mobile malware data collected from over 5 million smartphones and tablets. The data came from the cloud-based Kaspersky Security Network, with the devices under observation running Kaspersky security products. Android's global dominance among mobile operating systems makes it the biggest target for mobile malware.

The report carries a warning for retailers, banks and mobile users, and especially for mobile payment companies. Google Wallet, PayPal and many other mobile payment systems are battling it out for dominance in the mobile payments space, but security should now be a continuous and major focus area. Kaspersky estimates reveal that Android itself receives more than 98% of mobile threats currently in existence. In the first half of this year, the Kaspersky research team found 175,442 new unique malware programs designed especially for Android.

According to data from IDC, Android has an 85% share of the overall mobile platform market. Android is also a more open platform, which makes it an easier target for exploitation. It is indeed less secure than rival platforms because it allows users to download third-party apps. This gives cybercriminals the opportunity to create apps embedded with malicious programs, target careless users and convince them to install the malware.

Speaking of mobile payments, a popular trend in many regions is conducting transactions through SMS. This provides an incentive for mobile malware developers, who try to hack into the transaction information embedded in such messages. Over a 10-month period from August 2013 to March 2014, Kaspersky saw the number of attacks per month rise from 69,000 to an astonishing 650,000. The number of users attacked also increased from 35,000 to 242,000. These are mind-boggling numbers indeed.

A few countries, specifically Russia, India, Kazakhstan, Vietnam, Ukraine and Germany, have reported the largest number of attacks. These regions possess a large base of SMS-based mobile payment users. Around 6 out of 10 mobile malware programs detected are capable of stealing a user's money. They are usually in the form of Trojans, which can target the messaging apps to perform hidden transactions.

Countries are gearing up to counter such threats. For example, in Russia, the telecom regulator imposed new rules for payments via SMS which require users to respond to confirmation messages before the actual transaction is completed. But as consumers increasingly access their social media profiles via mobile, criminals are designing crafty new methods to target users. Not to mention that companies like Facebook and Twitter are getting ready to integrate payments into their platforms.

One thing is for sure: mobile security decisions need to be defined in different terms. The context, content and user of any app have to be examined, and detection, with an appropriate response, has to be continuous. In the payments context, the ability to leverage the network to stop malware before it reaches the endpoint would be a better solution. With an increasing number of companies entering the mobile payments space, we hope they are coming up with remedies to the existing threats as well.