In this recent spate of Google phishing attacks, experts say they have seen more than 50 phony banking applications offered via Android Marketplace.
The Android phishing attacks don't contain malicious code, experts say. Instead, the attacks solicit users with phony banking applications, which supposedly create a shortcut to online banking sites through the mobile Web browser, in an effort to obtain account numbers, login credentials and other personally identifying information. The banking applications were not developed or issued by the banks themselves, but instead written by a programmer known as "09Droid," security experts say.
"They'll toss (the applications) out there and see what they can catch," said Sean Sullivan, security advisor for North American Labs at F-Secure. "They'll get as much revenue as they can from something really simple."
Thus far, it's impossible to tell how many victims were affected by the scam, Sullivan said.
Google has since removed the phony banking applications, and numerous banks whose sites were targeted have issued warnings about apps that could be used for phishing attacks. Some of the targeted banks include Barclays Bank, Chase, Wells Fargo, Bank of America, Wachovia and Deutsche Bank. Additionally, users have posted warnings in Android forums about the phishing attacks.
Security experts contend that it is not surprising that attackers are going after mobile platforms, and in particular Google's Android operating system. Android got a boost in the mobile OS market with the release of the new Motorola Droid smartphone at the end of 2009. Amid a flurry of chatter, Google launched its own Nexus One phone last Tuesday, also running its Android OS.
Meanwhile, Sullivan said that the Google Marketplace community will have to weigh the demand for a freely accessible mobile operating system against the need to secure the vulnerabilities inherent in the open-source Android platform.
"It's just going to take a lively marketplace community when there's a scam that comes around," he said. "The community will be keeping the product on the ball. After that, it should be relatively okay. The trustworthy apps will rise to the top."
Solution providers, for their part, say that they have already begun to watch the mobile security space very closely as attackers increasingly target data stored on smartphones.
"Security administrators have been watching the mobile phone industry very diligently over the past few years," said David Sockol, president and CEO of eMagined Security, based in Santa Clara, Calif. "As more smartphones are being introduced into the marketplace, the number of attacks is growing exponentially. What is difficult or more challenging is that the Google operating system is a more open platform than others."
Some channel partners, like Sockol, are already starting to incorporate mobile security services into their portfolios, including penetration testing for various mobile platforms and architecture reviews. However, although mobile phones are increasingly targeted by hackers, customers often still lack awareness that hackers could target company smartphones, such as the Droid, to access and steal sensitive data, he said.
"The potential exists to not only phish and acquire information that's in transit, but also fully access other phones and use them as platforms to get information from directory services, access to e-mail systems, and use credentials," he said. "It's a new area and the users of the phones, they just don't have a clue what they're opening themselves up to."