A malicious mobile app that can tap into SMS messages and steal passwords, two-factor authentication passcodes and other sensitive mobile data makes the recent attack against celebrity iCloud accounts pale in comparison to the dangers it foreshadows against mobile users.
Researchers at security vendor FireEye said the Android KorBanker malware app, which has been used against a variety of victims in Korea, provides evidence that mobile malware can be part of a larger operation to collect data on corporate users. KorBanker is designed to gain access to SMS text messages, steal as much information as it can glean from device owners, and send it to a remote server where criminals can retrieve it.
The attack campaign has been ongoing for the last 11 months, but the criminals behind KorBanker conducted a new round of attacks in August, infecting more than 1,700 devices with the malware, said Hitesh Dharmdasani, a FireEye malware researcher, in a blog post about the threat. Dharmdasani said the attack is adding to an already complex threat landscape.
Over the course of 55 days, FireEye researchers monitoring one of the command-and-control servers connected to KorBanker uncovered 10,000 SMS messages from nearly 100 devices. The messages contained two-factor authentication codes from social networks and other services, and passwords to VPN services, Dharmdasani said. The information also included location sharing and mobile banking information, he said.
"Since such information can potentially be used to access corporate networks, mobile malware plays an important role in the newly evolving multivector threat landscape," Dharmdasani said.
Mobile threats are growing but remain more widespread in Eastern Europe, Russia and Asia, according to several new reports. Mobile malware and high-risk apps numbered 2 million in the first half of 2014 and are growing at a rate of 170,000 apps per month, according to Trend Micro, which issued its mobile threat report last week.
Threats to mobile users took center stage this week following the leak of hundreds of nude celebrity photos that were stolen by hackers who gained access to their Apple iCloud accounts. Apple acknowledged the iCloud security incident this week, following its investigation, which found the attacks were targeted at users and were not part of a data breach. But security experts point out that the Apple application believed to have been used to tap into the data didn't contain a security mechanism to thwart brute-force attacks that use automated tools to make repeated attempts to guess account passwords.
The isolated mobile security incidents shed light on potential new dangers to mobile users, said solution providers, who are advising businesses about the risks posed by mobile devices. Mobile device owners can be easily tricked into downloading an app that could be used to steal data, said Bob Coppedge, owner of Hudson, Ohio-based managed service provider Simplex-IT. The risks in the near term seem mundane, but dangerous threats often rely on time-tested techniques because they work, Coppedge said.
"I don't really know how a flashlight app works, but I know it doesn't need to have access to who my contacts are or require a password to function," Coppedge said. "Millions of consumers are giving up their security and privacy by blindly installing applications, and it may have a future impact on data protection."