Within 12 to 24 months over 1 in 20 (5.6%) of all Android phones and iPads/iPhones could become infected with mobile malware if fraudsters start to integrate zero-day vulnerabilities into leading exploit kits, claims security firm Trusteer.
According to the company, Google's Android platform is a 'fraudster's heaven' because the "security architecture is not currently up to the challenge" given the "ease of generating powerful fraudulent applications and the ease of distributing these applications." Also highlighted is the fact that there are no effective controls over the app submission process and that this allows malware into the Android Market.
Here's the killer quote:
"Compared to Apple's App Store, Android Market is the Wild West. You can't always trust applications you download from it."
Apple and iOS don't escape criticism either. While the company admits that Apple's App Store is far more secure than Android Market because of the strict controls placed on apps and the manual review process, it says jailbreaking represents a real threat, and vulnerabilities that allow jailbreaking over the web could present a serious problem.
"JailbreakMe.com published an exploit which allows the automated jailbreaking of iOS devices from a specially created Web site. PDF files that exploit this vulnerability are reportedly publicly available. Even clicking a crafted PDF document or surfing to a website with the PDF documents are sufficient to infect the mobile device with malware."
Trusteer also offers up a four-point recommendation for secure mobile banking which I think is worth repeating here:
- Check the rating, user reviews, and comments for each mobile application you download. Avoid new, low-rated applications and those with bad reviews.
- Carefully review the permissions requested by Android applications when you install them. Applications that ask for access to text messages and other sensitive information should raise a red flag and be researched further before you download them.
- Have your PC protected with online banking security software such as Trusteer Rapport, which you can download from your bank's website. This software can break MitMo attacks by not allowing fraudsters to control the web channel.
- Regularly install updates for your mobile device.
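The permission-review advice above can be applied mechanically rather than by eye. The script below is an added example, not code from the article or from Trusteer: it parses an Android manifest, lists every `uses-permission` entry, and flags the ones that grant access to text messages or similarly sensitive data. The manifest is a constructed sample (not a real app), and the set of permissions treated as sensitive is an assumption chosen to match the article's own example of SMS access.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions treated as "raise a red flag" for this example. The article names
# text-message access specifically; the rest are an assumption of the same class.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_SMS": "read text messages (one-time banking codes)",
    "android.permission.RECEIVE_SMS": "intercept incoming text messages",
    "android.permission.SEND_SMS": "send text messages (premium-rate fraud risk)",
    "android.permission.READ_CONTACTS": "read the contact list",
    "android.permission.READ_PHONE_STATE": "read phone identity and call state",
}

# Constructed sample manifest for a fictitious app; not taken from any real APK.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.banking">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the permission names declared in <uses-permission> elements, in order."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS  # namespaced android:name attribute
    return [
        elem.get(name_attr)
        for elem in root.iter("uses-permission")
        if elem.get(name_attr)
    ]


def flag_sensitive(permissions):
    """Map each requested permission that is in the sensitive set to its description."""
    return {p: SENSITIVE_PERMISSIONS[p] for p in permissions if p in SENSITIVE_PERMISSIONS}


def review(manifest_xml):
    """Summarise a manifest: everything requested, what was flagged, and a verdict."""
    perms = requested_permissions(manifest_xml)
    flagged = flag_sensitive(perms)
    return {"requested": perms, "flagged": flagged, "red_flag": bool(flagged)}


if __name__ == "__main__":
    result = review(SAMPLE_MANIFEST)
    print("Requested permissions:")
    for p in result["requested"]:
        print("  ", p)
    if result["red_flag"]:
        print("RED FLAG: app requests sensitive permissions:")
        for p, why in result["flagged"].items():
            print("  ", p, "->", why)
    else:
        print("No sensitive permissions requested.")
```

On a real APK the manifest is stored in binary XML; the same check applies after decoding it with a tool such as `aapt`, which is outside this example. The point is the verdict, not the parser: a banking app that wants to read incoming SMS is exactly the pattern the advice tells users to research before installing.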