USAToday.com recently posted an item concerning a malicious mobile app that has been infecting Android-based mobile phones. Potential victims receive an offer to download free versions of popular games like Grand Theft Auto and Angry Birds Star Wars. If an unsuspecting user installs the software, the mobile phone then sends spam to people in that user’s contact list.
As USA Today reporter Byron Acohido explains in this video, users should notice a few red flags during the installation process. First, the download does not come from the Android Market Place. Second, the installation instructions require the user to grant the application permissions that a real game would have no need for (such as sending SMS messages to your contact list). The instructions claim that such manual permission-setting is required because the game is a “beta” version.
Once installed, the malware uses your phone (and your data and texting plans) to send spam texts to your contacts. If you don’t have an unlimited texting plan, you might be in for an unpleasant surprise when your next phone bill arrives.
It’s important to note, however, that this malware doesn’t exploit any technical flaw in the Android mobile operating system. Like many successful malware attacks, it relies on social engineering to get users to behave in a certain manner (in this case, playing on people’s desire for free games to get victims to grant access to the phone’s texting abilities).
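The permission red flag described above can be checked mechanically before an app is allowed onto a managed phone. The following is an added example, not code from the USA Today item or this post: it audits the permissions declared in a decoded AndroidManifest.xml, and the game baseline, severity labels and sample manifest are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed baseline: permissions a typical game plausibly needs.
GAME_BASELINE = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.VIBRATE",
    "android.permission.WAKE_LOCK",
}
# Permissions that let an app spend the user's money or reach their contacts.
HIGH_RISK = {
    "android.permission.SEND_SMS": "can send text messages at the user's expense",
    "android.permission.READ_CONTACTS": "can read the contact list",
    "android.permission.READ_SMS": "can read stored text messages",
    "android.permission.RECEIVE_SMS": "can intercept incoming text messages",
    "android.permission.CALL_PHONE": "can place calls without confirmation",
}
# Constructed sample: a "free beta game" manifest (hypothetical package name).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.freegame.beta">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:label="Free Game (beta)"/>
</manifest>"""

def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    names = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    return names - {None}  # ignore malformed entries without android:name

def audit_manifest(manifest_xml, baseline=GAME_BASELINE):
    """Return (severity, permission, reason) tuples, most severe first."""
    perms, risky = requested_permissions(manifest_xml), set(HIGH_RISK)
    findings = [("HIGH", p, HIGH_RISK[p]) for p in sorted(perms & risky)]
    findings += [("REVIEW", p, "outside the expected baseline for a game")
                 for p in sorted(perms - baseline - risky)]
    # The combination the malware depends on: texting plus the contact list.
    if {"android.permission.SEND_SMS", "android.permission.READ_CONTACTS"} <= perms:
        findings.insert(0, ("CRITICAL", "SEND_SMS+READ_CONTACTS",
                            "can text everyone in the contact list"))
    return findings

if __name__ == "__main__":
    for severity, perm, reason in audit_manifest(SAMPLE_MANIFEST):
        print(f"{severity:8} {perm}: {reason}")
```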
Social engineering represents a formidable threat to IT security, since no amount of technical fixes or “patches” can prevent humans from, say, divulging a password over the phone to someone claiming to be from their company’s technical support department.
The only way to protect yourself and your company from attacks that rely on social engineering is to have a comprehensive “Acceptable Use Policy” in place, educate your employees about it, and enforce it rigorously.