Unwanted advertising, or spam, has long been an aspect of email that is begrudgingly accepted – but with the global proliferation of mobile internet, it is fast becoming an unwelcome reality on mobile devices as well. DT editor James Barton spoke to Cloudmark’s Alan Ranger about how spam is affecting the way that mobile users worldwide perceive their devices, how users in emerging markets are particularly vulnerable, and what can be done to curb the growth of spam and malware in the mobile sector.
DT: How has the growth of mobile spam and malware affected user perceptions of their devices?
AR: People seem less trusting of SMS than they were this time last year. SMS spam and claim-harvesting activities have been receiving a lot of publicity recently and this may have something to do with it – people are much more aware of it and so have become more suspicious.
SMS spam usually takes the form of insurance scams, suggesting that people might be able to claim if they’ve had an accident. While levels in Western Europe are fairly low, people get very upset when they receive it, probably as a phone is a very personal device. The first reaction is always “how did they get my number?” - they don’t realise that spammers are typically blasting out around 8 million messages per day to random numbers. If just a few people respond then it’s a worthwhile endeavour – certainly with claim harvesting, the contact details of a legitimate phone number can be sold on for around £5 each. If the claim harvesting companies find someone who actually has had an accident, they can sell the details on to a no-win, no-fee legal firm for a further £1000.
Another issue is malware, which is beginning to appear in the Android market and is becoming increasingly inventive. There are broadly two categories. The first is the ‘deliberately malicious’, which might for example come in the form of a text message seemingly from your operator and containing a link to a security update for the phone. The downloaded application is usually a spam botnet; these are controlled by spammers, and are present on around 30% of all computers with email access. They attach themselves to a computer and send out spam from it. The tech has spread to the mobile market – once a piece of malicious software is present on a phone it can be used to send out text messages without the owner realising.
The second category is ‘hidden’ malware, in which a genuine application from an official app store is modified and placed in a less legitimate store in the hope that users will download it. Seemingly innocent downloaded apps – such as games – will then request access to phone functions that they don’t actually require, e.g. permission to send out SMS. While users may initially balk at this suggestion, they will normally go along with the app’s requests as otherwise it won’t start. Some apps will even include fine print that subtly subscribes users to expensive services which are paid for by direct debit from the phone, or send out invitations to all contacts on the phone to download the app. This further propagates the malware as people are likely to download an app that their friend suggests. Alternatively (or additionally) the phone’s details could be sent to a central command centre where it can be signed up to premium rate web services. These services always feature a secondary PIN which is sent via text, but hackers are able to intercept this, overriding the security and costing unwitting customers money.
DT: With the prevalence of mobile banking in emerging markets, could mobile malware become a serious threat to mobile finance?
AR: It’s financially worthwhile for spammers to move from email to mobile due to the billing relationship. Over the last 2 years we’ve investigated mobile spam with the GSMA, and around 70% of it is an attempt at financial fraud. In much of the developing world people have phones but no bank accounts; they use micropayment services where the system relies on SMS as the contact medium, and this can be very easily faked. Even some of the more sophisticated payment systems rely on SMS, and this leaves them vulnerable to fraud. For example, a seller will only provide a buyer with goods after receiving confirmation that funds have been transferred - if this notification is a text message from the payment service, it would be easy to deceive the seller with a fraudulent message. Therefore, it could be a big issue for the unbanked. However, as operators are moving to more open and IP-based networks, we may find that the issues are addressed.
DT: Are consumers in emerging markets more at risk due to a lack of cynicism about the internet or a strong trust in their mobile phones?
AR: Definitely – particularly with ‘lottery scams’, wherein a text is received that appears to be from a customer’s operator, telling them that they’ve won money. A text is very short, so it’s easier to make a fraudulent message look official.
DT: People are far less tolerant of receiving spam on their phones than via email. How is it viable for spammers to use mobile as a channel – at what point will consumers strike out against it?
AR: The tipping point varies from market to market. In China, subscribers in some provinces have complained of receiving up to 180 spam messages a day on their mobile phones – they can’t actually delete them quickly enough, their inboxes are filling up too quickly. They don’t however tend to do much about it – it’s not malicious, it’s just advertising.
DT: How do you see the situation improving?
AR: I believe the market is moving towards allowing people to opt in for specific types of advertising – people that trust SMS will sign up for certain types of messages, specifying the maximum number per day as well as the hours in which they’re willing to receive them. The response rates for these tailored services are very positive – people are ten times more likely to respond to a text from their operator than if it was sent by a major brand.
In our view the best approach is to stop threats while they’re in the network, particularly with regard to malware. We place a filtering solution in the network which forwards us a copy of every single message that’s passing through to a database; within 5 milliseconds we deliver a decision on whether to deliver it or not. The decision is based on a massive database called the Global Threat Network – it can trace a threat even if it’s being sent from hundreds of numbers. Even if every single message is slightly altered, there will always be something in the body of it that identifies it as an illegitimate attack.