Mobile devices have become enticing targets for criminals around the world, so much so that an underground industry has begun to grow to support malicious activity aimed at those devices, according to a report released on Wednesday by the Anti-Phishing Working Group (APWG).
"In a 'post-PC era,' mobile devices increasingly present an attractive, practical and economical alternative to traditional desktops," said the report, "Mobile Threats and the Underground Marketplace."
"In the coming years," it continued, "global mobile payments are predicted to exceed $1.3 trillion, moreover, presenting a mother lode of opportunity for cyber crime gangs who appreciate the vulnerabilities of these peripatetic communications and computing platforms."
The purpose of the report is to provide a comprehensive look at the criminal infrastructure growing around mobile fraud, noted APWG Chairman Dave Jevans, who is also chairman and CTO of Marble Security.
"When you look how that underground economy works, you can see a big infrastructure being built for mobile electronic crime," he said in an interview.
That infrastructure is being created much faster than it was for PC fraud. "It's growing at least five times faster," Jevans said. "What took 10 years for PCs is going to take 18 months to two years for mobile."
Some of the mobile crime infrastructure is being built on the existing components of the PC crime network. For example, "bulletproof" hosts used to host phishing sites and malware distribution are now used for hosting Android malware, mobile toolkits and SMS phishing.
"A large part of the infrastructure providers for electronic crime over the last 10 years are merely adding mobile into their mix so everything is moving much more quickly," Jevans said.
This has been a natural progression of the underground arms bazaar, said Tom Kellermann, vice president of cyber security for Trend Micro. He said the trend in mobile crimeware began six or seven years ago when the Asian and European banking communities decided to push mobile banking initiatives.
"You began to see traditional crime kits like Zeus, SpyEye and Citadel add mobile variants," he said in an interview.
Mobile devices can be more vulnerable to man-in-the-browser attacks because not only do they have web browsers, but their apps act as mini web browsers by interacting directly with the Web.
"The browsers in the mobile devices become the Achilles heel because they're providing the session for the authentication to occur, which is why there are so many successful man-in-the-browser attacks that are focused on mobile platforms," Kellermann said.
Another aspect of many mobile devices that makes them easier for cybercriminals to exploit is their small screens. "That means you don't see the hints and the clues you'd get with a desktop or laptop that something is wrong with what you're looking at," said Tim Chiu, director of product marketing for security for Blue Coat Systems.