Jan 24, 2012

Don’t Let Mobile Malware Torpedo Your Marketing Plan

[caption id="attachment_393" align="alignright" width="405" caption="More effective than a "free kittens" sign"]

[/caption] 2011 was the year in which mobile marketing became an essential tool for small-business owners who are customer-focused. It was also the year mobile malware became a big worry. A study by Lookout Mobile Security that was released in August 2011 stated that attackers are deploying techniques as insidious as taking control of people’s smartphones, racking up SMS (short message service) charges, and stealing people’s identities and making off with their data, including financial data.¹ The worry for small-business owners is that their good names and brands can be damaged if a malicious app that masquerades as theirs targets mobile users. The Lookout study gives examples of gaming apps like Bubble Buster by developer SkitApps, which cyber-thieves revised and republished on a download site where unsuspecting gamers loaded a “repackaged doppelganger” on their Android phones. Partly because of the screening process to sell apps in the Android marketplace versus Apple’s app store, Androids are more susceptible to malware attacks. Another difference is in the architecture of the operating systems, with Apple’s keeping downloaded apps in a “closed” system where they can’t access private data. Also, there are a lot more Android phones out there in the marketplace, giving the bad guys another incentive to go after them. Lookout’s study says that upwards of 500,000 mobile users were affected by malware in the first half of 2011. It’s not only gaming developers who need to worry that their apps will be hijacked. A battery-saver app and a scientific-calculator app were also repackaged by malevolent developers last year. “Repackaged apps containing malware create a crisis of trust,” the study points out. As Laurie Sullivan wrote for MediaPost about the malware threat, “One bad incident can damage a brand’s reputation, forcing marketers to design a search engine marketing (SEO) campaign to combat the bad press.”

Learn the Threats

Malicious QR codes—The black-and-white scannable squares that embed a link to your advertising or website have the potential to be hijacked by cybercriminals. This new threat was uncovered by Kaspersky Labs, an internet security firm, in September. In a report on the development, Mobile Marketer’s Chantal Tode quoted Kaspersky Lab malware researcher Tim Armstrong saying he expects to see more malicious QR code campaigns because “it is a very easy campaign to set up. … QR codes are a pretty low-level scam in regards to how technical the malicious author needs to be.”² Malvertising—Another way business owners can lose customers is when malicious programmers create what look like innocent ads that, when clicked, send customers to a bogus website to download malware. The Lookout study cited a case where a website imitated the Android Market site and the customer’s mobile device got a “drive-by download” (an automatic download of a malware app, in this case GGTracker, whose aim is to sign users up for premium messaging, running up high charges). Lookout calls GGTracker “the first mobile malware that steals money from users in the U.S.” (many malware products originate in Russia and Eastern Europe before moving, in more sophisticated form, to North America). Mobile payments using SMS are on an upward trend because they facilitate all sorts of transactions. Juniper Research reported that $170 billion worth of SMS charges in 2010 will likely grow to nearly $630 billion by 2014.³ That makes SMS a tempting pot of gold for criminals. The electronic device security industry is aware of sophisticated work on the part of malware creators, whereby customers actually authorize premium SMS charges, because the requests are hidden deep in the “Terms of Service” or other fine print that almost no one reads before completing a download.

Watch out and Be Watched

Security providers (like Symantec and McAfee) that have fought viruses and phishing scams on PCs suggest that the same sort of vigilance from users that is now fairly routine on desktops and laptops will keep users’ data safe on mobile devices. Tony Bradley, chief marketing officer at Zecurion, a data protection company, wrote in a PCWorld article, “Mobile operating systems have enough security in place that apps generally have to request permission to access core functions and services of the device. Think about the permissions you are granting before you just tap and blindly accept them. Does that Sudoku app really need access to your contacts, camera function, and location information?”⁴ Meanwhile, the big search engines are watching for malware and will flag your advertising if it is associated with a site where users’ devices can become infected. In a post on the Webmaster Center blog at Bing, users can get some insight into what it means to be flagged as malware and what you can do about it.⁵ For more information, visit: 1. “Mobile Threat Report” 2. “Malicious QR Code Campaigns Threaten Legitimate Marketers” 3. “Press Release: Mobile Payments Market to Quadruple by 2014, Reaching $630 Billion in Value, Although Still Only Accounting for Around 5 Percent of Ecommerce Retail Sales” 4. “Five Tips to Avoid Malware in Mobile Apps” 5. “Getting Flagged as Malware? Some Insights”