Skip to content

Mobile Phishing: A Problem on the Horizon

Mobile phishing is an emerging threat targeting the customers of popular financial entities. By the end of 2012, we already saw 4,000 mobile phishing URLs, representing less than 1% of all our phishing URL detections. Of the total combined URLs used in phishing attacks against the top targeted entities, 7% were mobile URLs.


Cybercriminals launch mobile phishing attacks because they can take advantage of certain limitations of the mobile platform. A mobile device's small screen size, for example, inhibits the mobile browser's ability to fully display any anti-phishing security elements a website has. This leaves users no way to verify if the website they're logging in to is legitimate or not. A study from the staff of Georgia Tech University in Atlanta cited this inability to display security elements as a critical security flaw in most of today's popular mobile browsers that made them unsafe. As seen in Figure 1, a legitimate PayPal mobile site URL (right) looks similar to a phishing page discovered by TrendLabs researchers (left) on a small screen.


Another limitation is the permanent default browsers preinstalled on certain phones. Their ability to automatically start up and display links the user opens makes it easier for cybercriminals, who now only have one browser to exploit instead of many.


Fake PayPal for mobile vs. legitimate site


Despite these limitations, the mobile platform has some advantages that lessen the concern of mobile phishing at this time. For one thing, the platform allows phishing targets like online shopping and banking sites to develop their own apps for customer use. Provided there's an absence of spoofed apps and a mechanism for continuous updates, these legitimate apps facilitate more secure exchanges of information between organizations and their customers. Mobile browsers are also becoming more powerful, able to process and run complex scripts. Websites that require login details may soon take advantage of this fact to implement better security measures.


The enduring popularity of desktops also takes away from the risk of mobile phishing. Users still prefer desktops and laptops over mobile devices to do complex tasks. Current browser usage stats trace 87% of global browser usage to desktops and the remaining 13% to mobile devices in November 2012.


While these advantages stun the emergence of mobile phishing as a formidable threat, it must be reiterated that this is only temporary. A recent Juniper Research study indicates that over 1 billion users will use their mobile devices for banking purposes by 2017. As we've previously noted, the direction of cybercrime is heading toward the "post-PC" era. Cybercriminals follow where the users and their money go. Soon, cybercriminals will catch up with the organizations and users' shift to mobile computing.


Avoid the Hook


Keep these in mind to protect against mobile phishing:

  • Avoid opening links in emails, particularly from suspicious or unfamiliar senders. Always verify the legitimacy of the email messages you receive
  • Use official apps. If the website you're trying to log in to has an official app you can use, use it instead of a browser.
  • Check the permissions of all the apps you download. Some apps may be asking for too much and could violate your privacy. Check out our e-guide about this subject, "When Android Apps Want More Than They Need."
  • Manually type in the URLs of the websites you want to visit then bookmark them for future visits. This eliminates typographical errors in the URL that can direct you to a phishing website.
  • Install a security solution. Trend Micro™ Smart Protection Network™ helps protect mobile users with its Mobile App Reputation technology, which dynamically collects and rates mobile apps not just for malicious activity, but also for resource usage and privacy violations.


Mobile Phishing Site 2012


Top Targeted Websites


Threat Spotlight: Data Stealers


One of the more prolific mobile malware we encountered in 2012 was the data stealer, which does what its name states, steal information. It made up nearly a quarter of all the malicious samples we collected last year.


Once data stealers are introduced to a user's mobile device—either mistaken for legitimate apps, or downloaded by existing malware on the device—they run quietly in the background, collecting specific data. Some of the most common data stolen are:

  • Application programming interface (API) key—a value that authenticates service users
  • Application ID
  • International Mobile Station Equipment Identity (IMEI)—a number used to identify mobile devices
  • International Mobile Subscriber Identity (IMSI)—a number used to identify network subscribers
  • Location
  • Network operator
  • Phone ID and model
  • Phone number
  • Text messages
  • User contact list


The information stolen by this type of malware may be used for malicious purposes depending on the data's form and content:

  • Recorded phone calls can lead to blackmail
  • Location tracking can endanger victims' safety and personal possessions by making them more vulnerable to stalking and robbery
  • Stolen text messages that contain personal details can lead to the compromise of victims' financial accounts
  • Stolen mobile device details can help cybercriminals develop socially engineered SMS spam attacks or scams
  • Stolen phone numbers or contact lists can lead to more scams, spam, or infections


Such stolen information also benefit cybercriminals by being tradable commodities. For instance, stolen U.S. credit card numbers can sell for US$1–3 each, while those from other developed countries (Europe, Australia) are charged US$3–8. Bank account credentials can fetch around US$25–35.


The extent of user information a cybercriminal can purchase goes beyond that. Underground forums sell complete records of victims, known as "fullz," for as little as US$5 each. A typical "fullz" contains not only the credit card numbers and names of victims, but also more personal information like their birthdays, driver’s license information, social security numbers, and even the answers to their security questions.


A point to consider here is while the consequences of being affected by a data stealer are considerable, infection requires the download of a malicious app to set off the chain of events. As such, exercise extreme caution when choosing which apps to download onto your mobile device to stay safe.


Notable Data Stealers


Connect with us on