With Google Inc.’s Android mobile operating system increasingly finding itself in the sights of malicious software, Canadian banks are facing a new enemy on the mobile frontier.
Reports of Android malware have increased sharply in recent months, with Juniper Networks reporting that as many as 55 per cent of Android applications are not what they seem. It’s a disturbing trend, but financial information is not being targeted in a significant way, say banks and industry experts. At least, not yet.
“We’re constantly monitoring all these threats that are out there,” says Vinay Venugopal, head of IT strategy at ING, the first bank in Canada to offer cross-platform mobile banking. “We keep a close eye on things.”
The company keeps abreast of the latest news, both good and bad. So far, ING clients haven’t reported significant Android security breaches. But Venugopal says the popularity of the technology means new forms of mobile fraud are at our doorstep. “We see mobile as being the channel of the future, especially with the prevalence of tablets.”
James Quin, lead research analyst at InfoTech Research Group Ltd., estimates there has been a 400 per cent increase in Android malware in the first half of 2011. However, he says the figure needs to be seen in context.
“A 400 per cent growth is this big, honking, scary-sounding number, but bear in mind that it’s a very small start point and still a very small end point,” he said. “You go from one piece of malware to four pieces of malware, and it’s a 400 per cent growth. That being said, it is an explosive growth rate and I see nothing to indicate that it’s going to slow down.”
The Royal Bank of Canada is a more recent entrant to the mobile banking scene, having launched its Android application this past October. It was downloaded more than 50,000 times in the first few weeks, says Sharad Ojha, head of Mobile Channel Strategy at RBC.
But Ojha acknowledges that the company now faces a new security challenge.
“As mobile banking continues to grow, it is expected that there will be an increase in the number and types of attacks on the platform,” Ojha said. “RBC continually adapts and tunes our fraud controls to ensure a safe and secure platform.”
“It is far easier to write software for it. It’s easier to write for it, it’s easier to post and publish that software, it’s easier to get that potential malware onto that end device.”
Patrick Szeto, a senior consultant at Security Compass, a Toronto-based company that tests and develops mobile security systems, says Android banking applications in themselves are no less secure than ordinary Web applications.
“With mobile banking or just online banking, the risks are pretty much the same for the end user,” he says. “To the bank, it doesn’t really matter if you’re on a mobile device or sitting at home.”
The real risk, he says, is in malicious software downloaded onto the devices, whether wittingly or unwittingly.
“The majority, I would say, of the risk involved in using mobile banking is not with the actual banking application, but with other applications residing on your phone.”
Fake banking applications are not the only threat.
“You have a class of things that we’ve seen out there that are designed for SMS intercepts relevant to your banking,” he said. So far, he says, they haven’t turned up very often. “It’s been relatively limited. There’s yet to be any evidence that it’s been used on a large scale.”
In the meantime, says Max Veytsman, another consultant at Security Compass, Android is becoming more secure. With the new Ice Cream Sandwich OS, Android users will have a few new security features, such as being able to encrypt all their data. And open-source platforms can constantly be improved, he says.
“I think that in the future we’ll see corporations or individuals putting out a very secure build of Android.”