The new malware is designed to target the “smartphones of business, government, and embassy officials around the world.” Hackers first send a spearphishing email claiming to be a “What’s App” application update to select users in 37 countries. Then, if a user clicks the link, it downloads an Android, Blackberry, or iOS version of the app infected with the malware.
Once installed on a smartphone, the malware records calls made by the user and then drops them at various Internet addresses. The system is complex, involving encrypted instructions on hacked blog posts for the malware to deposit the data on compromised web pages.
The high-level malware is able to cover its tracks and hide the identity of the hackers. “If anything is wrong or the system is not configured just right, this malware detects it, quietly backs off, doesn’t make any errors, cleans itself up and is gone,” says the senior malware researcher. Mark Anderson “Cyber Espionage Malware Taps Smartphones, Sends Chills,” spectrum.ieee.org (Dec. 29, 2014).
Commentary and Checklist
Malware can go undetected for months, all the while stealing your most valuable and sensitive data and sending it to hackers thousands of miles away. A malware attack can cost an organization hundreds of thousands of dollars, as well as countless hours trying to repair the computer system and your reputation.
Educating all employees on the dangers of malware is essential.
Teach employees the following to help prevent a malware attack:
- Respond quickly if you receive reports of spam coming from your account.
- Install security software, including anti-virus and anti-spyware software, and pop-up blockers.
- Maintain a firewall on all computers and devices.
- Set your security software, Internet browser, and operating system to update automatically.
- Back-up your data regularly to prevent lost data if your computer becomes infected and crashes.
- Set your browser’s security setting to detect unauthorized downloads.
- Do not select links or open any attachments in emails unless you are familiar with the link or attachment.
- Only download and install software from trusted websites.
- Avoid downloading free online software.
- Never select any links in a pop-up window.
- Never download software in response to an unexpected pop-up, especially if it claims to have detected malware on your computer.
- Remember that most legitimate organizations will never ask for personal or account information through email.
- Never respond to spam.
- Never reveal personal or financial information in response to an email request.
- Use common sense. If an offer sounds too good to be true, it probably is.
- Confirm requests for information by contacting the sender by phone, using the number on an invoice or legitimate email.