The world barely noticed the news this week from cyber security specialists Kaspersky that a cyber attack on banking apps in Brazil was about to go global.
A hacker group called Guildma is using a banking “Trojan” that lures victims into installing the malicious file through an e-mail that implies they owe money. If victims click on a link that will supposedly give them more information about what they owe, the link activates the installation of the malware, which is then able to spy on at least 153 different mobile apps, mainly from banks and other financial services.
It is still a hidden scourge, with the potential of wreaking as much financial hardship as the Covid-19 pandemic.
However, it will come as no surprise to organisations like mobile technology company Upstream, which warned in September that it had detected malware on 1.7-million SA mobile devices using its service in 2019.
It will also be no surprise to executives at HMD Global, makers of Nokia phones, who have been warning for several years that security has to be a central feature of mobile devices. The revived Nokia brand prides itself on running on “stock Android”, meaning the pure or “vanilla” version of the Android operating system, developed by Google. Most phone makers install their own “skin” or user interface.
The drawback of those skins is that, every time Google updates Android, users have to wait for manufacturers to update their skin – and that includes security updates. Given the global efforts by hackers to find vulnerabilities in smartphones, this leaves consumers open to attack while they wait for Google’s security fixes, patches and updates to be rolled out to their phones. Since its relaunch in 2017, the full Nokia range has received updates automatically and immediately they are issued by Google.
“Having that pure, secure and always-up-to-date platform is really important for us and for our consumers,” says Justin Maier, vice-president of HMD Global for Sub-Saharan Africa. “We have thought all along that security is going to be really important, but consumers hadn't caught up with it. For many consumers, it's more important to have the biggest screen than the most secure device. But I think that will change.”
There is an added benefit to Nokia’s commitment to vanilla Android: it is able to guarantee full security support for its devices far beyond the traditional lifespan of smartphone upgrades. For example, the Nokia 3, first launched in 2017, will still receive automatic updates throughout 2021.
Patrick Henchie, HMD head of product and operations for Sub-Saharan Africa, says: “A four-year commitment to keeping a device relevant is pretty being impressive. Especially for a device that sold in SA for under R3,000. This commitment and investment is made not only on flagship devices, but across the entire portfolio, from flagship all the way to affordable, entry-level smartphones.”
Security, says Henchie, is like a security blanket.
“You never know how much you need it until you need it. That's the big thing. Every month when we release a security update, it’s associated with an Android service bulletin. In the past, a lot of the vulnerabilities the bulletin reported were theoretical, or had been proven only in a lab. But now you're talking about how many devices have actually been affected and why those devices have been affected. And the reason they've been affected is because users haven't had a route to update their devices. The security patches just haven't been available.
“We would love for those vulnerabilities not to exist, but unfortunately there are elements out there who are going to try and take advantage of people. As we move more to this world where banking is almost ubiquitous across mobile devices, what greater motivation is there for criminals, when we're dealing with finances and the data that is on people's mobile phones? The majority of attacks in recent years have been as a result of people not having correct security updates on their devices or their browsers.”
That doesn’t mean every non-pure Android phone is about to be attacked, but it won’t be for want of trying by the likes of the Guildma gang.
• Arthur Goldstuck is founder of World Wide Worx and editor-in-chief of Gadget.co.za.
