
White paper

Keep mobile shopping safe: Threats and solutions

Contents
Executive summary
Introduction
The smartphone explosion
Malware for mobiles
Mobile shopping made safe

Executive summary
Consumers are using their mobile devices anywhere, any time and, increasingly, for online banking and shopping. While
mobile transactions are convenient, there are a growing number of threats to such sensitive data passed over a mobile
network.
Mobile vulnerabilities increased by 93 percent in 2011 [1], and there has been a rise in threats aimed at the Android operating
system [2]. Hackers are targeting consumers and businesses with methods such as data collection, tracking and sending
content. The consequence of security breaches is a loss of consumer confidence and trust, which results in lost business.
However, with a secure mobile strategy that includes SSL certificates, organisations can protect their customers, providing
safe online shopping services and giving their customers confidence that their sensitive data is protected.
This white paper looks at recent research from Symantec to highlight the importance and ubiquity of mobile and the
impact it is having on business. It will touch on the browser-based types of mobile malware threats, and then focus on why
businesses must take responsibility for mobile security and protecting sensitive data, using SSL as part of a secure mobile
security strategy.

[1] Symantec Internet Security Threat report, 2011
[2] State of Mobility Survey EMEA, Symantec, 2012

Introduction
Shopping online has been commonplace for 10 years or more, but only recently has mobile shopping, or m-commerce,
gained in popular use, driven by the explosion in the number of smartphones in people's pockets and handbags. As well as a
growth in the numbers of devices, this has resulted in an explosion of mobile data [3].
However, the growth of platforms such as Android has been accompanied by a growth in malware that takes advantage of
the way that the mobile market has coalesced around a small handful of operating systems [4].
The result has been a rise in security breaches, which can result in a loss of trust in mobile devices and in making
transactions online. When people cannot be sure about the identity and security of the mobile shopping sites to which they
connect, they will stop using them.
In order to build and maintain customer confidence in your mobile shopping sites, your business will benefit from a security
solution that can help protect sensitive data and alert you to potential hacks and attacks. Trusted solutions such as SSL
encryption and real-time malware scans can add to an all-round security package.

[3] Mobile and UK Web traffic, Tecmark, 2011 [PDF]
[4] Worldwide Mobile Device Sales to End Users by Vendor in 1Q12 (Thousands of Units)

The smartphone explosion


Smartphones, tablets and other mobile devices are rapidly becoming the standard way of accessing online services.
Over four billion such devices are in use today, and their owners depend on them for financial transactions, for business
operations and for personal connections. Some people never use a desktop Internet access device [5].
A growing proportion of those devices are being used not just for shopping but also at work for business purposes. While
their usefulness is seen as outweighing their potential risks, a recent survey [6] of IT managers said that security is top of their
list of concerns about such devices. In particular, they are concerned about device loss, data leakage, unauthorised access
to corporate resources and malware infection. One in four respondents felt that the risks of mobile computing are somewhat
high to extremely high, and they identified the fastest growing risks as spam, phishing and malware.

Businesses large and small are seeing damages as mobility-related security issues increase. Source: Symantec State of Mobility Survey EMEA, 2012.

Their security concerns are justified. Businesses large and small are seeing damages as mobility-related security issues
increase. They have suffered a variety of losses, measured by lost productivity, direct financial expenses, and loss of
data. Within the last 12 months, the average cost of these losses was $247,000 globally, but $259,000 in EMEA [7]. Large
enterprises and small businesses are largely experiencing the same kinds of loss, but to a very different degree: globally,
small businesses averaged $126,000 of loss, while enterprises averaged $429,000 [8].
Nearly one-third (30 percent) of all IT leaders report their company has experienced a security threat as a result of personal
mobile devices accessing company data [9].

[5] The Mobile Only Internet Generation. OnDevice Research, 2010
[6], [7], [8] State of Mobility Survey EMEA, Symantec, 2012
[9] Trusted Mobility Index, Juniper, 2012

Malware for mobiles


Such threats result from the rise of mobile malware, which has accompanied increased smart device use. This is an entirely
predictable development in the light of experience of the malware threat landscape for desktops and laptops.
Using PC malware's evolution as a basis, there are three required
factors before a major increase of mobile malware will occur: a
widespread platform, readily accessible development tools, and
sufficient attacker motivation, which is financial [10].
The growth of Android as the world's most popular mobile
operating system (OS) makes it an increasingly attractive platform
for malware authors, and its growing market share parallels the
rise in the number of mobile threats during 2011 [11].
Android is also an open OS, so it is easier for developers,
including malware authors, to write and distribute applications.
In particular, the lack of either a single Android marketplace
for apps or central control over what is published makes it easy
for malware authors to create Trojans that are very similar to popular apps, even although Android users must explicitly
approve the set of permissions that is outlined for each app [12]. However, when
presented with a long list of permissions in small print, most users tend to just
hit "I agree" without reading the detail, which can make it easy for malware to be
downloaded along with the app.

The number of variants of mobile malware attacks is currently rising faster than the number of unique families of mobile malware. Source: Symantec Internet Security Threat Report, 2011

The rate of mobile device vulnerabilities is increasing, with Symantec documenting
315 vulnerabilities in mobile device operating systems in 2011, compared to 163 in
2010, an increase of 93.3 percent [13].
Types of threats
The most common activities of such malware are collecting device data, spying
on the user, and sending premium rate SMS messages. In 2011, we saw malware
families, such as Opfake, migrate from older platforms to Android. Opfake
masquerades as various apps and content, including an installer for the Opera Web
browser and a pornographic movie, and demands payment for the app
or content through Short Message Service (SMS) messages. The latest strains of
Opfake have used server-side polymorphism in order to evade traditional signature-based detection [14].

The most common activities of such malware are collecting device data, spying on the user, and sending premium rate SMS messages. Source: Symantec Internet Security Threat Report, 2011

Mobile devices are also vulnerable to the kinds of browser-based attacks found in
desktop machines. One example is malvertisements: pop-up windows that
look like advertisements, especially those warning of the possibility of the device being infected and inviting users to click
on them. If a user is alarmed enough to click on this so-called scareware, the site to which they are directed may attempt to
infect their machine or extract money from the user for removing non-existent threats from their device [15].

[10] Motivations of Recent Android Malware, Symantec, 2011
[11] Gartner, May 2012
[12] Internet Security Threat Report, Symantec, 2011
[13] Threat Activity Trends, 2012, Symantec
[14] Android.Opfake In-Depth, Symantec, 2012
[15] Malware threat landscape, Symantec, 2012

Another example is drive-by downloads. These applications download unwanted and malicious code after being granted
permission by the user to install an application, sometimes without checking its permissions thoroughly, or after a user has
clicked on an ad or a malicious browser link.
Loss of confidence and trust
The nature of mobile devices amplifies the danger of such malware. A smartphone is an intimate part of an individual's life;
it stores all kinds of personal, private information, making it an attractive target. At the same time, people routinely allow
apps to track their locations and activities, often without fully checking their functionality [16]. This behaviour can open the
door to infection, such as drive-by downloads.

Service              Moderate confidence (%)   Little to no confidence (%)
Online banking       51                        16
Healthcare services  44                        20
Online shopping      60                        18
Business email       45                        13
Social networking    36                        39

Source: Trusted Mobility Index, Juniper, 2012

The consequences of this growth of malware for mobile
commerce could be a significant loss of business as a result
of reduced confidence. Users already have wavering trust
in mobile devices. In Germany, for example, 24 percent of
consumers said they had no confidence in mobile devices,
although globally, 63 percent said they were undecided on the
question [17].

A substantial proportion of shoppers in the United States,
the United Kingdom, Germany, China and Japan have little to no confidence in many commercial services on offer. Banks
have made the most effort to demonstrate to their customers that they take online security seriously, yet the result is only a
modest uplift in the perceived level of security [18].
Most consumers (63 percent) also hold businesses accountable for protecting their sensitive data. Additionally and
interestingly, nine out of ten said that employers should protect mobile devices [19].

[16] Trusted Mobility Index, Juniper, 2012
[17], [18], [19] ibid.

Mobile shopping made safe


As indicated above, your business could be adversely affected by this growth of mobile malware and the resulting loss of
confidence in online transactions, especially if you offer online shopping services. The key to retaining confidence is to take
responsibility for threats to mobile devices and for protecting your customers' sensitive data. This means building secure
and trusted sites, which then help to attract more customers and give them confidence to complete their transactions. In
practice, it requires you to demonstrate that your sites are free from malware, secured against attacks, and that the sites'
identities are never in doubt.
Sustained, proactive security
Your customers will look for trustworthy signs, such as symbols or security indicators in the browser address bar while
shopping online. These symbols indicate a legitimate site and denote the use of highly secure Extended Validation (EV) SSL
Certificates, which provide a strong line of defence and allow
customers to shop at your website with confidence.
Secure Sockets Layer (SSL) technology enables the encryption
of sensitive online information, such as your customers' logins
and personal details. A Certificate Authority (CA) establishes
your mobile shopping site's credentials by verifying unique
information about your business. Providing a more rigorously
audited authentication method, EV SSL Certificates are a strong
line of defence and allow customers to shop at your website
with confidence. Symantec offers EV SSL Certificates as a highly
reliable choice for website security.
Additionally, Symantec has developed Code Signing for Android,
a cloud-based service with the aim of helping application
developers to follow best practices. Symantec offers a secure
code signing portal for use throughout the authentication
process, ensuring the storage and protection of the signing
keys. Symantec will also safely store signed apps if developers
wish, keeping apps and app versions safe and eliminating the worry
of lost code if on-site servers or systems go down. These added layers of security and authentication help to vet the serious
developers from those with more malicious tendencies.

While shopping on a Windows Phone, Android device or iPhone, certain symbols or security indicators indicate a legitimate site and denote the use of highly secure Extended Validation (EV) SSL Certificates.

Real-time, proactive security
Shopping sites rank high in lists of websites carrying browser exploits, such as drive-by downloads, and a typical site may
have thousands of potential vulnerabilities that shift as the site changes. From a technology standpoint, real-time defences
can quickly identify potential entry points through which a website's functionality or data can be damaged, downloaded or
manipulated. An automated scan and report of a site's vulnerabilities and possible threats to it can act as a complement to
your existing protection.
A vulnerability assessment system should be able to identify commonly-targeted weaknesses on your mobile shopping
website and report on them. Vulnerability reports should categorise the issues based on type and risk, and propose
corrective actions. This helps you quickly identify and remedy critical safety issues, making it easier to secure your website.
Symantec provides a free Vulnerability Assessment tool with its premium SSL Certificates.
Malware scanning is another way to help protect your mobile shopping site in real-time, alerting you if your website
becomes infected with malicious software. Malicious code can be hidden in the source code of your website and can be
difficult to detect without line-by-line analysis. It can also result in your site being blacklisted or excluded by search engines.
This protection should be deployed in addition to traditional anti-malware software, which focuses on the client device. Most
scanning solutions are designed to protect employees from downloading or installing malware rather than protecting the
company's website from distributing malware. Symantec's Web site malware scanning service, also included with its SSL
Certificates, will inspect your mobile shopping site on a daily basis, providing a list of infected pages and notification of the
code causing the problem, so that you can then apply a suitable remedy to the site.
Conclusion
With an all-round approach to Web site security, especially shopping sites, your business can establish and maintain online
trust while keeping the hackers away. Worldwide mobile spending online is due to top $171.5 billion in 2012 [20], up 61.9
percent over 2011, so maintaining your online reputation is of paramount importance. By using a complementary service set
such as SSL encryption, vulnerability assessment and malware scanning, you can detect, identify, alert and defend against
potential problems, protecting your customers and your reputation.
The additional levels of reassurance and trust that such a service set creates will allow visitors to your mobile shopping
website to click with confidence, which in turn can help increase conversions and improve your business results.

[20] Press release, Gartner, 2012

More information
Visit our website
www.verisign.co.uk
To speak with a product specialist
Call 0800 032 2101 or +44 (0) 208 6000 740
About Symantec
Symantec is a global leader in providing security, storage and systems management solutions to help consumers and
organisations secure and manage their information-driven world. Our software and services protect against more risks at
more points, more completely and efficiently, enabling confidence wherever information is used or stored.
Symantec (UK) Limited
350 Brook Drive, Green Park
Reading, Berkshire
RG2 6UH, United Kingdom

© 2012 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, the Checkmark Logo, Norton Secured, and the Norton Secured Logo, are trademarks or registered trademarks of
Symantec Corporation or its affiliates in the U.S. and other countries. VeriSign and other related marks are the trademarks or registered trademarks of VeriSign, Inc. or its affiliates or subsidiaries in
the U.S. and other countries and licensed to Symantec Corporation. Other names may be trademarks of their respective owners.
