It's easy to overreact to new cyber threats, but as ThreatPost reports, a piece of fledgling Android malware is pretty much a brain virus that might create an army of infected zombie smartphones that will attack eight of Korea's biggest banks. Okay, maybe that is a bit of an exaggeration. But only slightly.
This new malware (called Trojan-Banker.AndroidOS.Wroba.m) is a remote access program that has been targeting smartphones in Korea and stealing their data. But experts think the malware is only lying in wait. The true purpose of the smartphone malware is to gain access to mobile banking apps, and eventually, it will steal money from the thousands of users who have this app in one coordinated attack.
The malware is ingenious. It has the innocuous name "Google Services." The first move it makes is to disable an antimalware function that is commonly bundled with eight of Korea's most popular banking apps. Once the smartphone's defenses are down, the app harvests user data and contact lists and positions itself to remotely access user bank accounts through mobile banking apps.
What New Mobile Malware Threats Mean for IT Consultant Liability
Fortunately for IT consultants in the States, this new malware has only targeted users in Korea. But researchers are surprised by the ingenuity and sophistication of the attack and warn that it's a sign of a new wave of mobile malware.
For a hacker, remote access – when cyber criminals are able to make your phone do what they want – is the pinnacle of malware because it means they can make your device send them money or do anything else their black hearts desire. As mobile malware grows more sophisticated, it could expose your clients to a greater risk of a data breach.
It's easy to get lost in the technical details of malware and forget about its monetary effects. Let's look at a couple of scenarios in which malware like this could lead to a lawsuit filed against an IT consultant:
- BYOD liability. An IT consultant installs the network at a client's new office, but network security is compromised when a client logs on to it using their personal mobile device (which contains malware). In the lawsuit, the client alleges that the consultant should have taken more precautions to limit bring-your-own-device vulnerabilities. (For more on BYOD liability, see our analysis in "What Google's Investment Means for the Future of BYOD.")
- Tablet hack. A local boutique uses tablets as its cashier / point-of-sale device. However, mobile malware on the tablet is able to breach the company's digital banking and customer sales records. The boutique sues the IT contractor who recommended the system and set it up in-store.
- Flawed antimalware. An investment firm hires an IT project manager to oversee security on its computers. The PM installs antimalware, which unfortunately doesn't pick up a new sophisticated attack. The firm's computers are infected. Its data is compromised and customer investment records and bank accounts are exposed. The firm sues the IT project manager for damages to its reputation and other costs related to the data breach.
Any of these lawsuits could easily last over a year and rack up hundreds of thousands of dollars in legal expenses and damages. It all comes down to this: malware could end up costing you a lot of money.
As mobile malware continues to evolve, many antimalware programs and security features will lag behind. As you know, no security software is 100 percent bulletproof. There's always some risk of attack – especially with new, unknown malware. These risks are compounded when workplaces allow employees to bring their own devices to work.
In addition to keeping up with new attacks and updating security software, IT consultants should invest in Professional Liability Insurance, which covers the cost of lawsuits.
This insurance (also called Errors and Omissions Insurance) can cover lawsuits over simple client disputes (like missed deadlines) as well as data breaches, BYOD liability, and third-party software flaws, where you are held responsible for the software or services you recommend to a client.
For a ballpark cost estimate on Professional Liability Insurance for IT professionals, see our sample IT insurance quotes.