Enterprise: Deploy MAM or MDM solutions with policies that prohibit the side-loading of apps, which may bypass security checks on the app.
Enterprise: Deploy MAM or MDM solutions with policies that prohibit the installation of apps from 3rd party (unofficial) app stores.
Mobile Device User: Use Android Verify Apps feature to identify apps that may intercept SMS messages.
Enterprise: Perform application vetting to identify inappropriate behaviors by apps including interception of SMS messages.
Enterprise and Mobile Device User: Avoid the use of applications that rely on SMS messages for 2-factor authentication.
Enterprise: When stronger 2-factor authentication methods are available, such as FIDO U2F tokens, educate enterprise users to avoid the use of SMS messages for configuring 2-factor authentication for enterprise applications.
Enterprise: Use application threat intelligence data to identify apps that increase risks associated with SMS message interception.
Mobile App Developer: Avoid the use of SMS messages for 2-factor authentication.
Y. Zhou and X. Jiang, “Dissecting Android Malware: Characterization and Evolution”, in Proceedings of the 2012 IEEE Symposium on Security and Privacy, 2012, pp 95-109; http://ieeexplore.ieee.org/document/6234407/?arnumber=6234407 [accessed 8/25/2016] ↩
C. Zheng, et al., “New Android Trojan XBot Phishes Credit Cards and Bank Accounts, Encrypts Devices for Ransom”, blog, 18 Feb. 2016; http://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/ [accessed 8/25/2016] ↩
R. K. Konoth, V. van der Veen, and Herbert Bos, “How Anywhere Computing Just Killed Your Phone-Based Two-Factor Authentication”, Proceedings of the 20th Conference on Financial Cryptography and Data Security, 2016; http://fc16.ifca.ai/preproceedings/24_Konoth.pdf [accessed 8/25/2016] ↩