The battle has been won, but the war is not over: A study of the end-user remediation of mobile phone users infected by smishing-based malware and the misalignment thereof

Abstract

Mobile phones are playing an increasingly significant role. The surge of services and tasks performed on mobile phones is accompanied by an ever-increasing amount of personal data about the owner. This has made mobile phones ideal targets for cyber criminals and has translated into an increase in malware targeting mobile phones. Social engineering threat actors have very effectively adopted SMS texts, which phone users universally trust, as the delivery channel for Flubot, a new and very dangerous malware. The malware spreads through SMS texts and secretly harvests personal and financial information. Because of the novelty of the malware and its tactics, academic and industrial knowledge is very scarce on how to remediate such infections and how best to involve victims.
This research is focused on a better understanding of how the remediation has influenced the impact Flubot has had on victims and on smartphone users in general. A quantitative research approach, based on a survey of victims within a large Dutch telecom provider’s client database, is used to gain this understanding. This is aided by desk research, an interview with an active case of Flubot and expert input (from people employed by telecom providers and governmental bodies). The results from these research methods are put into context by making use of the Fogg Behavior Model, to better understand what might trigger certain target groups to remediate the infection or not. The larger environment Flubot functioned in is analysed too, as it developed over time and by June of 2022 had been taken down.
This research has found that the detection methods used against Flubot, before it was taken down, were ineffective in detecting and stopping the spread of the malware. This is a result of a misunderstanding of the more recent workings of Flubot and a larger incorrect presumption that there was no urgency to do much about the malware. Furthermore, in the remediation process some important issues are unclear or unaddressed for victims, leading to a situation where it is often not clear what might have caused the infection or what can be done to prevent a future infection. It is important to prevent further infections, as similar malware does exist, functioning on similar principles, and there is a chance that Flubot might reappear.
The research is based on victims, and no target group was reached that had not been victimised. This makes for a possibly skewed understanding of the situation, which should be researched further. The data has been gathered through one of the largest telecom providers of the Netherlands, which is not necessarily representative of the whole Dutch industry. Researching other telecom providers in and outside the Netherlands could provide a more comprehensive understanding. The research has led to recommending an adaptive notification system and improvements to the notifications currently used.