The coronavirus, known as COVID-19, has caused thousands of deaths and has had a big impact on organisations and individuals across the world. It affected us from different aspects such as economic policy, medical and health, psychology, education, crisis management, insurance policy, and cybersecurity as well.
Currently, there is a high demand and a sharp increase in the usage of social media platforms, mobile applications (apps), and online meeting applications either for education, leisure, business, banking, food delivery, product purchasing, or donation.
In Malaysia, more people are online now, and based on CyberSecurity Malaysia statistics 2020, 82.5% of cybersecurity cases have spiked during the Movement Control Order (MCO) and mostly on fraud, intrusion, and cyber harassment. Verizon statistics (2020) showed that 71% of cybercrime attacks such as two-factor authentication exploitation, bitcoin scams, credential theft, smishing, phishing, ransomware, fraud, and identity theft were financially motivated and 28% involved malware.
Furthermore, with the rapid development of mobile apps to track COVID-19 in the United States, Israel, South Korea, and China, we saw an increase of cybercrime attacks on these mobile apps, online applications, and businesses and cybercriminal groups exploiting COVID-19 for malicious ends.
In 2020, Emotet Trojan successfully exploited the COVID-19 pandemic scenario by impersonating a state welfare provider and spread via infected Microsoft Word document in Japan. In 2018, Trojan-Banker.AndroidOS.Asacub infected more than 250,000 victims worldwide. AppleJeus masquerades as legitimate apps and infects its target via the supply chain in cryptocurrency traders.
The malware exploited victims’ mobile phones via legitimate mobile apps where they embedded it with malware. It is predicted that these exploitations will last longer, even after the end of COVID-19.
It is our daily basic need to have a secure and private life. With the increase in the number of COVID-19 cases, the government management of COVID-19 outbreaks with the support of public users is significant. In Malaysia generally, the general public is using MySejahtera, a mobile application (app) that monitors and prevents the spread of COVID-19.
Public users can use it to perform health self-assessment and can track the location of positive COVID-19 individuals by using the hotspot tracker which is included in the app. Besides, they can use MySejahtera to register themselves before entering any premises.
Alternatively, they can write their phone number and name on the premises’ logbook. One simple question yet one that is at the forefront of our minds is, how sure are we that the information given via MySejahtera or in a logbook is safe? There are a few challenges related to mobile apps especially in terms of privacy, surveillance mechanism and secure mobile app.
MySejahtera was developed by five strategic cooperating bodies - the National Security Council (NSC), the Ministry of Health Malaysia (MOH), the Malaysian Administrative Modernisation and Management Planning Unit (MAMPU), Malaysian Communications and Multimedia Commission (MCMC) and the Ministry of Science, Technology and Innovation (MOSTI).
MySejahtera is managed by the MOH which acts as the application administrator, assisted by the NSC and the MAMPU. The government guarantees that the personal information collected in MySejahtera is for the monitoring and prevention of the COViD-19 epidemic only.
MySejahtera complies with the Personal Data Protection Act 2010 (PDPA). PDPA has been effectively applied in Malaysia since Nov 15, 2013, to protect individual data related to commercial or service transactions. PDPA gives users more control over their data which includes full name, identification card (IC), photo, phone number, email, fingerprints and home address.
For the communications sector, the General Consumer Code of Practice (GCC) was introduced on Nov 23, 2017, and applies to licensed service providers. The principles of data protection related to authenticity, data security, data quality and access to personal information.
In terms of data security, MySejahtera has many security features and complies with global standards to protect the confidentiality and security of user information. Data in transit is encrypted and data at rest is stored in a server with high-security features.
Based on our research findings concerning mobile security at the Universiti Sains Islam Malaysia (USIM), we have developed Mobotder. Our MobotDer is able to detect and predict any cyberattacks by using permission and API in a mobile phone. It consists of 745 new classifications that were related to mobile botnet exploitation in mobile apps.
This is a mobile app designed to check the level of mobile app security based on five (5) main surveillance features. These are geolocation (GPS), images, audio, SMS and call logs. Most exploitations that occur are easily executed via these five (5) main aspects.
Based on our Mobotder results, MySejahtera is safe for use by the public. Besides, to prevent exploitation, public users should download mobile apps only from reliable and official mobile app stores.
Also, users need to read the privacy terms and understand the requested information and permission for the mobile app that is to be installed on their smartphone, and they should scan any mobile app before installing it by using anti-virus or security software. Lastly, users also need to update their mobile apps and platform with the latest version, using strong and secure passwords. #kitajagakita.
Ts. Dr. Madihah Mohd Saudi is Associate Professor in the Faculty of Science and Technology and Chief Information Officer at Universiti Sains Islam Malaysia (USIM) in Nilai, Negeri Sembilan. She is an expert in cybersecurity and mobile security.