Mobile Threats: Have We Reached a Tipping Point?

Researchers have been warning about the security risks surrounding mobile devices for years. Phil Muncaster examines what’s new...

When revelations over the hacking of the iPhone belonging to Amazon CEO Jeff Bezos surfaced at the start of the year, it felt like a watershed moment. The UN suggested that malware sent via WhatsApp from the Saudi Crown Prince Mohammed bin Salman resulted in a massive exfiltration of data from the device. It promptly called for a “moratorium on the global sale and transfer of private surveillance technology.”

For many CISOs, the question today is: “If the world’s richest man can get hacked, are my executives safe?” The answer is, probably not, but highly targeted information-stealing threats are just one piece of the mobile security puzzle. IT bosses must also mitigate the risks of BYOD employees succumbing to more opportunistic malware infection and exposing the organization that way, and of apps which mimic their brand to defraud and steal from customers.

As a new normal of flexible and remote working starts to emerge from the ashes of COVID-19, mobile device security is no longer an option but an essential part of any corporate cyber-risk management strategy.

Power in Your Pocket

We’ve come a long way. In just over two decades, the mobile device has evolved from a clunky handset used exclusively to make calls, into a high-powered mini-computer. The feature-rich smartphones and tablets we carry around with us today are 1000-times more powerful than the first PCs plugged into the corporate mainframe. Increasingly they not only store sensitive data, but are a gateway to corporate networks and business critical applications.

We’ve seen threats evolve accordingly over the past few years, according to Gartner VP Dioniso Zumerle.

“Many attacks in the early days would require physical possession of the device, rather than remote execution,” he tells Infosecurity. “This still occurs, but risk mitigation for enterprises today should focus on the real-world attacks we see. Usually these come from malicious apps and links.”

According to F-Secure, the majority of threats seen in the wild today are less serious for users. At the start of 2020, the most common category was privacy-infringing threats (40%) followed by adware (29%). Malware (28%) came next, and attacks featuring malware are generally focused on one of two things: financial gain, usually via banking Trojans, or theft of personal data or intelligence gathering via targeted malware. The vast majority of it is Android-based, due to openness of the ecosystem. This allows for numerous third-party app stores which can be seeded with malware hidden in legitimate-looking apps. Apple’s iOS on the other hand is tightly regulated and few, if any, malicious apps ever make it onto the App Store.

“One of the most concerning tactics for security teams is the rise in employee credential theft through mobile devices”

How Attacks Work

Although you can find mobile ransomware, cryptomining malware, adware, stalkerware and banking Trojans today, the biggest threat to enterprise security comes from Remote Access Trojans (RATs). This class of malware allows for a broad range of eavesdropping and data theft through features like: GPS logging, screen-grabbing, keylogging, enabling the mic and camera to capture audio and take videos, interception of Two-Factor Authentication (2FA) tokens, exfiltration of SMS, retrieval of browsing history, contacts and call history, and much more.

“One of the most concerning tactics for security teams is the rise in employee credential theft through mobile devices,” Forrester senior analyst, Christopher Sherman, tells Infosecurity. “This can lead to lateral movement to other enterprise assets, culminating in sensitive data and intellectual property theft for sale on the black market.”

The most sophisticated mobile RATs, developed by grey-market firms like NSO Group and Gamma Group, use zero-day exploits to install silently on the target’s device, as per the attack on Bezos. However, most RATs and mobile malware generally hide in legitimate-looking applications and are uploaded to a third-party app store, although increasingly they sneak through onto Google Play. Others may be uploaded to spoofed sites where users are directed by SMS or phishing emails. In more sophisticated operations, legitimate sites are sometimes compromised to host mobile malware. More original efforts include embedding malicious links into YouTube videos prompting forthcoming apps.

According to Trend Micro, mobile cyber-espionage campaigns have increased by 1400% over the past four years. Yet firms are also exposed by their employees, if BYOD policies are not properly policed, according to Calvin Gad, manager of F-Secure’s Tactical Defense Unit.

“There are some businesses that rely on their employees using personal devices but are unable to manage or have visibility over them,” he tells Infosecurity. “As such, the business has no control over how the device is used, meaning there could be no differentiation between personal and official use for the employee. Corporate information will then be mixed with personal information, which then opens up the device to attack.”

There’s also a growing challenge for white hats, in that sophisticated malware and attack techniques are increasingly being democratized on the cybercrime underground, argues CrowdStrike technology strategist, Zeki Turedi.

“The targeting of mobile platforms is increasingly being adopted by a range of criminal and targeted intrusion adversaries, supported by an underground industry of developers operating mobile malware-as-a-service subscription models,” he explains.

“Additionally, targeted adversary groups continue to develop mobile malware variants, typically as ports of established malware families. Development capability has proliferated to less-skilled groups due to the accessibility of proof-of-concept mobile malware variants.”

Cyber-attackers keep on innovating to find new ways to compromise enterprise employees. One tactic involves phishing emails which include a meeting invite which, when opened, automatically adds itself to the device calendar. The user is then more likely to click on the malicious meeting reminder pop-up as it comes from the trusted calendar app, explains F-Secure’s Gad.

Best Practice Defense

So how should CISOs go about improving enterprise mobile security? For financial institutions, banking Trojans can best be combatted through AI-powered anti-fraud tools designed to detect when customers are being impersonated. Banks could also try running awareness-raising programs for customers and even providing free anti-virus software for their devices. In an era of Open Banking, this kind of differentiator may end up being good for business.

When it comes to corporate security, the good news is that a few simple steps will help take care of the vast majority of threats. It amounts to installing anti-virus with URL protection, improving awareness of phishing attempts and the risks associated with public Wi-Fi, bolstering log-in security, steering clear of unsanctioned apps and app stores and regular patching of devices.

“CISOs must do the basics right by implementing a Mobile Device Management (MDM) solution and enabling Multi-Factor Authentication (MFA), especially when users wish to access company resources through these devices. With this in place, the attack surface would reduce considerably, while the remaining threats to these devices could be mitigated by security measures deployed to the organization’s backend,” explains F-Secure’s Gan.

“CISOs must also help raise awareness amongst employees regarding the different threats that they should be vigilant about as well as keeping them informed about ever-changing tactics and techniques. An employee falling for a phishing/smishing trick, or if they just decide to install unauthorized/unverified apps, could still cause a security breach.”

CrowdStrike’s Turedi adds that MDM processes must be properly hardened. “Corporate management of mobile devices can provide protection against mobile malware by restricting which applications can be installed and allowing for the automatic deployment of security patches,” he explains.

“Enterprises should lock down devices to ensure they are unable to communicate with untrusted MDM servers, and establish user security training to minimize the risk that phishing techniques could be used to trick them into enrolling manually with a rogue server. Servers running MDM software should be monitored using cloud and AI-powered endpoint protection to ensure they are not compromised from within the network and used to push out malicious updates to mobile devices.”

The main thing is not to wait until it’s too late, warns Gartner’s Zumerle. “Mobile attacks are and will continue to be less visible because they are typically a stepping stone to a more complex enterprise attack,” he concludes. “What enterprises should focus on now is improving their mobile security maturity by including it into their overall endpoint security strategy.”

In a world of increasingly flexible working patterns and powerful handhelds with access to the corporate crown jewels, it’s time to take mobile security seriously.

What’s Hot on Infosecurity Magazine?