Why It's a Great Time to Be a Mobile Threat

It really is a great time to be a mobile threat. As mobile devices become ever more critical in our daily lives, hackers are seizing on a vulnerable blindspot in the enterprise attack surface.

The Rise of the Mobile Device

In the past, data, endpoints and users might have been confinable within the office. However, mobile devices, BYOD schemes and remote work have made enterprise IT hard to contain.

Mobile devices now hold a central place in enterprise IT. Even as far back as Zimperium’s 2019 State of Enterprise Mobile Security report, 60% of enterprise endpoints were mobile devices. Furthermore, 80% of daily work is performed on a mobile device.

Whether they’re corporate-issued, purely personal or part of a BYOD program, mobile devices often sit outside corporate security controls and are wielded by users who aren’t thinking about security.

Hackers see an opportunity. Although cyber-criminals have often focused their efforts on traditional endpoints, mobile devices have drifted right into their crosshairs.

While many think that mobile devices are more secure than traditional endpoints, that belief is looking less tenable, with a record number of security patches being produced each year and with every new iteration of mobile-based malware, malicious networks and mobile phishing attacks. Cyber-criminals are actively looking for ways to exploit these weak points.

Where Good Mobile Devices Turn Bad

Mobile threats often emanate from app stores, where many types of mobile malware hide as legitimate apps. These are often unofficial app stores, which exist outside of the vetting processes of Google or Apple. These apps can also be sideloaded directly from developers’ websites, which also circumvents app store protections.

While the security controls of the official app stores are stronger, attackers have found innovative ways to bypass vetting, including weaponizing apps after they have been deployed. Last year we found a malicious app on Google Play called Grifthorse, which would surreptitiously subscribe its users to unwanted services, charging them €36 per month. Google immediately removed the apps, but not before the attackers stole at least €10 million from their unsuspecting victims.

Spyware

As Sun Tzu once said, “There is no place where espionage is not possible.” Spyware exemplifies that statement perfectly. Spyware turns a personal mobile device into a corporate espionage bug just by entering an office, nestled in someone’s pocket.

Spyware has been around for decades, but the best example of late is Pegasus. Pegasus’ victims have allegedly included Gulf royalty, French President Emmanuel Macron, the United States State Department and Amazon founder Jeff Bezos. Pegasus has apparently compromised thousands of journalists, activists, business leaders, state officials and regular citizens. While Pegasus has been exposed, it’s only the tip of the iceberg.

Last year, we discovered a piece of spyware called PhoneSpy. We found it targeting South Korean citizens and masquerading as a range of lifestyle apps. Upon infection, PhoneSpy could download data from the phone and remotely control the phone’s camera and microphone while hiding its presence from victims. We discovered 23 apps loaded with PhoneSpy, covertly surveilling thousands of victims. The reality is that there may be as many as 20 enterprise-grade spyware families in the wild, surveilling a variety of organizations, businesses and individuals without their notice.

Mobile Threat Defense

Enterprise computing is now mobile. It makes up a large part of the enterprise attack surface. It’s a vector that we all keep in our pocket, wherever we go. Threat actors now use that blurring of the personal/professional distinction to exploit businesses by going after their employees’ personal devices.

This state of affairs has solidified in the last few years. Mobile devices and remote capabilities were key to ensuring business survival during the global pandemic. In our personal lives, we all rely more on our mobile devices to entertain ourselves and keep in touch with our dispersed social circles.

Digital transformation has boomed in the last 18 months. McKinsey estimates that adoption rates have accelerated by three years since the start of the pandemic. Mobile and mass remote work will likely become an embedded feature of post-pandemic work.

To secure this largely unrecognized vector, enterprises can look to mobile threat defense (MTD). When incorporated as part of a zero trust approach, MTD technology can examine the security of individual mobile devices, alerting the enterprise to threats and blocking access. It can ensure the device hasn’t been infected, jailbroken or compromised and act to protect corporate data if a threat arises.

Mobile devices are now a fundamental part of the enterprise attack surface. They reach far outside of most enterprise security controls, often without the understanding of their owners. Attackers have realized that, even if enterprises haven’t.
