Welcome to Brown’s Bytes! Your weekly insight from Mobliciti’s CTO Andy Brown. Follow #brownsbytes
30th August 2019
At the risk of sounding like a stuck record, I thought this week I would point you to a blog posted by Google’s Project Zero Team.
I would strongly recommend reading the cover page at least – to be fair it gets pretty technical with the mechanics of the attacks after that. For those who prefer my summary I would say the key points were:
- There are a number of hacked websites that are being used to attack iOS devices
- The attacks being used were 0-day (ones for which there is no patch)
- The attacks have been in place for years
- The vulnerabilities are from iOS 10 to the latest version of iOS 12
- These websites receive thousands of visitors per week
- The exploits resulted in root (admin) control of device installing agents that would call into command and control servers every 60 seconds
- The vulnerabilities would target personal data and upload it all – photos, messages, contacts.
Now, if anyone still says, “iOS is secure – what’s the risk?” then I’m just going to point them to this blog. This is about as bad as it gets.
In the interests of fairness, I will also point out that Project Zero is part of Google, and that Google’s Android is far from immune to this kind of thing either.
Just this week there was news of two apps from the Google Play Store that had malware in them. News story here, but in summary:
- A notepad app and a fitness app were able to bypass Play Store security and implement ad clickers on the device
- These apps have been installed by 1.5 million people
- They were in the wild for almost a year and were removed just a week ago
Now, although not nearly as serious as the iOS item above, it does show once again that all mobile operating systems are vulnerable and (despite Google’s protestations) that the Play Store isn’t as effective as the iOS App Store in blocking this kind of thing.
It’s now 8 years since Mobliciti started pointing all this out and brought the first Mobile Threat Defence solutions to the market. The demo back then scared the hell out of me… well, this is all real stuff in the wild now. Mobile devices are being targeted like never before – everything from adware to malware and all the way to nation state-level scary stuff.
Hopefully, you can agree that this underlines once again that putting data on unprotected iOS or Android devices should now be classed as a risk – Zero-day threat is real. I will (again) finish with a quote from my last Byte:
“Oh, and if you still think you don’t need Mobile Threat Defence then I’m sorry, but you’ve got your head in the sand…”
Get in touch to understand how to get Mobile Threat Defence solutions put in place – this is a risk that now needs to be managed better than just hoping you don’t have an issue and waiting for the OS to be patched.