Mobile Threat Landscape 2018

2017 was a remarkable year for mobile security. Attacks aided by AI, sophisticated social engineering techniques and the exponential growth of connected devices are just a few of the factors that paved the way for a year of unprecedented threats to the enterprise.

Cyber incidents targeting businesses nearly doubled from 82,000 in 2016 to 159,700 in 2017. Ransomware attacks like WannaCry and SLocker wreaked havoc worldwide, and barely a day went by without a data leak or exploit dominating the global headlines.

With most web traffic now taking place on mobile devices, it’s become clear that malicious actors are taking time to research their targets and play on their weaknesses.

The rise of nation state cyber-attacks is one of the most worrying areas of cyber-security. When a malicious actor is working for more than financial gain, there’s little you can do to deter them. The World Economic Forum is grouping cyber-crime with environmental disasters, large-scale involuntary migration and illicit trade as one of the largest global threats this year.

New technology has drastically changed the way we interact. We embraced BYOD (bring your own device) policies and, as a result, internal IT teams lost sovereignty over how we use our mobile corporate devices.

ARE YOU VULNERABLE?

September 2017 saw a series of critical Bluetooth flaws that affected billions of Android, iOS, Windows and Linux devices. Mobile devices running older operating systems are susceptible to the vulnerability dubbed ‘Blueborne’.

The sophisticated attack exploited a total of eight Bluetooth implementation vulnerabilities that allow attackers to run malicious code, steal sensitive information, take control of the device and launch Man-in-the-Middle Attacks.

The user doesn’t even have to click on a link or download a questionable file, so the attack could easily go unnoticed.

Another example is Meltdown and Spectre, the critical chip-level security flaws. Vendors scrambled to provide quick resolutions to the vulnerability, all while sensitive corporate data was at risk. Research shows 14% of mobile devices are said to be un-patchable against the Meltdown and Spectre exploits.

PHISHING IS THE NUMBER ONE MOBILE THREAT

When people think about phishing, they think of emails offering ‘unclaimed lottery winnings’ from anonymous third parties.

The email network of one of the big four accounting firms was infiltrated in 2017. Hackers compromised the consultancy firm through a mobile attack that started within a popular social media app, where an employee was sent to a fake Gmail login page and subsequently parted with their login credentials. This gave the perpetrators full access to the employee’s account. They were then granted unrestricted access to the firm’s data.

WHY ARE PHISHING ATTACKS SO DANGEROUS?

They exploit the most vulnerable part of an organisation: its employees. Employees are arguably a corporation’s best asset, but when it comes to keeping data safe they double up as its biggest security threat. Human error is expected every now and again, and cyber-criminals use this to their advantage.

WHY MOBILE?

The mobile’s smaller screen means it’s harder to inspect suspicious-looking URLs, and the on-the-go nature of the device results in users being more distracted. In 2017, 92% of organisations fell victim to a phishing attack, and it’s expected to become even more prevalent. Phishing is the most damaging and high-profile cyber-security threat facing organisations today.

The proliferation of mobile technology has dramatically changed the phishing landscape. Research revealed that 83% of mobile phishing attacks occur outside of email, with apps, messaging services and websites being the most attractive targets.

MORE SOPHISTICATED ATTACK METHODS

There’s been an influx of phishing sites utilising HTTPS verification to conceal their deceitful nature.

HOW DOES THIS WORK?

SSL certificates are a way of digitally certifying the identity of a website and informing the user that their personal information has been encrypted into an undecipherable format that can only be recovered with the proper decryption key.

Users perceive HTTPS sites to be secure, so they’re less likely to suspect a ‘phish’. The number of phishing sites operating from a secure HTTPS domain skyrocketed in 2017, and the trend is predicted to continue as attackers keep advancing their techniques.

SHIFT IN MOTIVATION

Malicious actors are playing the “long game”: they’re taking their time to intimately research targets. They’re profiling victims by gaining generalised personal, financial and employment data prior to orchestrating a spear-phishing attack.

WHY IS THIS CONCERNING FOR ORGANISATIONS?

This means that you could be taking every plausible step to protect your systems, but if employee credentials are circulating online, a high-profile breach could be imminent. Once an attacker has your email address, it only takes a quick search on Twitter or Facebook to retrieve information that they can use against you.

Data is becoming more powerful than ever across almost every industry. As a result, underground markets sell full identities of individuals and organisations for as little as $10 apiece. It’s important that organisations invest in robust mobile threat protection that blocks and prevents data from being captured by malicious sites and applications in the first place.

MOBILE MALWARE IS GROWING MORE AGGRESSIVE BY THE DAY

Ransomware attacks dominated the headlines throughout 2017, with outbreaks like NotPetya, WannaCry and SLocker causing unprecedented destruction.

Which variants of mobile malware are most destructive, and what trends should enterprises expect to see over the next twelve months?

RANSOMWARE

A piece of malware that demands money from users and, in exchange, promises to release either the files or the functionality of the devices being held hostage.

SLocker – The destructive ransomware that came back on the scene in 2017

SPYWARE

Spies on the infected user, from recording audio to capturing photos. Apps riddled with spyware are usually those with the most invasive permissions.

Xagent – iOS malware used to gather pictures, contacts and geo-locations

ADWARE

Adware is designed to show frequent ads to a user. It’s probably the best-known malware; an estimated 6% of apps within the Google Play Store contain some sort of adware.

FalseGuide – The gaming app installed over two million times

TROJAN

Malware that hides itself within a piece of seemingly innocent, legitimate software. Rooting a device enables the hacker or the user to install unapproved apps, change the OS, serve the phone malware, and customise any aspect of the device.

AceDeceiver – exploits a design flaw in Apple’s digital rights management to allow hackers access

ROOTING MALWARE

Rooting is the Android equivalent of jailbreaking a device. Rooting malware includes any malware that roots the device, essentially unlocking the operating system and obtaining escalated privileges.

CopyCat – This rooting malware affected nearly 14 million Android devices

SMS FRAUD

Banker malware takes the form of any malicious software attempting to steal users’ banking credentials without their knowledge.

ZTORG – a family of SMS fraudware found in the Play Store

BANKER MALWARE

It takes the form of any malicious software attempting to steal users’ banking credentials without their knowledge.

Charger – The banking malware was spotted in the Play Store last year

MOBILE CRYPTO CRIME IS RIFE

THE ¥46.3 BILLION HEIST

Tokyo-based cryptocurrency exchange ‘Coincheck’ said it would return around $425 of the digital money it lost to hackers in one of the largest ever digital thefts. Around 10,000 organisations in Japan accept cryptocurrency, displaying the potential impact of this breach to the wider community.

Popular cryptocurrency Bitcoin achieved a monumental milestone, hitting $20,000 a coin.

Cryptocurrencies are digital means of exchange created and used by individuals or groups. They’re viewed as alternative mediums of financial exchange that exist outside of government controls. Instead, digital currencies rely on a technology called blockchain that makes its transactions so secure that experts consider them to be almost un-hackable.

When you buy an item using cryptocurrency, the transaction is stored in a digital ledger. To keep these transactions secure, digital currencies use cryptographic protocols, or complex systems of encryption, rendering them virtually impossible to hack. The widespread adoption of cryptocurrency means that digital trading apps and services have become a hotbed for cybercrime.

THE RISE OF CRYPTO CRIME

While hackers are unlikely to succeed at attacking the complex encryption in the immediate future, cybercriminals have already conceived and distributed malware to exploit weaknesses, mine cryptocurrency and steal digital currency from users’ wallets. This presents a huge concern for enterprises that accept cryptocurrency. If an attacker can infiltrate a device to clear a wallet, then it’s not inconceivable that they could exfiltrate highly confidential corporate data at the same time.

CRYPTO JACKING WILL STEAL THE SHOW

Cryptojacking has become one of the most worrying new threats for enterprises. The untraceable nature of the currency, along with how simple it is to transfer funds, has made it a favourite of criminal groups.

The technique involves the use of scripts that run on web pages or in mobile apps. These scripts are designed to harvest the processing power (CPU) of the user’s device to mine for cryptocurrency. Currencies such as Bitcoin, Ethereum and Monero are all continually ‘mined’ using distributed computing resources to work out problems that generate ‘hashes’.

THE PLUGIN CRYPTOJACK HACK

In February this year, thousands of websites around the world, from the UK’s NHS to the US government’s court system, were found to be secretly mining cryptocoins when a popular plugin was hacked.

The affected sites all used a fairly popular plugin called ‘Browsealoud’, which reads out webpages for the visually impaired. The tech was compromised by altering the original source code in the app, silently injecting Coinhive’s Monero miner into every webpage using the Browsealoud plugin.
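Pages that pin third-party scripts with Subresource Integrity (a browser feature this article does not mention) refuse to run a script whose contents changed on the vendor's server. The following is an added example, not part of the original article, that audits a page's externally loaded script tags; the URLs, script bodies and the `audit` helper are constructed for illustration.

```python
import base64
import hashlib
from html.parser import HTMLParser

def sri_digest(body: bytes, alg: str = "sha384") -> str:
    """Value for a <script integrity="..."> attribute."""
    return alg + "-" + base64.b64encode(hashlib.new(alg, body).digest()).decode()

class ScriptTags(HTMLParser):
    """Collects (src, integrity) for scripts loaded by absolute URL."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src") or ""
        if tag == "script" and src.startswith(("http://", "https://", "//")):
            self.scripts.append((src, a.get("integrity")))

def audit(html: str, fetched: dict) -> dict:
    """Map each external script URL to 'no-integrity', 'ok' or 'blocked'."""
    parser = ScriptTags()
    parser.feed(html)
    verdicts = {}
    for src, integrity in parser.scripts:
        if not integrity:
            verdicts[src] = "no-integrity"      # browser runs whatever is served
        else:
            alg = integrity.split("-", 1)[0]    # assumes one sha256/384/512 token
            ok = sri_digest(fetched[src], alg) == integrity
            verdicts[src] = "ok" if ok else "blocked"
    return verdicts

# Constructed sample data: hypothetical URLs and script bodies.
PINNED_URL = "https://cdn.example/reader.js"
UNPINNED_URL = "https://cdn.example/widgets.js"
ORIGINAL = b"function readAloud(){ /* vendor code */ }"
TAMPERED = ORIGINAL + b"\n/* injected third-party code */"
PAGE = (f'<script src="{PINNED_URL}" integrity="{sri_digest(ORIGINAL)}" '
        f'crossorigin="anonymous"></script>'
        f'<script src="{UNPINNED_URL}"></script>')

if __name__ == "__main__":
    print(audit(PAGE, {PINNED_URL: TAMPERED, UNPINNED_URL: TAMPERED}))
```

A pinned script that the vendor legitimately updates is also reported as blocked, so the pinned digest has to be refreshed with each reviewed release.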

WI-FI THREATS ARE GIVING HACKERS ACCESS TO YOUR INFORMATION

People tend to prefer Wi-Fi over cellular as it’s usually faster, it doesn’t drain your data plan and is widely available. It has been predicted that by 2021, 63% of total mobile data will be on Wi-Fi, compared to the 60% it was at last year.

WI-FI SECURITY

The proliferation of mobile means employees are connecting to Wi-Fi hotspots all the time. In fact, the average number of Wi-Fi connections the typical corporate device makes per day is 12.

For minimal cost, an attacker can get their hands on equipment advanced enough to set up their own hotspot. A hacker can monitor online traffic to capture valuable information, and obtain sensitive corporate data.

A RISE IN HIGHER-LAYER PROTOCOL ATTACKS

SSL stripping is a technique by which a website is downgraded from a secure HTTPS connection to an HTTP connection. The attacker turns their focus to the connection between a user and the internet in order to tamper with the security protocol. HTTPS uses a secure tunnel (known as SSL) to transfer and receive data, which validates its security. In an SSL strip attack, the traffic from the victim’s browser is forced to communicate in plain text over HTTP, exposing the user to eavesdropping and data manipulation when the service is downgraded.

Hackers favour SSL stripping because a successful attack can kill a secure communication, without the user suspecting a thing. If sensitive corporate information is stored on the device in question, then data can be exfiltrated without raising any alarms.
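The usual server-side defence against this downgrade is the HTTP Strict-Transport-Security response header (HSTS, RFC 6797), which the article does not mention. The added example below, not from the original article, audits a response for a usable HSTS policy; the `audit_hsts` helper, the 180-day threshold and the sample headers are assumptions made for illustration.

```python
MIN_MAX_AGE = 15552000  # 180 days; assumed policy threshold for this example

def audit_hsts(scheme: str, headers: dict) -> list:
    """Return findings for one response; an empty list means the policy is sound."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return ["missing: browser will accept a downgrade to http"]
    if scheme != "https":
        # RFC 6797: the header is ignored when received over plain HTTP
        return ["sent over http: ignored by browsers"]
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip('"')
    findings = []
    max_age = directives.get("max-age", "")
    if not max_age.isdigit():
        findings.append("max-age missing or invalid")
    elif int(max_age) == 0:
        findings.append("max-age=0 removes the policy")
    elif int(max_age) < MIN_MAX_AGE:
        findings.append("max-age below threshold")
    if "includesubdomains" not in directives:
        findings.append("subdomains not covered")
    return findings

# Constructed sample responses.
GOOD = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
WEAK = {"strict-transport-security": "max-age=300"}

if __name__ == "__main__":
    for scheme, hdrs in (("https", GOOD), ("https", WEAK), ("https", {})):
        print(scheme, hdrs, "->", audit_hsts(scheme, hdrs))
```

HSTS only protects return visits; the very first plain-HTTP request to a site can still be downgraded unless the domain is on the browsers' preload list.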

Another technique to look out for is DNS spoofing, whereby the attacker supplies an incorrect IP address to the user. The user types in a web address like www.Facebook.com and a DNS request with a unique ID number is made to the server. The attacker can then intervene and respond to the DNS request with their own malicious website’s IP address using the same identification number so that it is accepted by the victim’s computer.
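Because the forged reply has to reuse the query's identification number, a monitor that sees two replies with the same ID and name but different addresses has a strong spoofing indicator. The added example below, not part of the original article, parses DNS responses and flags such conflicts; the packets are constructed with documentation-range addresses, and the helper names are hypothetical.

```python
import socket
import struct

def build_response(txid: int, name: str, ip: str) -> bytes:
    """Constructed helper: minimal DNS response with one question and one A record."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = qname + struct.pack(">HH", 1, 1)                 # QTYPE=A, QCLASS=IN
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
    return header + question + answer

def parse_response(pkt: bytes):
    """Return (txid, qname, first A record) for a response shaped like the above."""
    (txid,) = struct.unpack(">H", pkt[:2])
    pos, labels = 12, []
    while pkt[pos]:                                            # walk the question labels
        labels.append(pkt[pos + 1:pos + 1 + pkt[pos]].decode())
        pos += 1 + pkt[pos]
    pos += 1 + 4                # terminating zero label, QTYPE, QCLASS
    pos += 2 + 8                # compressed name pointer, TYPE, CLASS, TTL
    (rdlen,) = struct.unpack(">H", pkt[pos:pos + 2])
    ip = socket.inet_ntoa(pkt[pos + 2:pos + 2 + rdlen])
    return txid, ".".join(labels).lower(), ip

def find_conflicts(packets):
    """Flag (txid, qname) pairs answered more than once with different addresses."""
    seen, alerts = {}, []
    for pkt in packets:
        txid, qname, ip = parse_response(pkt)
        first = seen.setdefault((txid, qname), ip)
        if first != ip:
            alerts.append((txid, qname, first, ip))
    return alerts

# Constructed capture: the second packet reuses ID 0x1a2b with a different address.
CAPTURE = [
    build_response(0x1A2B, "www.example.com", "203.0.113.10"),
    build_response(0x1A2B, "www.example.com", "198.51.100.66"),
    build_response(0x77AA, "intranet.example.com", "192.0.2.5"),
]

if __name__ == "__main__":
    for alert in find_conflicts(CAPTURE):
        print("conflicting replies:", alert)
```

The check only works where the monitor sees both replies, and it cannot tell which of the two is genuine; it marks the lookup for investigation.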

MORE VULNERABILITIES 

Denial of Service (DoS) – DoS attacks are primarily focused on rendering the device unusable. Hackers infect mobile devices with large malicious files, overwhelming the central processing unit (CPU) and causing the device to shut down. Mobile devices are particularly vulnerable to this kind of attack as they have less processing power than your average desktop device.

Overflow – a flaw in OS code that can lead to hacker exploitation and subsequent overwriting of device executable code and data. The vulnerability usually lies in the stack/heap buffers, which are meant to limit the amount of data written into the memory of the device. When this is exploited by a hacker, the buffer is unable to limit the amount of code generated, leading to other code being overwritten and resulting in erratic device behaviour, crashes and data loss.

Bypass Something – a flaw in an OS that makes a device susceptible to a third party circumventing a layer of protection set up by the user, administrator or OS itself. It usually involves a hacker ‘getting around’ the security authentication procedure of a device. Within mobile devices the flaw is usually embedded in the OS code.

Code Execution – a flaw that lets a program designed to exploit it run code on the device, resulting in a code execution attack. An example of this is a command to download a piece of malware, or send arbitrary requests and cause a Denial of Service attack. Code execution is one of the highest severity vulnerabilities, as the results of an attack can mean the ‘bricking’ of a device as well as any type of malware becoming active on the phone.

Memory Corruption – a programming error in the operating system that leaves the memory component of a device open to exploitation. The vulnerability lies in the memory location of a device and an attack occurs when the code is modified, violating the safety of the information kept in the memory.

Gain Information/Privileges – allows a hacker to exploit a flaw in the operating system to gain access to either private information or a heightened permission level on the device. This can be done using a malicious web page, program or application. It usually results in the exfiltration of personally identifiable information from the device to an external hacker.

RISKY CONFIGURATIONS

The process of altering a mobile device to remove its limitations so users can add features – known as “jailbreaking” or “rooting” – changes how the security for the device is managed and could increase security risks. Jailbreaking allows users to gain access to the operating system of a device to allow the installation of unauthorised software functions and applications.

Users face increased security risks because they are bypassing the application vetting process established by the manufacturer, and thus have less protection against inadvertently installing malware.

DATA LEAKS

Organisations are also increasingly vulnerable to “leaky apps”. Data leaks involve the unauthorised or unintentional transfer of sensitive information from an enterprise mobile device to another internet space. By not protecting the data, the app developer is essentially making the data available to anyone who utilises the same network as the device with the vulnerable app.

A recent example of this came in the form of the Sonic the Hedgehog game series. The apps, which have collectively been downloaded over a hundred million times, were found to be leaking users’ geolocation and device data to uncertified servers.