A smartphone can feel like a ticking time bomb to IT security pros. With the BYOD trend now well established in the workplace, and employees less vigilant about avoiding malicious links, the chances for trouble remain high.
But when your personal and professional lives intersect on your phone -- the same one that often includes confidential corporate data and email -- it's inevitable that someone will stumble onto malware. Chris Crowley, an instructor at the SANS Institute, offers a rundown of the top mobile security threats today and what can be done to head them off.
1. Untrustworthy devices. A device itself may be faulty or maliciously configured within the supply chain, resulting in a violation of CIA (confidentiality, integrity, availability), he said. One example: Check Point earlier this year found an infection of 36 Android devices at a large telecommunications company. In each case, the breach was not caused by the user, but by malware already on the phone when the employee took it out of the box.
“According to the findings, the malware were already present on the devices even before the users received them. The malicious apps were not part of the official ROM supplied by the vendor, and were added somewhere along the supply chain,” Check Point wrote on its blog.
2. Malicious apps. Installed applications that claim to perform one task, but actually do something else, represent a hard-to-spot vulnerability.
Check Point found malware on Google Play last month, for instance. Called “Judy,” it is auto-clicking adware developed by a Korean company. “The malware uses infected devices to generate large amounts of fraudulent clicks on advertisements, generating revenues for the perpetrators behind it. The malicious apps reached an astonishing spread between 4.5 million and 18.5 million downloads,” Check Point wrote.
Palo Alto also found Apple iOS malware in 2015. YiSpecter was the first malware the security company had seen that abuses private APIs in the iOS ecosystem to implement malicious functionalities, Palo Alto noted.
3. Useful apps with unwanted information leakage. Many applications installed for legitimate uses can still result in misappropriation of information, such as the extraction of contacts from the telephone, Crowley said.
4. Banking malware. Kaspersky Lab Senior Malware Analyst Roman Unuchek sees banking malware as an ongoing mobile security threat. Cybercriminals use phishing windows to overlap banking apps and steal credentials from mobile banking customers, he said. They also can overlap other apps and steal credit card details. Furthermore, they can steal incoming mobile transaction numbers (mTans) and even redirect calls.
Cybercriminals are adding file-encrypting features to traditional mobile banking trojans, creating hybrid threats that can steal sensitive information and lock user files at the same time.
One such trojan, Faketoken, is designed primarily to generate fake login screens for more than 2,000 financial applications in order to steal login credentials. The malicious app also displays phishing pages to steal credit card information -- and it can read and send text messages.
Alarmingly, Faketoken's creators added the ability to encrypt user files stored on a phone's SD card sometime in July and have released thousands of builds with this functionality, according to researchers from Kaspersky Lab.
5. Ransomware. In the first quarter of 2017, ransomware was the most popular type of malware in the U.S. Ransomware blocks a device (or desktop computer) by imposing its demand-for-payment window over all other windows, including system windows. It then demands money to unblock the device. Ransomware comes in a variety of forms, most recently as the WannaCry malware, which attacked Windows desktop systems.
The evolution of ransomware is heading toward what's being called ransomworms. That's basically ransomware attached to a network worm.
“After infecting one victim, it would tirelessly copy itself to every computer on your local network it could reach,” said Corey Nachreiner, CTO at WatchGuard Technologies. “Whether or not you want to imagine such a scenario, I guarantee that cybercriminals are already thinking about it.”
Top 7 common sense mobile device security steps
SANS Institute's recommendations on how to harden your device:
- Enforce device passcode authentication
- Monitor mobile device access and use
- Patch mobile devices quickly
- Prohibit unapproved third-party application stores
- Control physical access to devices
- Evaluate application security compliance
- Have in place an incident response plan for lost or stolen mobile devices