Mobile devices typically have not been the most common attack vector in data breaches, but now isn’t the time to underestimate the risk they pose to enterprise security.
Developments over the past year suggest that attacks and threats directed at mobile devices are growing. Malware authors are building more tools for exploiting vulnerabilities and threat actors are increasingly adding smartphones and tablets to their list of targets for data theft and access to the corporate network.
A Check Point study of 850 customers last year found 100 percent of organizations that permit mobile devices for work are exposed to malware and attacks to varying degrees. While not all of them suffer actual data breaches or malware infections, they are under constant mobile attack, the report showed.
“There is a marked increase in the quantity of malware directed specifically at mobile devices, with the intent of capturing VPN and other network and application login credentials,” warned David Gehringer, an analyst at Dimensional Research. “Criminals want to use that information to gain access to enterprise systems.”
From an actual data risk standpoint, people who lose mobile devices with files and access to corporate systems continue to pose the more immediate danger, Gehringer said. But, he added, ignoring the growing threat of mobile malware and attacks is a mistake. “Given the current headlines of corporate espionage and data stealing, that is a major threat to keep an eye on in the next year or two.”
Several recent developments highlight the growing threat actor focus on mobile devices. Last year, malware writers managed to slip hundreds of Android applications tainted with a malware tool called WireX into Google’s official mobile app store. Between 70,000 and 160,000 Android devices infected with the malware were later used to build a massive botnet that was first used for click fraud purposes and then for launching DDoS attacks. The botnet was so sophisticated it required a multivendor effort to take down.
Over the course of the year, Google removed hundreds of Android applications embedded with various other malware tools that attackers managed to sneak repeatedly into its official Play app store. Many of the applications were downloaded tens of thousands of times, exposing users to adware, spyware and other threats. One ad-serving malware tool dubbed LightHouse that was hidden in about two dozen Android apps on Play was downloaded some 7.5 million times before it was removed.
The repeated success that attackers have had in uploading malware to Play—and to a much lesser extent on Apple’s mobile application store—has shown how even mobile apps from trusted sources can sometimes pose a major risk to enterprises.
The APT Threat
Another sign of the times is the growing focus on mobile devices by some APT groups. Dark Caracal, a threat group operating out of Libya, has made them its primary attack target in a wide-ranging espionage campaign spanning more than 20 countries. The group has stolen hundreds of gigabytes of audio recordings, SMS messages, contact lists, photos, location information and other data from thousands of Android devices using Trojanized versions of apps including WhatsApp and Signal. Lazarus Group, the North Korean actor believed to be responsible for the massive data breach at Sony and the attacks on the SWIFT financial network, last year for the first time began using mobile malware to steal data from Android device users in South Korea.
“Mobile threats have advanced quickly,” said Will LaSala, director of security solutions at VASCO Data Security. Most attacks previously were for account takeover via SMS redirection and screen overlays. These attacks were widespread, hitting a large number of victims, and continue to pose problems for users, he said.
“But increasingly, mobile attacks are leveraging more of the smartphone capabilities including geolocation, cameras, and the inner workings of the application provisioning and application runtime environments through library hooking,” LaSala said.
Beyond malware, legitimate applications with overreaching permissions also pose a major security risk when loaded on devices used in the workplace, LaSala noted. As one example, he pointed to a recent incident in which the publisher of a keyboard app accidentally exposed names, phone numbers, mobile device IDs, social media profiles, birth dates and other information belonging to some 31 million people who had downloaded its software. “There was no reason for a keyboard app to collect and store all of this information.”
To counter the threat, enterprises need to start treating mobile devices like they do any other critical enterprise asset, said Pete Lindstrom, an analyst with IDC. “What we are seeing is Android and iOS becoming just another OS on just another device” that needs to be protected, he said. The tendency by mobile device users to constantly want to connect via Wi-Fi and hotspots on the enterprise has reached a point where mobile devices should be treated like any other point on your network.
“As enterprises continue to follow digital transformation projects, adding mobile or moving to mobile should be examined from a security perspective—just as the enterprise’s traditional applications were and continue to be,” LaSala echoed.