Untrustworthy App Permissions Help Attackers Own Your Phone

New York State Cyber Command employees demonstrated how attackers can get free rein on mobile devices – with a little help from the device owners – at SC Media’s RiskSec NY 2018 conference. SC Magazine reported on the presentation by Mark Bilanski, Deputy Director of the NYS Cyber Command Center’s Cyber Incident Response Team, and Louis Smith, Senior Security Analyst, which showed how mobile users download untrustworthy apps onto their phones, agree to dangerous permission requests without realizing it, and open the door for attackers to gain complete access to their phones.

Bilanski, Smith, and their team created an application for the demonstration and installed it on the demo phone, an Android device, thereby infecting the phone. Their goal was to see just how far they could take it. They essentially mirrored the user’s phone screen: the attacker was able to do whatever they wanted (take photos, access pictures, modify data, make calls, send texts, etc.), all while the user saw their normal home screen and was none the wiser.

The panel of experts watching the demonstration shared some ideas to encourage employees to be wary of permissions and not just agree to them by default in order to get the app installed. Namely, mobile device management (MDM) was suggested, as were some basic education programs for employees, who may be targeted by cybercriminals eager to get around two-factor authentication on an employee’s phone and use that as the key to get at a corporation’s internal data, or to send fake messages from high-ranking executives requesting financial transfers.

Says fellow panelist Tony Sager, senior VP and chief evangelist at the Center for Internet Security (CIS):

“You can’t train people to stop everything, but you can help them understand these are the trigger things you should be aware of ...

*** This is a Security Bloggers Network syndicated blog from Cylance Blog authored by Sally Feller and Cylance Research and Intelligence Team. Read the original post at: https://threatvector.cylance.com/en_us/home/untrustworthy-app-permissions-help-attackers-own-your-phone.html